Jump to content

Recommended Posts

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3298-1 security@debian.org

https://www.debian.org/security/ Markus Koschany

July 01, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jackrabbit

CVE ID : CVE-2015-1833

 

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a

XXE/XEE attack. When processing a WebDAV request body containing XML,

the XML parser could be instructed to read content from network

resources accessible to the host, identified by URI schemes such as

"http(s)" or "file". Depending on the WebDAV request, this could not

only be used to trigger internal network requests, but might also be

used to insert said content into the request, potentially exposing it to

the attacker and others.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.3.6-1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.3.6-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 2.10.1-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.10.1-1.

 

We recommend that you upgrade your jackrabbit packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVkxndAAoJEBDCk7bDfE42wL4P/iw/LPaPCIu7eAmEpo3gZE94

Ev+kR1XPP/2jG1w/GwiedYUaYMAC1EouGSaRDPFt2E7yipLBpxEZSFclG54utzzU

NoW5BwSjt1r9fwCvDNxFY4kuwFF61s95kCMV4lwKLDsNW+wTrWSZEw23NW4cyLfT

P6kPEQp2n12YdC3PjoQ8U0Iwo1d+Z6KFQclEy1ADZcIhsryRCHR1V+oEHPvOOo6S

fPHZDWfAeUdMtC8QVRU+KtQt2dyrJWW/i/lrsRACQZbrZdCEnwukRlrDoBqGNuGY

mfyou8TW/bnrn8/AraTyUC+jq6V5xN6lE4Velv/IIN7BUwvBWJmaPlGF92lnp3IA

K4k2zSJLc35AoxpGzdLWAsesgckrHm+sdp0N0RgqG34jcbdtb1leWMmxlQxO2o8Y

zSFrfk8hwM+r3R9WMhyWb3hCKzSrZQy5N9zi1rIUTRZKbtqTy3S7deJqmmYbqKVC

zC5gT+5b+nYpvEkyg/r3e1byNjQFyBb5KGjQ7feYWfvIcEswVFpC6g44UZpQ12uN

i+lFiR4EY8XdTTis6inr/j4K2b+vfy4iRXj5iQLZBLxNFKfDMJOFTo2+q10UQO4/

ZbyFnByHRepYIf74Lh2oAg2Da8nUecdU1Q//4vGH8yIaOMqHMpvJN/PM3q1DRLJt

W3aqLiUN9LCrWvUlFjpa

=8rkS

-----END PGP SIGNATURE-----

Link to post
Share on other sites
  • Replies 1.9k
  • Created
  • Last Reply

Top Posters In This Topic

  • sunrat

    1557

  • V.T. Eric Layton

    171

  • securitybreach

    112

  • Bruno

    65

Top Posters In This Topic

Popular Posts

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3093-1 security@debian.org http://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3401-1 security@debian.org https://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4123-1 security@debian.org https://www.debian.org/security/

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3299-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 02, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : stunnel4

CVE ID : CVE-2015-3644

Debian Bug : 785352

 

Johan Olofsson discovered an authentication bypass vulnerability in

Stunnel, a program designed to work as an universal SSL tunnel for

network daemons. When Stunnel in server mode is used with the redirect

option and certificate-based authentication is enabled with "verify = 2"

or higher, then only the initial connection is redirected to the hosts

specified with "redirect". This allows a remote attacker to bypass

authentication.

 

For the stable distribution (jessie), this problem has been fixed in

version 3:5.06-2+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 3:5.18-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3:5.18-1.

 

We recommend that you upgrade your stunnel4 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVlVtTAAoJEAVMuPMTQ89Ez4wP/1HBhk0TceEkAqzpxWukyK5W

i2L4/QNbh2xCAKAXn/6YcgiNjeec0CDkXx9xsXMKG8jiUEobxdXMISznOIt0OZTN

a8QleldQYD+lTaLxCoXYkTZEefuvkDYEETQdLEql7D5T1QW6UQ5RTnDX+7BO7uNS

uNsqeKye5FeoNRZznbndjfGkh/Xyk0CzPv9my5FreTzneq9XxrrnoMHsYDNCIeFB

hxuaPDnaEejcXYaA2T0FtDW9nG3BVEcnlxl9/Ryj2js+LVRc03gIsiQFgP6hhgB8

Jx9bz9OErGs8uR272nQJuV60qCMGDMhtNhVngQtfc1JwwwQ4vmv1W0nsvT03LdNP

VaLYTT+8NQRY8WVzOswJhC+6zVt6XF5aoOhxyW0Q1bFHi6Hb5rDM01DCkZLYnUvX

1McJel3NySZxf4ckZ8HGOCsYDcoMd+gczrmhfd29iGT0+M5Yx/vyY0Eb7XX8aCLA

Maszd/pUBkY5BRyl8+flFwRVO0ma7zVi29z7f7679XZ9Hc+r77OROStbk8SJe/ec

dzOPTG4SzzBvgpbdChtjX6B/nDJMl63H5vovG/dVkMxna+iE6eOjwFFZQ2dfP3UM

64tJvHHRn0v49kU2xDrZDxmoDcT4HhSB+9bABh24u9IR9JpaSIruxx3OZhluuYP4

/XxtShKrQNCApKgc7pjR

=jN0q

-----END PGP SIGNATURE-----

 

 

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3300-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 04, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2015-2743 CVE-2015-4000 CVE-2015-2734 CVE-2015-2735

CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739

CVE-2015-2740 CVE-2015-2728 CVE-2015-2731 CVE-2015-2724

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser: Multiple memory safety errors,

use-after-frees and other implementation errors may lead to the

execution of arbitrary code or denial of service. This update also

addresses a vulnerability in DHE key processing commonly known as

the "LogJam" vulnerability.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 31.8.0esr-1~deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 31.8.0esr-1~deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 38.1.0esr-1.

 

We recommend that you upgrade your iceweasel packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVlwcNAAoJEBDCk7bDfE423YUP/jMCjFkgYL0Ky89PzBZ48FLz

C2hL8LuRYamhXO3ZbvcktEABX9hJxoRUfrcDRjjoSEGgThhmOEzqC/R1TTz/8ExW

2lX326be5sNc4VEfNs5B2Sm2e/jYmwgghvYQUFlRnS/dSUpXuiqdgRc3+eteeCBU

CRmYreptEAvMf2QaXJJIb8g+jGd1NQiklkCXpUIWdQP4jm5K6xyM9+pxhFhMAVkM

0vw6fy566WJqMhjFyTQeXYR+fE32GVJ3wZmR5OSWrBQh5Rt1FrJ2mSA17HsGTCRG

T3CgfTRVbPHg5w7C7k83GlQeXZbJUgHZp47t3+YZr17N6BeeSHHWTwap9eM/rHd4

qn0jDMhgWAjCK0Z975Z+1ZblP2hvyr/PJF1Zwm6dJbjWP3mMsfdrYBnoeXupI9Y7

xA+LbXjKUW//6fGkuEAbOHJO45XrTE+OrbZ5+jAS3BIpyk+JuWh7M6q/UggMe+v7

ZUZanLxM3aaw6dVca9TLhFzOs3cpe8vCqavPpQWm0S1dszkH23IkoaKT8zWRqwIt

rxFhFoymGbtsJn6W481DO3cY/ujaJUVWWXteB4LYU8QboQ9BdVXFSqedF87jIsRy

aqnhltYQZ23SsQX3elsbQY6OOmYMUXWyb4xRkAZ2xTtCDlHI8Fe5pQftldg3LNyP

Cnr+4/67BJCGy4qYH9VU

=7/pR

-----END PGP SIGNATURE-----

Link to post
Share on other sites
  • 2 weeks later...
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3308-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mysql-5.5

CVE ID : CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648

CVE-2015-4737 CVE-2015-4752

Debian Bug : 792445

 

Several issues have been discovered in the MySQL database server. The

vulnerabilities are addressed by upgrading MySQL to the new upstream

version 5.5.44. Please see the MySQL 5.5 Release Notes and Oracle's

Critical Patch Update advisory for further details:

 

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-44.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 5.5.44-0+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 5.5.44-0+deb8u1.

 

We recommend that you upgrade your mysql-5.5 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVqhzSAAoJEAVMuPMTQ89EomAQAI1juPOJEuifOd68GP6QXgGp

UQC9bn9+34p6lF6Zppz3QdHHD1GkTC2NBuLo8uESdJlb7FP6cvNR/tXxuq/1RAzf

WYbzf9MzaA+HeRkyaH1PPz+RUVEw71na6UzbP+aRtOgQBWY66gIk08Nu+hQg7wlN

YkF7SVRq7Iag3wxTa6PEu6tSvFgBnW7fAq3vX/S8vzd6LKYj0YR1DiLAjhGrrgXf

Z3sqanyKxciqZJYDoIB/b+U32cVBg7SVupTUrLtj2xnKD/jAJ1M5uHvnmNeTswsf

VdOlDTuIC+1z0roQ8utXZP2y2siPOOz/a/NNVIz4+mSZG2Q11Z8zJA5hR2BQidE2

ZZkCOdRg8G/3XMGQpw82mr1gY2gknlJUUhwgjZFJGLRD9B0EYQuYccogdoifwo8h

/q/gYHXfBOEMtWPv01/OeQl9IISDjOgwcYXAaIqHJD655nVzBTSxhzrFEB1QRqan

UHjDORz58995q5vEwHQy9ZV8R7teLE3VLYkuZB5hTAPfl7ifErAsfR9EnEp7O0Sn

rhnhbn9Iy5pYWX4YIkJyAxuDVKKs1D4Msg6lvcSEYAHXhVpQREYqHEmqOhrYHOQh

lPKOmlv1+DyCSsIu+VKZRJXAHY/LEP6XFd5XR3AvgW/eoOVV/5CHCf/IutBJAUJ0

CZi++pP2XBPba1b1J2OJ

=TnIo

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3309-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

July 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tidy

CVE ID : CVE-2015-5522 CVE-2015-5523

Debian Bug : 792571

 

Fernando Muñoz discovered that invalid HTML input passed to tidy, an

HTML syntax checker and reformatter, could trigger a buffer overflow.

This could allow remote attackers to cause a denial of service (crash)

or potentially execute arbitrary code.

 

Geoff McLane also discovered that a similar issue could trigger an

integer overflow, leading to a memory allocation of 4GB. This could

allow remote attackers to cause a denial of service by saturating the

target's memory.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 20091223cvs-1.2+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 20091223cvs-1.4+deb8u1.

 

For the unstable distribution (sid), these problems will be fixed soon.

 

We recommend that you upgrade your tidy packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVqojcAAoJEK+lG9bN5XPLn34P/3E7efokZezirY7p4eikB6ER

CevFoVPDXpQNBKzr+0P21HyQva318/9sZasVmuPK+M3u/IMo+swUjRTph/FxSxiT

vegTYRWxvPHgwF7AiwV6eyPzRaMQcUsXslAY/F2YjmYYfhTHW4Rv0Gk2H0B2woYx

cjuMjC5uUXN32pU3Wpq24XayL2pcdT6r4L22TguXF1t1bydygiJLYMhANjCDNVf6

0s+NYTOIHBzH7Fkm6gkqBnkRmdg6yI48HrbD0TcjZR5BtwrbzcJmKk9e5wU5UNSa

Ilx56N91VTq48F8mi5ZB57hqzdbWD4I5h+lZMDS7hy57isuTIvc4uDR/LF9e7E2U

6qIJ7IN0J6dsLOAQLIGpnkUTF/SLJJIgYUon4zkPEjIstGExRAn1Of+l/A5k1vaF

I3ZPs5pWuvVTxkr1DzoDdELB3aRL20+j+zs1nxc8IucCt8/EHvpDI1iyb3e4w3i3

6rnTIes6h/vA6c310xJk2avMNzv3UhFtSVNPIl+yIZT/QF1tRldViALR5a5BXI5e

FgucdM7/+zOT7yWW0uI2EnPCCYLnCumSS9Pjo50/Le/FYkbh0IIg2RrSADwdFq7y

qLWaE8neaDxe8KaqIw6fkEHl1W2xwhwuLX3DfPEO04/nYY8whx4HPZF2xoQxU8jO

On7mgKze4gCc4ozkDzDr

=jhhR

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3310-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 19, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : freexl

CVE ID : not yet available

 

It was discovered that an integer overflow in freexl, a library to parse

Microsoft Excel spreadsheets may result in denial of service if a

malformed Excel file is opened.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.0.0b-1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.0.0g-1+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 1.0.2-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.0.2-1.

 

We recommend that you upgrade your freexl packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVq+KDAAoJEBDCk7bDfE42fAIQAKfMu9ZBVUkmPsxKTf3J1ygS

DuK7g2PP2hacV3D+igshEL7IxzNKkvdz/Eguz/6ZZUisCueWGginhXNcfvmdjISU

bd90aHVZv9c0ZnGTnsY0Fbw8Q2bDyOL05ebSOc7QRLJyMqsdP43MgqjICFw7RgoV

Pn3lIVKrfQ9qEE/OKJQa8j0Q+R3tPuwC34z4Gw06HTsB1srtmGLHh9QcfpY0uTeW

3MymXOTAVMOpc/VDAcE2HWcy66d1HtKt96pfBSU5koP4ZX3rF3MmPl3FBKfA+RyR

Z8Kxr1PoNuttwldbXwHRMX65Swr655+qV+Y5Nj2qawEBTbcsrSIH3RLjgwoSbojc

pzazg9qejxQOrN7E7b+x0tIu1F0Nq+gxc9/d9mWsuBGHV9SyiS+CP7FKYsQgir9b

CeKgIu1lU3Rlk5wVpQyZteyLMkMN0zsaQD6DNeTHyRYF7rCaSXvt/9JSLsj2jagN

JkPXWByxHitMtWeMMeg1cgQ77qIurk9Mm1tNeQ3lsM43pJqRKr5ggp2cVMtihSFX

8ptrETGzy7NR+If241sYMFTqUn4E8qKTS+0U0HlOPjg/yQ/3zY50/t5udMl5ToV2

b7MS1grueUWFSOKe2kfj2r0VFib3WYNXsm06UvjL5+2sGBtlqCSIFBZbnw+SZw8E

UX4FIBx19in8mVfB1C5K

=Crfh

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3311-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 20, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mariadb-10.0

CVE ID : CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501

CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573

CVE-2015-3152

 

Several issues have been discovered in the MariaDB database server. The

vulnerabilities are addressed by upgrading MariaDB to the new upstream

version 10.0.20. Please see the MariaDB 10.0 Release Notes for further

details:

 

https://mariadb.com/kb/en/mariadb/mariadb-10017-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10019-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/

 

For the stable distribution (jessie), these problems have been fixed in

version 10.0.20-0+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 10.0.20-1 or earlier versions.

 

We recommend that you upgrade your mariadb-10.0 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVrIYBAAoJEAVMuPMTQ89EdIAQAJdlVgw+55A0llZY8DhqZg6D

R8gNis9vRgbGDRx10fO18q4gprPfK64bh5GoEf7CCI+WOW0E+JyxgJzdPISOKjGz

GTcgBZ2dzjv283vkHD5uWFJcdwIpLO0R3pyjqKZWCURm8UpjrF4e9gUG64ZuC1eV

GvTkdFwgtj15STidIpDXx9lrHAdTsdnhUb4H2OVfvGlkgqxMipOsVldOYemJsUKE

1AqObB+Rqtkk++tf3xU5TnR6wWLMBKGjFsofVBcbhwGy58IH8o2m9sG0/0IBVmUP

aoXzTEZVU2ou32hIhcoVoGMn4FfKxOfE9aU2YTLkAhzkv0AZKFNQnB0owXxOZLBe

HV8LhDFPQTSzHqYspkOj1vD9DAifMayrPayBnbkkAcCh2cMp7Eciso6tKhiZyQFU

4Gts0Kh8n3Qh1yOrKhkP9yR0Kp2jJSIJ7TRm1YK0+Z4hFsms4hS6luI1nwwtKVrg

rqTsYRvUucVFSi7yrvwnzuh6R875qvgNGhpN4pskJ1T+yafu1QRtloWEoD/ilG97

AYvKmi4JID4tswnxzRMAzIQ69114rBEpfh5mPe92ScfLlmdDch+HotQjv7yPZBAv

iY5EUKBLATmPNf0gzbeZQxu4EhjqWEWI/v9E77xRfYPUPugx/Zs+TZJ3t1knaGCK

jAGWX7MbCQGk0QrAWeo0

=f+xe

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3312-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

July 22, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cacti

CVE ID : CVE-2015-4634

 

Multiple SQL injection vulnerabilities were discovered in cacti, a web

interface for graphing of monitoring systems.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.8.8a+dfsg-5+deb7u6.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.8.8b+dfsg-8+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 0.8.8e+ds1-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.8.8e+ds1-1.

 

We recommend that you upgrade your cacti packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVr2LGAAoJEK+lG9bN5XPLmCkP/0CZdwQviJrjPhUP6OP/gj/N

DY4gKN2BfaXjw0wHqb6tpslJXw8jzXoBgRkOjtsVscnS/bCYlpQyXyi9PmUBNvEN

r+s1ChWqneZ36iM7s5ZYaa7F9o2zIRjN26NQIpuY41WAe42RmNNKZkq5byVDjUke

wYDJGGn4ufkxxXFEUcmGaKQR9nuFLvkGP8CahQNUo7NAp2O1P2mTm7pLu4/YAFDr

MAw+hDWAg5e6sUqnrZgMI1qbJHbRWanTQO4JQunESV7fhoZTXvuLC7bOkJh0aE4F

iQIjitw/dz7dKqn4sGb5QBf3USGTA8QzQk0gVbdYw7puc21kB+TYwXe+3Ws4qPPw

282f5hdXfC/P2qlIszwVhqfwgh/II0bsupeBJEUWKlo6fS23P6fupcSXf7GGylhH

f0bl2JIkB7TfrpPkNKLcsb/c+g1jr54tcEgZlMU/SvPOBepTvAhH8mmTEyT4bfi3

b7mlsxCGf5eFogFbm3V4/CRQSrEZ+sLK+RpIT6REhJdGPOs+8wSm/6u9SyTMLEMP

hjYR9HLWzOVt77EU/WHlqL6//MCiBoWKQCoGGJ/Plxry1DG5b4bj2YNnsXCsMpe6

OCuyr4MHNL1MYFCqgqFI5j496yl0fvqJE48USN5nT/i0uqXg9807um8qc6t7gZG7

9XiDnFFQO3x75b+pLV0J

=eVij

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3313-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 23, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2015-3290 CVE-2015-3291 CVE-2015-4167 CVE-2015-5157

CVE-2015-5364 CVE-2015-5366

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation or denial of service.

 

CVE-2015-3290

 

Andy Lutomirski discovered that the Linux kernel does not properly

handle nested NMIs. A local, unprivileged user could use this flaw

for privilege escalation.

 

CVE-2015-3291

 

Andy Lutomirski discovered that under certain conditions a malicious

userspace program can cause the kernel to skip NMIs leading to a

denial of service.

 

CVE-2015-4167

 

Carl Henrik Lunde discovered that the UDF implementation is missing

a necessary length check. A local user that can mount devices could

use this flaw to crash the system.

 

CVE-2015-5157

 

Petr Matousek and Andy Lutomirski discovered that an NMI that

interrupts userspace and encounters an IRET fault is incorrectly

handled. A local, unprivileged user could use this flaw for denial

of service or possibly for privilege escalation.

 

CVE-2015-5364

 

It was discovered that the Linux kernel does not properly handle

invalid UDP checksums. A remote attacker could exploit this flaw to

cause a denial of service using a flood of UDP packets with invalid

checksums.

 

CVE-2015-5366

 

It was discovered that the Linux kernel does not properly handle

invalid UDP checksums. A remote attacker can cause a denial of

service against applications that use epoll by injecting a single

packet with an invalid checksum.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.16.7-ckt11-1+deb8u2.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.0.8-2 or earlier versions.

 

We recommend that you upgrade your linux packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVsI3hAAoJEAVMuPMTQ89EqhcP/3/kR3DnbodC4GFblOYwidim

LclDavSNCZGxJzLhlqDczTmEma/z0nr2UxSy1Y4E3QlIXzd+3KaYZBBH71Ktnk6L

LJ79i3KKHtHogwvSUcjPNJD6++mbh5WS4uFKLepH9zO6ApF8BggThr7PFtl4r8Wn

bPxUHYd0fhrfqksvvBSM3JDlDvZx2xTMl0/FG9Ka21zm5AjnU7TVa3VsQiU5Qirv

hKTQSq5OyJ6URkfaOnB0ulmTWofCSy/A6QSN9meu8eHsB1qCkKw01DPBIs3LMaiv

AzZZ3s/F9ovNI+BiQyWRvsJvqV6uYYHTrTsW/2LXdULsIR5nwohoi6OBHbtyA88L

jOPgMMGZ0WwXTDGDgPjzWXInBhJh31j0hZr/yiW+owBhlqKrPoxgUoa3GDNgBvXS

Pe/22MjxAne2XjIY0aWGJFokIDB10n4TJuLHYCtgqOUtAr2r5x/3p5nmU325QiqD

f/9MMDwRS6AXabh6xFeW38b/NrYDuSm8wbYlFlzFh5plzNrb1pSSnW8QBAcapZuN

u0XVrTSHpW0vabokKXs0KLlLhDGWIr0QnGCFt9DMEAISkyn13zLOYr65U8w+AXjB

UFeDPcmZul83a4BlW86DxCBQmRPkGl1LeS/xRqYLMBS0OneE3xZx1Nv2FneVxwlr

Cu+sM+Z7F1vlYKqRzhxw

=4jts

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3314-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 23, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : typo3-src

 

Upstream security support for Typo3 4.5.x ended three months ago and the

same now applies to the Debian packages as well.

 

Newer versions of Typo3 are no longer packaged in Debian, so the

recommended alternative is to migrate to a custom installation of Typo3

6.2.x (the current long term branch).

 

If you cannot migrate for some reason, commercial support for 4.5 is

still available. Please see

https://typo3.org/news/article/announcing-typo3-45-lts-regular-end-of-life-eol/

for additional information.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVsUpjAAoJEBDCk7bDfE42AXMQAKMNFzMt7GC8So1vnB7iw9HN

Om4Rn+HiXfnxRyQJOwjxkw2BgEJR3/XWHvGB85LReqXWhUObZib5jkLEh4O/PNWj

WWmzSebOyTYUJeieFb08vvwk6FriXOX4sPoUeycGKaOVtyDPWrRg2BcuRbBDr6JJ

UuSEdYliVWfKgN0XG4L14dQy5gsEB/32K7rT11H/TOfyhBBIzn3vb+ar4mKFpcfK

Dpt1E6RHQGVsUd0SE6DcIBoGUfPWsIFDe5fwmz7cE+xzZ1Da954cPz7Z4DbV5I/M

yxd1wu1zfH6vy+yzpsNV7ro7tejjvJpN+P65FBkDpEbn+LNghXY4Go0UdD4F/0hQ

tDZ2u/UxuI5JgzBOxzxlv4qsUneCNZiKQROtfrQH9gt+PR1EUDliwvj3WX97djFq

19gWgx81c+JG0N2mRLpMLNnFXSHwOtmNce9sCTAJ+Ebh3ARzQNxZDrj3cvPcdiqY

OI1GV7Z+t+93zMalDp2iHQzcLiJF1gTwH/v61nIAQuB7LTTmQxW1U6AfMJSSxuus

89MZ8kA6cGNV/D1htQ9h1eHQg1BS0iqPJ8H9gSULvlxNC85EBvrPzRUYYM48v14D

sxRac7yVe4qgPzF4oqj1yYN4nZH3xuk3ioLxC/IFzkckOKzbq3NjvO6Cz95k72YE

A7NyAuYSI6Sw/RscTVy2

=X3ZI

-----END PGP SIGNATURE----

Link to post
Share on other sites
securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3315-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

July 23, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2015-1266 CVE-2015-1267 CVE-2015-1268 CVE-2015-1269

CVE-2015-1270 CVE-2015-1271 CVE-2015-1272 CVE-2015-1273

CVE-2015-1274 CVE-2015-1276 CVE-2015-1277 CVE-2015-1278

CVE-2015-1279 CVE-2015-1280 CVE-2015-1281 CVE-2015-1282

CVE-2015-1283 CVE-2015-1284 CVE-2015-1285 CVE-2015-1286

CVE-2015-1287 CVE-2015-1288 CVE-2015-1289

 

Several vulnerabilities were discovered in the chromium web browser.

 

CVE-2015-1266

 

Intended access restrictions could be bypassed for certain URLs like

chrome://gpu.

 

CVE-2015-1267

 

A way to bypass the Same Origin Policy was discovered.

 

CVE-2015-1268

 

Mariusz Mlynski also discovered a way to bypass the Same Origin Policy.

 

CVE-2015-1269

 

Mike Rudy discovered that hostnames were not properly compared in the

HTTP Strict Transport Policy and HTTP Public Key Pinning features,

which could allow those access restrictions to be bypassed.

 

CVE-2015-1270

 

Atte Kettunen discovered an uninitialized memory read in the ICU library.

 

CVE-2015-1271

 

cloudfuzzer discovered a buffer overflow in the pdfium library.

 

CVE-2015-1272

 

Chamal de Silva discovered race conditions in the GPU process

implementation.

 

CVE-2015-1273

 

makosoft discovered a buffer overflow in openjpeg, which is used by

the pdfium library embedded in chromium.

 

CVE-2015-1274

 

andrewm.bpi discovered that the auto-open list allowed certain file

types to be executed immediately after download.

 

CVE-2015-1276

 

Colin Payne discovered a use-after-free issue in the IndexedDB

implementation.

 

CVE-2015-1277

 

SkyLined discovered a use-after-free issue in chromium's accessibility

implementation.

 

CVE-2015-1278

 

Chamal de Silva discovered a way to use PDF documents to spoof a URL.

 

CVE-2015-1279

 

mlafon discovered a buffer overflow in the pdfium library.

 

CVE-2015-1280

 

cloudfuzzer discovered a memory corruption issue in the SKIA library.

 

CVE-2015-1281

 

Masato Knugawa discovered a way to bypass the Content Security

Policy.

 

CVE-2015-1282

 

Chamal de Silva discovered multiple use-after-free issues in the

pdfium library.

 

CVE-2015-1283

 

Huzaifa Sidhpurwala discovered a buffer overflow in the expat

library.

 

CVE-2015-1284

 

Atte Kettunen discovered that the maximum number of page frames

was not correctly checked.

 

CVE-2015-1285

 

gazheyes discovered an information leak in the XSS auditor,

which normally helps to prevent certain classes of cross-site

scripting problems.

 

CVE-2015-1286

 

A cross-site scripting issue was discovered in the interface to

the v8 javascript library.

 

CVE-2015-1287

 

filedescriptor discovered a way to bypass the Same Origin Policy.

 

CVE-2015-1288

 

Mike Ruddy discovered that the spellchecking dictionaries could

still be downloaded over plain HTTP (related to CVE-2015-1263).

 

CVE-2015-1289

 

The chrome 44 development team found and fixed various issues

during internal auditing.

 

In addition to the above issues, Google disabled the hotword extension

by default in this version, which if enabled downloads files without

the user's intervention.

 

For the stable distribution (jessie), these problems have been fixed in

version 44.0.2403.89-1~deb8u1.

 

For the testing distribution (stretch), these problems will be fixed soon.

 

For the unstable distribution (sid), these problems have been fixed in

version 44.0.2403.89-1.

 

We recommend that you upgrade your chromium-browser packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQQcBAEBCgAGBQJVsi9LAAoJELjWss0C1vRziN0gALQ34XXl/qN5BlJrTH+8xaUm

ZUZYAqSJK+QgFOOVxXiMWDREsLV7OcQ8CgAbq/l+jumfaq2yY6uVo61xT+mlzIY5

aVT6t72NX3fUR9dVxiW31M0qnY3jfNFd0tBD2Q42Zuh7PvDspLYKKsytrcyz5oYJ

GFbxrW2C7/8bUmhd+muzfYCQ5VHohNMaV+QgeEPy/XUrgFgjWJlEVDSFIS9UnGsZ

y+bI4ssZjC3/+SeqkyIxBzeqUK7zbt3cDqpyEtEjI1e6KijkJRbazWh2Lc9qkWON

VOzU0o0Sb/ftdCV0Rbkfakk2cj2F3WAoZh7nFzCMAdqRVzczfUZFzyOH4Ups30CZ

qjHy2K+cqtmDg2egsuDKI7M7k8uWlSWo2J6hyLY1UKHei5QwP3nLkC6BQUaTXxCW

gt1IlVF77eoBOXTnVOXj59OQdh1KKXsZ9IkQVi3c3JunKHeOgYRPey8jNEjTp0IV

7YNew1a8RnsIpf8GwTqCM8YaVUcxxQE7sv1ya7k2C0QTGQpqUlyT8FV/P1ZembDJ

6fpqn/IQWv98ztj3yuuJA6SwI5uDpE69u3JUuGCweGL8iMN+DU9cyWcxfIvvAewK

CAEehgKVA1HKfBZoCmS1lky4QCJZrgHyxSe1c3CW0pDy/IfOvV54Xzr3Qn9Whx19

kq/tOP3UcrfGjyy2oRPTdKFEC9qUufrRoZw39d1yvVxsqtEzZp9ri6mND4WPuZYf

i5mVplBPJsvXOC5RXJ/pnSu8IrsbC5Qz9CxSlWLcDx+DjktUuMza6lawJyKh3QUK

GUOXMG4bC5CilN+r2Fm41ZHW9ZUMHLcqnE/jBkvNUMw+Z+0i6noQkgG6t1CeIki5

OeuEMuES3UU5joyRL24b4ejiUJxeIb9sik0WSrR4qelBeOLXFKyKNvpm243Nq/W5

BMoFvQkmiF37IZ9naVmPUTwPmicTeD35wEs9XerMSvvAoKUfJtXMWglN0aP2hxK5

2Dhr5ZAQ0jJTxIx/l6dV23hJNql0hCurFPF9tQxYZHDpl3WUS3YLs9Bj9mGz0AjH

HAyuJrQWVMCT2gao//1I7T3O5JkrVTVXNVcY+1gg+HTE0iOxe20Uhiat0pd+TCW9

ops3rpYOjSDy2bpipdkxSblb5QNWN1SRmSywGuESESIPLKdmooeD3nyMBGA7bWVa

FJukfJcBaDnGFfgMfQmEfckawvcGhErNQtXReqGQ3AYUn+/mYiV8gvVatn8x8dy9

qpRHWM1VwVD5DsgxkeUTRyimOi374RrkCPx1olMwCkbNQiQJ9VTSK5Ji7HoOZz9P

FazeCSZ1csx1HTx47ch+DvRfsJMnSDwbBst2aRAmRaInUu7qSb/VJwXtjdI6HRo=

=0awE

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3316-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 25, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openjdk-7

CVE ID : CVE-2014-8873 CVE-2015-0460 CVE-2015-0469 CVE-2015-0470

CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488

CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621

CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808

CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733

CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

 

Several vulnerabilities have been discovered in OpenJDK, an

implementation of the Oracle Java platform, resulting in the execution

of arbitrary code, breakouts of the Java sandbox, information disclosure,

denial of service or insecure cryptography.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 7u79-2.5.6-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 7u79-2.5.6-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 7u79-2.5.6-1.

 

We recommend that you upgrade your openjdk-7 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVs2DrAAoJEBDCk7bDfE42DG8QAJXbD/hks9A+ytcoVAQe0Aq0

2xoZwEuSn8QyKiC8uP49jMWreR7SQ8eRpoNZzQ13iZjQE0aRGPMEOd0rA20EEXk8

BPzuvpctAmSbfchFLd+1pAAuXX/a2VC3aw+zIFvRnH2GQPFpZjWm7KczxXrsLyGK

jpowbTtSYJBcZCg6Cs1S1A3bFg/BKFxaJzrDqndYFPXQwW8tDQlT9I/Sx8tpigDH

cqW0sbjmHvxJAr61pxcUIrd2WJ2PhjMsRXlucC57DwzjLULZ11WrATLgVLkQUhea

shMXEp77uCRJJyf/TPJJVvMDqBdfUQY5LwllW+liAQylHCq0YW4XACvkUVDRdwS5

FHjtu90Sd7AOOF8LhwzQ6bSWZPXrtYpQYykAFSdqBCU+8wOlz1fFNq7Ne74B/n5f

vjqeYWMuf3/Fg/tNNlrx4jJlZzIwnERuAbbT+R9EytcInTTJhsdUYdCWRQi1JXtD

pkjDtKx6gauIxaR9J1z6vE3EBAebhQwZrkieXHtJyrt2Ywls+b7fsf0QvM/qXN26

7LabsuQHCphsE/xf9tv0xPoQK9Q0GfLWDC/l/S+0mzIru3o0eSn5/63xY1a/vuQt

q4mF4AZnlvNeUG8liYzbfSEmQNQ+cCNZF2CRkBzU95pjTASKQIm+hCbno2Zk9ky9

solb6saRbLOtnTNRQYnL

=aOkr

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3317-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 25, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : lxc

CVE ID : CVE-2015-1331 CVE-2015-1334

Debian Bug : 793298

 

Several vulnerabilities have been discovered in LXC, the Linux

Containers userspace tools. The Common Vulnerabilities and Exposures

project identifies the following problems:

 

CVE-2015-1331

 

Roman Fiedler discovered a directory traversal flaw in LXC when

creating lock files. A local attacker could exploit this flaw to

create an arbitrary file as the root user.

 

CVE-2015-1334

 

Roman Fiedler discovered that LXC incorrectly trusted the

container's proc filesystem to set up AppArmor profile changes and

SELinux domain transitions. A malicious container could create a

fake proc filesystem and use this flaw to run programs inside the

container that are not confined by AppArmor or SELinux.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:1.0.6-6+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1:1.0.7-4.

 

For the unstable distribution (sid), these problems have been fixed in

version 1:1.0.7-4.

 

We recommend that you upgrade your lxc packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVs6LAAAoJEAVMuPMTQ89EP8kP/iJUCwyKpqnqhKjfBhvHSVKX

4QsAubBAVLwmqLnT5DT1BghXHpeQFdQsl6CTfDas2H6SbwV5pJeZFWyItLVA1shf

6ocFssYQtKjM8q85zEYIPc1xiwuQpHsS270xh/hR75XSTYbBjpZ+wbCKrZGjqhQU

QOBME9CIEeyhGfToaGxh4f1FDcxT/YStq49ISgqrJ+4qFeJiCMvBkOIHeXTwKkxs

sKgXx7fJ90PVqSRDWCFggLQENpkTmftS4IAGF22VCRP8dO1Bnwz0TZVl5TzXe+22

r+L3BWie1W6jclMXTzphu5DyYOwo2mSylUmEhOkG7E8JIO3wc0AdK6hXqE/lNSGe

eUx2DRVw3R4yFOKs+LDLAgntuBbMqRAR+lEeifNrr9i8RzxHnf27fm3qGDdKIohd

mTt18f6L/hYdN372D4IpF/unA1uPMYmtnz9VCTK6Y5ppooOaxCkh3mPUe3vVZapa

X/Gahw67/1z7TI8b0wt0Hx/fxdkoTmubMU28o/qeWWu5aheA7MU69+EqpXiU2xxl

xpNy/7oCpdFswowcSpQ8DdzQBO8alLnu6j7s3d5vn87f7QIyZ2PIB61PEB61JBpC

ssi7CQzdV9OrnUb+mAZ48V3YfT73duO2C8NI3fi3cVdWjFWyvC/QKHbKOOUYutiV

pMFQTIT+IdFpU/c0fowx

=mtWe

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3318-1 security@debian.org

https://www.debian.org/security/ Laszlo Boszormenyi (GCS)

July 26, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : expat

CVE ID : CVE-2015-1283

Debian Bug : 793484

 

Multiple integer overflows have been discovered in Expat, an XML parsing

C library, which may result in denial of service or the execution of

arbitrary code if a malformed XML file is processed.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.1.0-1+deb7u2.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.1.0-6+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.1.0-7.

 

We recommend that you upgrade your expat packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVtR53AAoJEBDCk7bDfE429xUP/iYH65ZkPj1OsUWAmTeTGboo

QvUDZMA+TvtS4Wnnxx07ln30JwiaEqPBVUjwkHqSeJ+WpzXT961E+gLCnAN6QOdw

Bilxx8HSytsQN2Gov7h0wSOxqQ9sbZRh3Cb6939WU7pp+XjwvPqXf2HxJN2uEz9S

/tWQYOVn9yAkyaDC+LUVInmRnrF5OW4IY5mGOolOobfF/RdSRICHEdkKry8buTUQ

mxtMuALwM2Yo1iEyTro2GLJWiCzqmzhMN+JbJ9DWv4+gbExMe1gXB3hSlfw8OIDb

Em2rgEuwzUg3JZlEo7HIUO/IaL4ao5d/9Z7DyO9RLd385QZsF3iBfcp15U+6qJ3t

f9Ftrl4N+fgmJt1DryYTZmX2Yg3+anCF25GMt+rHo4xWateKriG88eBNcoxnbjM5

Laitgvnih09b9FibnnnIihB6mOuYNdfvRtHncxdTaA9HiWGwlzeDXMX1pQVsDOxE

k6hcrrE5p6ixzQLJI6FvPDVkRU5UdlAeFXOiKFfKp7ztx6KxgiAMceVH2zEfdl5x

7Vovd07/BJ0PFKWe1lUDJpvijb0X2RoZA5NsQWUN3QBONQPfpHjSl0sC8tiHhm2y

ecwbdHMdOqpNlTZr4rZgfqD/M2sXqp8sK7Z3kjz59qTJ/hoE4Gj6eb8xx5MjsEti

hqrriI8A4uSmvWjQl4XH

=TfCY

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3320-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

July 30, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openafs

CVE ID : CVE-2015-3282 CVE-2015-3283 CVE-2015-3284 CVE-2015-3285

CVE-2015-3287

 

It was discovered that OpenAFS, the implementation of the distributed

filesystem AFS, contained several flaws that could result in

information leak, denial-of-service or kernel panic.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.6.1-3+deb7u3.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.6.9-2+deb8u3.

 

We recommend that you upgrade your openafs packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 

iQEcBAEBCgAGBQJVug6sAAoJEBC+iYPz1Z1kz+kIAKTX5q9GSKOuTljGXoBREZo4

SXFNsKGUPFvSEzvcYEbQ0wYaS0DMv/LJYvwyac+KgoMKJPLSiAG1RybkjeIloE/4

wbXrlCS/r7F9M/qFYOaOlr076BNPxERS3YBhwNI5bNNfqimVrJiRF1TUY+og0qul

cqED9sAazr4xE+vDo2tF0s0JRPiV1FnI9SMdXnoLgpXOLb3UrpJuhUSUI7gJ1PNr

pqp0TenHQscrK6AyWIQYQUlxOl+gJhxpIOpJp+Z6UQlAy+Jz85FIya3BgTDYxB90

IlgZ3NG2UTUWH0Fg384vsR41mElEM+Wn987OiVPGdrffKNMg/URUfuU6V9X0TU4=

=EAi5

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3321-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

July 30, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xmltooling

CVE ID : CVE-2015-0851

Debian Bug : 793855

 

The InCommon Shibboleth Training team discovered that XMLTooling, a

C++ XML parsing library, did not properly handle an exception when

parsing well-formed but schema-invalid XML. This could allow remote

attackers to cause a denial of service (crash) via crafted XML data.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.4.2-5+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.5.3-2+deb8u1.

 

For the unstable distribution (sid), this problem will be fixed shortly.

 

We recommend that you upgrade your xmltooling packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVuoLsAAoJEK+lG9bN5XPLpgUP/07/YpmqvpItmNLfLvnE5yRD

lLBc5TgD1oOOcV9SWk8fMdwU+YQ/uWOaBOYWXLwmTgriSXZgLSTUVn3BhWp9o7AQ

/7E0wCBGrRErx/cQ1FOrRXAaZhXPgimaL9+7RPs+wkruIUyjhzHcj+TR13CkdHIE

GI6Ah1NwuMWmqADXZd+XM3nV7Lieg9JBoXxsn0ZSY/7/BwwZh/HSME81+JmEvmTW

OL+knet01hwVH39XI7fGgnpfRqxqTNf1gqmAu4Q0lbHcVClLDYtZlPpUQ55/evks

rNyFaN5QmzMhZiiAcy6yakVKKFx/fdrAKog9xtfTUicBmkxFREQfy+CjhY7GmY4o

o1S4DcV52z5YC3emSHUyQxqlwrKUzJznfVzjCLb289kS7JaySuYRuPM64y33Wyom

nqXFZfjzgPIjskBqdxrctabDIcTHy0Mk+97yyMC8R8Wkw/00pzhcu6AIhGczSkCO

cyOGOvdaDKFSj0RDqgJWuFtuKiJVSaClMJZTYNJATlKXeHtVHFptSo5POQAFXOEt

BBeMRlw+gYhykNIjZTewHhiv/R27bjGaoV1lIcc3MMo6vhbOGmp6rjnMfTUYLO85

eDiiGn406vBB/4C5vvfSBBLpdnm6cSLQHHfLXGpU7wdIh2O1YAIo24Qp6Y9Njo5p

p0yQgYhONZ0+MuBclNES

=Jzdd

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3322-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 31, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-rack

CVE ID : CVE-2015-3225

Debian Bug : 789311

 

Tomek Rabczak from the NCC Group discovered a flaw in the

normalize_params() method in Rack, a modular Ruby webserver interface.

A remote attacker can use this flaw via specially crafted requests to

cause a `SystemStackError` and potentially cause a denial of service

condition for the service.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.4.1-2.1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.5.2-3+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.5.2-4.

 

We recommend that you upgrade your ruby-rack packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVu9FfAAoJEAVMuPMTQ89EtasP/isRvloSrZg5M+yn5jwzXm9P

s+EssK1s26BQIzEBoxqEsUBVdjVH7Jrf0BHfAiTZoqjOB8SGqun/CV8B0tQGe911

MGumBe1I6458y1a1EbydHfnFoWouUveMd8AyO9HBXpvUXyRLowUQ0FvwxVKh10z1

+63+ckR1BvuZj7HlipTSeyFTd59QgGX+Z84kIdJuy4da+0OWrG2EWwXS6cAFCyVA

mBogkE/4/XydrYt1ia3MuGdsrfiAKCEVq+WOQxpURtqLREY0UFNs+8OUuigu5RS+

gxLFE1kZpGa0f9fn+1mf19h1VBGbaRMqR1/kFrBHWWXQbCtmdHU62IbluLrD7wNg

tw16+9WZ4N+izNOWwT+F+ZvvEI2bg/pC6NmLzYwTqnK4WePrMsCQYncFKqxNq4MQ

W4C2gr/aKYNkExMx9uVJm51T8ObFmtHdCeli48b8fnB987krT4lXDstWEJBMr1wg

oE3UbxgeHyYmO3g+V+TceNLg47mKhgU/+8a28zHNCHBWVhKi+CyKIqWJ+GC6f1/F

6etfMsnD8jN6GOS7Xh5TlHpZ6BoGuLQNsvpeQceST4DtFn5Ap8XxXi25aIvpIqot

Q/XBdetalH92qTMlRixNsK23w/MCDu9wC3nwMqqsoX4tmEUjuMTbRCpW4j7AZgZ1

YqOyA+8ehwEsiv2VR6F0

=jxhT

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3329-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 07, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2015-1333 CVE-2015-3212 CVE-2015-4692 CVE-2015-4700

CVE-2015-5364 CVE-2015-5366 CVE-2015-5697 CVE-2015-5706

CVE-2015-5707

 

Several vulnerabilities have been discovered in the Linux kernel

that may lead to a privilege escalation, denial of service or

information leak.

 

CVE-2015-1333

 

Colin Ian King discovered a flaw in the add_key function of the

Linux kernel's keyring subsystem. A local user can exploit this flaw

to cause a denial of service due to memory exhaustion.

 

CVE-2015-3212

 

Ji Jianwen of Red Hat Engineering discovered a flaw in the handling

of the SCTPs automatic handling of dynamic multi-homed connections.

A local attacker could use this flaw to cause a crash or potentially

for privilege escalation.

 

CVE-2015-4692

 

A NULL pointer dereference flaw was found in the

kvm_apic_has_events function in the KVM subsystem. A unprivileged

local user could exploit this flaw to crash the system kernel

resulting in denial of service.

 

CVE-2015-4700

 

Daniel Borkmann discovered a flaw in the Linux kernel implementation

of the Berkeley Packet Filter which can be used by a local user to

crash the system.

 

CVE-2015-5364

 

It was discovered that the Linux kernel does not properly handle

invalid UDP checksums. A remote attacker could exploit this flaw to

cause a denial of service using a flood of UDP packets with invalid

checksums.

 

CVE-2015-5366

 

It was discovered that the Linux kernel does not properly handle

invalid UDP checksums. A remote attacker can cause a denial of

service against applications that use epoll by injecting a single

packet with an invalid checksum.

 

CVE-2015-5697

 

A flaw was discovered in the md driver in the Linux kernel leading

to an information leak.

 

CVE-2015-5706

 

An user triggerable use-after-free vulnerability in path lookup in

the Linux kernel could potentially lead to privilege escalation.

 

CVE-2015-5707

 

An integer overflow in the SCSI generic driver in the Linux kernel

was discovered. A local user with write permission on a SCSI generic

device could potentially exploit this flaw for privilege escalation.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.2.68-1+deb7u3. CVE-2015-1333, CVE-2015-4692 and

CVE-2015-5706 do not affect the wheezy distribution.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.16.7-ckt11-1+deb8u3, except CVE-2015-5364 and CVE-2015-5366

which were fixed already in DSA-3313-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.1.3-1 or earlier versions.

 

We recommend that you upgrade your linux packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVxFhxAAoJEAVMuPMTQ89Ew5wQAJtibxM4B5zSP8svVyhcDOWy

bmBlyxP5ibxgtq+mh5jPO8R9W18LnZE7Bz6z0lGkOfwcmWbfsIPBLES3mHhwskZq

HK9r+h4rh82Ydn7OC3pKISayxCyWcHQ/9lCPQ5qsv3/ZZn9/G0hq+zYDubT6M7c9

QdppP0dg8+pF+8ZhWjy1Jpl3EY5IwdNojx6oXD4VyK7c8gZlpX2FGdaQ9Sc6v8Cm

0Nj5UJFSosrJqa8HEuV6XwrWmj27onIqjGsVuU9F8L2282uOZdA8fEe8u7mheeH1

n0cziRhkGVdmkdCHWrkZOHq3FrldRpMMUP7c4nLilmXECaJRiHmeXYJzYQTdebIB

9MkLT3qQI07c1LDTtugAiRMuuMOt9Y7P5o5adAtTfyKcfpy6pp7E8zhmKBAHFx90

hnjYIg/kM6Fd+Xmm18d1mQIVA8rRtI6sYfnpUPrsfhtLZibcHgyKTq9FiLBjZ70R

TLq8jFGs9mWEh+0C0z4/C8sOMrE9uDujy6kOaBzxfNRvlaXjr9DuusOwCjl+Ygqy

8ylhgJ70+31FQst8xsnkOBOUYdZ3yWJ2winjRLiMLmII/haWGGNdhZeVdwNMUAHY

0OdVcqUBxsHpXr6tHU9s1fMzhPHzD92ApaCOupTbxroRGgm6wxnXUPZAPYkMFNQa

4ouuRAK0QohqIRquuebC

=Ra/9

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3321-2 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

August 08, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : opensaml2

CVE ID : CVE-2015-0851

Debian Bug : 794851

 

It was discovered that opensaml2, a Security Assertion Markup Language

library, needed to be rebuilt against a fixed version of the xmltooling

package due to its use of macros vulnerable to CVE-2015-0851 as fixed in

the DSA 3321-1 update. For reference the original advisory text follows.

 

The InCommon Shibboleth Training team discovered that XMLTooling, a

C++ XML parsing library, did not properly handle an exception when

parsing well-formed but schema-invalid XML. This could allow remote

attackers to cause a denial of service (crash) via crafted XML data.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.4.3-4+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.5.3-2+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version $stretch_VERSION.

 

For the unstable distribution (sid), this problem has been fixed in

version $UNSTABLE_VERSION.

 

We recommend that you upgrade your opensaml2 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVxddYAAoJEK+lG9bN5XPLgl0P/jqYjaW7MRUFbyNzPgUqqOz5

OzA2dUrr4HpkoGl99EwROHdqhbRPZEmONxfwW3FSe1VpWar6gT2xkr7ovBuxFa6k

fX38CSeWIO4olpHDhPBKWcEMYlRptOzWXsEz5e3VPVOyUSxUhYPC/MY7WiLdenwZ

F7wmpOVhuGpy2DXneUHo2XT+pOmUaj8i2Lioc1qZVBMFpMqg2OkPCuxj0KbdGfNi

q0AyUJ6otqFSB2GeTIyVGXn9DBDel6XL4B97lWAN8MqFKM1x4wDYO17OMhXLiQ85

srjJcM9bq79zWmyYPC72/E3+iHODkR4e31YySFkXnGONgQ0zzg+4D2SGJHgwJpJk

jfPPXGdEeMwguo0jMQRxFeCMmoybjB8lKtIeKcq3ZVW4wIrKy1Qg6vnOlzfIsGfx

1i6FIb/dh17Yh+jvFFaYfM7Qv9tDuvTm3qAk+hyhktX6V3ddMZlWjAmsbToZZF5U

HUGDmKx7/3gnaCvPJZz5aGdlJ3jtKY1DW1yj91J0LGqOH+LrlrBg5J2bPVyB+Hq/

bSU4s4k4OSmo3cSoWrCEX4dpyfvjJrN15w77Li9gWA7HXI5Vty0Ser1+nJy4c0Nj

lcTcSAdqnzAwuwAlhbBrC/whNchJ5tU3huwbyDIzgaNlAGCVs2f4drrjC9XoCkKL

897k2igFbSLklsZSC/jY

=rakm

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3331-1 security@debian.org

https://www.debian.org/security/ Stefan Fritsch

August 10, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : subversion

CVE ID : CVE-2015-3184 CVE-2015-3187

 

Several security issues have been found in the server components of the

version control system subversion.

 

CVE-2015-3184

 

Subversion's mod_authz_svn does not properly restrict anonymous

access in some mixed anonymous/authenticated environments when

using Apache httpd 2.4. The result is that anonymous access may

be possible to files for which only authenticated access should

be possible. This issue does not affect the oldstable distribution

(wheezy) because it only contains Apache httpd 2.2.

 

 

CVE-2015-3187

 

Subversion servers, both httpd and svnserve, will reveal some

paths that should be hidden by path-based authz. When a node is

copied from an unreadable location to a readable location the

unreadable path may be revealed. This vulnerablity only reveals

the path, it does not reveal the contents of the path.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.6.17dfsg-4+deb7u10.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.8.10-6+deb8u1.

 

For the testing distribution (stretch), these problems will be fixed in

version 1.9.0-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.9.0-1.

 

We recommend that you upgrade your subversion packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIVAwUBVcjqIsaHXzVBzv3gAQgK6g/9EWrcngyRZb/uqdTQ0RgeNBnCrf4Dhb3I

pB0av6tArV7lYuAO3+cIj4/Q1tRrM/qNKZQyt2lSe+O3xptcxIFtVTc6ocPBk8Qg

oSoSDPwrBJ7VDWsV+fto+u8lCEK7/Lxwx3QeaPgs3nJmRK0snx5lwSXRSEfBoOiq

Z1GGXvKDm2+UjwTJTuVOt2xMLnss+TgoODheCaX7+rhP8Ot+Do3oB2PR9JJAHy28

VeJ4HxhB8Z8+rGVvauJK6XUAd5D+EczLoO9HHy6C/w6wSpZo4vZOsiVgqFzmv0gY

ij8vaqGbsuvIZXudHxiDxE0AuJLBqs0K9FdfjL/5FOA9AdMpGh0IP/+lUowloqnJ

Fz1bQPeKohik1kNzcPYlzmp5/czkdTNmTRYvzfRbVZJc7TNcyhfzsCAhAudcI9fU

aUfgZTIFH33En5qIpC/YixC2WQ4rRx862etFICERQWp+cuByQZ4ZT8k9w1kV9oNA

vjrjx10LAiaa7ZPYc9yHz8dsZ9Gviu1vzUzVjf8fIUTkUP+aev7dScXv45otpFcz

/tR8bN4FFcJasFN77J6Yv51IshycVgx7V7TWDJzXZTI61LU4oKMVAX/l43+T1fWE

84KpkQVrrXdtsU01KvyMnrb+4XhKnbOxk3a5/GocQ63xeZQ+QEnvrsbryV7ojwss

4FnzRKNizm8=

=4NJm

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3332-1 security@debian.org

https://www.debian.org/security/ Thijs Kinkhorst

August 11, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2015-2213 CVE-2015-5622 CVE-2015-5730 CVE-2015-5731

CVE-2015-5732 CVE-2015-5734

Debian Bug : 794548 794560

 

Several vulnerabilities have been fixed in Wordpress, the popular

blogging engine.

 

CVE-2015-2213

 

SQL Injection allowed a remote attacker to compromise the site.

 

CVE-2015-5622

 

The robustness of the shortcodes HTML tags filter has been

improved. The parsing is a bit more strict, which may affect

your installation. This is the corrected version of the patch

that needed to be reverted in DSA 3328-2.

 

CVE-2015-4730

 

A potential timing side-channel attack in widgets.

 

CVE-2015-5731

 

An attacker could lock a post that was being edited.

 

CVE-2015-5732

 

Cross site scripting in a widget title allows an attacker to

steal sensitive information.

 

CVE-2015-5734

 

Fix some broken links in the legacy theme preview.

 

The issues were discovered by Marc-Alexandre Montpas of Sucuri,

Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point,

Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.1+dfsg-1+deb8u4.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.2.4+dfsg-1.

 

We recommend that you upgrade your wordpress packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQEcBAEBCAAGBQJVylLuAAoJEFb2GnlAHawEYZcH+wYhmzviQqvT3UyFGW6YVg7R

Xw0usIm12p1/bOPO+ReBycnfhjebD6/xyJpKGtPFzKTvH7C7aUStRuL12OCOOgsJ

W6mP1N5mWH4+As9gTurLAyOogGvnyAzksjLboekAJ33bkEMdCSsmC/jSi44x677w

Pw10qmvA/rocKvsn1KCBCJKYr9rcrZ0S80rpE88309xxKOG+xL+5PvXQEs0FhzLk

uhcZXro2IMQ07/tiQVzcJTyZvYUjQ+UDPoUiDdtsfHz/d7HbO5iP3qkIa0y0cBSc

OdeleqZ7cV8QuMZSEHwkNYXZGmndJb3m+ooCf96kGcTZq5BqsUrXjXbzTFy9xlM=

=i7sr

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3333-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 12, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2015-4473 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480

CVE-2015-4484 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489

CVE-2015-4492 CVE-2015-4493

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser: Multiple memory safety errors,

integer overflows, buffer overflows, use-after-frees and other

implementation errors may lead to the execution of arbitrary code,

bypass of the same-origin policy or denial of service.

 

Debian follows the extended support releases (ESR) of Firefox. Support

for the 31.x series has ended, so starting with this update we're now

following the 38.x releases.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.2.0esr-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.2.0esr-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 38.2.0esr-1.

 

We recommend that you upgrade your iceweasel packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJVyx6lAAoJEBDCk7bDfE42gyIP/2KJIusPESkAk6LONEz5aXZz

Q4zyIIwlxux2g44iXRXZ/wStUW+0Q5B++S5DyXoczGYLfSoQ7Vsx7y2EEWxN/8kU

IR4/ZCeLbTvkeT97DgOQxpcRAnElz87NIanjcPg8syrXRIlAVeDe8mfRVNTCUCff

NBD2OOarA8kDvMqZE9J4/t3VmZwJx++O1DJfjOD9UEfda8Vm0or0+/xNVm79TV9m

fZfIsSnbUlTZvizrMIQ/cx6FQYWB8UrO5MLCEADFiyLrBh/kWyInMCkBoL2Cj2l9

x7ePsHTdVFNmoLXVtnjwwRwhfysOpQ3mpbw79Xcmd5ODgpeuywiWFhx/HgKKwBGY

BuWbZrmxj0k+DVN931eSiT0cYl2fsENK+x7Y+JZw4jCQupNBmfBjh+NnAbr2pIkG

wcuxPKJ51H0UVcmrRs7oxvyaVRNBFM+jk99WuQ5+2CQqvf+6kOMG/KGssX2+4Kpy

utt/lTkRpF82KwjdhVixncwgmZurLOVE+iBtBVTUwXdcfQXWWW5tPebD5/29KQ4G

3ZmF/jI3meVST6SX3hE0bt/2PYjkvFuXIvVgT+yXdkOr6XVWELivjiP0v/XmsNun

bSaXu3N9ZQiTKzT7JZ/WR8FHmbZr/4tn7nE+1NBuMhYqAPz2/7VSX3elKJoIGdnS

MSVHgssiBkMRn7KhXePD

=v2Mz

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3334-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 12, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gnutls28

CVE ID : not yet available

Debian Bug : 795068

 

Kurt Roeckx discovered that decoding a specific certificate with very

long DistinguishedName (DN) entries leads to double free. A remote

attacker can take advantage of this flaw by creating a specially crafted

certificate that, when processed by an application compiled against

GnuTLS, could cause the application to crash resulting in a denial of

service.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.3.8-6+deb8u2.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.3.17-1.

 

We recommend that you upgrade your gnutls28 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVy101AAoJEAVMuPMTQ89EfH4P/iSOwPmzlrfUTCdHJigU3YCs

yhabtdQ8NMihsrDWr6TftoK8WrY2vSOb3wKY/mTxqCd0B95nObilsTnSMknJYkuw

tADoaNgaStgIR7dv7WxAt9+2h4DvagPRwRLT3Dswxuf/z3Q8TS2FAe1zK9XYbSm/

swFTIYyLSw2YRGm8LqwD2AN634byvwDpTXqe5RGPIJjVQTx3MfF5wpCeU1zlH3LZ

BO9DrGFg8ffGWQ/TYateHmnICjuiW0fTWZeuzgjTgAfEI8gG1YVpcknTQxEU6UBa

6XSb8Tz3OseCb1bf4zzP0T4rQH81tdIA2ttFRNHOWFS3Skn42QQD2nWIAWObpZ7n

H/rWdOgZRDoe4M8MsBStDcwn4OHG/whRuF862Cj2sYo9kinc7kKVDmdjNQ/c/lB6

Cq7gR0Kih9epND6t7M9P38Ibq+dG3c2M72IqQIEL8jqw4XEfDKyK0vI7kJM812yd

9FUaQUPoGKscPMX25Q76ClE8Q8U1aJXmtSzBqY2np3ml0QSyRlNJ2NNLZ0+Z9xmI

xeked1VIvQnkE5GFauXx6HOxPqMz3BQ+Qdevf0SNWysUcvc4vMgjn1Mo3z6ukUjY

hcpc7DDi9HsEYQjrCKQpQdX9k4kawOXJI8KmECRKEujk7oFTsM3WAiHoEGYnDwxs

FDDj1OJMUvgD49ihbaoO

=j1MK

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3335-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : request-tracker4

CVE ID : CVE-2015-5475

 

It was discovered that Request Tracker, an extensible trouble-ticket

tracking system is susceptible to a cross-site scripting attack via the

user an group rights management pages (CVE-2015-5475) and via the

cryptography interface, allowing an attacker with a carefully-crafted

key to inject Javascript into RT's user interface. Installations which

use neither GnuPG nor S/MIME are unaffected by the second cross-site

scripting vulnerability.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 4.0.7-5+deb7u4. The oldstable distribution (wheezy) is only

affected by CVE-2015-5475.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.2.8-3+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.2.11-2.

 

We recommend that you upgrade your request-tracker4 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJVzJhOAAoJEAVMuPMTQ89Exc8P/3jiiaHi58Qd7XKfXtrhiZ9F

C151U/8ohyNmh1bPt2VaxJbKI+7/ILYqDzbuYNhrtDg8zgCcBN3O/kjpuJ7lEJo4

569osYurswsZTknZ3JND0BRazmkHUX4T4NFTMOB2DvsV/cpBy7tMvq4ZzHrMoned

If+NfyuU8FEJKpielUixulzNzowXGOEwsPp9RTEitRhzWnh5GjM92e+9fyFa4d94

Iy9yIMZkKhB3uxJWX52dxA8sqVzn6Q4Pz7IWbKrgccrEb3p7VYoJ72ehWI5sNR/J

FhRJhd09tn/kbl+c4BMG4awNZFLlRbGUsK6Dy0OWz5jdiUx4BF/7hyyJ6k3M/ZIT

wktinMGRPXcteOXt5VFPhCBkGSqnEUwejTUwwFpTcimQ9RPyMjvaYrmOiqVpRIMB

JaDhPVF9vXGvf6TwbLDio8TE1tdDvDupsf54jHYnJm6Xg/FuBJSn6Gu7A0FhWEsS

Viq5ROODuMbmyPdU3KVK9wEh3XLFyWr4HUvKFCInIA2fvc8X+i7Ysopfwm2AmgUl

LN0IYHsvoSTuvtAAUYzY9HaGXdJbRGZMNIje4jv66JqNNrWHr1aWgWXLQhjMZzF8

MNaRffl33jZQAA4Y2X1w0vou44PNxZjNhPp9MjnOkLpgy2CgiftO3jh2wv+kFWFu

VEgGCo6aTDpXbU/3nUL0

=Aes9

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3336-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 17, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : nss

CVE ID : CVE-2015-2721 CVE-2015-2730

 

Several vulnerabilities have been discovered in nss, the Mozilla Network

Security Service library. The Common Vulnerabilities and Exposures project

identifies the following problems:

 

CVE-2015-2721

 

Karthikeyan Bhargavan discovered that NSS incorrectly handles state

transitions for the TLS state machine. A man-in-the-middle attacker

could exploit this flaw to skip the ServerKeyExchange message and

remove the forward-secrecy property.

 

CVE-2015-2730

 

Watson Ladd discovered that NSS does not properly perform Elliptical

Curve Cryptography (ECC) multiplication, allowing a remote attacker

to potentially spoof ECDSA signatures.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2:3.14.5-1+deb7u5.

 

For the stable distribution (jessie), these problems have been fixed in

version 2:3.17.2-1.1+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 2:3.19.1-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2:3.19.1-1.

 

We recommend that you upgrade your nss packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJV0jEdAAoJEAVMuPMTQ89EbcoP/2lAa4LK7T2Bn199scnMF+qB

wUu3xnqCarNP2p9zGxmk5Hc4Gqdwh7uYMfxSYwFL71tSME78Hk3latLAlPm9Jjme

CkKulWaYBZmZtincdkXUcnhXWUeVj43CALUsZQ02zpXBQcLW4Brl8AvoDqFFx9ZH

aDBe4ETeQKKbm22RaLOvHY7jfLbKhB6h4xbgQ6qo7TOvth8TQTjsQNhaOfs7jkfv

yvBRp721cDbSfJIZexEOok9i7GU3W7UkLQEIAK+wdArlssR6qmZwWBPSF660Q27C

hPRC5N1grEgzPHCoB87C0sxJXC3qF1ti8P7TDyB2b4DdWO04GPb5xrOL73vZYzqH

/UH5YQpMX9dnmZogyZBjmCSFXqAgypdgUNwg1UHCMHhGCw/Qxb6T02ok0YIHvBeH

EIdyid4jAovvDQViSTpWhkTRjzGxPQcwckUzvi6iJ9ylT5cqEZKA9+3K8i64oJgZ

j/wGj5X06+DSG8gYzHZyjGFJ1d4yldDHOxmSVfA0ynoSiW9MPbVT+PYMbwNGDHmP

QNMZInUTxrO3haI84cA4AJYrLSJYNKL95Ps2WZJXR9pVm4WW8ceOAKSt8+06jeYL

5JlfSQcMugBmLDErnf0NfeBSDOvpS2XvWLpZeLFWvBsWz52armPLMYQ+x501wA5X

CgaRR9tJehVdcDG2c07j

=/Chx

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3325-2 security@debian.org

https://www.debian.org/security/ Stefan Fritsch

August 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : apache2

CVE ID : CVE-2015-3183 CVE-2015-3185

Debian Bug : 794383

 

The security update from DSA-3325-1 caused a regression for the

oldstable distribution (wheezy). In some configurations, apache2 would

fail to start with a spurious error message about the certificate chain.

This update fixes this problem. For reference, the text of the original

advisory follows:

 

 

Several vulnerabilities have been found in the Apache HTTPD server.

 

CVE-2015-3183

 

An HTTP request smuggling attack was possible due to a bug in

parsing of chunked requests. A malicious client could force the

server to misinterpret the request length, allowing cache poisoning

or credential hijacking if an intermediary proxy is in use.

 

CVE-2015-3185

 

A design error in the "ap_some_auth_required" function renders the

API unusuable in apache2 2.4.x. This could lead to modules using

this API to allow access when they should otherwise not do so.

The fix backports the new "ap_some_authn_required" API from 2.4.16.

This issue does not affect the oldstable distribution (wheezy).

 

 

In addition, the updated package for the oldstable distribution (wheezy)

removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits.

This limitation may potentially allow an attacker with very large

computing resources, like a nation-state, to break DH key exchange by

precomputation. The updated apache2 package also allows to configure

custom DH parameters. More information is contained in the

changelog.Debian.gz file.

These improvements were already present in the stable, testing, and

unstable distributions.

 

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.2.22-13+deb7u6.

 

The other distributions were not affected by the regression.

 

We recommend that you upgrade your apache2 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIVAwUBVdMXkMaHXzVBzv3gAQiHqw/8C0D7A3IyzFUpdCqkT9CWmRGxajuszUhI

DaV5xI8oWQrQuDYRTHVh5e4jJfPoutSt3sGqwSwny+e2elefhrwlX53R0ysK1hDk

JBklHjHFNOlJC+dekb5PHrbM+70Srvv0uKeP2Hx6L91L8Z3uvMLYxy4DXUlmpegz

08cl7tvx+oc4RunEejC2YhVs+zhm4pIwVajedpRn89uNKW1u5ZsoMNxGu+RyTmC1

C9+dO2p8xyKnrZrHrMyjuYCliURmskQwo+V44Q6WSvWfuSlazV9rVo8dG9CPDdTG

p+tJdb5uRh3fAaiBL4YYsR2cUzNje6Teu3KWYB+lRPpuEMibERFYCqKTXu3JoBmb

CEuui+mRq347cZoTQvH+fW+6dzC7vNpGaXacXdNB+WfR1C6LAFljYU9gYgHjNt1I

TDLB9u8CYKNxR7rubQZ7lSzli1vvMQvC9hGPHU6YLQbVrMzCb5S+9lSB1QUYCUXJ

9RJBwys73O7TurMGF7UWndOwfk3lugiavyS1+N50M8ESSZSiMOfUhjCMFOoTVz/5

/B7700omPBLpKjrf+UFjYQmx/WR1STVG7egaCk81xNy4Ezx0cDzhsaNjo1B6WT0p

R30zw+UrSKe+T6gyajslo10uKHWEh8AamJW1tqFhWEOOmk6fT8zMteWCxLYZ4b4X

m/4aYl1nORs=

=fY9Q

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3337-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gdk-pixbuf

CVE ID : CVE-2015-4491

 

Gustavo Grieco discovered a heap overflow in the processing of BMP images

which may result in the execution of arbitrary code if a malformed image

is opened.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.26.1-1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.31.1-2+deb8u2.

 

For the testing distribution (stretch), this problem has been fixed

in version 2.31.5-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.31.5-1.

 

We recommend that you upgrade your gdk-pixbuf packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBAgAGBQJV0zTdAAoJEBDCk7bDfE42zp8P/iflDoo1XfYo29Bgq7YDYs17

6WV9IO84Dl1WRt5YyL2EFDiUxO7p6PX5nGX0IWqM/3+uJwzyE9qwmgYj6up0MJhP

zSiljadEHble9DLgR0C/sHWwN9HR1yMw4tjuK/2RByXdTwhvNnIOLTfTJp8S1HJq

envBhDoX79jodw7ZlQCtSvG+SSK4JLz7uoLII0yUgriBdy05UmkLgwHnViYRHKGc

TAcZZqrcMMvdPyE72f+syBFMiB+6LZNmk+V8zjAbAd5EYnWc/eq/5NpJG0B4hv/4

wb26biO2Nc38adjYZfXSmq8z2wDhQrkra+4zVhQ5eCvqG/geXQ1gNS9RR3xFwPsN

R55e82eAX/Rg1mLHWNhzS6Ues5rfWUtUgHHz0AdHzvF+kGCyqA4WoPnPTBEtphnF

nKOSJQhfx7pwXaFURj3hvrfG7b1ATM/lFLL7MNe6bhHH9Bm+birGGvw5JexgJPD5

r2aGIvq/UYjTMs1pFQ9BnMJ2UCMnMEj3mRagyXwqTY6E/pY6V1aFfqoRonpVr0Cf

1tH16pJcBWHR+j70sI6s2BN0WT3UONDBWcsJ8daXGtPc+p/cQAoDioKcCQWSQwNg

6R4iIMMqVMtwghdwisTQa4uiwwCXH8NbdA49tRyIlXvlO0/suBFqY+k3RMxdpAex

2OQ/e2/gaPiquitk7246

=Ezva

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3338-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

August 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : python-django

CVE ID : CVE-2015-5963 CVE-2015-5964

 

Lin Hua Cheng discovered that a session could be created when anonymously

accessing the django.contrib.auth.views.logout view. This could allow

remote attackers to saturate the session store or cause other users'

session records to be evicted.

 

Additionally the contrib.sessions.backends.base.SessionBase.flush() and

cache_db.SessionStore.flush() methods have been modified to avoid

creating a new empty session as well.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.4.5-1+deb7u13.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.7.7-1+deb8u2.

 

For the unstable distribution (sid), these problems will be fixed

shortly.

 

We recommend that you upgrade your python-django packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJV03kkAAoJEK+lG9bN5XPLIJwP/3Pam6jrmKxI2zUJc8WJax6G

NMH/7y26b1+XeaKnNIGs5RduicuRXenAnD8dnCOWceYkw0iFrqABxo4rJM/TX8z2

u+B/XkFTZcm+EhXCKgKKA3UkeNL5i4RhuwUk4AaIX2cztuDRZLuEp6X2pc8ZUoM+

1XVRGdt1D6qQwgSqFCBepHNA0cD1kZXSNZsoOOIgUl09u5T0aBKZ2Nfqy0KStOlE

fiDab7oxw5M8HwwKPpgGEMwx6MrDsHbT3mhQxYln/WjwDXmfHn5EGBWGoru2RIKH

as1AMPMVJ+NSbxJfjeRCtuq+gfaBxkxT+0tPPF6+4AxUr7aYwEH0R99NPXPV2q14

FOfv1y8axaxnQS8YqyIxW8Gd7satHv7afQGnDSosu+98+rVE++GM7lJgouM95XhA

uo3PYSUcWC/Jj6QwF7Tw9hdl7MQnRQSQJLuoe2HOjyaYpFh8lFy7nJkp7uzzaw5f

jwbwOXOhUITa0omwjBVQAmTXh+QrrXc+LOm8POpE4Ox7BtyW27QjB0aPmrWCe4vJ

/DhBcMcf5EqiktcJmMOwlXKP45j+37DWdwxBsj6VTVfOa7xKUGvfnKkPBkbf18YL

2LdlgZ/5/C8QjZYsB6THfwCH/m+iOpXGMIK1dhkOkzEMEW1CdVgTw5MLAWK8K3Q+

uiHd2ChEyhJajj/3L4Gn

=y7rl

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3340-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

August 19, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : zendframework

CVE ID : CVE-2015-5161

 

Dawid Golunski discovered that when running under PHP-FPM in a threaded

environment, Zend Framework, a PHP framework, did not properly handle

XML data in multibyte encoding. This could be used by remote attackers

to perform an XML External Entity attack via crafted XML data.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.11.13-1.1+deb7u3.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.12.9+dfsg-2+deb8u3.

 

For the testing distribution (stretch), this problem has been fixed

in version 1.12.14+dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.12.14+dfsg-1.

 

We recommend that you upgrade your zendframework packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJV1PhuAAoJEK+lG9bN5XPLQjoP/07zcTekHwPyQi/BNw0wVwNt

WvglZIiPwd4pvBaxeUalKlJfvGpCbahLKivPzOiaDcD/dIMXLGqwHnKQRVOcPWH2

uMFnJx8XhO2bWHbaG3NzVBXc8EtV3YpWNo48BCpPGnNhywYm59hVsocZr96rti4g

0GR5Rr63tlYG3b5JMklfYLj7KBgMD77HIakZTb7Uo+5efL3N5PIveAZdpD5h/xPq

wR+84YSM3Zor4FTIYfT6IZv4LQPH76u9vpw/EMmHybQ06unx2TNKUHHn7XM344Lo

yxGq8vuAFkIl60S88T6MiiwjVmoSYElJh/fdpXMfbPJigrQDWl0wTScOuPxja5KJ

1u1JLYn/NlhIsnDk4aH5zQDmET5W11CSQD3TENGeDAgVX6eXq0Ro12G8XjBcNHvE

xewnkzJV9XtYj9dOfBShF1SZN/SxVkT1cPeZ/+w1lTMXDc9t0+nRxwqtAEAeUJ+U

c7ONekrgV48bxE+KcNRo2GTnfT9c9fsDHJdQrgo8rsUdfZHO88VzWSRTTmBLMFux

wpHwVQKs7qN0WrbXk3CdSKObXbgPfr0xQ1g3FWmcX+KENgrx9khTcRiE5mrG8+r+

fpEoupuJ7y+AR24gzZ8tyRwFpK4BJAZXh5j27lyBqoQ8quR+KER5wlNHq4y47eaI

gKvVg66bMaOScsAZg0VU

=Yn6b

-----END PGP SIGNATURE-----

Link to post
Share on other sites
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3341-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 20, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : conntrack

CVE ID : CVE-2015-6496

Debian Bug : 796103

 

It was discovered that in certain configurations, if the relevant

conntrack kernel module is not loaded, conntrackd will crash when

handling DCCP, SCTP or ICMPv6 packets.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1:1.2.1-1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 1:1.4.2-2+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:1.4.2-3.

 

We recommend that you upgrade your conntrack packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iQIcBAEBCgAGBQJV1b6tAAoJEAVMuPMTQ89E9acQAI9mJw2+XMAYv6o3b3LPoWEw

blxUTwWaoEB8JzMthDL4vw54GbfYaAecIQ2/3Q81TQVHn+CUw4q3lgKIgRg4MHd5

Zi5WGD8tUFc0OLzX34E7FkHzMLgNDt2x1GfVCNZYJ2cLvEu1xMJTRKl0UxCfSUGU

THHNEc6Ko9NgAtzJZgun2K3bxEpko61VuCNpoHW4ib4kGyeJ9aZE0E0CDh5s1CVm

F6qSvoI5KOm4molOStf7AQU9dAubTi6ZNc8YaKKlHon6/uCySsXt52nBDfcygAlf

HVK1lio+t5s0T24qzYjaJZxH6VqQ6dLLsc2YDdiBYuMkmylOgnAXlqW5kRjyrJEb

kX3JCgLxI/lbdw9XHwsUELDcEppSXkrhor97K1Kmv4ef5qTLEp1IHUMppmn609Jk

+P2sBlPco4+3fj/CSqhEdtnZADwKt/5ZuvEJr1J0ueZJvUrmuRi4v1tiwNUmnzlU

0Rwo0npZs0T/QarPtCtPgWutG2v8yS1XaOl5al8nqmE7+DtBql7Z22QbGYG9nD8t

tHPTPMy8o9mctyrJ8bR7f3dQBbYjQwB3WJSNnC+1ceiU2+f4L6FuWUFbkU8rum31

8WpfUUA519b6vh8/SoiZrMaOwNcGtw23BkIYXko3GoEF3Docnb2dfXLRosZCIoH/

IC2ZqmuMiY41a0obKSdj

=S6/f

-----END PGP SIGNATURE-----

Link to post
Share on other sites

×
×
  • Create New...