[SECURITY] [DSA 3327-1] squid3 security update

[Salvatore Bonaccorso]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3327-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 03, 2015   https://www.debian.org/security/faq
- -

Package: squid3
CVE ID : CVE-2015-5400
Debian Bug : 793128

Alex Rousskov of The Measurement Factory discovered that Squid3, a fully
featured web proxy cache, does not correctly handle CONNECT method peer
responses when configured with cache_peer and operating on explicit
proxy traffic. This could allow remote clients to gain unrestricted
access through a gateway proxy to its backend proxy.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.1.20-2.2+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 3.4.8-6+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.6-1.

We recommend that you upgrade your squid3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJVv86kAAoJEAVMuPMTQ89EKdMP/3uVJrVDZAMdx7BNfQn9G+Pr
JkbXtWxwatbzvzErfWWEBBcom8muODusQ8z6qhjdArLwJ3UILdHpw1gYK7wn8HDR
F+/5VsvgclleVBfYPjvG24Uw7imWiD0Squfl2NVQDATdBv85gmQiiF8O0akSa0vc
VD30k/HbB4zc/OvmXiPV+vLNGbbpfWDbcLUuEjEHcEtK/VavVySvwfaDGAclwcJT
1L0Yy/c1grYcrdj5P/JmkSItB9x0+RLTwMfU4Q+dj7DAOKDSEgD/3umogb22S8rj
rn+JcIC7fxWZhQIZb/Q4+ZiePE27nk2hFICE1szkUtd55xSWt6rDtESuhWOkXBPG
NGL65xuQ35rai46X3jJ6XOLt22DORj4o/PpHrDk7ftInHfhPRxzL8rlV6xgfK+7M
Kxj1XOcUE+PyXe7vpzUb4XioO5e6EiJVpIUDLErMeccUFB3Dy6tHBiwkn7iXPu/b
jKt+gH8qVQgQKTgs2qI/ygnAYhU06ifnDRMfP06YaVHVjFE6h0zxYtvoMOjqFo5K
7jS95J+nQD5T6URFvFdeeFmetfNnUkb704e4pI0KXOypwq5MQUZJr56+DToDYDXj
760+sAsNZmB2jGZuzJEHdQRAB0wJxtLC7RiR84ZiYvmFhE2w1sSj3TnIhNPZI8t2
c1jHRhiJZT4Y8WfUl5l3
=ma/b
-END PGP SIGNATURE-

[SECURITY] [DSA 3328-1] wordpress security update

[Thijs Kinkhorst]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-3328-1   secur...@debian.org
https://www.debian.org/security/  Thijs Kinkhorst
August 04, 2015   https://www.debian.org/security/faq
- -

Package: wordpress
CVE ID : CVE-2015-3429 CVE-2015-5622 CVE-2015-5623
Debian Bug : 784603

Several vulnerabilities have been found in Wordpress, the popular
blogging engine.

CVE-2015-3429

The file example.html in the Genericicons icon font package and
twentyfifteen Wordpress theme allowed for cross site scripting.

CVE-2015-5622

The robustness of the shortcodes HTML tags filter has been
improved. The parsing is a bit more strict, which may affect
your installation.

CVE-2015-5623

A cross site scripting vulnerability allowed users with the
Contributor or Author role to elevate their privileges.

The oldstable distribution (wheezy) is only affected by CVE-2015-5622.
This less critical issue will be fixed at a later time.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.3+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCAAGBQJVwGDMAAoJEFb2GnlAHawEFsIH/RvaJbgXs3PFAKgpaPBk53+V
nBM/AZ3ismh8cwzrtdJFkrPu8UlpvODKS6I7fIiYYSc8/+zCg4iM9SoSr/HJuJ9Y
4bSEnQQq3k6JHxMt9CnZWi/lGvsrubEUuT9gVk8UjIm8dVNeqceuAzmpZSeD8IjB
GutG3zmt9JMZssX/2DRChEUymQwluBIEJEIbi4+7FLuaV7KB2epDR9vPTq+X4ieR
EiFOGpMjz3Gy1xRnh1f6kO59bnN3/655K4QIIf13DEQQ8peARkEu7j98Yoswfstl
BV0RbT3gDvxQSfxitNpIRtbLFOtl8D0c6zxQjyCLPYiSJ1wzQwyj0lMTC+tByzA=
=ELh1
-END PGP SIGNATURE-

Mozilla extensions: a security nightmare

[Stefan Kanthak]

Hi @ll,

Mozilla Thunderbird 38 and newer installs and activates per default
the 'Lightning' extension.

Since extensions live in the (Firefox and) Thunderbird profiles
(which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
(at least for Windows) with a DLL and some Javascript, Thunderbird
with 'Lightning' violates one of the mandatory and basic requirements
of the now 20 year old "Designed for Windows" guidelines and breaks a
security boundary: applications must be installed in %ProgramFiles%
where they are protected against tampering by unprivileged users (and
of course malware running in their user accounts too) since only
privileged users can write there.

Code installed in %APPDATA% (or any other user-writable location) is
but not protected against tampering.
This is a fundamental flaw of (not only) Mozilla's extensions, and a
security nightmare.

Separation of code from (user) data also allows to use whitelisting
(see  for
example) to secure Windows desktops and servers: users (and of course
Windows too) don't need to run code stored in their user profiles,
they only need to run the installed programs/applications, so unwanted
software including malware can easily be blocked from running.

JFTR: current software separates code from data in virtual memory and
  uses "write xor execute" or "data execution prevention" to
  prevent both tampering of code and execution of data.
  The same separation and protection can and of course needs to be
  applied to code and data stored in the file system too!

The Lightning extension for Windows but defeats the tamper protection
and code/data separation provided by Windows:

1. its calbasecomps.dll can be replaced or overwritten with an
   arbitrary DLL which DllMain() is executed every time this DLL is
   loaded;

2. its (XUL/chrome) Javascripts can be replaced or overwritten and
   used to load and call arbitrary DLLs via js-ctypes.

   Only non-XUL/chrome Javascript is less critical since its execution
   is confined by (Firefox and) Thunderbird and subject to the
   restrictions imposed by these programs for non-XUL/chrome Javascript.


Mitigation(s):
~~

Disable profile local installation of extensions in Mozilla products,
enable ONLY application global installation of extensions.

stay tuned
Stefan Kanthak

[SECURITY] [DSA 3328-2] wordpress regression update

[Thijs Kinkhorst]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-3328-2   secur...@debian.org
https://www.debian.org/security/  Thijs Kinkhorst
August 04, 2015   https://www.debian.org/security/faq
- -

Package: wordpress
CVE ID : CVE-2015-3429 CVE-2015-5622 CVE-2015-5623
Debian Bug : 784603

The security update for wordpress in DSA 3328 contained a regression.
The patch for issue CVE-2015-5622 was faulty. A new package version
has been released that backs this patch out pending resolution of
the problem.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u3.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBCAAGBQJVwNuMAAoJEFb2GnlAHawE0S8H/jLJaFxSgvfDKbCKALAEHBCu
oG7gJfmoDhkrI1jvoxR+W32A2iGEProZKKIsYJB/axnTr7xKMTgDOeYAEAcdvKVY
SYFUB2JdPxciJDlmSByhQp7+oZ3feAHmjm6M7Zd8YDjEJD1Eqc9kJQGU53fbd4mM
1GS+cUEJNh8x7B65l9THCbJUzja09Ue2uD3EZtLVwIoohOQYmTmqfuT6gbqEJADU
lKaD+6olTqNW3kfh0YsumTdRsTUph6vNb1SPf+RxX84nQN77zp7cxwFy7mh8gp/F
yATEdtR6T6GNoHTW5YIw+E+smUnn3UGOIgoEj74Wr3GUL5a6OHNF1a6K+qVlG6A=
=MQxl
-END PGP SIGNATURE-