securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3342-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

August 20, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : vlc

CVE ID : CVE-2015-5949

 

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a

multimedia player and streamer, could dereference an arbitrary pointer

due to insufficient restrictions on a writable buffer. This could allow

remote attackers to execute arbitrary code via crafted 3GP files.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.2.0~rc2-2+deb8u1.

 

For the unstable distribution (sid), this problem will be fixed shortly.

 

We recommend that you upgrade your vlc packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org


securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3343-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 26, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : twig

 

James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier

discovered that twig, a templating engine for PHP, did not correctly

process its input. End users allowed to submit twig templates could

use specially crafted code to trigger remote code execution, even in

sandboxed templates.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.16.2-1+deb8u1.

 

For the testing (stretch) and unstable (sid) distributions, this

problem has been fixed in version 1.20.0-1.

 

We recommend that you upgrade your twig packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3344-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 27, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php5

CVE ID : CVE-2015-4598 CVE-2015-4643 CVE-2015-4644 CVE-2015-5589

CVE-2015-5590

 

Multiple vulnerabilities have been discovered in the PHP language:

 

CVE-2015-4598

 

thoger at redhat dot com discovered that paths containing a NUL

character were improperly handled, thus allowing an attacker to

manipulate unexpected files on the server.

 

CVE-2015-4643

 

Max Spelsberg discovered an integer overflow flaw leading to a

heap-based buffer overflow in PHP's FTP extension, when parsing

listings in FTP server responses. This could lead to a crash or

execution of arbitrary code.

 

CVE-2015-4644

 

A denial of service through a crash could be caused by a segfault

in the php_pgsql_meta_data function.

 

CVE-2015-5589

 

kwrnel at hotmail dot com discovered that PHP could crash when

processing an invalid phar file, thus leading to a denial of

service.

 

CVE-2015-5590

 

jared at enhancesoft dot com discovered a buffer overflow in the

phar_fix_filepath function, that could cause a crash or execution

of arbitrary code.

 

Additionally, several other vulnerabilities were fixed:

 

sean dot heelan at gmail dot com discovered a problem in the

unserialization of some items, that could lead to arbitrary code

execution.

 

stewie at mail dot ru discovered that the phar extension improperly

handled zip archives with relative paths, which would allow an

attacker to overwrite files outside of the destination directory.

 

taoguangchen at icloud dot com discovered several use-after-free

vulnerabilities that could lead to arbitrary code execution.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 5.4.44-0+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 5.6.12+dfsg-0+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 5.6.12+dfsg-1.

 

We recommend that you upgrade your php5 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3345-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 29, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2015-4497 CVE-2015-4498

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser. The Common Vulnerabilities and

Exposures project identifies the following problems:

 

CVE-2015-4497

 

Jean-Max Reymond and Ucha Gobejishvili discovered a use-after-free

vulnerability which occurs when resizing of a canvas element is

triggered in concert with style changes. A web page containing

malicious content can cause Iceweasel to crash, or potentially,

execute arbitrary code with the privileges of the user running

Iceweasel.

 

CVE-2015-4498

 

Bas Venis reported a flaw in the handling of add-ons installation. A

remote attacker can take advantage of this flaw to bypass the add-on

installation prompt and trick a user into installing an add-on from

a malicious source.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.2.1esr-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.2.1esr-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 38.2.1esr-1.

 

We recommend that you upgrade your iceweasel packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3346-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

August 31, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

CVE ID : CVE-2015-6658 CVE-2015-6659 CVE-2015-6660 CVE-2015-6661

CVE-2015-6665

 

Several vulnerabilities were discovered in Drupal, a content management

framework:

 

CVE-2015-6658

 

The form autocomplete functionality did not properly sanitize the

requested URL, allowing remote attackers to perform a cross-site

scripting attack.

 

CVE-2015-6659

 

The SQL comment filtering system could allow a user with elevated

permissions to inject malicious code in SQL comments.

 

CVE-2015-6660

 

The form API did not perform form token validation early enough,

allowing the file upload callbacks to be run with untrusted input.

This could allow remote attackers to upload files to the site under

another user's account.

 

CVE-2015-6661

 

Users without the "access content" permission could see the titles

of nodes that they do not have access to, if the nodes were added to

a menu on the site that the users have access to.

 

CVE-2015-6665

 

Remote attackers could perform a cross-site scripting attack by

invoking Drupal.ajax() on a whitelisted HTML element.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 7.14-2+deb7u11.

 

For the stable distribution (jessie), these problems have been fixed in

version 7.32-1+deb8u5.

 

For the testing distribution (stretch), these problems have been fixed

in version 7.39-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 7.39-1.

 

We recommend that you upgrade your drupal7 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3347-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

September 02, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pdns

CVE ID : CVE-2015-5230

 

Pyry Hakulinen and Ashish Shakla at Automattic discovered that pdns,

an authoritative DNS server, was incorrectly processing some DNS

packets; this would enable a remote attacker to trigger a DoS by

sending specially crafted packets causing the server to crash.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.4.1-4+deb8u3.

 

For the testing distribution (stretch) and unstable distribution

(sid), this problem has been fixed in version 3.4.6-1.

 

We recommend that you upgrade your pdns packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org


 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3349-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 02, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu-kvm

CVE ID : CVE-2015-5165 CVE-2015-5745

 

Several vulnerabilities were discovered in qemu-kvm, a full

virtualization solution on x86 hardware.

 

CVE-2015-5165

 

Donghai Zhu discovered that the QEMU model of the RTL8139 network

card did not sufficiently validate inputs in the C+ mode offload

emulation, allowing a malicious guest to read uninitialized memory

from the QEMU process's heap.

 

CVE-2015-5745

 

A buffer overflow vulnerability was discovered in the way QEMU

handles the virtio-serial device. A malicious guest could use this

flaw to mount a denial of service (QEMU process crash).

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6+deb7u9.

 

We recommend that you upgrade your qemu-kvm packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org


 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3348-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 02, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu

CVE ID : CVE-2015-3214 CVE-2015-5154 CVE-2015-5165 CVE-2015-5225

CVE-2015-5745

Debian Bug : 793811 794610 795087 795461 796465

 

Several vulnerabilities were discovered in qemu, a fast processor

emulator.

 

CVE-2015-3214

 

Matt Tait of Google's Project Zero security team discovered a flaw

in the QEMU i8254 PIT emulation. A privileged guest user in a guest

with QEMU PIT emulation enabled could potentially use this flaw to

execute arbitrary code on the host with the privileges of the

hosting QEMU process.

 

CVE-2015-5154

 

Kevin Wolf of Red Hat discovered a heap buffer overflow flaw in the

IDE subsystem in QEMU while processing certain ATAPI commands. A

privileged guest user in a guest with the CDROM drive enabled could

potentially use this flaw to execute arbitrary code on the host with

the privileges of the hosting QEMU process.

 

CVE-2015-5165

 

Donghai Zhu discovered that the QEMU model of the RTL8139 network

card did not sufficiently validate inputs in the C+ mode offload

emulation, allowing a malicious guest to read uninitialized memory

from the QEMU process's heap.

 

CVE-2015-5225

 

Mr Qinghao Tang from QIHU 360 Inc. and Mr Zuozhi from Alibaba Inc

discovered a buffer overflow flaw in the VNC display driver leading

to heap memory corruption. A privileged guest user could use this

flaw to mount a denial of service (QEMU process crash), or

potentially to execute arbitrary code on the host with the

privileges of the hosting QEMU process.

 

CVE-2015-5745

 

A buffer overflow vulnerability was discovered in the way QEMU

handles the virtio-serial device. A malicious guest could use this

flaw to mount a denial of service (QEMU process crash).

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6a+deb7u9. The oldstable distribution is only

affected by CVE-2015-5165 and CVE-2015-5745.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:2.1+dfsg-12+deb8u2.

 

For the unstable distribution (sid), these problems have been fixed in

version 1:2.4+dfsg-1a.

 

We recommend that you upgrade your qemu packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3350-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 02, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : bind9

CVE ID : CVE-2015-5722

 

Hanno Boeck discovered that incorrect validation of DNSSEC-signed records

in the Bind DNS server could result in denial of service.

 

Updates for the oldstable distribution (wheezy) will be released shortly.

 

For the stable distribution (jessie), this problem has been fixed in

version 9.9.5.dfsg-9+deb8u3.

 

For the unstable distribution (sid), this problem will be fixed soon.

 

We recommend that you upgrade your bind9 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3352-1 security@debian.org

https://www.debian.org/security/ Laszlo Boszormenyi (GCS)

September 04, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : screen

CVE ID : CVE-2015-6806

Debian Bug : 797624

 

A vulnerability was found in screen causing a stack overflow which

results in crashing the screen server process, resulting in denial

of service.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 4.1.0~20120320gitdb59704-7+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.2.1-3+deb8u1.

 

For the testing (stretch) and unstable (sid) distributions, this problem

has been fixed in version 4.3.1-2.

 

We recommend that you upgrade your screen packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3353-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 05, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openslp-dfsg

CVE ID : CVE-2015-5177

Debian Bug : 795429

 

Qinghao Tang of QIHU 360 discovered a double free flaw in OpenSLP, an

implementation of the IETF Service Location Protocol. This could allow

remote attackers to cause a denial of service (crash).

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.2.1-9+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.2.1-10+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.2.1-11.

 

We recommend that you upgrade your openslp-dfsg packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org


------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 8: 8.2 released press@debian.org

September 5th, 2015 https://www.debian.o...s/2015/20150905

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the second update of its

stable distribution Debian 8 (codename "jessie"). This update mainly

adds corrections for security problems to the stable release, along with

a few adjustments for serious problems. Security advisories were

published separately and are referenced where applicable.

 

Please note that this update does not constitute a new version of Debian

8 but only updates some of the packages included. There is no need to

throw away old "jessie" CDs or DVDs but only to update via an up-to-date

Debian mirror after an installation, to cause any out of date packages

to be updated.

 

Those who frequently install updates from security.debian.org won't have

to update many packages and most updates from security.debian.org are

included in this update.

 

New installation media and CD and DVD images containing updated packages

will be available soon at the regular locations.

 

Upgrading to this revision online is usually done by pointing the

aptitude (or apt) package tool (see the sources.list(5) manual page) to

one of Debian's many FTP or HTTP mirrors. A comprehensive list of

mirrors is available at:

 

https://www.debian.org/mirror/list

 

 

 

Miscellaneous Bugfixes

----------------------

 

This stable update adds a few important corrections to the following

packages:

 

+---------------------------+-----------------------------------------+

| Package | Reason |

+---------------------------+-----------------------------------------+

| akonadi [1] | Fix a bug that caused old files to be |

| | kept when they should be removed |

| | |

| apache2 [2] | Fix conffile logic for wheezy to jessie |

| | upgrades; fix -D[efined] or <Define>[d] |

| | variables lifetime across restarts; |

| | mpm_event: Fix process deadlock when |

| | shutting down a worker; mpm_event: Fix |

| | crashes due to various race conditions |

| | |

| apt [3] | Parse specific-arch dependencies |

| | correctly on single-arch systems; |

| | remove "first package seen is native |

| | package" assumption; fix endless loop |

| | in apt-get update that can cause all |

| | disk space to be used |

| | |

| bareos [4] | Fix backup corruption on multi-volume |

| | jobs; add autopkgtests |

| | |

| base-files [5] | Update for the point release |

| | |

| binutils-mingw-w64 [6] | Apply upstream fix to handle Visual |

| | Studio DLLs |

| | |

| bird [7] | Correctly migrate bird6.conf from bird6 |

| | package |

| | |

| cron [8] | Cron.service: Use KillMode=process to |

| | kill only the daemon, not running jobs |

| | |

| cross-gcc [9] | Require bash in rules.template makefile |

| | |

| dbus [10] | Fix a memory leak when |

| | GetConnectionCredentials is called; |

| | stop dbus-monitor replying to |

| | org.freedesktop.DBus.Peer messages, |

| | including those that another process |

| | should have replied to |

| | |

| debian-installer [11] | Add image for Seagate DockStar; add |

| | symlinks for OpenRD variants; append |

| | DTB for LaCie NAS devices that require |

| | it |

| | |

| debian-installer- | Set the menu icon text in the source |

| launcher [12] | package to read "Install Debian |

| | jessie" |

| | |

| debian-installer-netboot- | Rebuild against new debian-installer |

| images [13] | |

| | |

| designate [14] | Fix mDNS DoS through incorrect handling |

| | of large RecordSets [CVE-2015-5695] |

| | |

| dovecot [15] | Fix SSL/TLS handshake failures leading |

| | to a crash of the login process with |

| | newer versions of OpenSSL [CVE-2015- |

| | 3420]; fix mbox corruption issue |

| | |

| ejabberd [16] | Fix logging of nicknames in muc logs |

| | and parsing of "ldap_dn_filter" |

| | option; postinst: restart on upgrade; |

| | logrotate: don't signal a non-running |

| | daemon |

| | |

| flash-kernel [17] | Combine i.MX53 QSB and LOCO board |

| | entries, they are the same thing and |

| | the LOCO variant was missing DTB |

| | information, possibly causing issues |

| | during wheezy to jessie upgrades |

| | |

| fusiondirectory [18] | Access javascript libraries via a path |

| | relative to FusionDirectory's base path |

| | |

| glibc [19] | Fix pthread_mutex_trylock with lock |

| | elision; fix gprof entry point on |

| | ppc64el; fix a buffer overflow in |

| | getanswer_r [CVE-2015-1781] |

| | |

| glusterfs [20] | Stop creating UNIX domain sockets as |

| | FIFOs on NFS |

| | |

| gnome-terminal [21] | Open new tabs in working directory, |

| | rather than home directory |

| | |

| gnutls28 [22] | Fix a crash in VIA PadLock asm; fix |

| | GNUTLS-SA-2015-2, which allowed MD5 |

| | signatures (which are disabled by |

| | default) in the ServerKeyExchange |

| | message |

| | |

| gosa [23] | Fix idGenerator for patterns like |

| | {%sn[3-6}-{%givenName[3-6]}; enable |

| | CSV / LDIF import on (non-Debian-Edu) |

| | clean installations by default |

| | |

| groovy2 [24] | Fix remote execution of untrusted code |

| | and possible DoS vulnerability |

| | [CVE-2015-3253] |

| | |

| grub-installer [25] | Correctly propagate grub-installer/ |

| | force-efi-extra-removable to installed |

| | system |

| | |

| gtk+3.0 [26] | Fix several crashes |

| | |

| haproxy [27] | Fix a segfault when parsing a |

| | configuration file containing disabled |

| | proxy sections |

| | |

| how-can-i-help [28] | Use HTTPS to connect to UDD |

| | |

| kic [29] | configure: Do not add -L without |

| | argument to $LIBS |

| | |

| lame [30] | Enable functions with SSE instructions |

| | to maintain their own properly aligned |

| | stack. Fixes crashes when called from |

| | the ocaml bindings |

| | |

| libdatetime-timezone- | New upstream release |

| perl [31] | |

| | |

| libgee-0.8 [32] | Fix default value of --enable- |

| | consistency-check, otherwise a very |

| | expensive debug option is turned on by |

| | default and would make a lot of |

| | applications unusably slow |

| | |

| libio-socket-ssl- | Make PublicSuffix::_default_data thread |

| perl [33] | safe |

| | |

| libisocodes [34] | Fix GLib critical warning if the |

| | environment variable LANGUAGE is not |

| | set |

| | |

| libvirt [35] | Teach virt-aa-helper to use |

| | TEMPLATE.qemu if the domain is kvm or |

| | kqemu; fix crash on live migration; |

| | allow access to libnl-3 configuration; |

| | report original error when QMP probing |

| | fails with new QEMU |

| | |

| linux-ftpd-ssl [36] | Fix "NLST of empty directory results |

| | in segfault" |

| | |

| lynx-cur [37] | Use gnutls_set_default_priority() |

| | instead of a custom priority string, so |

| | fixing GNUTLS-SA-2015-2 in GnuTLS does |

| | not break SSL support in lynx |

| | |

| mesa [38] | Disable asynchronous DMA on radeonsi |

| | which can cause lockups |

| | |

| motif [39] | Disable fix for upstream bug #1565 |

| | which caused segfaults in ddd and xpdf |

| | |

| mozilla-gnome- | Restore compatibility with newer |

| keyring [40] | Iceweasel versions |

| | |

| nbd [41] | Fix authfile parsing |

| | |

| nss [42] | Fix certificate chain generation to |

| | prefer stronger/newer certificates over |

| | weaker/older certs |

| | |

| ocl-icd [43] | Fix "clSVMFree never called in OpenCL |

| | ICD" |

| | |

| pdf.js [44] | Drop xul-ext-pdf.js package since it's |

| | not compatible with iceweasel 38 |

| | |

| postgresql-9.1 [45] | New upstream release |

| | |

| postgresql-9.4 [46] | New upstream release |

| | |

| prosody [47] | Fix CNAME resolution |

| | |

| python-apt [48] | Work around a cyclic reference from |

| | Cache to its methods; LFS fixes; fix |

| | splitting of multi-lines Binary fields |

| | in dsc files; arch-qualify in |

| | compare_to_version_in_cache(); fix |

| | apt.Package.installed_files for multi- |

| | arch packages |

| | |

| python- | Fix S3token incorrect condition |

| keystoneclient [49] | expression for ssl_insecure [CVE-2015- |

| | 1852] |

| | |

| python- | Fix S3Token TLS cert verification |

| keystonemiddleware [50] | option not honored [CVE-2015-1852] |

| | |

| python-reportlab [51] | Correctly handle PNGs containing |

| | transparency |

| | |

| python-swiftclient [52] | Add missing dependency on python-pkg- |

| | resources |

| | |

| r-cran-rcurl [53] | Build-Depend on libcurl4-openssl-dev, |

| | fixing issues with PEM certificate |

| | bundles |

| | |

| rawtherapee [54] | Fix dcraw input sanitization errors |

| | [CVE-2015-3885] |

| | |

| requestpolicy [55] | Restore compatibility with newer |

| | Iceweasel versions |

| | |

| rsyslog [56] | Disable transactions in ompgsql as they |

| | were not working properly |

| | |

| ruby2.1 [57] | Fix Request hijacking vulnerability in |

| | Rubygems [CVE-2015-3900] |

| | |

| syslinux [58] | Fix booting on some Chromebooks |

| | |

| systemd [59] | Disable default DNS servers in systemd- |

| | resolve; use strictly versioned |

| | dependency on libsystemd-dev for the |

| | transitional dev packages; udev: |

| | Increase udev event timeout to 180s |

| | |

| tabmixplus [60] | Restore compatibility with newer |

| | Iceweasel versions |

| | |

| tcpdump [61] | Fix -Z confirmation log being sent to |

| | stdout, where it can get mixed with |

| | pcap stream data if '-w -' is used |

| | |

| torrus [62] | Revert broken patch refresh, thereby |

| | fixing rrdup_notify |

| | |

| tzdata [63] | New upstream release |

| | |

| ufraw [64] | Fix buffer overflow in ljpeg_start |

| | [CVE-2015-3885] |

| | |

| unattended-upgrades [65] | Make optional automatic-reboot work |

| | again; really fix adding of jessie- |

| | security |

| | |

| wesnoth-1.10 [66] | Disallow inclusion of .pbl files from |

| | WML [CVE-2015-5069, CVE-2015-5070] |

| | |

| xemacs21 [67] | Conflict against old transitional |

| | packages to make absolutely sure that |

| | they are removed before we try to |

| | upgrade; remove dependency from support |

| | to binary package since the binary |

| | package already has the equivalent |

| | dependency |

| | |

| xserver-xorg-video- | Don't pretend to support rotation |

| modesetting [68] | |

| | |

+---------------------------+-----------------------------------------+

 

1: https://packages.deb...org/src:akonadi

2: https://packages.deb...org/src:apache2

3: https://packages.debian.org/src:apt

4: https://packages.debian.org/src:bareos

5: https://packages.deb.../src:base-files

6: https://packages.deb...utils-mingw-w64

7: https://packages.debian.org/src:bird

8: https://packages.debian.org/src:cron

9: https://packages.deb...g/src:cross-gcc

10: https://packages.debian.org/src:dbus

11: https://packages.deb...ebian-installer

12: https://packages.deb...taller-launcher

13: https://packages.deb...-netboot-images

14: https://packages.deb...g/src:designate

15: https://packages.deb...org/src:dovecot

16: https://packages.deb...rg/src:ejabberd

17: https://packages.deb...rc:flash-kernel

18: https://packages.deb...fusiondirectory

19: https://packages.debian.org/src:glibc

20: https://packages.deb...g/src:glusterfs

21: https://packages.deb...:gnome-terminal

22: https://packages.deb...rg/src:gnutls28

23: https://packages.debian.org/src:gosa

24: https://packages.deb...org/src:groovy2

25: https://packages.deb...:grub-installer

26: https://packages.deb...org/src:gtk 3.0

27: https://packages.deb...org/src:haproxy

28: https://packages.deb...:how-can-i-help

29: https://packages.debian.org/src:kic

30: https://packages.debian.org/src:lame

31: https://packages.deb...e-timezone-perl

32: https://packages.deb.../src:libgee-0.8

33: https://packages.deb...socket-ssl-perl

34: https://packages.deb...src:libisocodes

35: https://packages.deb...org/src:libvirt

36: https://packages.deb...:linux-ftpd-ssl

37: https://packages.deb...rg/src:lynx-cur

38: https://packages.debian.org/src:mesa

39: https://packages.debian.org/src:motif

40: https://packages.deb...a-gnome-keyring

41: https://packages.debian.org/src:nbd

42: https://packages.debian.org/src:nss

43: https://packages.deb...org/src:ocl-icd

44: https://packages.debian.org/src:pdf.js

45: https://packages.deb...:postgresql-9.1

46: https://packages.deb...:postgresql-9.4

47: https://packages.deb...org/src:prosody

48: https://packages.deb.../src:python-apt

49: https://packages.deb...-keystoneclient

50: https://packages.deb...stonemiddleware

51: https://packages.deb...ython-reportlab

52: https://packages.deb...hon-swiftclient

53: https://packages.deb...rc:r-cran-rcurl

54: https://packages.deb...src:rawtherapee

55: https://packages.deb...c:requestpolicy

56: https://packages.deb...org/src:rsyslog

57: https://packages.deb...org/src:ruby2.1

58: https://packages.deb...rg/src:syslinux

59: https://packages.deb...org/src:systemd

60: https://packages.deb.../src:tabmixplus

61: https://packages.deb...org/src:tcpdump

62: https://packages.debian.org/src:torrus

63: https://packages.debian.org/src:tzdata

64: https://packages.debian.org/src:ufraw

65: https://packages.deb...tended-upgrades

66: https://packages.deb...rc:wesnoth-1.10

67: https://packages.deb...rg/src:xemacs21

68: https://packages.deb...deo-modesetting

 

Security Updates

----------------

 

This revision adds the following security updates to the stable release.

The Security Team has already released an advisory for each of these

updates:

 

+----------------+---------------------------+

| Advisory ID | Package |

+----------------+---------------------------+

| DSA-3260 [69] | iceweasel [70] |

| | |

| DSA-3276 [71] | symfony [72] |

| | |

| DSA-3277 [73] | wireshark [74] |

| | |

| DSA-3278 [75] | libapache-mod-jk [76] |

| | |

| DSA-3279 [77] | redis [78] |

| | |

| DSA-3282 [79] | strongswan [80] |

| | |

| DSA-3283 [81] | cups [82] |

| | |

| DSA-3284 [83] | qemu [84] |

| | |

| DSA-3286 [85] | xen [86] |

| | |

| DSA-3287 [87] | openssl [88] |

| | |

| DSA-3288 [89] | libav [90] |

| | |

| DSA-3289 [91] | p7zip [92] |

| | |

| DSA-3291 [93] | drupal7 [94] |

| | |

| DSA-3292 [95] | cinder [96] |

| | |

| DSA-3293 [97] | pyjwt [98] |

| | |

| DSA-3294 [99] | wireshark [100] |

| | |

| DSA-3295 [101] | cacti [102] |

| | |

| DSA-3296 [103] | libcrypto++ [104] |

| | |

| DSA-3297 [105] | unattended-upgrades [106] |

| | |

| DSA-3298 [107] | jackrabbit [108] |

| | |

| DSA-3299 [109] | stunnel4 [110] |

| | |

| DSA-3300 [111] | iceweasel [112] |

| | |

| DSA-3301 [113] | haproxy [114] |

| | |

| DSA-3302 [115] | libwmf [116] |

| | |

| DSA-3303 [117] | cups-filters [118] |

| | |

| DSA-3304 [119] | bind9 [120] |

| | |

| DSA-3305 [121] | python-django [122] |

| | |

| DSA-3306 [123] | pdns [124] |

| | |

| DSA-3307 [125] | pdns-recursor [126] |

| | |

| DSA-3308 [127] | mysql-5.5 [128] |

| | |

| DSA-3309 [129] | tidy [130] |

| | |

| DSA-3310 [131] | freexl [132] |

| | |

| DSA-3312 [133] | cacti [134] |

| | |

| DSA-3313 [135] | linux [136] |

| | |

| DSA-3315 [137] | chromium-browser [138] |

| | |

| DSA-3317 [139] | lxc [140] |

| | |

| DSA-3318 [141] | expat [142] |

| | |

| DSA-3319 [143] | bind9 [144] |

| | |

| DSA-3320 [145] | openafs [146] |

| | |

| DSA-3321 [147] | opensaml2 [148] |

| | |

| DSA-3321 [149] | xmltooling [150] |

| | |

| DSA-3322 [151] | ruby-rack [152] |

| | |

| DSA-3323 [153] | icu [154] |

| | |

| DSA-3325 [155] | apache2 [156] |

| | |

| DSA-3326 [157] | ghostscript [158] |

| | |

| DSA-3328 [159] | wordpress [160] |

| | |

| DSA-3329 [161] | linux [162] |

| | |

| DSA-3330 [163] | activemq [164] |

| | |

| DSA-3331 [165] | subversion [166] |

| | |

| DSA-3332 [167] | wordpress [168] |

| | |

| DSA-3333 [169] | iceweasel [170] |

| | |

| DSA-3334 [171] | gnutls28 [172] |

| | |

| DSA-3335 [173] | request-tracker4 [174] |

| | |

| DSA-3336 [175] | nss [176] |

| | |

| DSA-3337 [177] | gdk-pixbuf [178] |

| | |

| DSA-3338 [179] | python-django [180] |

| | |

| DSA-3340 [181] | zendframework [182] |

| | |

| DSA-3341 [183] | conntrack [184] |

| | |

| DSA-3342 [185] | vlc [186] |

| | |

| DSA-3343 [187] | twig [188] |

| | |

| DSA-3345 [189] | iceweasel [190] |

| | |

+----------------+---------------------------+

 

69: https://www.debian.o...y/2015/dsa-3260

70: https://packages.deb...g/src:iceweasel

71: https://www.debian.o...y/2015/dsa-3276

72: https://packages.deb...org/src:symfony

73: https://www.debian.o...y/2015/dsa-3277

74: https://packages.deb...g/src:wireshark

75: https://www.debian.o...y/2015/dsa-3278

76: https://packages.deb...ibapache-mod-jk

77: https://www.debian.o...y/2015/dsa-3279

78: https://packages.debian.org/src:redis

79: https://www.debian.o...y/2015/dsa-3282

80: https://packages.deb.../src:strongswan

81: https://www.debian.o...y/2015/dsa-3283

82: https://packages.debian.org/src:cups

83: https://www.debian.o...y/2015/dsa-3284

84: https://packages.debian.org/src:qemu

85: https://www.debian.o...y/2015/dsa-3286

86: https://packages.debian.org/src:xen

87: https://www.debian.o...y/2015/dsa-3287

88: https://packages.deb...org/src:openssl

89: https://www.debian.o...y/2015/dsa-3288

90: https://packages.debian.org/src:libav

91: https://www.debian.o...y/2015/dsa-3289

92: https://packages.debian.org/src:p7zip

93: https://www.debian.o...y/2015/dsa-3291

94: https://packages.deb...org/src:drupal7

95: https://www.debian.o...y/2015/dsa-3292

96: https://packages.debian.org/src:cinder

97: https://www.debian.o...y/2015/dsa-3293

98: https://packages.debian.org/src:pyjwt

99: https://www.debian.o...y/2015/dsa-3294

100: https://packages.deb...g/src:wireshark

101: https://www.debian.o...y/2015/dsa-3295

102: https://packages.debian.org/src:cacti

103: https://www.debian.o...y/2015/dsa-3296

104: https://packages.deb...src:libcrypto

105: https://www.debian.o...y/2015/dsa-3297

106: https://packages.deb...tended-upgrades

107: https://www.debian.o...y/2015/dsa-3298

108: https://packages.deb.../src:jackrabbit

109: https://www.debian.o...y/2015/dsa-3299

110: https://packages.deb...rg/src:stunnel4

111: https://www.debian.o...y/2015/dsa-3300

112: https://packages.deb...g/src:iceweasel

113: https://www.debian.o...y/2015/dsa-3301

114: https://packages.deb...org/src:haproxy

115: https://www.debian.o...y/2015/dsa-3302

116: https://packages.debian.org/src:libwmf

117: https://www.debian.o...y/2015/dsa-3303

118: https://packages.deb...rc:cups-filters

119: https://www.debian.o...y/2015/dsa-3304

120: https://packages.debian.org/src:bind9

121: https://www.debian.o...y/2015/dsa-3305

122: https://packages.deb...c:python-django

123: https://www.debian.o...y/2015/dsa-3306

124: https://packages.debian.org/src:pdns

125: https://www.debian.o...y/2015/dsa-3307

126: https://packages.deb...c:pdns-recursor

127: https://www.debian.o...y/2015/dsa-3308

128: https://packages.deb...g/src:mysql-5.5

129: https://www.debian.o...y/2015/dsa-3309

130: https://packages.debian.org/src:tidy

131: https://www.debian.o...y/2015/dsa-3310

132: https://packages.debian.org/src:freexl

133: https://www.debian.o...y/2015/dsa-3312

134: https://packages.debian.org/src:cacti

135: https://www.debian.o...y/2015/dsa-3313

136: https://packages.debian.org/src:linux

137: https://www.debian.o...y/2015/dsa-3315

138: https://packages.deb...hromium-browser

139: https://www.debian.o...y/2015/dsa-3317

140: https://packages.debian.org/src:lxc

141: https://www.debian.o...y/2015/dsa-3318

142: https://packages.debian.org/src:expat

143: https://www.debian.o...y/2015/dsa-3319

144: https://packages.debian.org/src:bind9

145: https://www.debian.o...y/2015/dsa-3320

146: https://packages.deb...org/src:openafs

147: https://www.debian.o...y/2015/dsa-3321

148: https://packages.deb...g/src:opensaml2

149: https://www.debian.o...y/2015/dsa-3321

150: https://packages.deb.../src:xmltooling

151: https://www.debian.o...y/2015/dsa-3322

152: https://packages.deb...g/src:ruby-rack

153: https://www.debian.o...y/2015/dsa-3323

154: https://packages.debian.org/src:icu

155: https://www.debian.o...y/2015/dsa-3325

156: https://packages.deb...org/src:apache2

157: https://www.debian.o...y/2015/dsa-3326

158: https://packages.deb...src:ghostscript

159: https://www.debian.o...y/2015/dsa-3328

160: https://packages.deb...g/src:wordpress

161: https://www.debian.o...y/2015/dsa-3329

162: https://packages.debian.org/src:linux

163: https://www.debian.o...y/2015/dsa-3330

164: https://packages.deb...rg/src:activemq

165: https://www.debian.o...y/2015/dsa-3331

166: https://packages.deb.../src:subversion

167: https://www.debian.o...y/2015/dsa-3332

168: https://packages.deb...g/src:wordpress

169: https://www.debian.o...y/2015/dsa-3333

170: https://packages.deb...g/src:iceweasel

171: https://www.debian.o...y/2015/dsa-3334

172: https://packages.deb...rg/src:gnutls28

173: https://www.debian.o...y/2015/dsa-3335

174: https://packages.deb...equest-tracker4

175: https://www.debian.o...y/2015/dsa-3336

176: https://packages.debian.org/src:nss

177: https://www.debian.o...y/2015/dsa-3337

178: https://packages.deb.../src:gdk-pixbuf

179: https://www.debian.o...y/2015/dsa-3338

180: https://packages.deb...c:python-django

181: https://www.debian.o...y/2015/dsa-3340

182: https://packages.deb...c:zendframework

183: https://www.debian.o...y/2015/dsa-3341

184: https://packages.deb...g/src:conntrack

185: https://www.debian.o...y/2015/dsa-3342

186: https://packages.debian.org/src:vlc

187: https://www.debian.o...y/2015/dsa-3343

188: https://packages.debian.org/src:twig

189: https://www.debian.o...y/2015/dsa-3345

190: https://packages.deb...g/src:iceweasel

 

Removed packages

----------------

 

The following packages were removed due to circumstances beyond our

control:

 

+----------------------------+-----------------------------------------+

| Package | Reason |

+----------------------------+-----------------------------------------+

| criu [191] | Fast-moving target, too difficult to |

| | keep updated |

| | |

| dactyl [192] | Incompatible with newer Iceweasel |

| | versions |

| | |

| fullscreen-extension [193] | Incompatible with newer Iceweasel |

| | versions |

| | |

| netty3.1 [194] | Dependency for non-present jetty |

| | |

| php-zend-xml [195] | Security issues; useless in Debian |

| | |

| rubyfilter [196] | Broken (empty) package |

| | |

+----------------------------+-----------------------------------------+

 

191: https://packages.debian.org/src:criu

192: https://packages.debian.org/src:dactyl

193: https://packages.deb...creen-extension

194: https://packages.deb...rg/src:netty3.1

195: https://packages.deb...rc:php-zend-xml

196: https://packages.deb.../src:rubyfilter

 

Debian Installer

----------------

 

URLs

----

 

The complete lists of packages that have changed with this revision:

 

http://ftp.debian.or...essie/ChangeLog

 

 

The current stable distribution:

 

http://ftp.debian.or...n/dists/stable/

 

 

Proposed updates to the stable distribution:

 

http://ftp.debian.or...roposed-updates

 

 

stable distribution information (release notes, errata etc.):

 

https://www.debian.o...eleases/stable/

 

 

Security announcements and information:

 

https://security.debian.org/ [197]

 

197: https://www.debian.org/security/

 

 

About Debian

------------

 

The Debian Project is an association of Free Software developers who

volunteer their time and effort in order to produce the completely free

operating system Debian.

 

 

Contact Information

-------------------

 

For further information, please visit the Debian web pages at

https://www.debian.org/, send mail to <press@debian.org>, or contact the

stable release team at <debian-release@lists.debian.org>.

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3355-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 10, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libvdpau

CVE ID : CVE-2015-5198 CVE-2015-5199 CVE-2015-5200

Debian Bug : 797895

 

Florian Weimer of Red Hat Product Security discovered that libvdpau, the

VDPAU wrapper library, did not properly validate environment variables,

allowing local attackers to gain additional privileges.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 0.4.1-7+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 0.8-3+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 1.1.1-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.1.1-1.

 

We recommend that you upgrade your libvdpau packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3356-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 12, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openldap

CVE ID : CVE-2015-6908

Debian Bug : 798622

 

Denis Andzakovic discovered that OpenLDAP, a free implementation of the

Lightweight Directory Access Protocol, does not properly handle BER

data. An unauthenticated remote attacker can use this flaw to cause a

denial of service (slapd daemon crash) via a specially crafted packet.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 2.4.31-2+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.4.40+dfsg-1+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.4.42+dfsg-2.

 

We recommend that you upgrade your openldap packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3357-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : vzctl

CVE ID : not yet available

 

It was discovered that vzctl, a set of control tools for the OpenVZ

server virtualisation solution, determined the storage layout of

containers based on the presence of an XML file inside the container.

An attacker with local root privileges in a simfs-based container

could gain control over ploop-based containers. Further information on

the prerequisites of such an attack can be found at

https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c

 

The oldstable distribution (wheezy) is not affected.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.8-1+deb8u2. During the update existing configurations are

automatically updated.

 

For the testing distribution (stretch), this problem has been fixed

in version 4.9.4-2.

 

For the unstable distribution (sid), this problem has been fixed in

version 4.9.4-2.

 

We recommend that you upgrade your vzctl packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3358-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php5

CVE ID : CVE-2015-6834 CVE-2015-6835 CVE-2015-6836 CVE-2015-6837

CVE-2015-6838

 

Several vulnerabilities were found in PHP, a general-purpose scripting

language commonly used for web application development.

 

The vulnerabilities are addressed by upgrading PHP to new upstream

versions (5.4.45 and 5.6.13), which include additional bug fixes. Please

refer to the upstream changelog for more information:

 

https://php.net/ChangeLog-5.php#5.4.45

https://php.net/ChangeLog-5.php#5.6.13

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 5.4.45-0+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 5.6.13+dfsg-0+deb8u1.

 

We recommend that you upgrade your php5 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3359-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : virtualbox

CVE ID : CVE-2015-2594

 

This update fixes an unspecified security issue in VirtualBox related to

guests using bridged networking via WiFi. Oracle no longer provides

information on specific security vulnerabilities in VirtualBox. To still

support users of the already released Debian releases we've decided to

update these to the respective 4.1.40 and 4.3.30 bugfix releases.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 4.1.40-dfsg-1+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.3.30-dfsg-1+deb8u1.

 

For the testing distribution (stretch), this problem has been fixed

in version 4.3.30-dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 4.3.30-dfsg-1.

 

We recommend that you upgrade your virtualbox packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3360-1 security@debian.org

https://www.debian.org/security/ Laszlo Boszormenyi (GCS)

September 15, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icu

CVE ID : CVE-2015-1270

Debian Bug : 798647

 

It was discovered that the International Components for Unicode (ICU)

library mishandles converter names starting with x-, which allows

remote attackers to cause a denial of service (read of uninitialized

memory) or possibly have unspecified other impact via a crafted file.

 

For the stable distribution (jessie), this problem has been fixed in

version 52.1-8+deb8u3.

 

For the testing distribution (stretch), this problem has been fixed

in version 55.1-5.

 

For the unstable distribution (sid), this problem has been fixed in

version 55.1-5.

 

We recommend that you upgrade your icu packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3362-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu-kvm

CVE ID : CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855

 

Several vulnerabilities were discovered in qemu-kvm, a full

virtualization solution on x86 hardware.

 

CVE-2015-5278

 

Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in

the NE2000 NIC emulation. A privileged guest user could use this

flaw to mount a denial of service (QEMU process crash).

 

CVE-2015-5279

 

Qinghao Tang of QIHU 360 Inc. discovered a heap buffer overflow flaw

in the NE2000 NIC emulation. A privileged guest user could use this

flaw to mount a denial of service (QEMU process crash), or

potentially to execute arbitrary code on the host with the

privileges of the hosting QEMU process.

 

CVE-2015-6815

 

Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in

the e1000 NIC emulation. A privileged guest user could use this flaw

to mount a denial of service (QEMU process crash).

 

CVE-2015-6855

 

Qinghao Tang of QIHU 360 Inc. discovered a flaw in the IDE

subsystem in QEMU occurring while executing IDE's

WIN_READ_NATIVE_MAX command to determine the maximum size of a

drive. A privileged guest user could use this flaw to mount a

denial of service (QEMU process crash).

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6+deb7u11.

 

We recommend that you upgrade your qemu-kvm packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3361-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu

CVE ID : CVE-2015-5278 CVE-2015-5279 CVE-2015-6815 CVE-2015-6855

Debian Bug : 798101 799073 799074

 

Several vulnerabilities were discovered in qemu, a fast processor

emulator.

 

CVE-2015-5278

 

Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in

the NE2000 NIC emulation. A privileged guest user could use this

flaw to mount a denial of service (QEMU process crash).

 

CVE-2015-5279

 

Qinghao Tang of QIHU 360 Inc. discovered a heap buffer overflow flaw

in the NE2000 NIC emulation. A privileged guest user could use this

flaw to mount a denial of service (QEMU process crash), or

potentially to execute arbitrary code on the host with the

privileges of the hosting QEMU process.

 

CVE-2015-6815

 

Qinghao Tang of QIHU 360 Inc. discovered an infinite loop issue in

the e1000 NIC emulation. A privileged guest user could use this flaw

to mount a denial of service (QEMU process crash).

 

CVE-2015-6855

 

Qinghao Tang of QIHU 360 Inc. discovered a flaw in the IDE

subsystem in QEMU occurring while executing IDE's

WIN_READ_NATIVE_MAX command to determine the maximum size of a

drive. A privileged guest user could use this flaw to mount a

denial of service (QEMU process crash).

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.1.2+dfsg-6a+deb7u11.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:2.1+dfsg-12+deb8u4.

 

For the testing distribution (stretch), these problems have been fixed

in version 1:2.4+dfsg-3 or earlier.

 

For the unstable distribution (sid), these problems have been fixed in

version 1:2.4+dfsg-3 or earlier.

 

We recommend that you upgrade your qemu packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3365-1 security@debian.org

https://www.debian.o... Moritz Muehlenhoff

September 23, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : iceweasel

CVE ID : CVE-2015-4500 CVE-2015-4506 CVE-2015-4509 CVE-2015-4511

CVE-2015-4517 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521

CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176

CVE-2015-7177 CVE-2015-7180

 

Multiple security issues have been found in Iceweasel, Debian's version

of the Mozilla Firefox web browser: Multiple memory safety errors,

integer overflows, buffer overflows, use-after-frees and other

implementation errors may lead to the execution of arbitrary code,

information disclosure or denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 38.3.0esr-1~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 38.3.0esr-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 38.3.0esr-1.

 

We recommend that you upgrade your iceweasel packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3366-1 security@debian.org

https://www.debian.o... Salvatore Bonaccorso

September 23, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rpcbind

CVE ID : CVE-2015-7236

Debian Bug : 799307

 

A remotely triggerable use-after-free vulnerability was found in

rpcbind, a server that converts RPC program numbers into universal

addresses. A remote attacker can take advantage of this flaw to mount a

denial of service (rpcbind crash).

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 0.2.0-8+deb7u1.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.2.1-6+deb8u1.

 

We recommend that you upgrade your rpcbind packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

  • 2 weeks later...
securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3370-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

October 06, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : freetype

CVE ID : CVE-2014-9745 CVE-2014-9746 CVE-2014-9747

Debian Bug : 798619 798620

 

It was discovered that FreeType did not properly handle some malformed

inputs. This could allow remote attackers to cause a denial of service

(crash) via crafted font files.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2.4.9-1.1+deb7u2.

 

For the stable distribution (jessie), these problems have been fixed in

version 2.5.2-3+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 2.6-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.6-1.

 

We recommend that you upgrade your freetype packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3369-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

October 06, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : zendframework

CVE ID : CVE-2015-5723

 

Multiple vulnerabilities were discovered in Zend Framework, a PHP

framework:

 

CVE-2015-5723

 

It was discovered that due to incorrect permissions masks when

creating directories, local attackers could potentially execute

arbitrary code or escalate privileges.

 

ZF2015-08 (no CVE assigned)

 

Chris Kings-Lynne discovered an SQL injection vector caused by

missing null byte filtering in the MS SQL PDO backend, and a similar

issue was also found in the SQLite backend.

 

For the oldstable distribution (wheezy), this problem has been fixed

in version 1.11.13-1.1+deb7u4.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.12.9+dfsg-2+deb8u4.

 

For the testing distribution (stretch), this problem has been fixed

in version 1.12.16+dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.12.16+dfsg-1.

 

We recommend that you upgrade your zendframework packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3371-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 09, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : spice

CVE ID : CVE-2015-5260 CVE-2015-5261

Debian Bug : 801089 801091

 

Frediano Ziglio of Red Hat discovered several vulnerabilities in spice,

a SPICE protocol client and server library. A malicious guest can

exploit these flaws to cause a denial of service (QEMU process crash),

execute arbitrary code on the host with the privileges of the hosting

QEMU process or read and write arbitrary memory locations on the host.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 0.11.0-1+deb7u2.

 

For the stable distribution (jessie), these problems have been fixed in

version 0.12.5-1+deb8u2.

 

For the unstable distribution (sid), these problems have been fixed in

version 0.12.5-1.3.

 

We recommend that you upgrade your spice packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3372-1 security@debian.org

https://www.debian.org/security/ Ben Hutchings

October 13, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2015-2925 CVE-2015-5257 CVE-2015-5283 CVE-2015-7613

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation, denial of service, unauthorised

information disclosure or unauthorised information modification.

 

CVE-2015-2925

 

Jann Horn discovered that when a subdirectory of a filesystem was

bind-mounted into a chroot or mount namespace, a user that should

be confined to that chroot or namespace could access the whole of

that filesystem if they had write permission on an ancestor of

the subdirectory. This is not a common configuration for wheezy,

and the issue has previously been fixed for jessie.

 

CVE-2015-5257

 

Moein Ghasemzadeh of Istuary Innovation Labs reported that a USB

device could cause a denial of service (crash) by imitating a

Whiteheat USB serial device but presenting a smaller number of

endpoints.

 

CVE-2015-5283

 

Marcelo Ricardo Leitner discovered that creating multiple SCTP

sockets at the same time could cause a denial of service (crash)

if the sctp module had not previously been loaded. This issue

only affects jessie.

 

CVE-2015-7613

 

Dmitry Vyukov discovered that System V IPC objects (message queues

and shared memory segments) were made accessible before their

ownership and other attributes were fully initialised. If a local

user can race against another user or service creating a new IPC

object, this may result in unauthorised information disclosure,

unauthorised information modification, denial of service and/or

privilege escalation.

 

A similar issue existed with System V semaphore arrays, but was

less severe because they were always cleared before being fully

initialised.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.2.68-1+deb7u5.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.16.7-ckt11-1+deb8u5.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.2.3-1 or earlier versions.

 

We recommend that you upgrade your linux packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3373-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 18, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : owncloud

CVE ID : CVE-2015-4716 CVE-2015-4717 CVE-2015-4718 CVE-2015-5953

CVE-2015-5954 CVE-2015-6500 CVE-2015-6670 CVE-2015-7699

Debian Bug : 800126

 

Multiple vulnerabilities were discovered in ownCloud, a cloud storage

web service for files, music, contacts, calendars and many more. These

flaws may lead to the execution of arbitrary code, authorization bypass,

information disclosure, cross-site scripting or denial of service.

 

For the stable distribution (jessie), these problems have been fixed in

version 7.0.4+dfsg-4~deb8u3.

 

For the testing distribution (stretch), these problems have been fixed

in version 7.0.10~dfsg-2 or earlier versions.

 

For the unstable distribution (sid), these problems have been fixed in

version 7.0.10~dfsg-2 or earlier versions.

 

We recommend that you upgrade your owncloud packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3375-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

October 19, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2015-5714 CVE-2015-5715

Debian Bug : 799140

 

Several vulnerabilities have been fixed in Wordpress, the popular

blogging engine.

 

CVE-2015-5714

 

A cross-site scripting vulnerability when processing shortcode tags

has been discovered.

 

The issue has been fixed by not allowing unclosed HTML elements in

attributes.

 

CVE-2015-5715

 

A vulnerability has been discovered, allowing users without proper

permissions to publish private posts and make them sticky.

 

The issue has been fixed in the XMLRPC code of Wordpress by not

allowing private posts to be sticky.

 

Other issue(s)

 

A cross-site scripting vulnerability in user list tables has been

discovered.

 

The issue has been fixed by URL-escaping email addresses in those

user lists.

 

For the oldstable distribution (wheezy), these problems will be fixed

in a later update.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.1+dfsg-1+deb8u5.

 

For the testing distribution (stretch), these problems have been fixed

in version 4.3.1+dfsg-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.3.1+dfsg-1.

 

We recommend that you upgrade your wordpress packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

 


-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3374-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 19, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-9.4

CVE ID : CVE-2015-5288 CVE-2015-5289

 

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL

database system.

 

CVE-2015-5288

 

Josh Kupershmidt discovered a vulnerability in the crypt() function

in the pgCrypto extension. Certain invalid salt arguments can cause

the server to crash or to disclose a few bytes of server memory.

 

CVE-2015-5289

 

Oskari Saarenmaa discovered that json or jsonb input values

constructed from arbitrary user input can crash the PostgreSQL

server and cause a denial of service.

 

For the stable distribution (jessie), these problems have been fixed in

version 9.4.5-0+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 9.4.5-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 9.4.5-1.

 

We recommend that you upgrade your postgresql-9.4 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3376-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

October 20, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2015-1303 CVE-2015-1304 CVE-2015-6755 CVE-2015-6756

CVE-2015-6757 CVE-2015-6758 CVE-2015-6759 CVE-2015-6760

CVE-2015-6761 CVE-2015-6762 CVE-2015-6763

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2015-1303

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy

in the DOM implementation.

 

CVE-2015-1304

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy

in the v8 javascript library.

 

CVE-2015-6755

 

Mariusz Mlynski discovered a way to bypass the Same Origin Policy

in blink/webkit.

 

CVE-2015-6756

 

A use-after-free issue was found in the pdfium library.

 

CVE-2015-6757

 

Collin Payne found a use-after-free issue in the ServiceWorker

implementation.

 

CVE-2015-6758

 

Atte Kettunen found an issue in the pdfium library.

 

CVE-2015-6759

 

Muneaki Nishimura discovered an information leak.

 

CVE-2015-6760

 

Ronald Crane discovered a logic error in the ANGLE library

involving lost device events.

 

CVE-2015-6761

 

Aki Helin and Khalil Zhani discovered a memory corruption issue in

the ffmpeg library.

 

CVE-2015-6762

 

Muneaki Nishimura discovered a way to bypass the Same Origin Policy

in the CSS implementation.

 

CVE-2015-6763

 

The chrome 46 development team found and fixed various issues

during internal auditing. Also multiple issues were fixed in

the v8 javascript library, version 4.6.85.23.

 

For the stable distribution (jessie), these problems have been fixed in

version 46.0.2490.71-1~deb8u1.

 

For the testing (stretch) and unstable (sid) distributions, these

problems have been fixed in version 46.0.2490.71-1.

 

We recommend that you upgrade your chromium-browser packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3378-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 24, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gdk-pixbuf

CVE ID : CVE-2015-7673 CVE-2015-7674

 

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit

for image loading and pixel buffer manipulation. The Common

Vulnerabilities and Exposures project identifies the following problems:

 

CVE-2015-7673

 

Gustavo Grieco discovered a heap overflow in the processing of TGA

images which may result in the execution of arbitrary code or denial

of service (process crash) if a malformed image is opened.

 

CVE-2015-7674

 

Gustavo Grieco discovered an integer overflow flaw in the processing

of GIF images which may result in the execution of arbitrary code or

denial of service (process crash) if a malformed image is opened.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 2.26.1-1+deb7u2.

 

For the stable distribution (jessie), these problems have been fixed in

version 2.31.1-2+deb8u3.

 

For the testing distribution (stretch), these problems have been fixed

in version 2.32.1-1 or earlier.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.32.1-1 or earlier.

 

We recommend that you upgrade your gdk-pixbuf packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3381-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

October 27, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openjdk-7

CVE ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806

CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843

CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872

CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893

CVE-2015-4903 CVE-2015-4911

 

Several vulnerabilities have been discovered in OpenJDK, an

implementation of the Oracle Java platform, resulting in the execution

of arbitrary code, breakouts of the Java sandbox, information disclosure,

or denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 7u85-2.6.1-6~deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 7u85-2.6.1-5~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 7u85-2.6.1-5.

 

We recommend that you upgrade your openjdk-7 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3382-1 security@debian.org

https://www.debian.org/security/ Thijs Kinkhorst

October 28, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : phpmyadmin

CVE ID : CVE-2014-8958 CVE-2014-9218 CVE-2015-2206 CVE-2015-3902

CVE-2015-3903 CVE-2015-6830 CVE-2015-7873

Debian Bug : 774194

 

Several issues have been fixed in phpMyAdmin, the web administration

tool for MySQL.

 

CVE-2014-8958 (Wheezy only)

 

Multiple cross-site scripting (XSS) vulnerabilities.

 

CVE-2014-9218 (Wheezy only)

 

Denial of service (resource consumption) via a long password.

 

CVE-2015-2206

 

Risk of BREACH attack due to reflected parameter.

 

CVE-2015-3902

 

XSRF/CSRF vulnerability in phpMyAdmin setup.

 

CVE-2015-3903 (Jessie only)

 

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

 

CVE-2015-6830 (Jessie only)

 

Vulnerability that allows bypassing the reCaptcha test.

 

CVE-2015-7873 (Jessie only)

 

Content spoofing vulnerability when redirecting user to an

external site.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 4:3.4.11.1-2+deb7u2.

 

For the stable distribution (jessie), these problems have been fixed in

version 4:4.2.12-2+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 4:4.5.1-1.

 

We recommend that you upgrade your phpmyadmin packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3332-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 29, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

Debian Bug : 803100

 

The patch applied for CVE-2015-5622 in DSA-3332-1 contained a faulty

hunk. This update corrects that problem. For reference, the relevant

part of the original advisory text follows.

 

Several vulnerabilities have been fixed in Wordpress, the popular

blogging engine.

 

CVE-2015-5622

 

The robustness of the shortcodes HTML tags filter has been

improved. The parsing is a bit more strict, which may affect

your installation. This is the corrected version of the patch

that needed to be reverted in DSA 3328-2.

 

For the stable distribution (jessie), this problem has been fixed in

version 4.1+dfsg-1+deb8u6.

 

We recommend that you upgrade your wordpress packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3383-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 29, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2015-2213 CVE-2015-5622 CVE-2015-5714 CVE-2015-5715

CVE-2015-5731 CVE-2015-5732 CVE-2015-5734 CVE-2015-7989

Debian Bug : 794560 799140

 

Several vulnerabilities were discovered in Wordpress, a web blogging

tool. The Common Vulnerabilities and Exposures project identifies the

following problems:

 

CVE-2015-2213

 

SQL Injection allowed a remote attacker to compromise the site.

 

CVE-2015-5622

 

The robustness of the shortcodes HTML tags filter has been improved.

The parsing is a bit more strict, which may affect your

installation.

 

CVE-2015-5714

 

A cross-site scripting vulnerability when processing shortcode tags.

 

CVE-2015-5715

 

A vulnerability has been discovered, allowing users without proper

permissions to publish private posts and make them sticky.

 

CVE-2015-5731

 

An attacker could lock a post that was being edited.

 

CVE-2015-5732

 

Cross-site scripting in a widget title allows an attacker to steal

sensitive information.

 

CVE-2015-5734

 

Fix some broken links in the legacy theme preview.

 

CVE-2015-7989

 

A cross-site scripting vulnerability in user list tables.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 3.6.1+dfsg-1~deb7u8.

 

For the stable distribution (jessie), these problems have been fixed

in version 4.1+dfsg-1+deb8u5 or earlier in DSA-3332-1 and DSA-3375-1.

 

For the testing distribution (stretch), these problems have been fixed

in version 4.3.1+dfsg-1 or earlier versions.

 

For the unstable distribution (sid), these problems have been fixed in

version 4.3.1+dfsg-1 or earlier versions.

 

We recommend that you upgrade your wordpress packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3384-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

October 29, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : virtualbox

CVE ID : CVE-2015-4813 CVE-2015-4896

 

Two vulnerabilities have been discovered in VirtualBox, an x86

virtualisation solution.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 4.1.42-dfsg-1+deb7u1.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.3.32-dfsg-1+deb8u2.

 

For the testing distribution (stretch), these problems have been fixed

in version 5.0.8-dfsg-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 5.0.8-dfsg-1.

 

We recommend that you upgrade your virtualbox packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3385-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 31, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mariadb-10.0

CVE ID : CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816

CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836

CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879

CVE-2015-4895 CVE-2015-4913

Debian Bug : 802874

 

Several issues have been discovered in the MariaDB database server. The

vulnerabilities are addressed by upgrading MariaDB to the new upstream

version 10.0.22. Please see the MariaDB 10.0 Release Notes for further

details:

 

https://mariadb.com/kb/en/mariadb/mariadb-10021-release-notes/

https://mariadb.com/kb/en/mariadb/mariadb-10022-release-notes/

 

For the stable distribution (jessie), these problems have been fixed in

version 10.0.22-0+deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 10.0.22-1 or earlier.

 

We recommend that you upgrade your mariadb-10.0 packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3386-1 security@debian.org

https://www.debian.org/security/ Laszlo Boszormenyi (GCS)

October 31, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : unzip

CVE ID : CVE-2015-7696 CVE-2015-7697

Debian Bug : 802160 802162

 

Two vulnerabilities have been found in unzip, a de-archiver for .zip

files. The Common Vulnerabilities and Exposures project identifies the

following problems:

 

CVE-2015-7696

 

Gustavo Grieco discovered that unzip incorrectly handled certain

password protected archives. If a user or automated system were

tricked into processing a specially crafted zip archive, an attacker

could possibly execute arbitrary code.

 

CVE-2015-7697

 

Gustavo Grieco discovered that unzip incorrectly handled certain

malformed archives. If a user or automated system were tricked into

processing a specially crafted zip archive, an attacker could

possibly cause unzip to hang, resulting in a denial of service.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 6.0-8+deb7u4.

 

For the stable distribution (jessie), these problems have been fixed in

version 6.0-16+deb8u1.

 

For the testing distribution (stretch), these problems have been fixed

in version 6.0-19.

 

For the unstable distribution (sid), these problems have been fixed in

version 6.0-19.

 

We recommend that you upgrade your unzip packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 


-----END PGP SIGNATURE-----

securitybreach
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3387-1 security@debian.org

https://www.debian.org/security/ Florian Weimer

November 01, 2015 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openafs

CVE ID : CVE-2015-7762 CVE-2015-7763

 

John Stumpo discovered that OpenAFS, a distributed file system, does

not fully initialize certain network packets before transmitting them.

This can lead to a disclosure of the plaintext of previously processed

packets.

 

For the oldstable distribution (wheezy), these problems have been fixed

in version 1.6.1-3+deb7u5.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.6.9-2+deb8u4.

 

For the testing distribution (stretch) and the unstable distribution

(sid), these problems have been fixed in version 1.6.15-1.

 

We recommend that you upgrade your openafs packages.

 

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

 

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.10 (GNU/Linux)

 


-----END PGP SIGNATURE-----
