[SECURITY] [DSA 4615-1] spamassassin security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4615-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2020 https://www.debian.org/security/faq - - Package: spamassassin CVE ID : CVE-2020-1930 CVE-2020-1931 Debian Bug : 950258 Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios. For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u3. For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u2. We recommend that you upgrade your spamassassin packages. For the detailed security status of spamassassin please refer to its security tracker page at: https://security-tracker.debian.org/tracker/spamassassin Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl4105NfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RZdQ//YC1bNKYMg+iNpCWvleaAOwtrXPvCC08wUbDb2GVcr14Hsj9/23mUiaN5 XnWSk4v7iT0ZAc9SNkeHx8Jasy7m6z581eFcQoorZTfZG63a0iLsOh5bsJ45OLKL OKu6jPtcNOZ12OtKVUCltbA375juyApSOQIiCn25jKA1wrcn0ATYEVpOC0Rr47rN dkW+YMGqTV169XRGRktUgD38UFODxsOw3fTMT/HVXSfawBOF1rnOgUUwo1prjRUB mjIHAmPKoej9trdQuLWxvmVzJ0tXRgnISy+evrktpceAIuRBbMPpklkVA0yk31dE egIhPyIQDDAs2MuKaK4L8uVZLcUfqtAiwW70phi8aNmDxz8IgTOGCQqLJKdfuUl+ x2ltBmyLkHZNTlW32PDqysVxjRfwxsWQ8yLetuXEYlnkc5CiVaPj5tSyGHBHQInX 5KTZNBtxCdPLDxwg7JdON5Me1cmmx+Ad1PiHHYUy4qSrmXGTakMKsAboUitmN3ws yBQIqiieqLjpI7aJEs+LfDO0KPuPOQd+rf9vNo5TiYLEfgmuu1wvs8kRUikQgneD uNy+fNpZjp3ZYNMUHP3NdciiFu+TQ0nXx/6XPjAN/t4F/DEePyqv2SULWbEGEEI+ EZobZBmW5BpVAI4FNzthEpQiZool+05TC8zWR/wfJJcbCEXW+nI= =1DOD -END PGP SIGNATURE-
[SECURITY] [DSA 4614-1] sudo security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4614-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2020 https://www.debian.org/security/faq - - Package: sudo CVE ID : CVE-2019-18634 Debian Bug : 950371 Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges. Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html . For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2. For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26. We recommend that you upgrade your sudo packages. For the detailed security status of sudo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sudo Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl41cVhfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QaKg//TnJPVomILAWCWCSHNUuzuH9c0tBli4KtTw+5QeFwcAeareJbleatZqJh CHi9WI8Dl7nnE0V1mKOgE1pXhrV1WJQrMHidocDo7Aejiyn4EU31HxHsAYv+RvqN E4nNRckP1PEoL9JpGHUMOI3O8mvB+2Nnds0ihy8P+WcZxlxVw+CQuK2omFBhdlwr pgdfBq3khgz5mBx5pzdxIrs9fgJA5Txr+LaOHm06ZL9cP1FTcBK31t1RllKy4bjK bg+igCLVTTqU/8Sydc65UM+rHgx4ljG7bCFWJ3GuRJeeXm1vavfjmCXh8x2ezd3K EsB+FxHDdGpKqwi4bFqWUjijOqaElqAAu/q+xZYzzXZSfIynB5YNfL8tVuq4fsL3 MQdUU/0fZZD5RJW5B2uxppVoHZ15IhG2kRqZK4unCzCcwmXdgKTM+eA6wEp0ib7o Ol3mAWIdUcYzDuKFZU1Ry+62Przm9NX0XXh86Hrigk1oEWcq0iusgGiPPgp4j0mF JjTXAU2fdR5abzLCxkMDKiv+2UnU93/V+4JBLrTijWal2zl9DwD0i+OQVK9ZNxW1 mgj+n7D5iyDNF9ptkP3/0hiL1ITHpWhcbEBAYaNFLD1kv3brNGMNsZzpIXVC6NU9 2KK/2DNyetqnZkmNOt0JQ+G0JFyfouauXi1qr0qCc8PK/f5mLBQ= =d97L -END PGP SIGNATURE-
[SECURITY] [DSA 4613-1] libidn2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4613-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2020 https://www.debian.org/security/faq - - Package: libidn2 CVE ID : CVE-2019-18224 Debian Bug : 942895 A heap-based buffer overflow vulnerability was discovered in the idn2_to_ascii_4i() function in libidn2, the GNU library for Internationalized Domain Names (IDNs), which could result in denial of service, or the execution of arbitrary code when processing a long domain string. For the stable distribution (buster), this problem has been fixed in version 2.0.5-1+deb10u1. We recommend that you upgrade your libidn2 packages. For the detailed security status of libidn2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libidn2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl40uPpfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0S/gw/9GW1HtnA4GMzDtDp5SMs8IvzKTzBuxwF+NfuO6TJAF1rZhkjylvhR24zm 24zclQQ/MUF3/j7wa8ududelVNCE69DejrG1a1cFZvHDru38EE5oPBhZUtsk9H6G Ohxo+Yu1WDD7tHVWqjK5A05W4m/e9wBH5S9HwuznDRJ2c2dniNmCaQG5AFo7Xbdh QgNKfqyveNSqV/hwns7QXsECg0Md+1sjP022kI7jy6g4oUis1vRS85ptYAZW9zZL 7A/xAMEfnXI4LP5c85axCfjPHcv43u1rC/h4c45siEuq0BttqcPDRDvNpceibxQj VtujfKWAVlTPWeLiEjzEzRXBdJLigJPZjCyDlT5lK8D/CUE/oLpoMAxEOFufk3wk vgHlD5nNVJMXEFL1vDo8RGoiNOBavO1pXuxCHZDEo5leOBI3YLoWm04AF5KWHdJB nDEfsO0rXix28yhmWhu2YfazbkINcxU0gKPOz6Le+vIy88/0EcrFATyyrpl9aEaj VX6PYZxJ6JtwUvwruEBWiciJV5KxR7HHUZ6eGd7HKcSYIUz889QjLApiuzhjieMp WbumsmAXpXKUq03ro/F7c6rH7rli/AP+HHytH2XL2mOzXAItT4kcThXXvxf1g6md sfeB2hLUKTdbujHzHU8vB1Wn2yVtCA7XiI2BGJRa/WG//zhkAT8= =aq9M -END PGP SIGNATURE-
[SECURITY] [DSA 4619-1] libxmlrpc3-java security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4619-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 06, 2020 https://www.debian.org/security/faq - - Package: libxmlrpc3-java CVE ID : CVE-2019-17570 Debian Bug : 949089 Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library. Note that a client that expects to get server-side exceptions need to set explicitly the enabledForExceptions property. For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1. For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1. We recommend that you upgrade your libxmlrpc3-java packages. For the detailed security status of libxmlrpc3-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxmlrpc3-java Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl48hNhfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TKMQ//VAIMT+y/PGlPLV5C2P82ZxHCNwKYwkPT7s9nI/jvqVH5CkL0kGjvW5Ng eFpZTW6hPMboDrUkSltRTawlYlwlMP1am8whOEL7EwZXYi5s3iixSZCI8lafDDT7 VyQ+ELFu0y5Y+WZtECvdZDLDVzWggCW+ZeQFK9WRFT32GrevAb/BFyDlHMGKREFq m9iQQ8D4+dPqOnF/RecCiohITV2++AECr8x4WzOHq/QCkYl/5PbQlZ9JGA1unDTC dt5wsjWLUGmwEW0Iy9h0AzlvuMfGnQ/5KkOu1ZfYwf2c5V7FXEg+Jj7M3ai+X+9f 6pcj+FyAUBD2dgS8psKSO4LbtGYDt826HZ/KxAp7W6gd5v1l3kEzKQsAsvQwaaxi X68AgwkXs94X1yiAAjAdAFc7js1aJr+1/aSzN0JP7jWX1SjWmLquEolKuOQF2pH2 enFo/TQixaLGrs3h5Oh41+a0i4kSBqxV1LiNMLaI9k8lOMlMaadJtkCF6umHh7SX bACOeVlVS25vnk/Bn9xgr5JyPTQdeR8VfZVgld2N5vOlfNIrRJcy/mqJfv5OmuG8 kTIsFP/ON/NMuyvDy6xfY3B+cVZzw9K2hmD41k6oRcaKjvYqWToDXZSaNT+wzHcc aqbVSHlL/jS7+1gRFsCX50p/JmtLGhlZtCF0FXhLamM7glyhLXk= =lpO+ -END PGP SIGNATURE-
[SECURITY] [DSA 4618-1] libexif security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4618-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 06, 2020 https://www.debian.org/security/faq - - Package: libexif CVE ID : CVE-2019-9278 Debian Bug : 945948 An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse EXIF files, which could result in denial of service, or potentially the execution of arbitrary code if specially crafted image files are processed. For the oldstable distribution (stretch), this problem has been fixed in version 0.6.21-2+deb9u1. For the stable distribution (buster), this problem has been fixed in version 0.6.21-5.1+deb10u1. We recommend that you upgrade your libexif packages. For the detailed security status of libexif please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libexif Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl48gb9fFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RaQQ/+Ks1VwBoS6ylCfSseCTvrq4bsq3QCPJXWZ6YV2TkFZOHc4D6l52KKFvlZ aenjHIC7HJ6XgasxeBq/RUnmLvF3h0wVh4Ej2RZPYqrZKv43coJmpYYyT9RiRpQt CDWNLhRcvOzFx0HiQrVR16KJxYMIPDmhDR8jbCC9dGAPgSX8CmGNUCkiNFbSAbEu iFjQmAyhaAPMp/8LIkAQ3vT1TqH4bxRqXkQdoi+UiD8DJS/KN9DX1AopPCsLTdGH Bry+hIgkbhuEqW1sLNcXTjFYmA3UQvfQrtV0O+i30z03W0Ae64QiIZxyd/vuBpJh yeZxMVjmKhtOdSnh111l9PN3R232lw+3I3RMzapcXh+uj3kBrKKdOtuPrEoZbNU9 6GuzsxRaeLGWwqldCYKfHrlIBdFboCgcxSadmTSK+27rLsd6kMbIRb3tAcN9QVWT LNwNjMnddYo9bMfKls1kxT2ExsV4Uo8gynp1pUJk4twmYqbn690vDGWXGXpkZqpQ dkLoBYJzOig/4KzxA/T7CQ+W8hRfvov50VqRrnIp909VXHKktABXfwvkPgOBRC7a vChKdUajFO0ktUhkWWvUlua8iIPKOStWXA+HP9+cb3Svi2zk6ZSodgA12l+/SviJ 2FE5b+hzkxX2y3+mSFATqeURtCkur/4yEOA+eqeXrRBTIQ3Mskg= =q4iv -END PGP SIGNATURE-
[SECURITY] [DSA 4624-1] evince security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4624-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 14, 2020 https://www.debian.org/security/faq - - Package: evince CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006 Debian Bug : 927820 Several vulnerabilities were discovered in evince, a simple multi-page document viewer. CVE-2017-1000159 Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames. CVE-2019-11459 Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files. CVE-2019-1010006 A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened. For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2. For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459. We recommend that you upgrade your evince packages. For the detailed security status of evince please refer to its security tracker page at: https://security-tracker.debian.org/tracker/evince Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl5HJltfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TDaRAAmBX8fGuGLGCkCa7bZSdnOknK+SbsWBDP+S9WrPI4I/RgScv42gNb3TtB JNxZBmD4pWkmHbADErn6/aPiJpaysZKBfHQQ7Qlib2nlGFvUWdww1IMhMFVvPs5I 9NgekbqI3C4/LylcpMs/ri9viMZoio1omovlB66t3mLSRmcEU9/bra9mA3iZ7wGB gW83jzoMXHbcrcyV4Fpv6yJrIE8huIZtooKzxkNReQiuqJo7DandByAEw1q3ivlj x3f6atTfni76yoUsoHQ23f4G9PgVnl3r2lit9bsE8PudUUjKMd/a4o4awahbvwbL v9Yq8ybq1SieoVE+MB2mNUa1KOTpCkkQki89ftLTxwbI5wksPw72Qpd7qewvIPJy RhBS7Ca3BFfMvSkAgyL3sVtCPT+KAS47At9gNpQ+4IqqEvWlAoVoXx/eXpxP2174 qo2s4TT9LTJRkBpDFwueWof0PBoOgubXtvSE9es4kFJXJITeOJtbArE8qTmQcOQy 8Ve4TZCbA3lvzBLxmKhetnFarSZm+6Fc+caINYh26WxG8aFKtG0nfRow6Y6tNMrK /l3KWU+nO18bezPt1yxVdfB1urnggMxRbP055CfR9JaTP5wYPF8FA/9h5UzzAAvC Y0EfdRXNbEkUZWY0iAUlKrgQyvXMZAP0r/OOkVKeoqFljWvaeQU= =yY0k -END PGP SIGNATURE-
[SECURITY] [DSA 2631-1] squid3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2630-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 24, 2013 http://www.debian.org/security/faq - - Package: squid3 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-5643 CVE-2013-0189 Debian Bug : 696187 Squid3, a fully featured Web proxy cache, is prone to a denial of service attack due to memory consumption caused by memory leaks in cachemgr.cgi: CVE-2012-5643 squid's cachemgr.cgi was vulnerable to excessive resource use. A remote attacker could exploit this flaw to perform a denial of service attack on the server and other hosted services. CVE-2013-0189 The original patch for CVE-2012-5643 was incomplete. A remote attacker still could exploit this flaw to perform a denial of service attack. For the stable distribution (squeeze), these problems have been fixed in version 3.1.6-1.2+squeeze3. For the testing distribution (wheezy), these problems have been fixed in version 3.1.20-2.1. For the unstable distribution (sid), these problems have been fixed in version 3.1.20-2.1. We recommend that you upgrade your squid3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlEp8EUACgkQXm3vHE4uylqX2ACfVzLUYmz1xSlRJUcshNB/W6zv KpIAoOVRw++ez+vx95H+dgN9vYG3he5p =OrsC -END PGP SIGNATURE-
[SECURITY] [DSA 2635-1] cfingerd security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2635-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 1, 2013 http://www.debian.org/security/faq - - Package: cfingerd Vulnerability : buffer overflow Problem type : remote Debian-specific: yes CVE ID : CVE-2013-1049 Debian Bug : 700098 Malcolm Scott discovered a remote-exploitable buffer overflow in the rfc1413 (ident) client of cfingerd, a configurable finger daemon. This vulnerability was introduced in a previously applied patch to the cfingerd package in 1.4.3-3. For the stable distribution (squeeze), this problem has been fixed in version 1.4.3-3+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 1.4.3-3.1. For the unstable distribution (sid), this problem has been fixed in version 1.4.3-3.1. We recommend that you upgrade your cfingerd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlEwkvcACgkQHYflSXNkfP9JrQCgn9OvGbuCNaeAhGvNXN1ixB8t pNMAn3DnIkSK+l7PT74quAXdschWlyRP =BouY -END PGP SIGNATURE-
[SECURITY] [DSA 2641-1] perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2641-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 09, 2013 http://www.debian.org/security/faq - - Package: perl Vulnerability : rehashing flaw Problem type : remote Debian-specific: no CVE ID : CVE-2013-1667 Debian Bug : 702296 Yves Orton discovered a flaw in the rehashing code of Perl. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Specifically an attacker could create a set of keys of a hash causing a denial of service via memory exhaustion. For the stable distribution (squeeze), this problem has been fixed in version 5.10.1-17squeeze6. For the testing distribution (wheezy), and the unstable distribution (sid), this problem has been fixed in version 5.14.2-19. We recommend that you upgrade your perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRO01lAAoJEFb2GnlAHawEoVAH/2g7orgxovXN2SRAwDsaw1pD MYIx/E9rPl+BEjEqlYOKC4SImJoB2+pIv4p913jvZnknMU8e1U8TBqPEXdl7f9Ko oXucxiv2LWSf67c1yV5BY7OIeIG9vsxfn1YuS0CmmxlyzBoxUSM+ZQ6SrHg9JRgc 1L5LOnAPF70u/dwlRIO8hy3kmXazvCcbNRc4FDPvk+pFXu1aiNwNGOC+LGou9JGA ZdSs7YqFlR/gBGKxI4oESZMj5XT/JnTqePyJX8oLQa5D+WRnj5C9v1oBeinjUCpz eUxz222nY/cOJOv6AoA/f3YBrf2k4Xh1IRfZZ8Dr1EhKgwkOk8V9PDuAmZ9ciC0= =T27A -END PGP SIGNATURE-
[SECURITY] [DSA 2640-1] zoneminder security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2640-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 14, 2013 http://www.debian.org/security/faq - - Package: zoneminder Vulnerability : several issues Problem type : remote Debian-specific: no CVE ID : CVE-2013-0232 CVE-2013-0332 Debian Bug : 698910 700912 Multiple vulnerabilities were discovered in zoneminder, a Linux video camera security and surveillance solution. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-0232 Brendan Coles discovered that zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user. CVE-2013-0332 zoneminder is prone to a local file inclusion vulnerability. Remote attackers could examine files on the system running zoneminder. For the stable distribution (squeeze), these problems have been fixed in version 1.24.2-8+squeeze1. For the testing distribution (wheezy), these problems have been fixed in version 1.25.0-4. For the unstable distribution (sid), these problems have been fixed in version 1.25.0-4. We recommend that you upgrade your zoneminder packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFCERAACgkQXm3vHE4uylqVCQCg0iXjoGGmBmhknkn2UMsTh+iF crcAnjC/D4FwozZkfPHdilBd+wen14t9 =638X -END PGP SIGNATURE-
[SECURITY] [DSA 2641-2] libapache2-mod-perl2 update related to DSA 2641-1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2641-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 20, 2013 http://www.debian.org/security/faq - - Package: libapache2-mod-perl2 Debian Bug : 702821 The security fix applied to the perl package due to CVE-2013-1667 introduced a test failure in libapache2-mod-perl2 source package specific to the rehash mechanism in Perl. See Debian Bug #702821 for details. This update fixes that problem. For reference, the original advisory text for perl follows. Yves Orton discovered a flaw in the rehashing code of Perl. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys. Specifically an attacker could create a set of keys of a hash causing a denial of service via memory exhaustion. For the stable distribution (squeeze), this problem has been fixed in version 2.0.4-7+squeeze1. For the testing distribution (wheezy) this problem has been fixed in version 2.0.7-3. For the unstable distribution (sid), this problem has been fixed in version 2.0.7-3. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFKCX8ACgkQXm3vHE4uylrc/ACeOQ2DHYjQKT1YE2o59Sml7CBf PJ4AoI4vtXgQCIjq1PYUXPNhEYp5Gfoe =H9kO -END PGP SIGNATURE-
[SECURITY] [DSA 2651-1] smokeping security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2651-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 20, 2013 http://www.debian.org/security/faq - - Package: smokeping Vulnerability : cross-site scripting vulnerability Problem type : remote Debian-specific: no CVE ID : CVE-2012-0790 Debian Bug : 659899 A cross-site scripting vulnerability was discovered in smokeping, a latency logging and graphing system. Input passed to the "displaymode" parameter was not properly sanitized. An attacker could use this flaw to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. For the stable distribution (squeeze), this problem has been fixed in version 2.3.6-5+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 2.6.7-1. For the unstable distribution (sid), this problem has been fixed in version 2.6.7-1. We recommend that you upgrade your smokeping packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFKNLQACgkQXm3vHE4uylq7CwCgye7/+ER5c0HpU2/5dOBdZuSm l4gAoKI6RrCumcP3rJDtlDO9mJmdYZUB =aqLM -END PGP SIGNATURE-
[SECURITY] [DSA 2656-1] bind9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2656-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 30, 2013 http://www.debian.org/security/faq - - Package: bind9 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-2266 Debian Bug : 704174 Matthew Horsfall of Dyn, Inc. discovered that BIND, a DNS server, is prone to a denial of service vulnerability. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash. For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze10. For the testing distribution (wheezy), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu1. For the unstable distribution (sid), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu1. We recommend that you upgrade your bind9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (GNU/Linux) iQEcBAEBCgAGBQJRVwfuAAoJEG3bU/KmdcClTN8H/RFFGZtUqsNOL2f1h37luA37 ue0ijzAQewC+BSYn6sGTYItmiPDMU5Ok5m6LdYI5U5f/+47FBUcIQJv569zI5IKt J7gKlsNXCAQfV0eYZu0FctfSMn23QoKBSBF7j5PTwW6RiP2PvcocRa/lvYmT2GIU K6F5/Gmfk8VQRyCbsy26T7J3d3PuKIKYV2LGTUvKhIJKPhokrm5nESBTrE/0nmW7 9I/PSqK35nTiLyCBZinY0G3xl6UhrlQxxqHCryrFVZQVkOn8pUR06tulkJsx6rHW k8GgPkPk5w0oPs5VEk9WfLLgFX+ukvGS+DWFZyIT7lMPvQ2ac8aGDjpm0bu6Ys8= =7ACF -END PGP SIGNATURE-
[SECURITY] [DSA 2654-1] libxslt security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2654-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 03, 2013 http://www.debian.org/security/faq - - Package: libxslt Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2012-6139 Debian Bug : 703933 Nicolas Gregoire discovered that libxslt, an XSLT processing runtime library, is prone to denial of service vulnerabilities via crafted xsl stylesheets. For the stable distribution (squeeze), this problem has been fixed in version 1.1.26-6+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 1.1.26-14.1. For the unstable distribution (sid), this problem has been fixed in version 1.1.26-14.1. We recommend that you upgrade your libxslt packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlFcqU8ACgkQYy49rUbZzlptIwCghnah1/6yrUqfvxoJYXCtYmCd DegAoJzXB7az2y4oFJeI2kndNmVwQXuy =Bdxn -END PGP SIGNATURE-
[SECURITY] [DSA 2659-1] libapache-mod-security security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2659-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 09, 2013 http://www.debian.org/security/faq - - Package: libapache-mod-security Vulnerability : XML external entity processing vulnerability Problem type : remote Debian-specific: no CVE ID : CVE-2013-1915 Debian Bug : 704625 Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML files parser of ModSecurity, an Apache module whose purpose is to tighten the Web application security, is vulnerable to XML external entities attacks. A specially-crafted XML file provided by a remote attacker, could lead to local file disclosure or excessive resources (CPU, memory) consumption when processed. This update introduces a SecXmlExternalEntity option which is 'Off' by default. This will disable the ability of libxml2 to load external entities. For the stable distribution (squeeze), this problem has been fixed in version 2.5.12-1+squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 2.6.6-6 of the modsecurity-apache package. For the unstable distribution (sid), this problem has been fixed in version 2.6.6-6 of the modsecurity-package package. We recommend that you upgrade your libapache-mod-security packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRZaYhAAoJEFb2GnlAHawEJcEH/jTa0h4YLeFM1Ethm17Xnspt krXt5vaRbuj1QauO/dPLpnSWDUDIESB3sdL/vxxUbRhFWIbGg2aQHreWFPxONBnk KzqYXefKhbMjJFRBTKZfv/9j0f2fHHy5xfvZjYPeISpCQVqfiD3bzETY0Z9mvq19 zbrgj9YXCIg6ZdnxF1Q3p0K3wx83uuUcFFk02PfYTtPO+hlzDjkNkq1vn2XKxlAc P1aWePly4Ii4DlFwnXaWGVzQiiosELd4aqQzZfqeRsSDbk+MBEwH9z/xyjrAsNOI s/Bvfk4Cxa0I6BqrIEqGcLPW0Gt3td9LdltGDSSD3SokpMUO7ANIrYHKHe+GKfA= =bgvz -END PGP SIGNATURE-
[SECURITY] [DSA 2662-1] xen security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2662-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 18, 2013 http://www.debian.org/security/faq - - Package: xen Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1917 CVE-2013-1919 Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1917 The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified. This can be used by malicious or buggy user space to cause the entire host to crash. CVE-2013-1919 Various IRQ related access control operations may not have the intended effect, potentially permitting a stub domain to grant its client domain access to an IRQ it doesn't have access to itself. This can be used by malicious or buggy stub domains kernels to mount a denial of service attack possibly affecting the whole system. For the stable distribution (squeeze), these problems have been fixed in version 4.0.1-5.9. For the testing distribution (wheezy) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your xen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRcAS2AAoJEL97/wQC1SS+Iv8H/jgF59tOvl0f5ybpS1nOjnim ISDrxnkODEyfDlA9org+o1M61gTPyU8bT0QvjjUfeVKh5y0FewmrVoFYdlE9slI2 Q4vOwf4paQd0D/VcQWVLnTRNoHALIFq/V3WXgpo7Fk7ffXZkjQgdOE7MviX8SfLh gvl6hobIuVeEiDMWROkESpim5UjxX5Xh6X4g9C1a3o82nCxKyv55/SWz4lpCqbxV CNyKt3Qo6IdbHkKVFSasYZhb1oPtiGAMuIFyOhmRXmpZRSyfomuJI4HJlUgs0rZ3 j4ki0LjETq3DfwY5eP2gDPaE2aPc5TgUJC9kmOtUviRFIAWjU0LFwN/y3hZVRVg= =7t1v -END PGP SIGNATURE-
[SECURITY] [DSA 2660-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2660-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 20, 2013 http://www.debian.org/security/faq - - Package: curl Vulnerability : exposure of sensitive information Problem type : remote Debian-specific: no CVE ID : CVE-2013-1944 Debian Bug : 705274 Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tailmatch function when matching domain names, it was possible that cookies set for a domain 'ample.com' could accidentally also be sent by libcurl when communicating with 'example.com'. Both curl the command line tool and applications using the libcurl library are vulnerable. For the stable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy2. For the unstable distribution (sid), this problem has been fixed in version 7.29.0-2.1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRcqt6AAoJEFb2GnlAHawEJsgH/RFAPpyxjMJs5IUbnaGBB17w p3sfg7uC92mYHvUcXb2tXLzJTJ7QBWZTbvo9Dnr0r72WU9AJCmOZ3FiSrU6hlLZG QommSJgi+614IjQV6IcYIs5MM4Ne/KNBAcz31ROr5xqRNLQo4N6cxBj9NKnsi1Ut f6xrQInVKp5WNx3qMGtxAKfVrCMcMRM0OTW+ASJI1r4smVSVdUBrJSkk0mg08jZG QQeAXtOOSbkahKpwcgGETgU+l1MTYkgjSZwwRtWJUbdPSeUrNl8SHM9Fa7h1c/j9 b/2odiynlhXYyOkj1PyPaNireEBsLOCY2xRZH27fZGh6AXFC07KS6Io4NYnDfJQ= =MBDd -END PGP SIGNATURE-
[SECURITY] [DSA 2664-1] stunnel4 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2664-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 2, 2013http://www.debian.org/security/faq - - Package: stunnel4 Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-1762 Debian Bug : 702267 Stunnel, a program designed to work as an universal SSL tunnel for network daemons, is prone to a buffer overflow vulnerability when using the Microsoft NT LAN Manager (NTLM) authentication ("protocolAuthentication = NTLM") together with the 'connect' protocol method ("protocol = connect"). With these prerequisites and using stunnel4 in SSL client mode ("client = yes") on a 64bit host, an attacker could possibly execute arbitrary code with the privileges of the stunnel process, if the attacker can either control the specified proxy server or perform man-in-the-middle attacks on the tcp session between stunnel and the proxy sever. Note that for the testing distribution (wheezy) and the unstable distribution (sid), stunnel4 is compiled with stack smashing protection enabled, which should help protect against arbitrary code execution. For the stable distribution (squeeze), this problem has been fixed in version 3:4.29-1+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 3:4.53-1.1. For the unstable distribution (sid), this problem has been fixed in version 3:4.53-1.1. We recommend that you upgrade your stunnel4 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJRgp6PAAoJEFb2GnlAHawE7DwIAJskgGuHuBXUqkRmOdhKQJC2 AfqPFpO/fBjyTvY4Cx/M0nUSOA/4kz0/gG12col4/rZxgitJqsfDTgNa9k2xohdO frWdlOIUmF6dbQKzx9nfcRQC5yTDgUPdEp2daLre6CtOm5rldoKktdTmznLe3/73 H6WbI+WZqjGgohQQwb2RdaPE4SsKmjIefXFajh71mmQgw5YvythhM0fgkGpgJT4A 6U+CCNweEk8VgEJwkHSjdKvUbeRb7c3aRi7GX18w6dFtCbHWNSkqBIBU9JHn5PlZ jflCaOg1G3W7yVyobJqNFxskv65wbMnurx5UoUjfnaRLXcwE26Da98jKDV/Toqg= =HwjK -END PGP SIGNATURE-
[SECURITY] [DSA 2666-1] xen security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2666-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 12, 2013 http://www.debian.org/security/faq - - Package: xen Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1918 CVE-2013-1952 CVE-2013-1964 Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1918 (XSA 45) Several long latency operations are not preemptible Some page table manipulation operations for PV guests were not made preemptible, allowing a malicious or buggy PV guest kernel to mount a denial of service attack affecting the whole system. CVE-2013-1952 (XSA 49) VT-d interrupt remapping source validation flaw for bridges Due to missing source validation on interrupt remapping table entries for MSI interrupts set up by bridge devices, a malicious domain with access to such a device, can mount a denial of service attack affecting the whole system. CVE-2013-1964 (XSA 50) grant table hypercall acquire/release imbalance When releasing a particular, non-transitive grant after doing a grant copy operation Xen incorrectly releases an unrelated grant reference, leading possibly to a crash of the host system. Furthermore information leakage or privilege escalation cannot be ruled out. For the oldstable distribution (squeeze), these problems have been fixed in version 4.0.1-5.11. For the stable distribution (wheezy), these problems have been fixed in version 4.1.4-3+deb7u1. For the testing distribution (jessie), these problems have been fixed in version 4.1.4-4. For the unstable distribution (sid), these problems have been fixed in version 4.1.4-4. Note that for the stable (wheezy), testing and unstable distribution, CVE-2013-1964 (XSA 50) was already fixed in version 4.1.4-3. We recommend that you upgrade your xen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlGPnpQACgkQXm3vHE4uylrs9ACfee38DGGOYWz4iDO2bw2IQicP yl0AoIQTH3e+MWQDUdmAT3OOIQb9EMLV =FOiN -END PGP SIGNATURE-
[SECURITY] [DSA 2702-1] telepathy-gabble security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2702-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 03, 2013 http://www.debian.org/security/faq - - Package: telepathy-gabble Vulnerability : TLS verification bypass Problem type : remote Debian-specific: no CVE ID : CVE-2013-1431 Maksim Otstavnov discovered that the Wocky submodule used by telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy framework, does not respect the tls-required flag on legacy Jabber servers. A network intermediary could use this vulnerability to bypass TLS verification and perform a man-in-the-middle attack. For the oldstable distribution (squeeze), this problem has been fixed in version 0.9.15-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 0.16.5-1+deb7u1. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 0.16.6-1. We recommend that you upgrade your telepathy-gabble packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRrN7oAAoJEHidbwV/2GP+w7UQAPdyY+3efgaylM7RFwzpI46R zoGZBdjOBNwjKMIKRC2T77R8UOk5IAHCxTTW0SPI4gfbAktIP+w9TTMd5KnpIyH3 7ATwATgEVbtaNdLLLlGd5mBy3GbJ/FbshJcpk8K5vKMGMgQDrzLO87N+zW4XwTda JuaRl0s9n7enFADtDNZggYX/2KFNft2t4FVHJFjN3kX64oeTJ+E77oeD2J+pt5+T Dv+MlL2+cmE0jNzKIEvRQ8fudNCeHlfkfAT24vxlHUnj/JXxl9jxtGFiFDurvc7j 5d18QvvJAL2MtcTxMqbdeiYW3Xf2aVKg/E+a9DfEqM6DHEKwNy8+rezvAuB4Evlv 6PTA5y8+L0ML2jgYGdyVYT9QKcLmbrXRJEB12x7qF/nDEi2Hem+I5lhwe9pxGAZV TVO99XWUZ4ynS8NSMCnGOlwBy7hQlTP/DHlAlSRv9M+rcjyAPNXZXXKQXsA1e8f6 K7xYlhzde1mjBjWL+qaaNyaBYpNsczjFwHs3BZVeWHzXtIp8UkRs8/Q1GUbE9q80 OyFgFMIViY4Th1Gasvf6Whnkf0oysm1DdIyor1lvDphnTRYFl+KVumaTYyTtyq19 reOK8uK4+R+809xa7uX3a0bZbTbPD3IAKfyf1ohUnUW+RgAKelMgCw1E2msfa/XT uUo0CA7JK1ajStmkolxg =nfk7 -END PGP SIGNATURE-
[SECURITY] [DSA 2703-1] subversion security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2703-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 09, 2013 http://www.debian.org/security/faq - - Package: subversion Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1968 CVE-2013-2112 Debian Bug : 711033 Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1968 Subversion repositories with the FSFS repository data store format can be corrupted by newline characters in filenames. A remote attacker with a malicious client could use this flaw to disrupt the service for other users using that repository. CVE-2013-2112 Subversion's svnserve server process may exit when an incoming TCP connection is closed early in the connection process. A remote attacker can cause svnserve to exit and thus deny service to users of the server. For the oldstable distribution (squeeze), these problems have been fixed in version 1.6.12dfsg-7. For the stable distribution (wheezy), these problems have been fixed in version 1.6.17dfsg-4+deb7u3. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your subversion packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRtB5GAAoJEHidbwV/2GP+I8UP/RuShUL3wDaLm8YTM2JlKCHy iaed1q3/kecWdYDRVc3JI6tudURQFvn5lrPKC2G62YUTEiZ4DnkOn8T+697XSxwN 6Mwie3+awcuhgOp54JQk+J4GnvV8GCky1uHVLmkzRy8C9dYTxwy2vPp1xo6na9VC 939MLCfqdYte+CHiQBrsVcTVKu91vPfCGaHpAZNNkAUkXzBFD5J24CIafiLyxAwI TeIh+ZNS1mRb90TXc2hYrWj4UIWGEnsi6MHHHrbOWAaZhMdthHhu39kp92mbWzVS JRYlkW/HtmKzLm/raTmMSPoorSmG4k2t6ZrNLSS4wAHunaayMCMyrPS24BoT87lX b+Lbx0VDTqo8rrBUyyClJE6DnHBN+8g7rcn8R8Q20nLVuSbn1uUVmcECvio31vh2 jfm3ATxCDG0W25IjIOxMlfEuah9H5CEWyDi06TOlfEyWe+UCAzzwKQa+fXK1gtwK S7pv0PInYh0YCtkfByUAiyfwGAMTU28LoNXigpAKk+18bdbHGTGBnFPk1rhyJbku UCttBXs3Fg/b7wy2vgb7253X9opQ/tuz85m8CwzVscviBV7PDKPSXJ4FP9+Rba8m 0/0jYdNSEcRvOFPy++PnvNoNG8x9Phl3y9oajOJF1rujN3FdW9jsiGsnXMOQjFSB TKPLcvqvqnW71dcw/pP8 =Tnvw -END PGP SIGNATURE-
[SECURITY] [DSA 2710-1] xml-security-c security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2710-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 18, 2013 http://www.debian.org/security/faq - - Package: xml-security-c Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-2153 CVE-2013-2154 CVE-2013-2155 CVE-2013-2156 James Forshaw from Context Information Security discovered several vulnerabilities in xml-security-c, an implementation of the XML Digital Security specification. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-2153 The implementation of XML digital signatures in the Santuario-C++ library is vulnerable to a spoofing issue allowing an attacker to reuse existing signatures with arbitrary content. CVE-2013-2154 A stack overflow, possibly leading to arbitrary code execution, exists in the processing of malformed XPointer expressions in the XML Signature Reference processing code. CVE-2013-2155 A bug in the processing of the output length of an HMAC-based XML Signature would cause a denial of service when processing specially chosen input. CVE-2013-2156 A heap overflow exists in the processing of the PrefixList attribute optionally used in conjunction with Exclusive Canonicalization, potentially allowing arbitary code execution. For the oldstable distribution (squeeze), these problems have been fixed in version 1.5.1-3+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.6.1-5+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.6.1-6. We recommend that you upgrade your xml-security-c packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRwHydAAoJEHidbwV/2GP+4yoP/Rnk79Cvk1G7JKQXvnwyaRWm rXg8dxNz2RihzscmdS5t7EdZem3Xp1vAdVzgXlQK9Ll8DbqtMXgvM3/CburBHtn5 2CXJyryJ5YtK9758JQLjjE5zS74AWMgEUFcu5zBjAC9BX5XWRVRa67yovi8xsync sDiQTsVPSe8IWJ1N2Le70qA/2Bmzf7E+EPYig8kEFa3dEb3+KJ2d2e/mJbexv0CJ FNZTVyHRD2Q/kiB74IUyUBuuyw1gMAj+tdEmucdMgzAU6dBvoP+p5/uLXWoeTez6 X0TJqglbMPSod1LQrMdd4kzo5LZ8P1EjS2S7I6oq5n4kUcw4WLrSmxCDMXci52um WwFk8r4LdnXYDaBeuNtO0Z0TeJ3YaFuoOMzZadVgqqU7TX6DzOYC1q+dj0TxYXjD 2Fxu8/18mU9qO4oADVkk/OpsLday4br+HOvzAJXfySh65sLP39PyYeDMZp+BAJ4S Z2enVfaVz7p/oBardDElD5E1qiLo+tC8meFwJ7yJhwJuzOh9qYDjCa0dXD1ZcYso vqAxnnW4RTerY4dpvsFuZCcKcDzfh3Pf4M2MkBiJ8ZHw6t1BAjOPb7XcSYzmmoEu s2L+yhZrxd5iDjMZ1SwOhds5k/rg7sIibi0HZgtjmm/CRxLhMDDl6iqJEHv7jB/x /6laY6ryAuw5RTWhC6Ae =jPyl -END PGP SIGNATURE-
[SECURITY] [DSA 2713-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2713-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 24, 2013 http://www.debian.org/security/faq - - Package: curl Vulnerability : heap overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-2174 Timo Sirainen discovered that cURL, an URL transfer library, is prone to a heap overflow vulnerability due to bad checking of the input data in the curl_easy_unescape function. The curl command line tool is not affected by this problem as it doesn't use the curl_easy_unescape function. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze4. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy3. For the unstable distribution (sid), this problem has been fixed in version 7.31.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRyLSvAAoJEHidbwV/2GP+ix8P/jeD+HKIwcp/PMb1EYk7ftlL Y0aNTYugxBdQNo7CAAS0/7EbW4u5QeKp0a+583KcmFbWDXdAxW6oktcuYbyoLJzU nunpACCKqiviRLeXHRp6Sw8JVBvqbPM/FsqxfV74edqegENTW4TBqn7rkQEy9DAN GQ8vwzHBY4CvlndUOnIKeyWdIW6yu/fVjjCDtn6rNVw4WLYj4JbQuss/1trHd0gr iQNefWsCK+YHpEz2XAnt1BuCvuDGjGR/iIaUJiO2X4+XxOjdQnXkkdCdX71wnNxc ppr7duxSakLKMf/i/DB5aNZSAFXvK3lp9SSY/r8CHNaa39JNk7o1uyMnyv+8iJKD Rq8iyh9t2uht4N7xzwy+N4xCIKEiLtCftSRtxeGOMgx1rY++Wo/68T8XZPcOuYDF eMoEx1v6+ZKi8e/cakgUZ86QGWCs2KbTkYV5hTIIBc0rqJQPkRmOlcIM9/yD7Sz4 fMw4X2HQZA+pG+yh/YemedeMa4xA9TdYBMgKqkly3nsfFDHSQALIOsxcvpxZDGds RaEta1Mv9Xly/3H2Oef1SRUXergQexFONAZqvmus/WtgyxUwncCnCsKDGRScRzT2 YD7y/nf8ZysTZGuVszdbcD5wkHWY3nNy4Y1mSXIOGnbJtZj1Zbh18zMQ4phX1m9i JrVF5sEb2x+jznGeZNzm =3QpJ -END PGP SIGNATURE-
[SECURITY] [DSA 2717-1] xml-security-c security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2717-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 28, 2013 http://www.debian.org/security/faq - - Package: xml-security-c Vulnerability : heap overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-2210 Debian Bug : 714241 Jon Erickson of iSIGHT Partners Labs discovered a heap overflow in xml-security-c, an implementation of the XML Digital Security specification. The fix to address CVE-2013-2154 introduced the possibility of a heap overflow in the processing of malformed XPointer expressions in the XML Signature Reference processing code, possibly leading to arbitrary code execution. For the oldstable distribution (squeeze), this problem has been fixed in version 1.5.1-3+squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 1.6.1-5+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.6.1-7. We recommend that you upgrade your xml-security-c packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJRzaDrAAoJEHidbwV/2GP+ypYQAKE0uiu5ldrC60pukEYiU1d8 epTenJbhaYhzb2FxKETjMtLI+46nooId6ptCCWXwwVZ1PfhaaTO6CJkPuk9MJTZa K8Du0hfa8aNp6Ahp+3/zEEnnwvRVW2EoFB7BHXc1DOY+fmGuSoL1Yty5jwAiOJd3 NjcuJMWcJk8TtYEYH3JsNQiJVliR67YlxgYKnpFKfCtJu/NeVxgFZymz6u6bkeVU 19XZW+xOypFGPi0H3w5sZEd5OZIo7lhettUHg1IJOAVulX3f7Ad1cxOhtns2HJoq 3qpcKm9iMr5aQ0c1qKFWhdiMecrxBd7TOjsPJ1lBpm6j5mT0uKgfTq/oPvh6jLHN bnhBdV65wkhb13umgGLwxoHDdk0Gd1prTy9i3lAnJrXCptZ3Ye4vIjNfOk7DMnV4 iy4fj+Maky5U1EzdOcst0NkMkk/Nx71QVdwDd5D/6pMVogNDpYm9jHrjkkhrH2Hq vZ3ja9SnRL8qXK7zPWZ3Ub2CjcJLxtN9p0tK4M9U/4DalIZry0gAASiy3887FS2h Z9Y1TN8Sga3LMKL2FzYzERlt0wsHpilDqVUcPxBk7p5pA65TjRHIxK9fxoFwownD yPU+nb70th8vyU9jJH/+sidPau07Zk1sqxS79Ndf1z9YD1/KyMU7lOIkVXH4KNO4 Fa+JknxCcr25IQJXNB31 =fVio -END PGP SIGNATURE-
[SECURITY] [DSA 2728-1] bind9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2728-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 27, 2013 http://www.debian.org/security/faq - - Package: bind9 Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-4854 Debian Bug : 717936 Maxim Shudrak and the HP Zero Day Initiative reported a denial of service vulnerability in BIND, a DNS server. A specially crafted query that includes malformed rdata can cause named daemon to terminate with an assertion failure while rejecting the malformed query. For the oldstable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze11. For the stable distribution (wheezy), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your bind9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJR88b0AAoJEHidbwV/2GP+QfIQAPhGEyGnmOvY8n5v0LJTMDFz kbPlzk+8nWg0uQJdHW6s4la+QaYvGKm8tFYVgoq3wNhofd522wMZCjHe0u7q9u5i 3UXC6xTgEwrLZqiHGxJg2UUuPB68ruH0GZHuaUaVTMjVkHFpN8trjysT+SSSBTzA qQwOX7VDe+yeJWG8JF6e7aK5CFcUcd6gAyS3md7XgrPL+jP37eBZIE9xVB4Wwcx/ Z+IJPgjN2ztaBNQqUFxHRlXqjNrzIlwu1J6Dd+lZPL5m+/7mkd1RblqcrU3f1ghL e6dNM56OGEGNZK/H1SIw5BvkcQEyQg+ihmon2qsKusd7ai5ABA1A2NauPWI7BL6/ At6sR+DF2F/EdsaR9GaTf4bH/ZwwDdTlALteUmg49tyn/IQoY9zjRQr0i9RgGbAy dXbmX06axEu9sHb1iv+wWtL97FcWkwSp+FUXNRrc4AynO34syIlS/mj8BPb8lFAO Bzv+DAou3Vzm0u8H1EO57m9p3N/2CIAYhkjqrIfN7W7dVJeA4+59bTRgnFCeSp1D jtbCI9lh+5frj9A6e/JHVw7rrv/gqqgl2pTgYETqEAPBC/MvlIULyUqwb5mzVGDF RF29M0G79I/9dc1qAyleykYOG4la6GDJ2Mi2x1MmGt1RH5gvjXFk+rkkb322X8Og 7rvrc70Mm/ZcvSa+k4zl =U27+ -END PGP SIGNATURE-
[SECURITY] [DSA 2733-1] otrs2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2733-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 02, 2013http://www.debian.org/security/faq - - Package: otrs2 Vulnerability : SQL injection Problem type : remote Debian-specific: no CVE ID : CVE-2013-4717 It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft SQL queries by injecting arbitrary SQL code through manipulated URLs. For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.9+dfsg1-3+squeeze4. This update also provides fixes for CVE-2012-4751, CVE-2013-2625 and CVE-2013-4088, which were all fixed for stable already. For the stable distribution (wheezy), this problem has been fixed in version 3.1.7+dfsg1-8+deb7u3. For the testing distribution (jessie), this problem has been fixed in version 3.2.9-1. For the unstable distribution (sid), this problem has been fixed in version 3.2.9-1. We recommend that you upgrade your otrs2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJR/BD2AAoJEHidbwV/2GP+eHIQAMDZ7Q/0lFFurEfNoa+0uS5e kW4lOIggjajvhnmZ95zlOQEBlHz/yXUwGoVnX8CvYyjXz0bqrPQc6QWOk5y0Wm1q ETKQIOeUXXFpDL7ZLiXvoWpy8RgQskhCiqmraVBsGKKLeZRnTT9yz31sTtWJ5RjK umkN1a4mPIFtJboPJRq/JCw9sDU1Fldn/XGcqFQel/u1z5w11ef1Dfo7o6crvEJa 6PwxKIQNaDxapZxlPaAoFycRlQ96DJ1et1bVg7c9AwqFyhgbubihKAlJ8WFZMk9F 8+N+kuZB/HE/pp1PVpyWBm7mUelBzBaGFnpohAZpSE6Yc/sPLrFt/E7PJ6XpAw1K HCSKQw64twUK5hBxvrG/soyFrHxieVo2NtGLLPOsxQWH/Dud6BgFK3BH4QCImo9m dul0OEui6cxt2edCyoLhAMcnq4kLcY9wKYrZMvwQrCJEKBlR5AzgELBwzm2wm6JP 2uOBK8g+Spy9oT3eBgxUHIztsrN7nDUIbfdgUpjpd9U4ywbVfOBfBtlAEF377rAh qR8muzXnGlrrssZE1ALgdHn6hXCYkFPnQPPraQ5olbwDWTZIkGi4257KTxvB5mry TAXwd1JDIhwSZ+J5QEp2VgxhAO0HAEk0keUOhyf4z3b8DJJDxN/frB0BmijohwSL aSH+yPNXIEwyNDeoHOJ2 =binX -END PGP SIGNATURE-
[SECURITY] [DSA 2736-1] putty security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2736-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 11, 2013http://www.debian.org/security/faq - - Package: putty Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 Debian Bug : 718779 Several vulnerabilities where discovered in PuTTY, a Telnet/SSH client for X. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-4206 Mark Wooding discovered a heap-corrupting buffer underrun bug in the modmul function which performs modular multiplication. As the modmul function is called during validation of any DSA signature received by PuTTY, including during the initial key exchange phase, a malicious server could exploit this vulnerability before the client has received and verified a host key signature. An attack to this vulnerability can thus be performed by a man-in-the-middle between the SSH client and server, and the normal host key protections against man-in-the-middle attacks are bypassed. CVE-2013-4207 It was discovered that non-coprime values in DSA signatures can cause a buffer overflow in the calculation code of modular inverses when verifying a DSA signature. Such a signature is invalid. This bug however applies to any DSA signature received by PuTTY, including during the initial key exchange phase and thus it can be exploited by a malicious server before the client has received and verified a host key signature. CVE-2013-4208 It was discovered that private keys were left in memory after being used by PuTTY tools. CVE-2013-4852 Gergely Eberhardt from SEARCH-LAB Ltd. discovered that PuTTY is vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication due to improper bounds checking of the length parameter received from the SSH server. A remote attacker could use this vulnerability to mount a local denial of service attack by crashing the putty client. Additionally this update backports some general proactive potentially security-relevant tightening from upstream. For the oldstable distribution (squeeze), these problems have been fixed in version 0.60+2010-02-20-1+squeeze2. This update also provides a fix for CVE-2011-4607, which was fixed for stable already. For the stable distribution (wheezy), these problems have been fixed in version 0.62-9+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 0.63-1. We recommend that you upgrade your putty packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSB+lQAAoJEHidbwV/2GP+6HUQAIGHk0ctuvUFNpPgZtZwGA9W iX2oysndnZLXZmc1zkXhwvPo5fg/+PjdOvYn0cHfrgVb2wXMPAwIAjUwTZ+p2SbF PwaXbjUr3sUJxQLdFoGNytfFeiUtQNj0/r/ylmQB77bgFKSI9iFnveYeNKc51Shb ApaFKIueuYgrPUTt8KquloNvNryuLa0AjhveWsIDdFQVGW6ipAe70T2BohX5QIwh ehzom1sFbEgJpqdPUt6sR7vyBj+mhg9atp3wCQkEJFq5uhrDEL6OrCwpZJ1oClMP a0LSPwESz4iWUzL3eTgB7ENIcAelBQ4LWnVhuTxpaRGoHizmkId6ueMBD9ezJrmH +/vDsBMQLxZuWP1SG7rEoEjJTsJEVQ/D7vu+s6cDuiliOr8IJ/2oXy0WQCDxinCI l7iJaCQcxcGWY5LmW9tO94GW6ptSUW4aROKLt12u1X4VkKjLpyzkGWNNvK4H6vHg 6orNaN8evpEVjj9ZF7Gq93e79ldhSjuj7ZZPcWmZNHdefxT+wxuXUB7flTXSRhlk RaTC5SrqRlmGSUkm0HaRc61iTh/VZbj1Zw+M+mNw1VwTTUbFOH7gWThkbjWr/yC1 HJpGe4Cpdm+289ci50Z/IVC7rKe0QsGW4tvpeS3N3lsvEVLj/skg/UIAnr86zU65 1VnEAudwqB82viZ0ci+C =nzel -END PGP SIGNATURE-
[SECURITY] [DSA 2740-1] python-django security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2740-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2013http://www.debian.org/security/faq - - Package: python-django Vulnerability : cross-site scripting vulnerability Problem type : remote Debian-specific: no Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The is_safe_url utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed querystrings, worked as intended for HTTP and HTTPS URLs, but permitted redirects to other schemes, such as javascript:. The is_safe_url function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS, to prevent cross-site scripting attacks through redirecting to other schemes. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze6. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u1. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 1.5.2-1. We recommend that you upgrade your python-django packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSF54KAAoJEHidbwV/2GP+Q0UP/1epNJcIUv9J5/p7efJVaOUI AtjvCuXVQ/RYWZm5v/0Vg+Vsalx8UEXihStmM93uwT/jb9Xhpe7vvBbUnb2F9ijr TFVyzkrg5hnMurONLsjf5gvXfv/EHQ3r0wIoLBBwUGik8tpSNDrc3YaFAT0ZyI3a n1Yb9XKp0qXKcd+pBAWEy/exHCcYhJ/bCVqG5xHMgAtkpD+RSVhTiWR0J+PpEufe 9VvFMXk8VR2gD9jk3eNZGy6vVemcY1HURAb2u6Utr1SFd1wsUQZ/ejkkISZ4c/cv QefllwtxoSuYR0TXzJdz8oDmBVr/DpZCAP0TqrpqLzor7Dyc2SHMTfbLTM7mgbIB U5K3og4ErOSturPCHXNZaId2dU5fDlmt4nFiZldFRc8EwTKcJycXv3Ub2cbgO8AO rpCC2GjageWKDkS2EfnQdTsjWHITL4gONu+QgEU0CceU9ylElzWIcPaSHaVF5UnE OnMSpiWsuES1UFdTMbArPd1IPc3xKba/u+ue1tnnMhvpQmpQMoNrJwIZz259C+u9 /o6SZwguYB2PTgFt2U8lj1/tKWl3pErWkN3I+L1bZ32Fpjh9idAIkQxDDG+ch+yB XHler6fu6axQwn51r0kFHdunEbRH3Ul0Yq810mD36SG4NHRp4BFrk7Ykv01vA0YK taq9A59tvxzUBf1qZ0fL =S66t -END PGP SIGNATURE-
[SECURITY] [DSA 2755-1] python-django security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2755-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso September 11, 2013 http://www.debian.org/security/faq - - Package: python-django Vulnerability : directory traversal Problem type : remote Debian-specific: no CVE ID : CVE-2013-4315 Rainer Koirikivi discovered a directory traversal vulnerability with 'ssi' template tags in python-django, a high-level Python web development framework. It was shown that the handling of the 'ALLOWED_INCLUDE_ROOTS' setting, used to represent allowed prefixes for the {% ssi %} template tag, is vulnerable to a directory traversal attack, by specifying a file path which begins as the absolute path of a directory in 'ALLOWED_INCLUDE_ROOTS', and then uses relative paths to break free. To exploit this vulnerability an attacker must be in a position to alter templates on the site, or the site to be attacked must have one or more templates making use of the 'ssi' tag, and must allow some form of unsanitized user input to be used as an argument to the 'ssi' tag. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze7. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u3. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your python-django packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJSMHpjAAoJEHidbwV/2GP+skUQAJkFYm+/zsBdAXEvwEHIExpc a8gSK9kgMC6122RewmfNy9RYB3gI2CZ/C50ImMVu5Ksw9XXasP1tomj2Y2xICCHk Jwx8hCiSPNfNgL7rt0F05Tp3BlkLMi666sSUQD3Etz7xUasN0UiZskdMe1FUukLT Fa0+qfWq7soEHIsoeWj0nhkRYy11BKETOFddlSE6CE/tsRBqVb/ZQbrlAg4+W8kx FtCVanN3tHNAcj4V+Q2KujxWDsY6mqSm0TY/5tavkc1pOIilz8sTZqdfMbmaZuhv ap0w7yW94prHEQvhYGlMdFn2BSDC8YadqGDr3p+K98jRNkVe7OST47gD3tGnRq8F CgRZCV0cNnpS8Al4JtAJ0Z6xaphrXd4/fYyQrRqcvSZ2U686Yz6f7XiMnJWzBSVH Y59+2gi+yg4p3SwinF3uSCXOXFoijvu2xP/FNySf/tnhWtz/o3zeCXwRu02Rk1gu Fd9tqPVvCgV69JCVk6pCC+q7Q1iqEmvyCloI/Z7mpnk43SiKezkbsFg/tgvD7ORD DYMbXX+LxYIbr635OvemE/cumBgcCyKH7qIMFhccjL0sXwH0cyeTEVen+YbpfnG2 wLx6TVUr2R7H93M6V/iByEThx0QyTpE7QgKNjI6mbJ4FtnBdIUgl6d0jsW+q2uoL ZuKaa8ELJZMOm1wlhQZh =W3/5 -END PGP SIGNATURE-
[SECURITY] [DSA 2758-1] python-django security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2758-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso September 17, 2013 http://www.debian.org/security/faq - - Package: python-django Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-1443 Debian Bug : 723043 It was discovered that python-django, a high-level Python web develompent framework, is prone to a denial of service vulnerability via large passwords. A non-authenticated remote attacker could mount a denial of service by submitting arbitrarily large passwords, tying up server resources in the expensive computation of the corresponding hashes to verify the password. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.3-3+squeeze8. For the stable distribution (wheezy), this problem has been fixed in version 1.4.5-1+deb7u4. For the unstable distribution (sid), this problem has been fixed in version 1.5.4-1. We recommend that you upgrade your python-django packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSOJ/pAAoJEHidbwV/2GP+G1sP/RjyId0sDXuCUkDdkMyVS31+ 5Hn5Gi5k9KtSAXD6hvVg8kvBWDJRonVUXuJ4cA2YwLtf8sdS7cI0SW/9w1xujnFS TGvh2+Ghs8mxEeWj8pkHRUcoUdO985Z23GbSHYehC9JARZ0mFxLXCHwdJ8d1gLK3 7ZeV94KFx6z4dAA2zXZ3C87NN8ZTtiZfBeG1kvj+EnDMeOr2o72HgQShrLLONmBw 3s37LVgXNyoQyWt1Dt00axKfahe1eBdZd3Ex5iDfhciWgLgRmkmjFK+FgI4DwOHU B4QY4dUhv+t4LX24IQuk3g/1omxpDZR/CXJaZ7Sdm3Xc2dbgqnQohExa5Dw7bwZ/ iGhQmfMPpUxSzYw2dSsygbBbxfRq2aVvxb7iFf2XJMXdQrrt7rVtqDR28HTdfFZ8 SLrzHlGSfcRqf+vlq3UqDCxjd+OHewFej6ZOmRYWV6vK4Uh9pmFmrPLJHg4EdDlr 67ZnvHVguF0YdpP3hi8N5pN5nNGUCwyt/lJxiDu6fESvIM/l/joa6MXVpEIb7Ej/ 4ncefHu5fHLRlevKhOtu6SRvEUKAKZK7VZfdrC59S0r+AkNmRhO/XXM9Utm+8eLo 1zoufD+JS2S6ReNq/5K4TQHS+cy2qbBE6PtecDcVwiF4xrb9PJzd2fYUZ3dLdTkj e/HUma7XNVNT3NvkHnnq =OcAM -END PGP SIGNATURE-
[SECURITY] [DSA 2763-1] pyopenssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2763-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso September 24, 2013 http://www.debian.org/security/faq - - Package: pyopenssl Vulnerability : hostname check bypassing Problem type : remote Debian-specific: no CVE ID : CVE-2013-4314 Debian Bug : 722055 It was discovered that PyOpenSSL, a Python wrapper around the OpenSSL library, does not properly handle certificates with NULL characters in the Subject Alternative Name field. A remote attacker in the position to obtain a certificate for 'www.foo.org\0.example.com' from a CA that a SSL client trusts, could use this to spoof 'www.foo.org' and conduct man-in-the-middle attacks between the PyOpenSSL-using client and the SSL server. For the oldstable distribution (squeeze), this problem has been fixed in version 0.10-1+squeeze1. For the stable distribution (wheezy), this problem has been fixed in version 0.13-2+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 0.13-2.1. We recommend that you upgrade your pyopenssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSQcLoAAoJEHidbwV/2GP+BxUQAIVJbtpOvqPJlYxuBPdYSzRI 53N4nTbCZC9hTmDWCbmwH6yL1I2Iev7E6MHAuRZKJ2rRjrctF7r3cDNCPpCkLtNK 517MzzSPe7nmmhFHYNiDQIQeIb3bdKGiSGd5eTgvYzWtVFKqRQ8FHDkYYZjc5+y3 360CZAo3lRbkv5i2oKNPMvTQjXitQxAJjzTM4FKAsY5b1QHwsbtShaQHLza7QjUE AFWC5lW8aMFSK05IrBKs9vfEWsoiVkJjr/BjVEGR1KipI24eb4Yq3tOTlY6fWIyP vq6u5zSbg3N3hU1LFL3pg7ghH7dLovPCLxUycVfZjUy9tD8pRRj+rKbnqyok9ITk gKxhQORQXBw7f2cC9Yk7eFF4a0nNxUxYlfCNIEm+9Bvf3oRn37bfelJyiElGG/HM RpdjZRAsp81Sup+Rk0uEvDsLxb0Pl/4EfQNO7p2/pIXSqe5cDHy8NoIJPWEpJN9o hdKn3kaSuZPv4Z/KAMa2pyW8+bCkh4BwMZ/NloHkYZ9XodhFWFPGjd3vS+1PW3Mg +PKapJZNN563dosK+kqXrUaa2oU4fl4xxXPZPolETEuYxRV7+FKKwS2jlISTTpvF toFjeXUEUssjTcFOgYdg/tYODv1nLiOO1OyQkEhIGAJkvFWaVocgst1z9J8RxEMr YyEEGT5b+gT9Cvj1REjx =fCjj -END PGP SIGNATURE-
[SECURITY] [DSA 2768-1] icedtea-web security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2768-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 04, 2013 http://www.debian.org/security/faq - - Package: icedtea-web Vulnerability : heap-based buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-4349 Debian Bug : 723118 A heap-based buffer overflow vulnerability was found in icedtea-web, a web browser plugin for running applets written in the Java programming language. If a user were tricked into opening a malicious website, an attacker could cause the plugin to crash or possibly execute arbitrary code as the user invoking the program. This problem was initially discovered by Arthur Gerkis and got assigned CVE-2012-4540. Fixes where applied in the 1.1, 1.2 and 1.3 branches but not to the 1.4 branch. For the stable distribution (wheezy), this problem has been fixed in version 1.4-3~deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.4-3.1. We recommend that you upgrade your icedtea-web packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSTxaqAAoJEHidbwV/2GP+HfgP+wf59ry+IIJS/kRakSEyKhkq uluoY3ehHCS9aUa/LEpq8LqORPQlE3pgqc6bX/CIU0AmTHwko7Lnv48UoUyEMyEB aoUj19F3rGUqVFMXJ+TX5Qfj1V+1HIIOmSa5DUHK00Ci3jgzmeDh68eeHEZU9V6T 18ialPWektVK6fgz6ApNEik4NB7XpPyJM1w5CnRdutM0iFQpA0SkBhjYgijlLuId aOs9jZi2naTCLkdmO+Ik3mGWrB7yl94O0vQ30pn2/NgPmuCxI1mL1ZD/udXwgyN2 x5COg8YXrQnG3pYcXDfBibJ5Ldvhr2Wz+RuVs2uYVKk6dIFRsdGJaQbogwbvM/3K znJi6h8Mop96xWJg2To/A8+Go57h0+YCN8SeK+hcw5j/EcCUmODeO9MR+nAjX6Jd 3yaiTlomj4vtw+dd4EiP6P8aDg/omVAHVWRJ49yD9RUI4iMz4ID3OXYVnPMCasWv FBJ+/TFhegrl65NFQf8Ak5a1eSlT2ipo4C8vKZ6i/JpsM8JFD18MesTKRyMMgsT1 mAVoAooQpTZU4bkUmNjk3yYvdtdwZmBlB8CKT+611CoE4VKjHG1GTEvf8hNAB1uC jxSdjiPIF0Lpmly7TtsFAB5qIZT8jsP3EJnDvQXt2+omeFUEunVur4HteNRjFsNp WNbWfbGezfANjvMGVegj =V9dh -END PGP SIGNATURE-
[SECURITY] [DSA-2769-1] kfreebsd-9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - -- Debian Security Advisory DSA-2769-1secur...@debian.org http://www.debian.org/security/ Aurelien Jarno October 08, 2013http://www.debian.org/security/faq - -- Package: kfreebsd-9 Vulnerability : privilege escalation/denial of service Problem type : local Debian-specific: no CVE Id(s) : CVE-2013-5691 CVE-2013-5710 Several vulnerabilities have been discovered in the FreeBSD kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-5691 Loganaden Velvindron and Gleb Smirnoff discovered that the SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK ioctl requests do not perform input validation or verify the caller's credentials. Unprivileged user with the ability to run arbitrary code can cause any network interface in the system to perform the link layer actions associated with the above ioctl requests or trigger a kernel panic by passing a specially crafted address structure which causes a network interface driver to dereference an invalid pointer. CVE-2013-5710 Konstantin Belousov discovered that the nullfs(5) implementation of the VOP_LINK(9) VFS operation does not check whether the source and target of the link are both in the same nullfs instance. It is therefore possible to create a hardlink from a location in one nullfs instance to a file in another, as long as the underlying (source) filesystem is the same. If multiple nullfs views into the same filesystem are mounted in different locations, a user may gain write access to files which are nominally on a read-only filesystem. For the stable distribution (wheezy), these problems have been fixed in version 9.0-10+deb70.4. We recommend that you upgrade your kfreebsd-9 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJSVBQuAAoJEAVMuPMTQ89Eir0P/1Hu/Xib8vTYqVCF7tvzfX/l VsJhH0DHCq8trFJfxYhKTJ7/RYw+GCjgzs2VtMQ2Gw39uTLS0Id6kAi6FAmhFeFW mQsqY/35qPZeReiOly8bTAEW0j0PGWsmThM4TJUp2vvmN2CyuzsdbAM2YMcLyJnq G/rjhVNiv1ZLx8OsUfKmegZvZNxZLB3/aEaeRyzigRG+G9NdkvFzlxMi2sXj/5+P 6ix9heBBkUywWJy5EKucZVW53eucC42t2XBmknNAfivJnwFxi1vIOpcN1h/re4Lm TnfDnLIoILKEC13s+1askMuNzwH+528Xy7D8X9ktPNZaXVk+VVJyqaUA5xB19/yk ma94I7u5jpN9BDMO4HhL7gCw3nC7d0OJikBQS6PXOGOqCfI7MGJ1DoC4+iHvo5AP pfvjri4g6av4Eq35bAwsYn+fRPQ4ExHVBbxgdj214eSr1OORh62CeL14jkghwDwj y0MuZHlRFruDPsKsdcS9BosRwRtKW4Og/OqBwCPoNTsk2ktVmcY9xYiE4tHVBSJD BxJgW5aTB9OP7Pnp3q672/zwg3AsHpc7eHDLtXM/+Sy7TLwmvKft8o+706/F6v/U Zh400iVW3AYoC3DHRnSx8yHZGQjyFeReU+n2zQnSoA00AB/9Ky8onhvj6OXmPT2v 5/h7SHTVx03hOmSdS4gA =ra1O -END PGP SIGNATURE-
[SECURITY] [DSA 2770-1] torque security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2770-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 09, 2013 http://www.debian.org/security/faq - - Package: torque Vulnerability : authentication bypass Problem type : remote Debian-specific: no CVE ID : CVE-2013-4319 Debian Bug : 722306 John Fitzpatrick of MWR InfoSecurity discovered an authentication bypass vulnerability in torque, a PBS-derived batch processing queueing system. The torque authentication model revolves around the use of privileged ports. If a request is not made from a privileged port then it is assumed not to be trusted or authenticated. It was found that pbs_mom does not perform a check to ensure that connections are established from a privileged port. A user who can run jobs or login to a node running pbs_server or pbs_mom can exploit this vulnerability to remotely execute code as root on the cluster by submitting a command directly to a pbs_mom daemon to queue and run a job. For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your torque packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBCgAGBQJSVWfFAAoJEAVMuPMTQ89E6Z8P/20uNyrICGD4ut8gjo9SN91S rCH5IfPwaIqS9cwZBkoqlRKxSc54d5eO7dlSGeOEpuB5KExYHi/h9KmS/Ja31pUO nCZ9onijhiyIr7d1+7YIVQpBXA7E3QxDXC5462ZtCuM9OPwFO22yspQKq9TfI2U+ hAhuRPnb6J7+7i8WQubpOLGynhuy4EJaYBTNiL7i9Z/Na7iWKRTHioFb92y4Y/pT sFpQ1r5EMVDzmJ8UzmyrWbdWMumKKoiGzgBCan9UKtkX2l4i8wjmc3ypifox+1zo lJqoBXh0PFrRtyHYwFAAU2oujuNdxgTwBD9al7Jip/0FHtEbhGum1VwIx9t95JrZ PsrjWjXZWdydRQHflBoGj3pKxD0UPH+OcEWgXpR8gGsID0g17muKRIuztAwFtrbR yLOpV0sobzR5GWaBFfwbIf+zziljqNKhXe1DgAjjegUuWD9Y4HP0H2pb42bp5ybx L9avUTjn9GOz428cAuj2PBLPaBLrtlvXePgjk88sl+Gf6Dt1SWqtH5niFgQtwhfV XFwIG6zBhCJp6jW2CyZxXHMkWgOWTAIOTb7B4R77y8MTyAnK/Ua30x4DFAaF4qli ARF6BsI3h6VjU835sDPJlaPHu+0KwM5Q7xOswuNtxyNYsuxVD2+ap+e0zIYlEod0 aO3eNNSfeTDJq1B2aD54 =0S9S -END PGP SIGNATURE-
[SECURITY] [DSA 2778-1] libapache2-mod-fcgid security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2778-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 12, 2013 http://www.debian.org/security/faq - - Package: libapache2-mod-fcgid Vulnerability : heap-based buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-4365 Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in version 1:2.3.6-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 1:2.3.6-1.2+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 1:2.3.9-1. We recommend that you upgrade your libapache2-mod-fcgid packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSWHsQAAoJEAVMuPMTQ89ErSUQAJYBriFZIkIOLf1MqWCBrYdO sg3pLRurqikUwKb+57SSpkAPt8UYWLujUunrb8ONW1K7bOIg4MzW1oJIPYZx95JG eMSLCd4o3BjyF4rXyqw3y8LM+d19DXB1Blhq8BHsl1SA9PHyqDwq7TXX24Oxpfbe TI9OEn/qDekvP2XJJ0kT3y6Ny8I44117d+yaMlDWc0Y56DE2rkHM0Px6wa/IPJ10 6NxuXKbNFzg9L+Pmifuji79N5325JITQmaoqfQeFxcgoVyqwzfW/kzWmRpcQDeqW 4M+Z8XuuEoyCt7qK/qf1i2tbO6nclGCZmMWfz9NyGpsbgHUiW8tlm/KcZZKqKWFb 2QJ2oVXNbEZwDP5ah4iywjeNitu/Ccr+dLVRAr+5QrswW3FUX/zH+mW5pPUNcOWA tt+fnryd0EynVnH25jE5qS5j57iZ8KT+w/cAGUcQWrbrokDjQ5choBcG47XkAhL5 omHJ7pzA9Jol3Dx6gpu+eRJmKTqRBCEclVb3186vCv8gb0hxFmJobWkxCQXxEVN7 GCnD65UHBkJg2j7rDmC/z/1bewMqQYEszqSAY8d2O0gddB881g1ADcThRx7Lk5Er 4i8E413umowNT0oMvqKxhnXVTYVIbqXt94ARCEvHH1P/H8ioRwqz5nRX+87LrlWD 2MJ1Sch8sDPeOeFTwLdM =FYJO -END PGP SIGNATURE-
[SECURITY] [DSA 2783-2] librack-ruby regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - -- Debian Security Advisory DSA-2783-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 24, 2013 http://www.debian.org/security/faq - -- Package: librack-ruby Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-5036 CVE-2013-0183 CVE-2013-0184 CVE-2013-0263 Debian Bug : 653963 698440 700226 The update of librack-ruby in DSA-2783-1 also addressed CVE-2013-0183. The patch applied breaks rails applications like redmine (see Debian Bug #727187). Updated packages are available to address this problem. For reference, the original advisory text follows: Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilites and Exposures project identifies the following vulnerabilities: CVE-2011-5036 Rack computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. CVE-2013-0184 Vulnerability in Rack::Auth::AbstractRequest allows remote attackers to cause a denial of service via unknown vectors. CVE-2013-0263 Rack::Session::Cookie allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time. For the oldstable distribution (squeeze), these problems have been fixed in version 1.1.0-4+squeeze1. The stable, testing and unstable distributions do not contain the librack-ruby package. They have already been addressed in version 1.4.1-2.1 of the ruby-rack package. We recommend that you upgrade your librack-ruby packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSaXS+AAoJEAVMuPMTQ89EmmEP/jR1XHtOt+qIbRe68DkmR3T+ c13FpFVTh2Q2jGiPWtLeUox25Zr6XN3ZtOVlOXbJpJbT51rFqf5KeVU+2EO9bukA /UIvMmU7SNqE14vmCLBhhZfbjzlB7phtVtfqY2SMryeRW0KV8L2daljtSzJpb36D O6tRdCaS1O6LsNoCu4gV5o1j9sS7HenoG7f3zyXlPQvPOLkbqZoZseJkG5rlrFmu z8TYVxPLXalAOSYRa09ckJm9e5L91/zl3JXKbB4Amn/sjLrE/3aT0ipFX2FHNVCb IRIlyTRIcrfKzuPabGwf/HdJDKu3LqeoJXjc9OytT5XHoBzHyMRg3imI/evPInUB r0F14/mCZgI7R7HWRYL9YI7oI3M1SLXXoVjT04dZJWFkIuetypfeNAn7gmWE+B5K iX8OqswZceOj9FTJuDxZAur9nowc9leDP9xXwlpa10z6N380ax3vrYRhXWwaW5io tuq5YTQN9tW3N2L0oDTmZQVCZFHqJMojEq/2rogAymBIp4TPvxrSEn0p9kHpfrur 8+/QKYPmGXZ7SXXxlnPQDrqhFAcsobl62+obfuFXOquC+J+Snk5JJQ3I0on2qq4X 6ZqfX4bA5IGnA2cohar5QpyE4QY0Rrc8EnylNkkZufLbhwin+eIYwHXz3Dbuj8uX PfBHzdV0zkVpegKYbiBw =HGaa -END PGP SIGNATURE-
[SECURITY] [DSA 2787-1] roundcube security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2787-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso October 27, 2013 http://www.debian.org/security/faq - - Package: roundcube Vulnerability : design error Problem type : remote Debian-specific: no CVE ID : CVE-2013-6172 Debian Bug : 727668 It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings and subsequently allowing random file access, manipulated SQL queries and even code execution. roundcube in the oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 0.7.2-9+deb7u1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your roundcube packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSbNQmAAoJEAVMuPMTQ89E6zYP/0tlZhlEgadu7xvTauny/zim RV2WCJFLmRMCGZYhCiOJ2ND50fAnn62CdO+vnWN3JH5FH0KIngLmtGfrq+EPjLwj rFPGMPKRDZRag8oV3SeKbsHlrcMHS5H/B9GhILst3+32pbwoBE7aH5+wTMYHshsF TK0whlv73RZge6njPfzqvdkSoIgCLYx4Mc+pXP/pC+wOaSiD/gMjKBh51DoOwpnB r7rfs7wmy4Ke1Ljsw35LceX64kCP8YC9d7FUPZc8SxUKEk3eojrhnSzpDUBt+Pvl /S8nAbCbbrosh464szwXL4w6gcZIDDJgvy3u3aTn+XvRCoK6cr8RrdMbBQibR1Xb 9hCdieOs0pkNbBI4yE6bivztAolHlfAwvsgFPcMv3fM26gAsSOC8SRrzRqQrqqqk 1jfUqJETE+W0FkjmZa4W6JiDm78ZP4DNFQCrITRaealMgo2dh2uKua/4PmaBwjJ/ /lrukur5D6mCcLxFEpRA9TwDYVcvWE3cCVL9WhaMBNRJWiuKuaamOujO7jPtzga8 uJZWGKQNTd4rB6WHN4uN2wqltPH3lOIxvOd+2Uu9P9mDwQkgfrQ0s/hwjB3dpPWO vNqHSeK2j8RZPDD4reulRFC4vEbI3MCXOUcyc+JqgI9Pa61Y0qrM6PwWyoPTDROr PGySE+o+FGBjlugiGG51 =CNJm -END PGP SIGNATURE-
[SECURITY] [DSA 2790-1] nss security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2790-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 02, 2013 http://www.debian.org/security/faq - - Package: nss Vulnerability : uninitialized memory read Problem type : remote Debian-specific: no CVE ID : CVE-2013-1739 Debian Bug : 726473 A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialized data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 2:3.14.4-1. The packages in the stable distribution were updated to the latest patch release 3.14.4 of the library to also include a regression bugfix for a flaw that affects the libpkix certificate verification cache. More information can be found via: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes For the testing distribution (jessie), this problem has been fixed in version 2:3.15.2-1. For the unstable distribution (sid), this problem has been fixed in version 2:3.15.2-1. We recommend that you upgrade your nss packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJSdJSfAAoJEAVMuPMTQ89EolAQAKJMoAA1k5jKzEa6sXzt2nut Osw/Km/Jio6qBQdUMc40QeRWjy3dCNtufE6t+ffRH/NUg/ZREE+5YPbKYuZXqKVQ LJ+7CUlv8FClKafoW1UvHjPmj8lfTFjI1e31dh4KgOkqanZ2ufVwWETolvEoEkTs gySXv1z5e0/OgpSHx9pHmJbYmC+p4+fex/eK3OrCGynQNh1MAarcetiXVl4QnbFe uJ5YE4jdJGJ4p746b1zVKGKLNKtVW5cT6h4HMZ6EHLBbGAfi35i+Qa9ZdQMS1ncC 3xssfmmGVR+J8hzyMNx3USCHRe5CjqOIsR0oaEcmijO/m/7w+GSzk0jIYxI9PgyV RmRf+sLoSBSvlaFHTfaqOF/vPJXL1S7vPkMNWJ/pQQk8QueEsTdH+FzZh99aQ1eP IMHd2GYF3sgD8LjafxFBkXLVDTgfR3LilMOAZHGVM6+jFySeGiv80ywGnvlWuuV4 2fDNiOFClDeziECezCQSxsizC2TZ9jHyB7NcxxhYt40w5q66i8UhLBWXwKjXLRco FVvAHIs8RfSlHDvIag2+TttSuTuQ20zAS83lXMsA2UyP4PLGGpRg6mPcfs4TgGN3 69oq4YaySp6dxvu8WcxdMQWMKj4LamT+XUch6q44euNystg1MNILK7tgGeFti0Mk vSnOSXPCRrlLrCsHVR2/ =4pBK -END PGP SIGNATURE-
[SECURITY] [DSA 2792-1] wireshark security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2792-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 04, 2013 http://www.debian.org/security/faq - - Package: wireshark Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-6336 CVE-2013-6337 CVE-2013-6338 CVE-2013-6340 Multiple vulnerabilities were discovered in the dissectors for IEEE 802.15.4, NBAP, SIP and TCP, which could result in denial of service. The oldstable distribution (squeeze) is only affected by CVE-2013-6340. This problem has been fixed in version 1.2.11-6+squeeze13. For the stable distribution (wheezy), these problems have been fixed in version 1.8.2-5wheezy7. For the unstable distribution (sid), these problems have been fixed in version 1.10.3-1. We recommend that you upgrade your wireshark packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSd94bAAoJEAVMuPMTQ89EefwQAJZxpySsNYON/X7CqHGnMOmj yTVTRKB6//C0TLVuLMbrLi1rtcjPMVkdsiZtdc5BYZNOTy8hMcoXL2wIA7W5JL7/ ZLrbfFSrdkzLPHXxs2icMJQxoM4+tJxvVp5MrFWQYswIlHCC/4XhtUqIggimAOAX ivxpeYe5Kfex5AGROFXi/I0e/C3hRW0ClEuIzQxba86KswjrhvAmPfoyVoWWffQq 3EX7/mFwXi6QQtvCY08z1QRFFNyIYhkG1M6dAj2gze5/7cofHzQY1UIgSUUDP28X F0YA9rj2tECyvJzkqTeiSFCv2/G3E+OGO6LOBG6rYTwJs1nFF0xIdwXbnpO7GDgY rv6gtsu//7oaaS2PRVON0sHUJUgVnwEfi8cZWCFy40ZhF4jtp93DR5RH2PNlwZOC WkIrrPELxlS7kWOvxjmVlZfAjhQscObumHuRTcEJY0mxNHufLKU0d+K5jvIvijpB G2jJ8QOAvoV2HgIDbCKWvkkb9PIx+1mp7KGDrzr6BvTuxxxbjwRgM5WjNSLaYLUn k8e/8Vy+joo1Jnj8sKSkkcglRqEh+tjpIcLoSLDo8WDpc7ZDR7Kn4CHBjDuWSDdk xHRw8nUAuYPgrjkr/4iKJgcavoMGpETEewYVaKUUbzQwQ5H/Lup2MU6eAVgpXYbN /+XONLaI4kCuVk04fJBd =DYub -END PGP SIGNATURE-
[SECURITY] [DSA 2794-1] spip security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2794-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 10, 2013 http://www.debian.org/security/faq - - Package: spip Vulnerability : several Problem type : remote Debian-specific: no Debian Bug : 729172 Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site request forgery on logout, cross-site scripting on author page, and PHP injection. For the oldstable distribution (squeeze), these problems have been fixed in version 2.1.1-3squeeze7. For the stable distribution (wheezy), these problems have been fixed in version 2.1.17-1+deb7u2. For the testing distribution (jessie), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 2.1.24-1. For the experimental distribution, these problems have been fixed in version 3.0.12-1. We recommend that you upgrade your spip packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSf81MAAoJEAVMuPMTQ89E/vYQAIlFrnkS8B29u6ub8qVnm79W CXCwAbm+J2SmBSgTBoF9ne54Ea0CTdUr7cTQsp72dpcZ9z/n6zWiiayVwrn98TEH yGUs1PJMsRq2uO/9gOywqgl8euMuT7qjfU851tJlZiJY5U5d+J2s6wK8ZbPNuZ8H pcJUhz/+cuTMSxM4h/gpqoHBbsyEFAioYdAcew/FmeKaNb3x13tuMIy/WlCsyM8l O8r831dK8lShncxieHFLIJAi4k0S8oHfHOjUTNelNmK6gokAGqHwDcQAteqOMi/I XGIfyThXhPPLI/USTinR64TRezFKtE9YQs9JGwUgt3qOkuxTg2f0zk5rSujXYSh8 SHRV3YQAVvJY/jKiHHOByxU6JjNk+OdZ2UgtgkiG/Axeld4JDf8BRee1xb1Z9X7L ikSQIOD6uvpnc7k0GDM9XQIasWt9zniV5U0OwRNhCmw6Kbq4ZNIpAxklo6GGUrOA 9+nl42Z9nFriwDoJaSoxVhg54wKaG55D9hoZhGK8IHT9vRVazK+DArVkdzl/XQoL bPsPpkmv+sbiuY8Wdp7XQAK1Yn0l2Yo0rZHGb4DYISuk+W+Y7kOF9P/yz9W3L1J0 VlHA0IE1bI0bW0oUfznXdmzA7aAw8K62huJLntB8ew94AQzRWibcAdVQRgcYWpqk MpAcnoCn4uoICsGSrtQ4 =RQB4 -END PGP SIGNATURE-
[SECURITY] [DSA 2796-1] torque security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2796-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 13, 2013 http://www.debian.org/security/faq - - Package: torque Vulnerability : arbitrary code execution Problem type : remote Debian-specific: no CVE ID : CVE-2013-4495 Debian Bug : 729333 Matt Ezell from Oak Ridge National Labs reported a vulnerability in torque, a PBS-derived batch processing queueing system. A user could submit executable shell commands on the tail of what is passed with the -M switch for qsub. This was later passed to a pipe, making it possible for these commands to be executed as root on the pbs_server. For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 2.4.16+dfsg-1.3. We recommend that you upgrade your torque packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSg9JgAAoJEAVMuPMTQ89EqOIP/Au7xN2tw30qBBOtnlyDxonv Dqn5FxfAyxvsrBuD4uB4wOELNR8UiqHn1xWcRBLHTP5DJonhAHMH3VeCFJIjfj0a vUcnzu0SnChvrT1OaZEF7M7RzOzT03ylSKwA5ED6U7ZuXOPqWPSXI+hzDhjLuThf S6hrw4yAc9RI6uoMQIK5HHbPf8EwjhO+ep/cXPH7KizCw64xdpqBrkEqNvPS851C m7CjfiGp2nOMLcdr0MUA62P/tRn9PYcCrNLcVge+2TXAtZ4gWctCxd3iud4R8Abt EYnzv8uckW1/yhTyd4l2wc5U34Xbf6O6ZbuQwt9ZzF/s4XNCaX26BLcwTNWYYOmy +YnRW+QqBsiTXIS3W2uTW9w93iwgkP7t087tZx6enllxplqkkI8GNX7bWNXA2lcY iQuCLfxzsNYkhNiGkuf4NgglUbcMEw4D8V4vuHoTAVSwemLLY2ghkwSCLW1ZUHTb wI0gDJPSFp10Z3CORSHJghFX5LH25HgrKDJ4S0Waz5WjBRT21r4Li/bsYHGOMht2 jAyQ3H1Ahfk4KK/IKu5V/q6UoYMtX5On2ozCfTdUa/fLvvQHzDj6zHLmWa+ob3Xg yH+T0Fsj+laxky1N+QeYnN2uMPiAsxKsR1RLvoZk2dniStdldkwR37Pmv9jlFjnf RFqk8VMbBlX9kb5qxPdq =z3T1 -END PGP SIGNATURE-
[SECURITY] [DSA 2798-2] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2798-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 20, 2013 http://www.debian.org/security/faq - - Package: curl Vulnerability : unchecked ssl certificate host name Problem type : remote Debian-specific: no CVE ID : CVE-2013-4545 The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour (#729965). This update disables host verification too when using the --insecure option. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze6. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy6. For the testing (jessie) and unstable (sid) distributions, the curl command line tool behaves as expected with the --insecure option. For reference the original advisory text follows. Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain. The default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default. For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5. For the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSjTSeAAoJEAVMuPMTQ89E+bMP/jxYqQsDtXJxFvefUBDI4Mki 3j6l+WsSd+GhEx/Sp7CYpUYmNjfybYZl2MdXeOfyB3czF3saBhpEo4/wXeLEJuQD PjA52GRvnfE4/pDnAIcHhbkfrI2MSJMU+NUpC2d2Zy2YAgQoeSBftSb91xZ9B1SI jbuiKNrSgIgcusBSmNFCXb4TdkCVhGi37B7J7NO9rPR6n6yBvX1xsIEJYOGJeMxL S9OWwbmcwjCdN6feNVK99YgfmEmRGLTpMosAmJSNN4KXa+OSr+g9Y+NHkve+CYy/ GmKX/MInXaWdcRk4LoyEdQ8idhWdJEdPe7ZEoLttSGnfLUyXBzTVKbK5Ugx6RYM8 1NbKYZVGYfQAOwjIbKgGn0F5eQDi+OiXh1JleyLa7y8pvk+7tq6pOKAsa9H2rDsn nVTVzOs6qIDdjESndLEUNG+JJJpkpB/MOAfdAx4KHKS7GQ+quMg99azUdSmDRFbC EN8XA8JrC0LOSeUJiiZTdRgOpjlTKgXUHKrr9Z0Ft/U/uWxK9pX5nTcaw/WwI+vQ Ms7yx0i0WrTvGkTXLHx+JeGrPcvjNxX8muTEq07ZkceDjZIefmZs0J139Xd+OSn1 M506eYcVgf4WNj8swR0h20S8eTA0BsNxXVOHmn113bwd95GxaTM4pKtANHuKLV3l Jq399e4/SnX3FWtSPFuK =v0Ra -END PGP SIGNATURE-
[SECURITY] [DSA 2801-1] libhttp-body-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2801-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 21, 2013 http://www.debian.org/security/faq - - Package: libhttp-body-perl Vulnerability : design error Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-4407 Debian Bug : 721634 Jonathan Dolle reported a design error in HTTP::Body, a Perl module for processing data from HTTP POST requests. The HTTP body multipart parser creates temporary files which preserve the suffix of the uploaded file. An attacker able to upload files to a service that uses HTTP::Body::Multipart could potentially execute commands on the server if these temporary filenames are used in subsequent commands without further checks. This update restricts the possible suffixes used for the created temporary files. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 1.11-1+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.17-2. For the unstable distribution (sid), this problem has been fixed in version 1.17-2. We recommend that you upgrade your libhttp-body-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSjmzVAAoJEAVMuPMTQ89EohYP/3SXgsSktgNceshKqtTAJYNY 7d9hWD846df/VAYHxc60YYQeMBo9wMvUpT6azjvSrD0pePg/Ddq+41tuyUQoo3kF kWAJ7JUikXxOHmRLAyh4n+1HyaKLFCCWzZ8OJAwHYKivSxp8ajnvhcy9xMkwNxcK p3b3ne4ETCN3SyuAbYxtz5NlrsEPcTOtr3HXQyoKw6oWGWid+NI/QdoXmmUkfPwc eK6OkzOmSHot/pQJob5S9QqzvxYJ4MQy2QmxJNXC6HBelFRWkpSrbiPvBCo0ZmL+ LInSH6lwllICFoQ7uaUZZujLX4DHICRqs5ArAjtem/3QcAzpXdd4QajTcdUjkqWh fqYdULjmC22uZFI3zJszqX+4PjcFGw76lDl/1/db5QRW7G44W1KvP7nkswn0xNyT mWw4hHp66O6O4FYsWxPG4mct+DbrZ7YAgeVf+hi5kdD4gSz++UOkkKsnFQg+V1et yAvgas8RcEvqvgAZfdkOKAVhBEIKJ6YVbgTMcX+APtSOT0Fyn46vLfi9KNcU8t53 P0jZSAMJ3aSQajNGFnaQykzyny+OErR/Nqyk+4P7Ej0cd2v5VH2ZRCQaFpRBPLgz XhqHnXMMK6Uy4pOV5xj8eEzwi4ANc4uFffbCpdoMS66Is+tQhK8RVZSVTollBi+u pCJcZivWPDoBmLgd5ZGJ =bWvp -END PGP SIGNATURE-
[SECURITY] [DSA 2800-1] nss security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2800-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso November 25, 2013 http://www.debian.org/security/faq - - Package: nss Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-5605 Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in version 3.12.8-1+squeeze7. For the stable distribution (wheezy), this problem has been fixed in version 2:3.14.5-1. For the testing distribution (jessie), this problem has been fixed in version 2:3.15.3-1. For the unstable distribution (sid), this problem has been fixed in version 2:3.15.3-1. We recommend that you upgrade your nss packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSk6prAAoJEAVMuPMTQ89ElaEP/0P2asJjRPsE1nNcJfi9F/N1 tmjVoGtEPRHDF56MDnJaTxiUOttfXDv7b0N5fdLcptjIoz+EmMOIsoAGtAM3jLHy OluWh0S0xi47T7ClVysERsGC/KhKyTQMSnCDcx5yYb3urS6w+A+npJnxdus2eKau IhIbY59nEiz1fDij0WrW8+4dXaA3meRMp/dxzI26oXMbLY0FFzOqDyi5F8oJ1uU+ 2Ynje1WhtTcH4bXcxoBJJqu+HG1oHiPd4mc2Wpasu3KTuGju1P9mv1VenrO6qSnR NXnqU6ugi79QxOLSD7tB/OA76uGvkaQZ9pc5CSYi4gYwiX0O1rnWI3t5FXx++f6p vGcGUv2W/YNx/y5dvtpXlOFesK/nH3dvEJuUKNRhnoRABZ2H+ietUUR0uJkuzRyh 5ClPBlMWHho2aLMLTVRJLKS9NnTiTA7hGLSO6XBjRhLGXIVF/dIg/hZtEpRzWSqF Zx4c0tIFW3wEY0yg8SMzMJcD1SHSgGXJN2NfpGRRP+AK8RrlMazo6gdiwa47afns N4EcvGFBiu4h2ZnqkZC6s/15mGnH4QuEaRGF87Ax1ekbPpMEBafaeteeMZ2oLGV9 xL2F4ks5Gj6KKdN+jowyr4ZZ/J9ANsYBKGONOlrKwUkiAn9ORU6qxxwJW0KVRwAe cepySQ+PmtTtyd4tiPO/ =aPVh -END PGP SIGNATURE-
[SECURITY] [DSA 2809-1] ruby1.8 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2809-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 04, 2013 http://www.debian.org/security/faq - - Package: ruby1.8 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1821 CVE-2013-4073 CVE-2013-4164 Debian Bug : 702526 714541 730189 Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-1821 Ben Murphy discovered that unrestricted entity expansion in REXML can lead to a Denial of Service by consuming all host memory. CVE-2013-4073 William (B.J.) Snow Orvis discovered a vulnerability in the hostname checking in Ruby's SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate issued by a trusted certification authority. CVE-2013-4164 Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. For the oldstable distribution (squeeze), these problems have been fixed in version 1.8.7.302-2squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 1.8.7.358-7.1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1.8.7.358-9. We recommend that you upgrade your ruby1.8 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSn55AAAoJEAVMuPMTQ89EKpcP/ROwTK5keLHdzpwMu5DXCanq vkOWJ3ccPC+Dn5Iz8Fe1i6TtB+XxeF5ZLtmJ6WzANKTuEbteJOXyYBpYwxn0KVp2 dONlNbpfcb0MjyVb+mSCiBzT/VAx3WyODqWNCz5H/yChp5OtOIFqOcRJd8THjqIR uzzqpu0nvD2h8kR/jKD696liO8izHDfJOYbhpAHXqyUpCqA5kxtlHZFO3nVDPr4y e3qVNQ15rCJ77NcUocaLffDAgbcTUeMcQLmYg1EHjX767wqpzMCeZEwsf4jK4iAc J+pmQSpc3dokq8OCRUtgteSbkHkvxR9MkjoSP87R4/SuywoYkDbcUfQSQ8Hav73J T/l/MXU25fpcChopxfET52ZBT/Qt5K1i74EyXAl6B3sX1LhpzPqbpvFEr8rQhcU3 flEhgCaPc10q2v7pg8UvttVGkmJ8nwNxnbjmTnzbZAY1RqhcUK9qo/xG1T/EJopj 1WIDgOdg88v+YkRrdOOZwRkzOiZLS2wbltgEs6tecMyxP79+zzsoxs1uzKQz4I+H Y+ie9PS2xp8zf1x6VXlMoZRXWhdiY1rm7t3QXJNuQBCvDAPxEUwJEf6FK7d9QzY5 VkLtng309vQiZ2CUwADOglBpMyaSVPMs/GlPoUVd75mb0N5SNJksmLxAOKhs1WRc n2j7oQpxX5W0l0N7WV7q =VeHD -END PGP SIGNATURE-
[SECURITY] [DSA 2810-1] ruby1.9.1 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2810-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 04, 2013 http://www.debian.org/security/faq - - Package: ruby1.9.1 Vulnerability : heap overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-4164 Debian Bug : 730178 Charlie Somerville discovered that Ruby incorrectly handled floating point number conversion. If an application using Ruby accepted untrusted input strings and converted them to floating point numbers, an attacker able to provide such input could cause the application to crash or, possibly, execute arbitrary code with the privileges of the application. For the oldstable distribution (squeeze), this problem has been fixed in version 1.9.2.0-2+deb6u2. For the stable distribution (wheezy), this problem has been fixed in version 1.9.3.194-8.1+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.9.3.484-1. We recommend that you upgrade your ruby1.9.1 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSn6paAAoJEAVMuPMTQ89EppAP/3gJqyFH2O8X54DRK9kWPegb Y02HT+HhDvCIxTRsMZFndelL2Q5ATvajMfygBxIGhp/Um72uoS6SvSX1qsB2KM+o wWG2L/NeuV9x2QlJIoMpAC1BFSMHSUz+s1/DypkaoXyM0NaczLHxqOBHTc8OcGM5 8o+TfalFNBvwiJB9JpSqODMZqRVJwLISHtm8d5PTIqwJ+s4NRq9q+URZzWLArSmI bne2ZX/I7ZJF5bljMfS2DybSZiGd0EOY7j1Wh9FMQOBFWcaGC7LtAKL/GixHs6aq 2ac0sWFd0osQdMlmQ4raTkeP9wqmxxA6r8t1IGvBQskn0wpwP49PA3ZbsWWW7M3F qwnIuRen+Qqpr5K0rcmB4NUmTSbC9CRYeRVlgulJHOQk3H+RDOCMtyr61Pb4yA0+ U9Cb6iytERXqz6gXve4CNX8HgojTj8UF+RwELmh6c8oOp4bawvW/43iZDjkyyPyL EE7rXAraEaHGa94kkfPO0ijLQB9jcPJOECatNtj62FYEgmAIDxBNnEfWxGgXFC1p jxvUmLbliVMQ7RnWDkrtthnm/7zS9iHZ9/JAhVbKwITxlCvZGjG84Iaofb5UW+wR nZw5lL6YydwrXPJoj0ZpWrPobMSZ/aATp0kiS5IJdLTwyZqoapVRXCZHhOmbyeh4 J2FfysOY3Wmx7cLiM6Bb =5fWg -END PGP SIGNATURE-
[SECURITY] [DSA 2814-1] varnish security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2814-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 09, 2013 http://www.debian.org/security/faq - - Package: varnish Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-4484 Debian Bug : 728989 A denial of service vulnerability was reported in varnish, a state of the art, high-performance web accelerator. With some configurations of varnish a remote attacker could mount a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. For the oldstable distribution (squeeze), this problem has been fixed in version 2.1.3-8+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 3.0.2-2+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 3.0.5-1. We recommend that you upgrade your varnish packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSpfg2AAoJEAVMuPMTQ89EDMgP/RvQOW2J6oQ9aPrTD1t4EoXS Af1aADwLiQ6+2yRLEkFJaC3X3vBykFNHH0JniwDqQRKNE17MSZGFZpzCJVU1l1I/ e9xKKSENY17QLSLTBKX2fzXpO6TeU/jYIq/NID6G+PDcDPwP0tfVdZhQcphmUoEs yrTPjW/CFFOXhEqMG+rlCL9zJA4lRrEt80CIKgpQw/c7DZcxGn34qG8rhlOiXlYu xdyXeHxWZXsIxhIq5xvlk8++VooDpQm5ElpHBNjgQBqRXTFRo5EAJzIgTdUbopJE dmJntf+Hy2KZBvx9j+NHjrtbFWwEKM44eC1hYmJTg2RWa/H9CwrGgc2hhcPoiYX0 2hWvj3soP/Pf8fYtMNUW5O6rTyi3YfLXJQVH6p0lRsK/tPcEgRRqiabLiIVlRcc6 4OJ5h7tWMfBYOQzyWs3i6thyJFa7mTJGht0lI4kg/txt58pG+PP6BGylMYlwZtYl /ZsYsb1F1vwRm1G2wdB7j34YryENgdqVZAlF1scABJ2xLbRND9xGhcY4NXZxkE9X szsInEtu1OEy8jWUGzaGqEVMMn05jLpsk9MNV68qGU8qloNfxtYnR6xDHmhRozv/ rIHWuLEkuxLAbHEHg9oi8tv1L8uCQq2lCYS3N7wswZg40CD4Tm5vf4Yioyv/oz2H GyHEwYj1T49z8TivpTPm =bn70 -END PGP SIGNATURE-
[SECURITY] [DSA 2815-1] munin security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2815-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 09, 2013 http://www.debian.org/security/faq - - Package: munin Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-6048 CVE-2013-6359 Christoph Biedl discovered two denial of service vulnerabilities in munin, a network-wide graphing framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2013-6048 The Munin::Master::Node module of munin does not properly validate certain data a node sends. A malicious node might exploit this to drive the munin-html process into an infinite loop with memory exhaustion on the munin master. CVE-2013-6359 A malicious node, with a plugin enabled using "multigraph" as a multigraph service name, can abort data collection for the entire node the plugin runs on. For the stable distribution (wheezy), these problems have been fixed in version 2.0.6-4+deb7u2. For the testing distribution (jessie), these problems have been fixed in version 2.0.18-1. For the unstable distribution (sid), these problems have been fixed in version 2.0.18-1. We recommend that you upgrade your munin packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSpkCOAAoJEAVMuPMTQ89EMV8P/R+S4LjASU572SZQuYgYbz/I xEV4VD96c7rP3wbHQLdPLYhq3gbm6RbluH3nIwV5h4txplkaPEiL1YsQ/1QO3n89 hcpwBS9uOPijofDVVe0+CwfkESZF2sn4nOeWwnb7ZBqyALjMxyedMZTP7PVx3NQb VEV4k9LSkCmUfPTaaJJVv7xlKoX4kYm3zKfykyYiWEsotXqyloMpc8jluld+qULl MpTbwyhZLxF4Iw49mzwHdItQjXxfy0W76YwydCziXFjeotNvn+GoXG2mRzNhBGl4 Hlvu/9vfJZ37EI/pDV59KiqPBAexEO4rp/aHMJUOT9gMRnZ2MKCluGviquDHH1z6 8tkM0t5NmaT8JWzGsPF4H/TcJRmCP+KXDpU/T+lH2NI2F1i9qFei1b3rBGXuhVyy gZTtd/r9LYeBDWIUALWfpAIQrXnjEKlLWak8Z/7BtkrZlNV3I1KEaWgm6i16DlJw x+QavEPYErolOtQZNAfPVItXBDwYswC4Y4fcA2vQR0aR8ftvPqGqVRmE3b5kUops iIsdLSh+T2Ha5+0a95mWTefRRqME5cxbFbQyKdG/ZSHxJIICJD+ye/MS1p25awxE alpS4Mqp+yHfOfpyrA1hpPRtSCAAIZByoh8Gb5lMGb9TVMq7Ufy24HwTki1/fYI9 TcOtwDcyQn6CZL9x7nva =dUQV -END PGP SIGNATURE-
[SECURITY] [DSA 2818-1] mysql-5.5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2818-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 16, 2013 http://www.debian.org/security/faq - - Package: mysql-5.5 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-1861 CVE-2013-2162 CVE-2013-3783 CVE-2013-3793 CVE-2013-3802 CVE-2013-3804 CVE-2013-3809 CVE-2013-3812 CVE-2013-3839 CVE-2013-5807 Debian Bug : 711600 732306 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to a new upstream version, 5.5.33, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes for further details: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-32.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-33.html In addition this update fixes two issues affecting specifically the mysql-5.5 Debian package: A race condition in the post-installation script of the mysql-server-5.5 package creates the configuration file "/etc/mysql/debian.cnf" with world-readable permissions before restricting the permissions, which allows local users to read the file and obtain sensitive information such as credentials for the debian-sys-maint to perform administration tasks. (CVE-2013-2162) Matthias Reichl reported that the mysql-5.5 package misses the patches applied previous in Debian's mysql-5.1 to drop the database "test" and the permissions that allow anonymous access, without a password, from localhost to the "test" database and any databases starting with "test_". This update reintroduces these patches for the mysql-5.5 package. Existing databases and permissions are not touched. Please refer to the NEWS file provided with this update for further information. For the stable distribution (wheezy), these problems have been fixed in version 5.5.33+dfsg-0+wheezy1. For the unstable distribution (sid), the Debian specific problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSryLPAAoJEAVMuPMTQ89EcUgP/3rFEb0ydpw8hOvzrXHqzPUR YYAXDJbXwhGhh280DeYOFkDu5Xd28LYWsne0o+gwd+Csp2Q3lcVfzULUb3j7ddl1 Jlfd5FxXFTcIPXqVo6RmOgf7GOl77bg+sCeIqNrjaPBsBIzZQmoTHjfXQTKqKiZF WMwMnIVoeCdY23LYosnel5MXfiHaPpqGDhUkeoFnJ4m2+hfvHbM3Pj+3IjgwAvF+ p0tiMfvjJ9muVsj4xDnGk9z4JlDONoohqiv5mtL2NNY6bV6T6aTo74SadnKsp6dU ug0KeuwDtVe7l1Mzq8O0qCJHEEfHfZ1IsvoPAwndN8yqXbHQ8pU/9vyz+5LxGb6z VkGkGVzypSI8u6B+zGYBa54zrKO5DaS/YAlKU+wkWSdH9RcdMoHTYOlMBh8wQXoW mfnIZ6V4pv1Usm5xiZpQU6BrJaWWyDqZPdlK8oLplKkKJFHsQz7tjZylO64HGR3X tEu8qjfWblPR37gWY3FRErN1zIDiRzt6LK67achBdCZ4WxG18f2KQRDbgZzx5n9Z lblYgEYFK1EXE5rutHe9nwKkDS9DfSRuybty6WCqcmLBEIu8vDoHbDXR683UNsCT 84AwQrv7/QfugQHWpEA7nabDprrKK9TM3hjdQjqlelX3/kLpAQYkTxDSJ6uINH0H gubK4/5nmK0zX7OoNwWt =5UEA -END PGP SIGNATURE-
[SECURITY] [DSA 2824-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2824-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 19, 2013 http://www.debian.org/security/faq - - Package: curl Vulnerability : unchecked tls/ssl certificate host name Problem type : remote Debian-specific: no CVE ID : CVE-2013-6422 Marc Deslauriers discovered that curl, a file retrieval tool, would mistakenly skip verifying the CN and SAN name fields when digital signature verification was disabled in the libcurl GnuTLS backend. The default configuration for the curl package is not affected by this issue since the digital signature verification is enabled by default. The oldstable distribution (squeeze) is not affected by this problem. For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy7. For the unstable distribution (sid), this problem has been fixed in version 7.34.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJSsz7uAAoJEAVMuPMTQ89EUL0P/3q6ONK4nK45k35+zxbcEUBA FrDS5AgVxSXf8J6RWtamnaQAZ4q0zwLLYm7rK0TuClzXf5DuwLOtTjmlXsA1OaP2 2/35FNHhPAv0NDkaMlg5GB3rZpKc76HNFJC20RT6CxsE504IfCUYil3j3ArMKr9X ohGWaAfjmPMzvopSTOFDyeLRz7nC3AG4rTfdEenEdjivrTeum7JuH10Orxkj7maz bZ5ywhxh7MPvn3QjK39MHDWf56pJg0vUoGvSUQ/8gTlPMXpjTC6XXANwoH0hcOx+ jit9c2cA/2euY9N/aX6HXc39tnzPFGXh0fF1LJW3I27DQEZWeBJCJac+njA5frjF zEbC1ss/8BcgQ8/NZPHM0WJqufE2CLiklOYh5ZIbRBgzfL7vgTVFjb2StazMUgH/ iGaiJYwszNrVz0AoCJtaZLGBxxZFCDdjVeFqsc0uUWUoW8Y1n1eqLKg/AgMANuUc qGPaVLhlkoWnIwj/28eiT6rosriQ2ojp0igpIr1iabFGe5ewFx93Kfzl3UKMqYh8 Z0iNIz4AYt+P/jQxh/Xjpw4p+yYExyx1n0f5rscp3tFx6JtMvJKFwUbVabTvO7QL SEGQajyc8Vj9d6Q6zYWe/LbP4BBx9HWyfXHQrukDb+9w3ZcQ92IlNDEKUYsdRjiR jd+9YksjvKXjEzGQGf4t =JY3g -END PGP SIGNATURE-
[SECURITY] [DSA 2827-1] libcommons-fileupload-java security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2827-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 24, 2013 http://www.debian.org/security/faq - - Package: libcommons-fileupload-java Vulnerability : arbitrary file upload via deserialization Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-2186 Debian Bug : 726601 It was discovered that Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications, incorrectly handled file names with NULL bytes in serialized instances. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.2-1+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 1.2.2-1+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.3-2.1. For the unstable distribution (sid), this problem has been fixed in version 1.3-2.1. We recommend that you upgrade your libcommons-fileupload-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSuR2NAAoJEAVMuPMTQ89E6s0P/1gU0HVBSy+C3Tvr0KejOcEx H0wKOV1JuVbS2b3fKvX4xtgRU2RlZQeIvdH8qUs56ireymC8p0al1DtWQbNRLjZP dyVFq3h4IGh/bNtvG8n5yppqcO9amwbaDMDwan3208ZIfAE+AULj+JBGXYSpE75z XppPhATYPZ8zkG23GkufQ4/+vKivT3iLgoQ2YfO/aSU5Ondp0pUB+RP3GlOhXskl y6cAQZDOEqcTJslJML7WwnVp4/WGxHyvoD0RRrocdy4fzzf+pWw62T4foogVwz/6 UyX2WEcZO78jGbU5+vlKc8D3N8mv6ZRNSW6GZOslND8XSCJlWBbHWTWq0f6TgTM7 eYCMKpSzASrSbFXmZmnMsQfcX6tbsngF6DA3ZK1bT5LIHCo0BAJsR2fI3oWXOn8V H3rh/L6JOzviVBrp4MkRYDiafg8gpvCIRB8OhuSsIWt++ZmMvVFLRXuVb/sltNhH ee51WoZ0hRzSGxhs/M8Uob7X+wF/vc/FMp/QLIWlSy1CTa5GpDncRp5zebXXeXh2 7iezihfmm9fXx6Rlre3BAkCZuKbYosMZ4fjuR6W2wVHFbIGmaOMKD3oXhmmYbxky qR1S4yEqsV3dPNLBfCPLlOu8ZvzIBr1A8guWKoAdZSqe8ziUF4RFhGGCFboBWqvL uDDYBO1IxsANMl3+Xhbw =PBof -END PGP SIGNATURE-
[SECURITY] [DSA 2828-1] drupal6 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2828-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso December 28, 2013 http://www.debian.org/security/faq - - Package: drupal6 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-6385 CVE-2013-6386 Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework: vulnerabilities due to optimistic cross-site request forgery protection, insecure pseudo random number generation, code execution and incorrect security token validation. In order to avoid the remote code execution vulnerability, it is recommended to create a .htaccess file (or an equivalent configuration directive in case you are not using Apache to serve your Drupal sites) in each of your sites' "files" directories (both public and private, in case you have both configured). Please refer to the NEWS file provided with this update and the upstream advisory at https://drupal.org/SA-CORE-2013-003 for further information. For the oldstable distribution (squeeze), these problems have been fixed in version 6.29-1. We recommend that you upgrade your drupal6 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSvqTxAAoJEAVMuPMTQ89EaHEP/AxpHBG5If4gp5eRN4DmD130 kiFMQ/nLsWCZjERT2+t1/plrhXWprLKowphduX06mvZJC725rbXPFWbo76mL6nxv 9cdQbsVBa4y5SovrY7MRNpNeP2u+BoH0P6qR5EGSFB6JwKggI5bjBBNpsA9T9bbK PqvNGz8F/gZKiL/QT28VJjJ2YlqHJ+ZE5aNk5LjKjLCyZLAlVSzVZF7IcOuKS1by wLJQhIsznlzUIw4P7Zz8xWPRaf5nKgEx3s6dhrS8qE2lEDBsXEBsn8+hTPcz7HqW yE7S/3RJR3r/6lNdHc+6J2wX6CcR0AFfbCRuqHPWkWjrCImpLZ2JVCa4IdnAINyY iiyHtIAWjtz0SPgprBtNFghJdUnYlhlsm82aF1iciNxSkpln9DGM1cvF5MS342OQ pCh5/P38qRQo5ZapGC/tyLfvXuB6DxiapdV/zA9DcdtEqavRg3x1jFZkQPVTTR29 u5O+r/V37/y/cvZFy6UHihOLGxJO8W9cXPPgcxy3VXYri2ENQCHwSUYiH/WqaOgo MAn04I7Pt177qobibB8wFOeiy3R4KtJQ4CezDz3SiTC+aHSKsDOqx+i/5zDw5kqN la2/Mub30Sbm5mP4YMXA2Cg1vwSFkxKJIrQDYUDdGTuOFyKPb0yGZY6I+MIHkpl4 MIBvmuN6queWnTgN/Wkx =/ko2 -END PGP SIGNATURE-
[SECURITY] [DSA 2832-1] memcached security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2832-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 01, 2014 http://www.debian.org/security/faq - - Package: memcached Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-4971 CVE-2013-7239 Debian Bug : 706426 733643 Multiple vulnerabilities have been found in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2011-4971 Stefan Bucur reported that memcached could be caused to crash by sending a specially crafted packet. CVE-2013-7239 It was reported that SASL authentication could be bypassed due to a flaw related to the managment of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials. For the oldstable distribution (squeeze), these problems have been fixed in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239 was not applied for the oldstable distribution as SASL support is not enabled in this version. This update also provides the fix for CVE-2013-0179 which was fixed for stable already. For the stable distribution (wheezy), these problems have been fixed in version 1.4.13-0.2+deb7u1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your memcached packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSw/k7AAoJEAVMuPMTQ89EN9cP/2+3NUmG98Jp4GXewX4KnXeJ Us08m4dlTyNEjVu3z8vAJ9iIvu28zyiYwKp6msyyc0155D6hNmmxkNfhGI/IgDBi QPo2AZrvWvTafztNyRzyBKzQHK3DlM9LEGYZC6rOpNWEF2xv1lT6vwWDj/fZRDiA 6pqGX/iERk/9EK4WeXi1KlTNzzOJJOQkN4NeoQEeUWec5s6V0/fOKoVccbKI9pOE 8UXL1Hqz3BK9YsNu8a5qadrSZ/3fRSHcmz3Drt7pyVpmJw4jzB126TZF8UJsLspQ 28wxOYISYJJvNXBJZM5oEjjssokzZw3Y1UYljY2Jc4sTUwLcWIQxM36AvlRrZ8Yj 0YoaA3UMfYeEtcPsv24/f8r8gEZsq4cVPatHBm4Ke/rmMttYiuX3n2iVfLiYdE6S ByfMZ4Rqk17SzUf6TCjsfomU45SGjtOzIEKwXBNBSGjK6Lej8zqKffNhvCH3ZwoH t0JS4qAr5EWdSuZkLLEtAu91qTGLJlxsPZk7odWyYA+Oe6c1Mobm2+PpfXgY0v/L H0ktTng+g/glH/3pnDzvBNthjLE8mN2ioFBEH5WFBiN2hZnGck2WXGzjWG4B9cAO gqFPlp+gP0m6ZmE1CyYdhR8ZgLhb+WZ8LbldYAIDWkA303gvnE5Enmn2NXrtFbBN LM+/KdVYzK4ZrVccPtkb =tx8/ -END PGP SIGNATURE-
[SECURITY] [DSA 2834-1] typo3-src security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2834-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 01, 2014 http://www.debian.org/security/faq - - Package: typo3-src Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-7073 CVE-2013-7074 CVE-2013-7075 CVE-2013-7076 CVE-2013-7078 CVE-2013-7079 CVE-2013-7080 CVE-2013-7081 Debian Bug : 731999 Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, information disclosure, mass assignment, open redirection and insecure unserialize vulnerabilities and corresponds to TYPO3-CORE-SA-2013-004. For the oldstable distribution (squeeze), these problems have been fixed in version 4.3.9+dfsg1-1+squeeze9. For the stable distribution (wheezy), these problems have been fixed in version 4.5.19+dfsg1-5+wheezy2. For the testing distribution (jessie), these problems have been fixed in version 4.5.32+dfsg1-1. For the unstable distribution (sid), these problems have been fixed in version 4.5.32+dfsg1-1. We recommend that you upgrade your typo3-src packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSxD/nAAoJEAVMuPMTQ89EEewP+QE0HI7cMfcvfCO2GpmSq+ZX OgE2PuiIrBaMf9NtUvrWnVWMQRJiLjyejLsFpjGA3BIZAxue9N5WpzoPG9m8Np4c wdsk9a91lzj6vppYVYUnL0U8VmlxDU8mEfzdA39cRbqBzH3R6BfXqtDlDFnuYQvp B65Dn+79Cquch6j0UjoGdCPBAQeINFBJqEk5DjRgZaxJb6kASFXdbthn1XFaXa/o h79yKub2hsXhnmZ6tB8nATPw8jIOm4gkMSNHQHaT46bQVGolgQxqLPOxRE6LMvef bxYWM8oSp/QEYDXyCfHcNwKBOJlUNWH5kjK6uGWpqQ018Ms8Xmo6fQ8qwcwUeFMb bOm5wMuoROZDOm+j5gjfThJ0gkF0A1VIhxXua5w6HkTClI/HvIyKfgCt6DODLUbq 7PgJTsw26ppRR3kvenSIxWW/fc+LvFIN/sKx31v4QnY6c4au369a34fROwpCkzAH HtoC4Fj51r8I/ArLW0+wkyZZaliwKgZQtgGpWGsv+HQ0rwmlltTIXEEFd2fgKDL3 X5KXqN7+X/MhCih3ZAQ4sDGPxAG/iYL5Inz6mnVMie1Sa156bm2t+0EM5hOhJnIj JEfI6+49d6dk4ie9QdNpJ0C35DmlbsgyPgStl0fYMJtyQsfmrH5lFXHUJNS1Gow3 H+EE3f2WZLx6/YNR9dyS =LnMg -END PGP SIGNATURE-
[SECURITY] [DSA 2839-1] spice security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2839-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 08, 2014 http://www.debian.org/security/faq - - Package: spice Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-4130 CVE-2013-4282 Debian Bug : 717030 728314 Multiple vulnerabilities have been found in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2013-4130 David Gibson of Red Hat discovered that SPICE incorrectly handled certain network errors. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. CVE-2013-4282 Tomas Jamrisko of Red Hat discovered that SPICE incorrectly handled long passwords in SPICE tickets. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. Applications acting as a SPICE server must be restarted for this update to take effect. For the stable distribution (wheezy), these problems have been fixed in version 0.11.0-1+deb7u1. For the testing distribution (jessie), these problems have been fixed in version 0.12.4-0nocelt2. For the unstable distribution (sid), these problems have been fixed in version 0.12.4-0nocelt2. We recommend that you upgrade your spice packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBCgAGBQJSzWHvAAoJEAVMuPMTQ89ECeMP/RKh+Bulij5HYH8l9VSvud9w P8Gavk71gDVe82bGIwrzTe5/TiomsecoyS+0Bha8pVymtQT5pigTReZDKKlRg5Ht 6Vo2YyMadoZr76g2js5AEgVPsZsx+ASj0PtdLGm6zl6czVuYIyAoUSRJKwHBkClc B9latcQcWppsVvfxhz7kG205TNqB9xxyo+yMVUxvW6SmwQ75jQyOubVP2hwQisZB 2Cbf78oFulJduLrcQRYNF6r9cb8+F6JX7H3w5GzpWjqbXauGtZgU2aQFmweCTPUY u7GxpwUgebZyeWuI8uqbzcu91cVtRD3o5yyopNtQgGBGORXmn6h1jvxwirFEiSy2 DZC5UljqOdK+SrPPdjPlGfB1oF8xhchJyVyYIsk7Ge8ouR0BJDBGYJPCqTeGRCkw D5TQWC4mRtyIC+guZnm9BK+o6aW8DRte5OqBNA2iMsI06hTyMbHOnpUMJnSKKQQh zDFuhN1ZFOmfhBXbHC56+zk86zvBXTE/vUv1gRiIrqWzgrWOods/S3e84z1BNF3s r2smYSCD/JgXHH3M9FQ7315C0E7GAamNYYpgVeQJW700Z6asuXUvusLA/Q6tpkFV 7TkFl8iouzd0Ao8OB15FdsdjMAEpP8vlxuoQOrzcd7llio9O0JlDmai2TENTMv9v 0gO6v7k8T0JTGZvW/CZF =odYS -END PGP SIGNATURE-
[SECURITY] [DSA 2840-1] srtp security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2840-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 10, 2014 http://www.debian.org/security/faq - - Package: srtp Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-2139 Debian Bug : 711163 Fernando Russ from Groundworks Technologies reported a buffer overflow flaw in srtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), in how the crypto_policy_set_from_profile_for_rtp() function applies cryptographic profiles to an srtp_policy. A remote attacker could exploit this vulnerability to crash an application linked against libsrtp, resulting in a denial of service. For the oldstable distribution (squeeze), this problem has been fixed in version 1.4.4~dfsg-6+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 1.4.4+20100615~dfsg-2+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.4.5~20130609~dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1.4.5~20130609~dfsg-1. We recommend that you upgrade your srtp packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS0DBmAAoJEAVMuPMTQ89EDZoP+wX3KQU/9dnk67ngLC9c9asr /i/zUaerW5rDG/pQkf94VAER+qac0TMZXN17bZzEvoui02lYU/kcSqNrmWx02J1C +nzi3X8+BwcZcZnUYbpv4681iJDKOOcEsM8pNvQjavhiNHF78wL1QNstbMbv/HHT EB8Q+eP4EJOmYwnHthOeT8yeDMQMlpsGtdXShvJe/LphtFBZn9WqPNnvoQiI0kVo b2yWLtS+7UdeWSEgChoKnBx7pUVR/Eyyl9ncuHA3qNc1wWrIWAGVIanqHN5GJl07 KTwYn+dPrln/YabbhZASwU7Re8tSARN/mFbvT74xqjJ91EgTyHY82N0G0XAo0wxb XCnOfN9oWsO1Fr6W1VnQyJ795wLxlAm02TT7gj/So17WM9MK6Xy5Fx7a/PwUwz8T EqoB6xuZLdlVzGc8GeDL80sBhZ4VGgrjC7dxhTMfyU7tDCvrxaHeuDtAbGrEZIb8 VTVPyN/vB3kCCEyRWWoY2q6GWH21iRNGLhKRoqb4zsMebwFBsfWYaGiL5sGyATzD YmgT5Q0HfoTboQBfHSzZRHDNWFBVUOfY64Ut8QSiE7hFySjxrNqxctNt1OQEZZGZ juMCd5GrXRnfkIPS/iIHoNWcg5YCjc1pEI/MbeSSQXA75zJI/HVOKJUSm6uTQ7Ar xumHO0//mQ8zM/zWYSSG =6Cvs -END PGP SIGNATURE-
[SECURITY] [DSA 2843-1] graphviz security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2843-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 13, 2014 http://www.debian.org/security/faq - - Package: graphviz Vulnerability : buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2014-0978 CVE-2014-1236 Debian Bug : 734745 Two buffer overflow vulnerabilities were reported in Graphviz, a rich collection of graph drawing tools. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2014-0978 It was discovered that user-supplied input used in the yyerror() function in lib/cgraph/scan.l is not bound-checked before beeing copied into an insufficiently sized memory buffer. A context-dependent attacker could supply a specially crafted input file containing a long line to cause a stack-based buffer overlow, resulting in a denial of service (application crash) or potentially allowing the execution of arbitrary code. CVE-2014-1236 Sebastian Krahmer reported an overflow condition in the chkNum() function in lib/cgraph/scan.l that is triggered as the used regular expression accepts an arbitrary long digit list. With a specially crafted input file, a context-dependent attacker can cause a stack-based buffer overflow, resulting in a denial of service (application crash) or potentially allowing the execution of arbitrary code. For the oldstable distribution (squeeze), these problems have been fixed in version 2.26.3-5+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 2.26.3-14+deb7u1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your graphviz packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS1F2EAAoJEAVMuPMTQ89EWBwQAISt7imnmeVUWImsvIT7r/pa WWoN0n8/MWvkyjEmBKHDETbh4sN+7J6Ri7U03m/aK6jJ//Z+uAbYi7GRAOwf2xV0 qyw0xcHlu4G0Z+ECZyXZ+2+vXFV/1D5+5nZpc47xqGhudd0IQQ2JstWwOAHmJmyi gYN3qsfXW0i3uhBAaZjnfhxfymoq6y9OMRUM7KCNABB+/uBJ1VbZfvnGsTUDas0x lvK1RyPnm3qHfEP9M8OS1DZWo3CJDuNS1CxJAaPvoGZwSzTCJ0UxuOEp6dTDWfO6 nCE4jfKtoJvzAHZqJNVuY0uEYUB++1AEyu9g9uFxvMaDMS3GxMh9kaihKl7SspR9 YXjtnzburBcBdDsbrCkXsyC+yxtW+h1GqI7F6lh9oT32ap3FZsP9zukUP9z/JL8z rY8T9xKiotBUw6nlL8aaPBBEXPEDNGGbAiPDriyiAhPPYxoZI24IjYlfcjS3ucip LqgTGttnboymyYhyVIQNkNxhB1Nu+OasYN9zwmiBvmncjSB5lAIQ6B7EOWMMqV2m z/ifZHMbt4E1BIvCTG6mnK7BmAxFHKIkQdEPqxQ59x+uzJbtaiIsi/fS5v2GXJhr Pk69Jjskt1t84pLqujbPqtvS6P5fatfQLILWFTTa+PSTNJ3TzlhRtwbMXwRgcbvi +6lL8C17nOZb5lIyB8BP =9P+C -END PGP SIGNATURE-
[SECURITY] [DSA 2831-2] puppet regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2831-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 17, 2014 http://www.debian.org/security/faq - - Package: puppet Vulnerability : regression Debian-specific: no Debian Bug : 73 The fix for CVE-2013-4969 contained a regression affecting the default file mode if none is specified on a file resource. The oldstable distribution (squeeze) is not affected by this regression. For the stable distribution (wheezy), this problem has been fixed in version 2.7.23-1~deb7u3. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 3.4.2-1. For reference, the original advisory text follows. An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system. For the oldstable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze9. For the stable distribution (wheezy), this problem has been fixed in version 2.7.23-1~deb7u2. For the testing distribution (jessie), this problem has been fixed in version 3.4.1-1. For the unstable distribution (sid), this problem has been fixed in version 3.4.1-1. We recommend that you upgrade your puppet packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS2VDIAAoJEAVMuPMTQ89EJDIP/3s1z5/F0jY78IgzvH4smp9z XJp7zWClZgRbHP8OdRPaEFd5EGVfaWR+Utvp0c68fY5dqKsTWGePg8E8PayDYItx 9yABFBfTlorbThWSbd9wLJ4XazcdsAzA4GvFB5VqVoy0DuqMq9un96+F+D/wlngN awnBSJCt+BDEoKrUee6YMVqeHFlMITdC/kYbs+ZkuaQ21YBhO31En27jtE69DrHU HWq5rCywN+0IDpbkJ5RLkGRlya1pGW+j1pSXLyj5tGsOSclZzItkbvoJb0053VnG fDc1Q920ZRplOn3GXvyFkdjLEbTg2JcSVn5veIX1OTZ7KwT0Bp6n+iyqa3j9FdtG fhY78b92Eba7K3hWHhddN72K4mXY0y5W4DDOoK1HLWWo1oq8g+pUSHhSj/WVfFkv xEgJRSb2bsiEiwkMjAWwQGUjuhpna1/nQIiwKayL6EPcjuIa6k0mdgr9+DnHUEZJ Rb1WWyjaRs/15/6Jxcx7BsOy/EpgSq1mvwsLI8nZE4DSHSBj+BGnDojJ3iLXTSL2 yvxZTLa2iCm/+CsLMQTVRvJylxE4Sn7aelOpGPrfdFUBI9YpTmgcDJ7gQ8qcr7Tx Zi4efYc4j89t87U9APIS1uNxSarEULYsNF8V31JDqWR1N6Y65viaH6Hrp9Le3eqr XlcH6Q25UYFJG/57YG1M =aCWc -END PGP SIGNATURE-
[SECURITY] [DSA 2847-1] drupal7 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2847-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 20, 2014 http://www.debian.org/security/faq - - Package: drupal7 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2014-1475 CVE-2014-1476 Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. CVE-2014-1476 Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it. These fixes require extra updates to the database which can be done from the administration pages. Furthermore this update introduces a new security hardening element for the form API. Please refer to the upstream advisory at https://drupal.org/SA-CORE-2014-001 for further information. For the stable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u2. For the testing distribution (jessie), these problems have been fixed in version 7.26-1. For the unstable distribution (sid), these problems have been fixed in version 7.26-1. We recommend that you upgrade your drupal7 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS3aWyAAoJEAVMuPMTQ89E5dIP/jqGEGwV+imuSDbtZ5lgRY/+ IulXy6UkE9mtvO7o1i7TULJRQ+fC1QcMcukctkYEufhChDHMCoYw8vmcVr0Vug+C zVMdaETRxb+YwCnlGnSkpY80GKRE21BaTzUPrYbDW/Hqtzr8qH5/eEFPWA6wfB3C XjnUgZGPd7d44r4wXINbSdE66gtfHzvlfvM3QdiceVqSgR9jVcV5e1Wf0oG36tik qGsQJ6/nukUIgYxVSVx89xhFUFCgYtNzq42EB4p7nc6Zo6hYePuC0tbWzpVUD9jH kQipKkdnq+vnU1wYbgQ5odY7RGLenlGGDO1mQA4jXbGUEofQEOjS2jTznozSh8/m 8Qv9pfXkGhcIb7SFNjKgnDBL/6gua8vQwKwogeSVOxBRVuSGLXloe6w7kMqOoCu9 CE4zqIJPyISG9YRkEpkwB+o1SlVIYeIWxzrnjQkYxhcXAutPbCSF0iGTcTXdycPG /hQkh6rmCdZfUaCfPfgIobdp++8gHv/mmBbKtDUJl20I8hy4Yxq1lBdJoxTQ3jcp uGM00sUgIw3Nvxe34QS4zNmLZAyhiY2i6MYjEDyaWO4puoyp9ntWw6GSKDk9iU+3 MX+6oiJ5W/oqDWzVtfntOkYRFR7+GLEPTXrt2Ip64BqseOPbUEhhB0duDzc+yMjZ 8OMRqxQTnQI7VTAXvWmG =lAm7 -END PGP SIGNATURE-
[SECURITY] [DSA 2848-1] mysql-5.5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2848-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 23, 2014 http://www.debian.org/security/faq - - Package: mysql-5.5 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2013-5891 CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0420 CVE-2014-0437 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.35. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-34.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-35.html http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.35+dfsg-0+wheezy1. For the unstable distribution (sid), these problems have been fixed in version 5.5.35+dfsg-1. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS4Tb/AAoJEAVMuPMTQ89ET1kP/1XFwa9nlAU1CUOVZc5kBuAV EgQVQRKpfclCqZ1nKpxb5oNlEkU8EyT1JRmQ0bK9Hwqt61hBIbt5S3aKnvWyA+oC dGIKBeaLbhbRcPGUiDbF2eSiqh+f+QNAypoc5cDDlcQBXPA667KNeP3on0ZUts/m RY7dzJmrh013TDdhaKvUxq86lOZgUxwvWAtjJjnEzKMPSM9d3nueVtKwge/H4YJh KULTysQa5MAAQmKQ03mkbKRbBZ3UKo74xwgGeKctFLsysKeivY/WQSFPBexnwBx+ ZbU1XK3t5zfVyWLkSzL5aqKchFWxmTGnMSdEnRmz/zotiSeLTsT8KErdtREbu5zP 3Ixe9PtpgLoJ6QRDiJUVNrZTnSJ2GOmDHMAtWUhqLYzGjKviM1JiqdVusOpzvODI Go8XApADvUG5JrPO1oZR+1CfcX3RaYWJDJQbwJ7s9uU9ATIc+y5HWUkGGRES8CBG iMUJDe3Wwxic/wS2r/SJkBlhINHy7CrOzGic+blF3+qXcH4R5qcCcfGmQ/EmKpqo nC2mfqCIu7mnQq7VrmGbEJOdohm4g43iQz8Dwckl9aTYuu+vG2UzTYRKUhx+jLhZ e4PGso/Sm5X4nMgqo8GEEqhO3z4VrtWrsH0NewSrfn8XYz9hyMd1cQgVjV4H0M7u iWdDB6CHFSSuL7O919Pd =AfR1 -END PGP SIGNATURE-
[SECURITY] [DSA 2850-1] libyaml security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2850-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso January 31, 2014 http://www.debian.org/security/faq - - Package: libyaml Vulnerability : heap-based buffer overflow Problem type : local (remote) Debian-specific: no CVE ID : CVE-2013-6393 Debian Bug : 737076 Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. For the oldstable distribution (squeeze), this problem has been fixed in version 0.1.3-1+deb6u2. For the stable distribution (wheezy), this problem has been fixed in version 0.1.4-2+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 0.1.4-3. We recommend that you upgrade your libyaml packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS7BSkAAoJEAVMuPMTQ89EIUcP/16A9xfaagrDXKn2+FDi4S7+ wXeDpEp0J0n5eAAepEJ3DQmHLAk5hNZLUgvoXSQurzXR3lBQ0vyybCaztH7aOZd2 cYHKu9aRPWyeBsAB6mB4aHZM+FoGu/xHLZL8uqNlVtb4SNQdSmcKB8H0SFKFJ+Nl CU6UMtiN250DDkX+LBuc6Prpu2xonu/hBZ7FaElbvrGSTyjvt3sQBWqckG3ilgJb L2cyDBlptWF/+0vzJ9Q7g5xMVNL+d0oT341OpLPGu0eP8Nz4dxSqIFTK/v6nTFPR 2ngKg5zMBb2plxmMhronLspzx52LVdZmAx2TGBlCLW67i8SBG7SCCKoq3RAE5wBw nk0pV3O2fWjrHM1nkcWmht2hNtvdggKhIUUDROg7QfvATL2NVXW1qZphYH/v9YXy M17W2/4VFKfsZSw9yZKOtUnSY6LnTp5i/nafz5BTh57Gd5Z9GczVfQYZ6b0Rc95O uslDBfwNYAu4gffSDR6Umzuo8j+74OzFJu4bZunZFRWzYQ5Xa5GtovNjY+j0uf5l 1iTVDUMrSvbzHng9gd9iW4kueo5lEI5bhmcxK7dM4XLoSOhYuvH/qYvojvxNnPM7 1AwZqfMoJyMryB/R0QT3osoCEOtQw7yt+2/HpwWcCmLt6p39f9je3n8iOEo3RMMW cESz6UblNfsUm5n3zYPi =6Zgd -END PGP SIGNATURE-
[SECURITY] [DSA 2851-1] drupal6 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2851-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 02, 2014 http://www.debian.org/security/faq - - Package: drupal6 Vulnerability : impersonation Problem type : remote Debian-specific: no CVE ID : CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts. These fixes require extra updates to the database which can be done from the administration pages. For the oldstable distribution (squeeze), this problem has been fixed in version 6.30-1. We recommend that you upgrade your drupal6 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS7qNRAAoJEAVMuPMTQ89EYqoP+wUL/5MNsjxndj/ospigHtTS GzPc9HGxU7FYHKn2b8+rkdpXrbHer1CV+tO8aNj74oEf7ogfpq+VnPxzfyUkTt+U q11pYx5R+mAfTbRktMcQJDCxKvwfd/nwWSCnlDNHaA8YlvPmLIPHXlUR5NEVJLAy aixManZInNlkwNxLmBoC4vuy8boa5lD3iV6YzQk61utJsgshLytVZIxAnA1hz+kl GEwubJHjop0j4Aqc8hZYvHWjJYHoNANYGAT8TRZ2fhgjkNEqKbooU6BME1MxxgeI 9hnB7xj37tR2T+p6KVaNIg3zeM1LVrbqKFALszkxqZFgpIIaesPGCLAfn0UCCqL1 vMHW0G4mzytL0F8hG11XbW3rJCkddleIy+2nKur5YA5dkYINve9GhX8MWG40wxXc RQmou8HbFQcQZ8X9aNmWb1VMBnJkmw5M4ldp/J3vceRvPbpTer5a0U/0637AmGgD ipe9Zv2JahhEZmbT+stdC+3YH5VXeUB6BQf0/xhbb01XYFT7c8FAe3z0vwKaq+6Q S6OzU9TzscX6NVIYx+KYSDinlsocv5yatDBttucBRr/NBvUhLQYmTQr5g2STZmEZ Hlyob+PKW49Fax8qVmlilSkQ9A9+D7C7eskl6nmS/CFzfLaHsj+EDGEU6sSp67Jf R/h1N5OfP462uBf1vXMG =D+VD -END PGP SIGNATURE-
[SECURITY] [DSA 2860-1] parcimonie security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2860-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 11, 2014 http://www.debian.org/security/faq - - Package: parcimonie Vulnerability : information disclosure CVE ID : CVE-2014-1921 Debian Bug : 738134 Holger Levsen discovered that parcimonie, a privacy-friendly helper to refresh a GnuPG keyring, is affected by a design problem that undermines the usefulness of this piece of software in the intended threat model. When using parcimonie with a large keyring (1000 public keys or more), it would always sleep exactly ten minutes between two key fetches. This can probably be used by an adversary who can watch enough key fetches to correlate multiple key fetches with each other, which is what parcimonie aims at protecting against. Smaller keyrings are affected to a smaller degree. This problem is slightly mitigated when using a HKP(s) pool as the configured GnuPG keyserver. For the stable distribution (wheezy), this problem has been fixed in version 0.7.1-1+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 0.8.1-1. We recommend that you upgrade your parcimonie packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS+o1qAAoJEAVMuPMTQ89ETXcQAJEdl0FJxcIn9/da5PrFYSav b4dJ4OfCWWGdhiLh/REuSeDFUvjQJrgWF/2LaEi6Hz22r9W8K3mZc8ZMnJgvcudn uqS1Z6LUI3Y4xwfh+mdpG5FbdXX4xxzB5EJ1I7+4hXo2YiqtUNAbsZJqzh5gkF2/ cd+RMoOHG7yGMx9jmc3c766hN8c9+wK2Nad2Y7WyRC6l4AWSg5pqWfjMcYh0GXc9 ANQPzS3b+ajJd2RNtTNM05rShq0ic1BJ4RZJjfWthzCWj/3tkYjiLxPrUpuUYqa9 5n6Xq8Jt+EWhCv7P7R0R+VVhX11Ywt5JyjJwTbF6DWrjqwLIc+4jHb3Ww44FZMgK +ODCq6zU3PsIC/HCqfk6YhCa/2MeO++mtCYBVdu6Px2IE5cFe8/ubH2j2rxusyX7 m0ZWopXvLIJgXzTyDwH5M1c0N2wUkLlhywi33z8ySk0yqZnM0rtiAIvGsBsBkoNx DjOJfRSJAmmIGf+7iP+QcsK/ULgt8rvNR2s2OZOmvRoe+Qsp56wYpazDYkSize1f a/PNMA5i9tEWXAm2dL/j/Lg8hL+txxPnluYAyzm2galn/hne/oUlivOW9T/RP4e8 8QOoTyurEukp1/z1SHRMj0bkG2W1ICOnoij8J4NPzdtJ+trMj1ZlMZAbT53X3HEO iqolODfCHkE/z33xBdeX =aX8i -END PGP SIGNATURE-
[SECURITY] [DSA 2850-2] libyaml regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2850-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 12, 2014 http://www.debian.org/security/faq - - Package: libyaml Vulnerability : regression Debian Bug : 738587 The security update released in DSA-2850-1 for libyaml introduced a regression in libyaml failing to parse a subset of valid yaml documents. For reference the original advisory text follows. Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. For the oldstable distribution (squeeze), this problem has been fixed in version 0.1.3-1+deb6u3. For the stable distribution (wheezy), this problem has been fixed in version 0.1.4-2+deb7u3. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libyaml packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJS+zTJAAoJEAVMuPMTQ89EuPwP/3fnkxZLkgdy++jOKsR1XYwR S/GYbdJT8x5xghudJoUyi5JiEMpecaDhaayDPbEOjl/BJXO2nwxRdxMk5aaQLEYP kOSBwKgI2SOVi0rCzr0SbtMHv5VQ3+L5f4s4aGiU8R67tITTf3++pDId23lpaMmy FzS6PZSJLgj0mw2YbnYU8eaYky1s0itMX6leBsvXpNck/d0cvKMBn0HJ1DMKEB/A wVq1q5DErkmLVJRjOW4hhe5AayQNV2nXdufzOpXNUwld/bDc2924i0lNKaHHgix9 KovQYbc9uJWLxIyeN2iVPomX3eqNRdMKYfHWYR40sBt0BOj0YpcGuXi4ZYztpaY/ YlZjaGPCWnIKTcuX9a5tlswPDNXSKjlZW8T4vqDvKFXtBzMz16S4AJzjDJvY2btk UQWsppf9Td6yEDZcD9w0aSBkQrV9bX2sFn0xiDUiIpgeeGOPPw1LQvW0xVbNaqpy Fp6N7d4YimAdwfpPT+RbTuF/unLPtpEQru7xWM1mLdtO0dHRqGbExsY758Bad0Me bG2zYIFwlMFDzDM79mgm3CPreqzRxYanlS1iiNbf0mlj/3LixH5JrNJLkHHXK7g/ 01qqc3ZbY+s+CbVB/tbZ1WnB4b6/L3w1U1uI0//wku1w18xO1RLj/0fcWp2xfHaR ICQuHEzKHquT6INOeF/s =xHlV -END PGP SIGNATURE-
[SECURITY] [DSA 2861-1] file security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2861-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 16, 2014 http://www.debian.org/security/faq - - Package: file Vulnerability : denial of service CVE ID : CVE-2014-1943 Debian Bug : 738832 It was discovered that file, a file type classification tool, contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files. The Common Vulnerabilities and Exposures project ID CVE-2014-1943 has been assigned to identify this flaw. Additionally, other well-crafted files might result in long computation times (while using 100% CPU) and overlong results. For the oldstable distribution (squeeze), this problem has been fixed in version 5.04-5+squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 5.11-2+deb7u1. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTAMYgAAoJEAVMuPMTQ89EPNgP/11eRauizW+E7pGfWAHuem5s IlNcn3sygrkrxz8uts6l51plw+FCfrGyzRVnZAvTDkDWqkRP8zGsEK/i+Qv/Su9M 2zn0vvovYwunlxoXSax6MqO29jZ1vSOg2CvFAcwCB7kXPSKmw3oWU9Cg3z6pjR/h Tuc0bbQzxp8ztx5P7rIzJqgsaGRhKA+qBhRl2sC9iufJOiJfDn+urI0NOvgTrhxV BNsB14pKXJodXVS/qexsKip4PpEyB/MJRpaXnWkXahe5KmAMsCXspYev6+Nni5BZ BaNk/oxzG9NP21MJOWViI+tGTkPkMWCGMJtaP4iuWjgYEKNUvXL0aO8bsoxbqV39 kKHiiEQdy4a3gii2bYBxJJC92PXex5eI7Dx948xeZKJGHopIqUggovIK0uTP8vsI f+ZaLB7Ul1Vf4FdhcCBEy3S1vZ40nREkOCx/u2UVecSCNmKpbZxnoDpS7kN0w28J wUVFNRVNOEq9ml8L2IG4GFEMlphsfRMDjDwykjp9T4MhoPu5uYHArKf4JM4qcHyt 2HO9l+kxaoHk0umfP3tWozEHGFXpHnyNj6zxUU4//qeUI9UiXUWnJOlv69VbjjYB 7odV735kuGvEyEllLVOH9p2sRZU9N2TR07aSS80/uoE9RV7GtAvFc662zyVzITkW gDJIsrUMBJJB87Sjeig3 =Ixdh -END PGP SIGNATURE-
[SECURITY] [DSA 2866-1] gnutls26 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2866-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 22, 2014 http://www.debian.org/security/faq - - Package: gnutls26 Vulnerability : certificate verification flaw CVE ID : CVE-2014-1959 Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default. The oldstable distribution (squeeze) is not affected by this problem as X.509 version 1 trusted CA certificates are not allowed by default. For the stable distribution (wheezy), this problem has been fixed in version 2.12.20-8. For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in version 2.12.23-12. We recommend that you upgrade your gnutls26 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTCJpIAAoJEAVMuPMTQ89ENKsP/0U5OlOKscI6S77zSumwwguJ aGxspTy/1nt72SOHPXht5+K8qb/pK3EbeDQHW8YJbumTmBvetmT39/jBSRnk/Zv2 RbqvtCbwWsDKbAc8GRzLkQmDgOm5UYaddwuqNqy7fflfeY41AZ+oa/9q7YzF+02q NhISglKhO0Ncew9zO9b0Lcn+lFei/qTNi5vXM0D6/4lPU3Do22H+Z0BF2bhKM/+D CeOxp0ay5uVzpWfce+R4zM1tSd2boNjn9IV9q428Jv5X5jYN8OjXw1oiw2ugAJR+ I0fJuzDRSijBkS4Yv07j+LFxVsd/qOmbhusXGNbVvjXAyawZ1OsvG6SeQHGt1hyS QGm3CCq88NQcJHPm5uWsB0Dke9PlN9kkf9tg+5iWSOJKKNi1tq2J6fE6csDBmeOS +XRax940SKwlEt4OHOw07stIdamtzW158M+9bcguuhcxnuJdGdwB4KyePnCIpHjM 1ZqpFu+Kq6cH9YA9KDqXOpELhPgFBofcLF/inV8q1KfGda/zsxGcQPd8el1hcUM5 9RZsqbpKwRMzftzHrpFHTjlbf1LD7hv9TGaWCaHQwMupkkILRKLjfbr5hs1dBLFi ROvurcDVxCDVTsg95i6n+NU8MgpL7Y/XIKLofD11d7zPomHiyqjS67XfPb358x3H vqT4zksPENR45BKtmi3J =smH4 -END PGP SIGNATURE-
[SECURITY] [DSA 2867-1] otrs2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2867-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso February 23, 2014 http://www.debian.org/security/faq - - Package: otrs2 Vulnerability : several CVE ID : CVE-2014-1471 CVE-2014-1694 Several vulnerabilities were discovered in otrs2, the Open Ticket Request System. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-1471 Norihiro Tanaka reported missing challenge token checks. An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to these missing checks. CVE-2014-1694 Karsten Nielsen from Vasgard GmbH discovered that an attacker with a valid customer or agent login could inject SQL code through the ticket search URL. For the oldstable distribution (squeeze), these problems have been fixed in version 2.4.9+dfsg1-3+squeeze5. For the stable distribution (wheezy), these problems have been fixed in version 3.1.7+dfsg1-8+deb7u4. For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 3.3.4-1. We recommend that you upgrade your otrs2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTClzdAAoJEAVMuPMTQ89EkjoP/RbBPM2R1xYqnVkV4Wf9njsJ IKTBGnER1miZ6PlDq6YCxKNkWTLBfflLf4AvpkX7kH6Frh19o6FJYxQ1/qvESfJh zuuOT2fi5b66C2XhYXzsAJ+0fCcnCJSrBcWB8vwhrCqICptwp4TzIQ5WAzBRB3pL cA/DRM/UgT+jZXb68cl27zOJL0D9E8MnOpSImrjh3+Sz3dgeG2UOmE8ZLcaGagDk 04dS5LDEOGRwIjC4+vKU113M4KWW5waP3PgChwBZwr3rjYFo69pZT619QYxoP70g mZtKem30AHBFflqDhhN4b5POtRGpq9WLH3iDNK7RO7DyeE2gs+QN5C5w6Anw8IgH 4ePu4gWwru4F3lCu6jRc06MKqxy35tJLZvcsQY/IOKhV3e1YxfmOuNqEk0VqWCEG rWwOrNaAcRGBE9FFLYsCSFCrkbkrkb/BP6Lz7QZrxRUhz23M1Qj6SKJr3zPX9FPc yCaKn+zhC7tW9gub7Ko0KPv4e5IQJBaBVnnx8ls2c71PQi1RZ9A6a2sdMi8Queir 3fzGK0+pxBcqX1OHHlU3/ScVAAZRBGvLcL8CY23l36wIJ0DSEfnkvQtIVlhk/axZ n40aczl/oAYzU4WmR7iESAA0eNYkUDiR3WyT66Df5Ipq0WXOk8P4826/fhkmM94J Qi2eEVijIJqIo/HjZ51Z =/RNB -END PGP SIGNATURE-
[SECURITY] [DSA 2868-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2868-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 02, 2014 http://www.debian.org/security/faq - - Package: php5 Vulnerability : denial of service CVE ID : CVE-2014-1943 Debian Bug : 739012 It was discovered that file, a file type classification tool, contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files. The Common Vulnerabilities and Exposures project ID CVE-2014-1943 has been assigned to identify this flaw. Additionally, other well-crafted files might result in long computation times (while using 100% CPU) and overlong results. This update corrects this flaw in the copy that is embedded in the php5 package. For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze19. For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u8. For the testing distribution (jessie) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTE4OYAAoJEAVMuPMTQ89E9scP/2ELpBpznx8xj8Ffb4v4fvH1 Q0+Q/OAEsDE9fksB9Zz63yI6Teq1bAzCXcDWyFyEcI8NQoEBm9DViNEJDcgQ7Ru2 08U0mCmNyhD2SVicymAtMwvM3PiMMUAVrS0taXJJK7GBtgGr58DFRPzMZJt+B892 JerdIW6PFXwyM8Bx+1T+67n0RbEF9B6DuEEDKVIjioapGGr724THcMQsbZABg8xU N6CfE7q3hSGfm9hE4lsh+BTtcg4HKLOzxi4mPDaLNErx8FPDT8BlSc70yPrrPwmu +6VhHCstuQ+HO00gBa6XuY5jAEnVkGCeToRFg+DEaETnHspV3DczFlCZlvvnb90m N+jNbd0N5VVMbiIl9ZebKNd6ofLtGxp6A1dzAYufaUNIqDWRUVe4DSTBu6qX8ori rPVXFqmMogRCWL5GYSOU7s5j4/UovkSn+A8smwdrMwhrLAwa0XalJWcASlgqdVTf VAMLyWm7qLT/0XbbHlojDbjXciEK6yPhRF4cif82DAXd79zOLEZDojiRS8z1+sbD 2gz8QCR+bJ8EFCHAnBBWUxbmZ78dwqdVZocXKij8UMvQpsxMKSOBe6kEvmsBTiu/ uEsxk5sbktMz0ns/hfpRlYmsy2WQti5OoWc/y45TtttMzKNU0tk+lnSpwCVuL7MJ YQru+aqScOFb3et8iLV9 =/aN/ -END PGP SIGNATURE-
[SECURITY] [DSA 2870-1] libyaml-libyaml-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2870-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 08, 2014 http://www.debian.org/security/faq - - Package: libyaml-libyaml-perl Vulnerability : heap-based buffer overflow CVE ID : CVE-2013-6393 Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. This update corrects this flaw in the copy that is embedded in the libyaml-libyaml-perl package. For the oldstable distribution (squeeze), this problem has been fixed in version 0.33-1+squeeze2. For the stable distribution (wheezy), this problem has been fixed in version 0.38-3+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 0.41-4. For the unstable distribution (sid), this problem has been fixed in version 0.41-4. We recommend that you upgrade your libyaml-libyaml-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTGxHlAAoJEAVMuPMTQ89EbtQQAKD9QG9kNJTuFl0P777wSyAR gQzzFjOGPP+p9Q3OWewXK2Xfk6fb6eBRk2vI3TZ63XD3KPPebhfMvRGHILp1jscI hab6pHbp2Bs6PcX+ahEUfVhnv+7J+RxNEjjl5RWMIznUCM6G5tX4xjAbaKTnAUSZ cbGHc3agtNXxQLGdW1eLedIZjWqVtkPQ3q7UbGl8dXbP8s1XWc0N+LJZDskFYfUT /99qX122gFOpNPI9YGuosa+I5J0LWCJz/+qN00wx5K5uipsV52wgR4Kq+xMLV545 A1sPTpNiNkOrIvXQiWLP6JrLV39gb0G09dBCn6veCmhiagBvkSY5A8/wWphiG9k1 OKpwqYp1rFxWEpCgImU3TqiZutIM/yKopJPa+Lz4ZAb6yI62411hati7f6gqdYk1 GU3cJsPMQQ4Xz7Uj0po2gZ76UNo5skYsdOdunQv3foWDVoRNkHB1BbTsrQFBUD3u zbih3vhLmK01lvgNYDTyhJodtCfRJumMn6o0zaWBEYOVpD7GzwABxECyDwSe626D bs8QXWPuK5DaJ/XkntmswRkeJ3NBsGVwaZUszmTPCLLX/XEPDQls1yuYnPCUvo/4 +hNTlkEwpzW1x1G1Kpd7m2j7KsS6xpAgnt90B0RHPrTtS63xEGIgk3Z5301yxzcE OjzJ2ZxxdRIEU6fMgC0W =fvig -END PGP SIGNATURE-
[SECURITY] [DSA 2873-1] file security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2873-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 11, 2014 http://www.debian.org/security/faq - - Package: file Vulnerability : several CVE ID : CVE-2014-2270 Debian Bug : 703993 Several vulnerabilities have been found in file, a file type classification tool. Aaron Reffett reported a flaw in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. When processing a defective or intentionally prepared PE executable which contains invalid offset information, the file_strncmp routine will access memory that is out of bounds, causing file to crash. The Common Vulnerabilities and Exposures project ID CVE-2014-2270 has been assigned to identify this flaw. Mike Frysinger reported that file's rule for detecting AWK scripts significantly slows down file. The regular expression to detect AWK files contained two star operators, which could be exploited to cause excessive backtracking in the regex engine. For the oldstable distribution (squeeze), these problems have been fixed in version 5.04-5+squeeze4. For the stable distribution (wheezy), these problems have been fixed in version 5.11-2+deb7u2. For the testing distribution (jessie), these problems have been fixed in version 1:5.17-1. For the unstable distribution (sid), these problems have been fixed in version 1:5.17-1. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTH3t1AAoJEAVMuPMTQ89EmTYP/Ak8+mTumYv3xlNXhvUstsBN IAFXKVn9fDQj7zpLgnoZwW5qAVCCg6leh4C5f2lCRgIVuuPBkmfSOeUjnIY6Vg/S HvuEUXoVhJ/HWCGu5u+t7KrggtH6yUIgWIN8CM++Ufivid2W1V8AFuqgwuSmbudf Yc35lq5AUy4VHuk2kDhYzUvlUf2UCjEQe43FAIe1CzyjiSXiKWIszkPo6TZjOxIf 372ZnjrY7f+aPsW4B6qkytPgYVnmym08urs8yzGH0RQF3Nmx/hk7xaR5xkdsKQ+z 868H3jQZxJUf6YxCb7U58aeVEKwDHRo+u6W3TxwRTyaNreQCK32KJODw7/AQsASP c5A4Sr77Tl+IXDx+zkECFQWt35qJtBL1IIyhGNbVelr8EgpsrhHMnv0iWEKhmweM Sf3czFYd/r23s24HGFosQkYcx6VicvvRodqFLjNZS9vCqe3e7HJ6wBygDjjk2vw1 UXOz46op1g3b0MoSEI4ihuXn7xzhb523VPePZbAOyn8bH89zagWm6V1nQ6jsLQ2A m/NctoEbUYXXHd09ur7BSUVEE/196rsutH39e+Ms7tzoRBgUBaXPuzcyzYgngz/G BZ3dLz8JLuK2nTW9h0pL+NGexNO50o/wKs0I9ON+QTL6m4Md7Ff1dDowUOdBWpDd 1MZF2p4X9YDoBVTtek+n =Wumm -END PGP SIGNATURE-
[SECURITY] [DSA 2873-2] file regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2873-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 24, 2014 http://www.debian.org/security/faq - - Package: file Debian Bug : 742262 742265 It was discovered that the recent file update, DSA-2873-1, introduced a regression in the recognition of Perl scripts containing BEGIN code blocks. For the oldstable distribution (squeeze), this problem has been fixed in version 5.04-5+squeeze5. For the stable distribution (wheezy), this problem has been fixed in version 5.11-2+deb7u3. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTMISkAAoJEAVMuPMTQ89ELnoP/36yaLZkAE2tjBgKXWDbqdv6 qWJblQJQQtFUjuNPoMN1FW/4w7qL3SfyhGKkcoWArP5h1yKAYhShOW55HaHExBDQ oZfSoxGo6IWN0FYsmch1LUMQnISv86m0B5xKmx7CRPyzxUsvJ4RdbavbSxHgs7LM VVVExcTUYh1D17pZQ0vj+daNVYTGt36zXZbVIJgvlT/BVcKQwxJz4jpvtTEN4ZWY O3+OvEfOEu2n9lzhxApLnaq7gG9u72Ak0vQeWluuRmCohJ3CsKVrbdkhNc+aCXYB c8xBI33ckEJb/01RDBIr0L1Ex1K2gMQV72QL3mXI1kF4BPPakVW4xhyKlGXGFlhs 52EWLKVREDncOpUeNQIuM7S9xjM0NWVWhwnORoHYD7k2/CXjZcrMYnlT/luKdFzu 1Aa62K7I5xMjQx6IaeP9mw3NolHxT9tToAJnsReTKbyl3hfs4C7zWb+goITritqE C4xuXwaTvZkwD1m60CpmPUV2jej9pwOw/XP5YWQXMroN+QkrUr4vFzHybK+p6vy2 0ucg5ykAEIUT0sB5LLD0+4pQpT9yeoFiFxd+V6aT8ixf52M0tBR8dN3gvf2X+cQs R7Tz1wM0f02g34zQFYrMMvmLSF5mIukeTKBLmXyhR5Dj2moOJ5+aLKhcpgRxAlr+ IG4G9Ljxj5Be2tuPQIe2 =AgWX -END PGP SIGNATURE-
[SECURITY] [DSA 2884-1] libyaml security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2884-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 26, 2014 http://www.debian.org/security/faq - - Package: libyaml CVE ID : CVE-2014-2525 Debian Bug : 742732 Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. For the oldstable distribution (squeeze), this problem has been fixed in version 0.1.3-1+deb6u4. For the stable distribution (wheezy), this problem has been fixed in version 0.1.4-2+deb7u4. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libyaml packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTMy+yAAoJEAVMuPMTQ89E1McP/1xehR/bgSW0FmyhpnPjG1rQ yXyr7yTsz0jt1fxlzcsx3pWUqNmm5VQ9JvurCNuzjD1Fwc3918xVAAD7lNwCCP6M xyWKeNTxx4Tq6ZwsmJ4soBvMryGhPNWFvhDNsTeZVuDBiDmUylR1J0vmPUfRdSBm 6iPi0Gbxh6nZcIssCmdfTR6oe9vPu136KROX2D9JPbRGotfIHu84Q80KV4OiPRZ2 lXZX3Mg7k74VztOxvzKSQ3C93acH2a4FEgXNtS+VnjF/U1ACeDEg3KjKXPPZmlYp ro3WFsdG/ENmhG7kE7t3yURUu9QRVTmXscazy5FnML+y3sbr27FPmw6cXo/ewF1y I71z7DKhIiW7SNcZobhKq54RKh9FCg3nVOMnb/iZK9eKZtZiwLmEALpq+ivaXpm8 WMD5GJQPVbzooQ4EUmsQlQ1UoZkXS5CPU5dXAGF5uZXAosaLYTnzFGEQybAyjRG/ sb2tn11vHjQ4wn8DCM+kyiDI03hI7IC6Prpuf7XiwXIk9nsfQXTFzBA78l2iJfCz UQgv01Yv3pffecZtosI4/DSvprX4L5enTn+zDQCnhWu//eFqqLtnUjwXuwORhN/j aW1SEmlD+MSiZq9lZyb2B1IpCJHY48h2WaAwJb5m7L9HuTFUJPkdqdJnyDQXw+1y qfFeeBmUxXFDHpxdSzGB =63I8 -END PGP SIGNATURE-
[SECURITY] [DSA 2885-1] libyaml-libyaml-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2885-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 26, 2014 http://www.debian.org/security/faq - - Package: libyaml-libyaml-perl CVE ID : CVE-2014-2525 Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. This update corrects this flaw in the copy that is embedded in the libyaml-libyaml-perl package. For the oldstable distribution (squeeze), this problem has been fixed in version 0.33-1+squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 0.38-3+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 0.41-5. We recommend that you upgrade your libyaml-libyaml-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTMzAiAAoJEAVMuPMTQ89E6G4P/14Qr/oZjfgcQBw2g249Vxho oNmieBsOvxgPvU+6kyrp7Zt+jIOzLSCWFVfGU8oQRjCHQRfNRHHKhGVq6s8u8/uW H9bXhFBqh4VfxaFkdEdw6SVKwR6eOOy86wx5Rziwy7EYVE45TlkdT7Z23EYO1AA+ k3ggzOx6DDeG5QKB0dAxoZQ+UuTmsbOSchuNQiRS6QyvA0KcUeZdICOOKUJTC/fH Cu61mLj5cjT+xGzRXlZP/vCh1rGRP6MjVtRS6kkDtoadcHzPI7ogTNSADqU6ox2I tKd2nGP163bBb9zvO2TJBM2j2HWCs06tXs79a1q9gAn78RxXfOTNW16WbivFX3Gy O4YBFBwtm5vwaa58jPFASxbpVidJbFtrS/h6vyzlieUbQDNSy8qbvqbmkAKEJdsK traApuNTNjAEvPLUQv8mIZwfbXEXU60N8gk/PSe9fBWNUpp7HdhT3okWkax8KXvy CTyKSODlTjzRsY17eSMcIU1X6bFxMNrv5fBbDHfiHwmFDixjrjVWOaL92+7usxea cj5Ns+zTrUDAE1xuGbYv2GX0Qhy+d8S6J01L54wjFivwhO3PvIRwQ1lpxFPhpkLB uZg1yAepheJGWYZXerHmvX+DEmIAYqTMJYD441jrECiZ7vLgpJ7ETuXrxk3+nZho GUUh3wY2FCUc6V/Iueih =hEn9 -END PGP SIGNATURE-
[SECURITY] [DSA 2892-1] a2ps security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2892-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 31, 2014 http://www.debian.org/security/faq - - Package: a2ps CVE ID : CVE-2001-1593 CVE-2014-0466 Debian Bug : 737385 742902 Several vulnerabilities have been found in a2ps, an 'Anything to PostScript' converter and pretty-printer. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2001-1593 The spy_user function which is called when a2ps is invoked with the --debug flag insecurely used temporary files. CVE-2014-0466 Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps. For the oldstable distribution (squeeze), these problems have been fixed in version 1:4.14-1.1+deb6u1. For the stable distribution (wheezy), these problems have been fixed in version 1:4.14-1.1+deb7u1. For the testing distribution (jessie) and the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your a2ps packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTObeuAAoJEAVMuPMTQ89EBqYQAJgxKiy7rdpDuREQT1P+qfKU 1N6HSTM64JofXmqbhnvzl3OZilVNDmBBz5X2d2AECMirEh3Pua5LuTsnsrvoxwya 39YA6OcDjbvYyKcOzK224PdavHXbDB/2vGtH0ZD8eVQs13CCaqTrAOMS7XlvJH/7 i+0vk+K6Lte4VaJejcEwONZFyU3OpYS6Mv4Cg3XBCofmc1aoa7MWTvrc9Hb6I6W1 ZmGN/+PdfkEzcD9E05MCXkED5MQ37sDUveGtsYR2zUGwYCNvXtRz1XHjZrH0MpAT Gr7wD+P+43W9U/zxx6JZCotTbm6Pf/1JLiMkNNFifN2b1I4gsc50sJHi4FKWZPuH 3xAGn2r7LpyS64YfIpZpeDL8HimUvJ1X61F+ps10eR5r3+ie8Mqh02GsjHSBiuCe v1Bd7jO+UfVbMiiRMusZbWuyKwVBFmTMg6W/IDydNbFxPomOHoCu7+iThuWFsBK+ to5gHf7KVe296avCSTsArNu6wtZvb3bk1pn0cP2goHA8xLR6N3Wq8P4O0sGHi7gY 85i3YG9DqPbwX4Rn5BGJ1wldvan+pkyGZWy4YeIYDQFmFq4afwgzBsKMgKKY+/5z 8XjLs/6jZeYMJgZA/8AKkAJ80S2AZFcecEzbCHHZ88MDcNF18/8iQHPADC8qoi2d pV4efGOmVB4tEc/WK6vd =tDck -END PGP SIGNATURE-
[SECURITY] [DSA 2894-1] openssh security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2894-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 05, 2014 http://www.debian.org/security/faq - - Package: openssh CVE ID : CVE-2014-2532 CVE-2014-2653 Debian Bug : 742513 Two vulnerabilities were discovered in OpenSSH, an implementation of the SSH protocol suite. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-2532 Jann Horn discovered that OpenSSH incorrectly handled wildcards in AcceptEnv lines. A remote attacker could use this issue to trick OpenSSH into accepting any environment variable that contains the characters before the wildcard character. CVE-2014-2653 Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate. Note that a host verification prompt is still displayed before connecting. For the oldstable distribution (squeeze), these problems have been fixed in version 1:5.5p1-6+squeeze5. For the stable distribution (wheezy), these problems have been fixed in version 1:6.0p1-4+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 1:6.6p1-1. We recommend that you upgrade your openssh packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTQBt1AAoJEAVMuPMTQ89EW6wP/16+vX4eonWhIwSikUV4YlRY XolJsgh/fnbADeNxB36jJYfBsHo+0+lFRhOlyy6KKT/DR5CvLYAhmd7cTdkAG7Jz glnnxdAcE7sTwOEwo0sAXuR7zLmf+R6I2gfhqCpbcekNVrlELaZ1aLPdy/hZKYiY wFjgEx5o7QrD6awm0I6xQvl6mOL4Jn3mbWY/GLl78kF6aT46HQqHfvf47kTnEnNe AcLSxGuEQ31g5rbk0ResapwHKrijvxi0HYYOCtapovLdDA6kPTO372ZjAtYWEcCh rfGlwGwJfrh9XxLP6qpnUsGdT6pfrzw3tbz4gmXGIceWGKsMwlf7nt8wc1apw9wd 8+SitIvj+2oTIo1Uq7e2fgf4U8H8J9QO3qW1xksCezIwsVNjGYfrRYJJ7/RW951Z YAvd4943+k6jc5rHCNXzU1gRmJuoVqbXSUMx5+2URDfrUwg4V7DayfP3gbVkolBl cFDpiikLwjtrRJxq/lzT6H8lx0mr+znSrTOpLdmCPR04dskavLgTtiwXfTKT/VgI BlTG7L323dg5b0ft8IDI3rTHZCyojq8sCddAsNjjiHjCODFduiNjk2fthcCroOm7 OX4UwW2jKJK97v528nOwi2gSU3O+p6057sBjJOvt8kzE4e78pKSGiVs2PW8qbN8c e795KU5lGqlsdH4F7cZP =LT3M -END PGP SIGNATURE-
[SECURITY] [DSA 2896-1] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2896-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 07, 2014 http://www.debian.org/security/faq - - Package: openssl CVE ID : CVE-2014-0160 Debian Bug : 743883 A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory. All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible. According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time. The oldstable distribution (squeeze) is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5. For the testing distribution (jessie), this problem has been fixed in version 1.0.1g-1. For the unstable distribution (sid), this problem has been fixed in version 1.0.1g-1. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTQxo1AAoJEAVMuPMTQ89ETBUP/0uAYS84ABbzCu16ZTHuCwk5 uVounKYCUbTVKxr/cTU8LzMbJo8Bhj3yQ47GUak6DlxzxVfsDXiEp2Q0/HV552Dm gIoFQ1VpsQlCrmKLI1bINN9FYq28lAsfoo9xg4qtt/XrXzBfW98mlrQji/t4GBk2 ZYuRZxSDmrdNBH9QHzEESFZa4dDznDs2ZRqj9TjrFc3UM3tzsA22DR5N0hVjygQH v/zud7A289u+cHG8SmnSI61y4+SCHcqHDegQhNmQkVBDL7M8Jsdgh8ocLsWQnn6f Fn63upGG44sh4MaTXSShNbJAcXiYdIBr0S6yjISxH49G28aEAgl//JsvgIS7zRua lvW/dYQ2QrgkBjixwLmPoggRaWjSUZ/pUrobVcPGkmXXIC2ee5YSFwEL3Lp/idOW 8u86A2mdVVVRmaP1xTRBKDzQ526T2JheulvCOBjWAk4APQDTd7yAaF4QJWr8SmCl CGL9AH2Rs+Y8Kt9jjXgz53Nl93DUMasSRtiQTBIanPGFokmyj10nmUw2XswZjExK 6Mi/hjFmLPn4oPZNn3q0ibFoFSoh8TNkvdlpAeUXeuVriOl4e246hitMaHz+1EUb oXHfSJOLdJRt/q0K7uOYzp7CwHILqPAohdDAG6QDFhZ+RxLo8nA8s4eALq75oHtV 7CY2KZqDzude99PH/N4B =G+xD -END PGP SIGNATURE-
[SECURITY] [DSA 2896-2] openssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2896-2 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 08, 2014 http://www.debian.org/security/faq - - Package: openssl CVE ID : CVE-2014-0160 This revision to the recent OpenSSL update, DSA-2896-1, checks for some services that may use OpenSSL in a way that they expose the vulnerability. Such services are proposed to be restarted during the upgrade to help in the actual deployment of the fix. The list of services that are checked is not comprehensive. For a more detailed check, it is recommended to use the checkrestart tool from the debian-goodies package. Note that client applications also need to be restarted. In case of doubt a full system restart is recommended. For reference, the original advisory text follows. A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker. This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory. All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible. According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time. The oldstable distribution (squeeze) is not affected by this vulnerability. For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u6. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your openssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTQ/sNAAoJEAVMuPMTQ89EsEYP/0u8fG6OS/RDFgaARZeEDNGc NfqSY6xcCRXxhgdxyq72HH0aU4TeYCTqMlD+AAcCLq8Y2hJ4hU/1rXwDlndgwUnj NS0lkrwji0tVfX13A0iRFT0xf60dAUISd5EfcjJAwmZ9e4hHqCGgaMNpezmy5tUl M0SgVptlxRaG4mISUeuHlvyMZ36bNwtEnnYL9vm2xBkMwzgotpcwDznrfbxRo9kx VsIkXD5tmyFzvhPOYikE4ROVY62HKpwssWV2oaHK6xKSVPSyqUvuNCzPTV8nh8PC Ndlwhqt1On4ui03pcbB5Ms2wPHEnu7IxJCci84P6XBH5XQ+dLTEmb8EIOsmteell pLRJUAyFoyAQAilgNw2A1fiUHJn58jLmLmW3b0ce9ZfrLcNtnpBuqHHuWZZLZij0 CWA8etYEmj8d80+ERqw0A3BpSxt5RKuKVLGq8iqypWmIlBaTBCJWwwp+lXVEvPbi 4JxPfo9NYnS0wzgZMC96PGAQq5Dw9yf9weV4PE2ZaxH3vHYNc+7DDmsUF44a7/qN rXKU6cliIs1syIT7q4Br7Xn9FNyfoY9cwhGintC5u20+8mewLnTDjmHUOKQJuXOo eQAPZOSgQZRQ+u40Hg93BXHU8dMkZ329huodQeR7RTlpPK3iM7lXxi+yd7bkvEwQ pkSzcpXQmGsZ3Vp9wC58 =VRqT -END PGP SIGNATURE-
[SECURITY] [DSA 2901-1] wordpress security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2901-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 12, 2014 http://www.debian.org/security/faq - - Package: wordpress CVE ID : CVE-2014-0165 CVE-2014-0166 Debian Bug : 744018 Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0165 A user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-higher role. CVE-2014-0166 Jon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie. For the oldstable distribution (squeeze), these problems have been fixed in version 3.6.1+dfsg-1~deb6u2. For the stable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u2. For the testing distribution (jessie), these problems have been fixed in version 3.8.2+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 3.8.2+dfsg-1. We recommend that you upgrade your wordpress packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTSaAGAAoJEAVMuPMTQ89E16kP/1qPSwTsXOAOcRW0si9TILJQ dJfqgQNhaUom4c0Z1+OtGVV7i0APlznGFCK2xX3KVyAGP9OWKbc+jiYAkGYmMskh 5+Vk4La4g8qrDQjc3D82q+dW8KgO8oPPCVX6nF5FpPcliMykCs6Zlx+XcGtgBmTM EnRs2fIA2dVWI/N1gV8+yOrYoU4ixUfWqUdI1qgn5r310JN0pVVYLPD/rwjUmj3w /m2qM35tK0+cpSpPbN+P0KJSucVGRVvZKsMIJF+lbD9jM59Ig2GWgLFIti76C7Sz D1kLb9lCUBFB/5qvRa76ljYLG/U1tQHNP8QqDddohHxm+nmyT6lMvFhYOH+TJBh/ Y6xFPaZLsLwQmz2T6z355C8itJhhdclU1gRmnNHHBCWe1LtJi52x8sLhotkSbN6T nD/K6iv/gwOal4jgHjeLo9vkepbOWI6cZ3uZpxnZScfTS383LIFJ8DijCEnu5FPx BJAb7HtQyYjCM5BJjzy0bP6b/EyHR49iuQ+WIAFhgiBkBqBON2q+ipGMgPs7EJBN mc1TfO9IYBBJJYbep4UDho4wOYhzR6308PBm5kRWd6E7D+K5otJkKIsL76iTHDSc 846Mo9bi55jrRHSCMHwzqTKp1bj4PTsAlY//bYTevyye6zSfDxok6951k0qVMFSA SV9zn6ftutk6v9J25cpr =ewsD -END PGP SIGNATURE-
[SECURITY] [DSA 2902-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2902-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 13, 2014 http://www.debian.org/security/faq - - Package: curl CVE ID : CVE-2014-0138 CVE-2014-0139 Debian Bug : 742728 Two vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0138 Steve Holme discovered that libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. CVE-2014-0139 Richard Moore from Westpoint Ltd. reported that libcurl does not behave compliant to RFC 2828 under certain conditions and incorrectly validates wildcard SSL certificates containing literal IP addresses. For the oldstable distribution (squeeze), these problems have been fixed in version 7.21.0-2.1+squeeze8. For the stable distribution (wheezy), these problems have been fixed in version 7.26.0-1+wheezy9. For the testing distribution (jessie), these problems have been fixed in version 7.36.0-1. For the unstable distribution (sid), these problems have been fixed in version 7.36.0-1. We recommend that you upgrade your curl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTSkcrAAoJEAVMuPMTQ89EJ/kQAI+bhYW6omGFeiXjY2dzZlJv oNrtpIiF73jwmQ35dKRbfNhl4rM1FHDoFN5TPWVN5nGdH3nxMmccsAUNFCz2R3z8 4L8qWGtJrAvwkUCYq8eVTVVlrW8G1wZgc/Eyzv2agenRgCuUl5YqqUd841ee2nGd BkDhnzASyk0iZL13FVWLj4jz7q/YUVh9+r1bS/gRKH2cGWjTgOthyUb2iPXUw37a 3/FMfTzj2n+1qbsTbTaP5HSIOX43is98PKbS0H+o11MOaeOxt2BAz1lM/Z/yGz+W eNnimJyM4dN1eUkhz8qXLkFVicBYp0ttYcUBDyQgQpE2IF29ULL4g9ZxeV0fraai EwbkoI5SYKeQFN3LQ8Q7iGqh+vyuUEkGXAGAnTrt/8xi0Gm42gMercYGHH6M/Qtq pGsaqrbMn793N8oSimiuhdbU3KN3UQo6fUYXzAqcjhnw1bdozz69ZWnuRo06j+yZ 87E8NrF+z1DkLba/e9CINAdGhFisu5LK5hS0mLLRk3MqoLIRe0AbmxsGwQRB2N3Z KGMphBKdcf/KiPRbqdTKzm7sDvjqiLuDfjxqu4BDIqZs5P/AHyETyeL6AgS2quws 0I1ufW452CdauJ00uHl7q0m2nd733bhuiHMCJ0boU+EQHJYLV0sj3U4vwGWRcIb6 8aoI57o9zT39JlGFWwbU =hzeM -END PGP SIGNATURE-
[SECURITY] [DSA 2909-1] qemu security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2909-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 18, 2014 http://www.debian.org/security/faq - - Package: qemu CVE ID : CVE-2014-0150 Debian Bug : 744221 Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process. For the oldstable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-3squeeze4. For the stable distribution (wheezy), this problem has been fixed in version 1.1.2+dfsg-6a+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.7.0+dfsg-8. For the unstable distribution (sid), this problem has been fixed in version 1.7.0+dfsg-8. We recommend that you upgrade your qemu packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTUMceAAoJEAVMuPMTQ89ER1MP/2u7L5p57jd00nMGz3Hj1QAG ZGQaunTpkvm6qasUSPfMzI3PyQHCErFg9Bs7nsj4AQMcZER/67TaE8qWn96eHO/S YSJum00wyzSlKGkwhFnvc8GbcTKyky3g59mS30z0Zzwj0Ogc6wWGb0CYJBuCQFcr u27RlC3Skdm+CgHBXrW5gsPGZXR4yfHcJctNA5nDoCyR9RKr+xtn9rOzO0aJN585 piACeK/rXHnlkztSVp+pROy1NhSxq1c5oYPJ/eLT7kfK7sHw/FDnzEARCz7DXrV+ NNpprH7K31336FtpSz1iBuwHuuIw8e92wHarMrA3gLGU+eTZLqEyG6jaNqHwV5K7 NQyN76MAL1XMr09Kb4rKIYAMPIZsUBDc9PGKoriI7S7g2wgOvSnr45IpAtl/WpCv GVSqsA+JVbil15vWEiOVVFLvaCIYxsW+fadU5EI5z3vrMgjXrlurHbGzoXgP44V6 3JfRi9EDI0Zs3/A4Y5DIpXRGslEcHdhZuzB0kRmZzU871+EHnmvayDduz0r6+grD RSXaqeMyiEt8lMnK9k5cx2AZrlOPMEC4EuRR7K/j6nr/l6+4u1xiQq6SVZNua1At yDxiFY6Jkkd9QRYr5VL/lowjHdTC7nFvj/56ZFpEMRB4wtCOv0LpC1rgjHnE2iTS RfaFtODKuUNyp8p7EyU5 =HXIq -END PGP SIGNATURE-
[SECURITY] [DSA 2910-1] qemu-kvm security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2910-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 18, 2014 http://www.debian.org/security/faq - - Package: qemu-kvm CVE ID : CVE-2014-0150 Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process. For the oldstable distribution (squeeze), this problem has been fixed in version 0.12.5+dfsg-5+squeeze11. For the stable distribution (wheezy), this problem has been fixed in version 1.1.2+dfsg-6+deb7u1. We recommend that you upgrade your qemu-kvm packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTUMc9AAoJEAVMuPMTQ89EfC8P/jmDbn79xiGo4I0VtzsHbh43 PxnBgJC/raHWJU74P6Fz9oGBro7CBC4QmzR9iC+NO1AnwOWgkhty0yRD3rk2ezPw +poOup4ByEihHc+pzPdMgfqUaYcsfP0Wa+CQfHFeh9i21Zp7666rZtEdlQrpy5xA Yb4Cy4WiFMR0Ih1KNI1jiHIqX6MXSyj01ZIQpHHDhRI5K0x7bDPaTkVRKE9nvBEi CdhkjSHwFzREMq+r62muwIk1mQz891HxEXNKSyeAvZS3oSFaa+sQHfDV/IxCiP+v F/ys47HXE+P1WeOzUhkEW3hM2H6gk7Kv87uxZx5pCxAJKbVgj+QXOKHS2oMxtrTe CYhsdqoKl37OBcE8T6K/PpUMrcw1fT81foKottB0I9VnSXHwj41hd6WhIiZAKK/R 0ofZQHoV54tvcvBu4N5VLuepgIlrOyf+BslSrtFgiB3W4F7K/djUCrnvlgxJO22z LMH73mHS3pM4EsmBc43dCYaQTTV/3xmWn6WFZYFL1hyKBuQUmoKSfeYhYUvnq+tm bCu+MrqeoxCRB052eQlPvriKWmkw4EfFOBc/zSD+h4f/OEhvYSmHzWqfR6MzWFA6 Lyyuv/mUzzGqBXuTutZJn7NVqtWneQ75xqAwy90HBI8Buld73OzuVm9ZHV+34Sjc n7S2AQXWYThCjqEUIkAI =G8ms -END PGP SIGNATURE-
[SECURITY] [DSA 2901-3] wordpress regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2901-3 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 21, 2014 http://www.debian.org/security/faq - - Package: wordpress CVE ID : CVE-2014-0165 CVE-2014-0166 Debian Bug : 744018 The update of wordpress in DSA-2901-2 introduced a wrong versioned dependency on libjs-cropper, making the package uninstallable in the oldstable distribution (squeeze). This update corrects that problem. For reference the original advisory text follows. Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0165 A user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-higher role. CVE-2014-0166 Jon Cave of the WordPress security team discovered that the wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies, allowing a remote attacker to obtain access via a forged cookie. For the oldstable distribution (squeeze), this problem has been fixed in version 3.6.1+dfsg-1~deb6u4. We recommend that you upgrade your wordpress packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTVLUPAAoJEAVMuPMTQ89EqdwP/3ayqSSOrZAYJSJO4U39wvUz +H9BnPCkXQmqB0jL1nh8VjDC6lm9FFcK+Nm04Kd2Ema1S2pjnmfj/rZ4ektKc2Bx 4gXX7NjfAGUt+cl+9Wl8KdUJ1a+N7jLkkRxNxEItQ9cradxMbsAHZl7+oLBcAjW2 l4Mj6eya8amumDHfVbe7a/+4ex1t6Jslk0EQPCRsDOrbXPHtctvzfX8LxBtfY/XH /ZZhXW6VsGKaZ2AfuM+tilYbPjTMqdvnCL6YrfiGStftdvlywELJw7Hnb1x9p83A E2FGcRsjCVuy2R5zvOcPIqJJG853t8wdRe3z+xfV/tONzUnuywa1GRm/c284d+Yx Gs8nW8+dtujIwSeGdubLwEOBc7HHvhk4/UPQpc3T6ricaupp2k42oLhB5kP3D2e9 fwNTFjULFVzrf7kfA8imroOkOPI5C57UMOTHrjdjzlPFAQC2DiUJx2UTtz/i42Ck HOay7x/0DSe5NrENdrVwZ558Z4PW8NBvrBPOrAXeJhdVzelfbpESaJoiM/lhUm0f T0o8H6dESm6rUlhxLxZoowTtOzg/qeduSdU7mhSGYhKYLplMv5kCGCak3z23UVGK CLWJsKVEf8lxOn/Rzd5z8o/wqrWqLf0uRF0xQrqCCzyplV9cZXNOz/oaIu64Ajo4 r5vIZoPqbIGSopbSOae2 =bnMQ -END PGP SIGNATURE-
[SECURITY] [DSA 2914-1] drupal6 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2914-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 25, 2014 http://www.debian.org/security/faq - - Package: drupal6 CVE ID : CVE-2014-2983 An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time. This security update introduces small API changes, see the upstream advisory at https://drupal.org/SA-CORE-2014-002 for further information. For the oldstable distribution (squeeze), this problem has been fixed in version 6.31-1. We recommend that you upgrade your drupal6 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTWsKuAAoJEAVMuPMTQ89E1hUP/RgYcJW/SmmetZOm8zTGT4Ky MoMWmXqVha0GAQ+H92YN+VMgN3PH3hiSoj3efsV90IrbL1YFLq4PEHJDZkqkqzfa Z13P9hdirqSLNboFFG2mMleqzYFzwnb/eZlq2gDOvClDuPlnUh5k9tr+K784vT39 SSgeE43BurSqSI7BL3dUaNkmxbh/J8Uy7nza/uqfHgmD8RmhLedtppq7XHzpTlOV NM30uKJakVdIcNeNAvY9D1oqmhyOJq1X3LUO6w6bQIJEbxa0ptKBUm4Q2HgEa5yK axWpbd3tj3oWiGlugx041DFPBbHsCCsnZWpHFEpHblPM2dU6x9Om7HUQIvj/KW4W O+04U0WiKEXcqZjFermI4ge3LYl5+1gSZS5S31SLDd9t2IZ4TGeJG47qLESyD/iy XyS0wwO8uKIxg6yf8DhaiClWTgj3mBarG4AQ3UjC21Mhpcpt8DMBlTSWFfumhMkp R3nY6FlROgXISjuTXpK0hFaIMYWbRHfwF5Sb5/8Bhptloptxd7aDci4rvsK921KN GNKxHp1RccKyr57cGsru8vEMYUQoSaTdJpqKElg8dTKJ2BNh9bUhs6HzlL3d2sq6 bZuTk28QNhrYrhvnSNhsze1izXE6Tfc2EiIk39MwkJrlMMIejPJ+7UOvcRllazMU Oo0mTSnjqwyxkWTZkqGz =8tx1 -END PGP SIGNATURE-
[SECURITY] [DSA 2913-1] drupal7 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2913-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso April 25, 2014 http://www.debian.org/security/faq - - Package: drupal7 CVE ID : CVE-2014-2983 An information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time. This security update introduces small API changes, see the upstream advisory at https://drupal.org/SA-CORE-2014-002 for further information. For the stable distribution (wheezy), this problem has been fixed in version 7.14-2+deb7u4. For the testing distribution (jessie), this problem has been fixed in version 7.27-1. For the unstable distribution (sid), this problem has been fixed in version 7.27-1. We recommend that you upgrade your drupal7 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTWsKlAAoJEAVMuPMTQ89EuQQQAIaTKR7e4si6wHYA7IK0jDgE KuukKyrRhWghAZSLTyvNoRAAGL+Ay9tTj67T5jtNQ5RSpZ9fMgb4Q/GPqpp/Lkr3 tkENeFHlGXszQFyg7JZ1KCc+rvNTncESWC0auad/kGNURdvWgpSvofuyLcobEnPV Ga6uyVFeFLfUfNZUWOQAA7ujHx4BtGXwEb+snJhyiFYVm8GhBfD0Viwzdn6AqLG9 mTadwarYjLBnvvOO5AInXpqGfGUDYrsv9UfbY1gdZFm2TLWvgj4ZRPPczbclms1f rXKl4SIsyFOBsPm1nfaZ8equFui+zOZjX63awqWHn1qY3tu0KWVom6RxdKmwrSHx iGkX/cLbHJFr2HxSgbbnQd4TmhcMm/5gJa103ZvLfMYbhugAGXNaPj+ffi4wtYb9 Z3TAB6LWEfrOUeoFCFLAmSo23JyhFIGHoC58FSEw0LmbePc+zP5vIbyEKAy1FE6I ia7D/ljfV85aloicbuoWIbdgJztlDx2oj4pYugJF1Xg9R2AQKtmubbJG//j+n3pV 2d1TxQye4hBijxDkdSwKKoezW/1hgplRLeyIVFEb/gwZyoyNQuVJCpr4UBKca+98 YBDjqsiFoLtorXnY0Nmz1i7h6VkR1qr+gT6tBg352wLCU8exLqBl+zBluke6TacX lYsr0BeDNSniXKQ/VGue =d/kF -END PGP SIGNATURE-
[SECURITY] [DSA 2919-1] mysql-5.5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2919-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 03, 2014 http://www.debian.org/security/faq - - Package: mysql-5.5 CVE ID : CVE-2014-0001 CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-2440 Debian Bug : 737596 744910 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.37. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-36.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-37.html http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.37-0+wheezy1. For the testing distribution (jessie), these problems have been fixed in version 5.5.37-1. For the unstable distribution (sid), these problems have been fixed in version 5.5.37-1. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTZKMTAAoJEAVMuPMTQ89EEjwP/RnbHaJeN9D/0HcqRjDFsN/a 3I6WlLAebdW9jJDX5y+ynJ/dMPx9uzQcmACmzYGl8LNbUaqGiCyiBhpVI0jGXzql FaPR79uaKtqEOFZIpw0a+fwc7J85/Q7kid6201csAWvij02gEkw07ddQP4MbZlC/ Z87eosw070HwJqVYEkZTaK+9sae+U2LhfjaLaXsRdphn5SN0f0m8vAKUggEmuERI GxXLSEojDr0GeCwlUgKiu7jbizmNOOBfHWm/0tXhsGev9vkWVv2va9Zr0J5gcTM/ B2NcGSPkbGmDo0qaltL9R0YA0nbM85z1h4ABkT8ckEhT7i9MHXfc4n2OWcB1uV3G K/1iFWD61nHPfFqXfoYMDNEAuykJnxB2aNnAWZfo59Er0kUCO/8cPLfwaoL6IUzO h/8xEtcHKvH7Uqx9Hme23z4oDwYoUVfcQQd08alEsA6FVU4JEuGXxLFiJufcs2bj G2kcLXWQDYe+w+qyLYtTKu7iHDxXbyksIcQ7mdAf9kPzSvB1SROojbuWQBjp4UQ+ Qrw/n72EmJj3fgHkJU1VdAS4OtNfdZLSM9vooTmJrp7tjIuXhAzFimDy7nuNbcb4 TtRSnSwrJ0FWoxk94uwggPK5XIoPQ7d0u6ohBXGkhQp298gIDnx+fsHvsslRyQss o4v6AdSgotKNV/oYEuyb =g7vR -END PGP SIGNATURE-
[SECURITY] [DSA 2927-1] libxfont security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2927-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 13, 2014 http://www.debian.org/security/faq - - Package: libxfont CVE ID : CVE-2014-0209 CVE-2014-0210 CVE-2014-0211 Ilja van Sprundel of IOActive discovered several security issues in the X.Org libXfont library, which may allow a local, authenticated user to attempt to raise privileges; or a remote attacker who can control the font server to attempt to execute code with the privileges of the X server. CVE-2014-0209 Integer overflow of allocations in font metadata file parsing could allow a local user who is already authenticated to the X server to overwrite other memory in the heap. CVE-2014-0210 libxfont does not validate length fields when parsing xfs protocol replies allowing to write past the bounds of allocated memory when storing the returned data from the font server. CVE-2014-0211 Integer overflows calculating memory needs for xfs replies could result in allocating too little memory and then writing the returned data from the font server past the end of the allocated buffer. For the oldstable distribution (squeeze), these problems have been fixed in version 1:1.4.1-5. For the stable distribution (wheezy), these problems have been fixed in version 1:1.4.5-4. For the unstable distribution (sid), these problems have been fixed in version 1:1.4.7-2. We recommend that you upgrade your libxfont packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCgAGBQJTcpOwAAoJEAVMuPMTQ89EAMcP/RAQrmwMUCRDwR/Xiz13sc9P w1xR0K2srs3WP/i/EcBn8rWJH+4CnoCDsOeTlyfD2e748FZD1JmKDNFsWxi8t7h7 f7LnuQARbKHbscGiGRe0NFY6cNMDgjINfjMhNZfmxfxWxotNrKvJNBBec0mWKJZT K70Nj0SLKOGQF5zsQQcLjnlzH+UfklQ8druT+ToHx0SiMobQOsV97Go32nTTuGEX R/V+XaX+AdOnJO9GPw7qWI1/2nmrw2E/nHdak3Q7yVICGCSCNGiUfursHVNKYEA5 CEyk3Y0K1Ydb0dycNbEOJDTMZJUE2Nbxd64EZ0zx+bYdxM1Zoyht4Dm8MBRq0FXI K5XZlf4D//TuKNvw5p4cX7sbRlO/guDtKhyvSgUKSIk1ELXSsuYwnU2Eb4lAN/p7 7GKJ+u6UXUO3b7Nz4G8mCqLENPyqAbSh7t0TB/GtZFfZ+VLSBNmuOa7BwnmlPg1J Vcl19w5ua3XkCP86CL4cnsGRycPyt/ml8LSuO3WBhHC1np4t1i/oCOIDYtEJlnRf 9FkN20dxqgc1zKDS7QdJof5q0PKOMjcJ5jUR2l+++BRO+0fQuYoqv38B9WMG7Ljd upRU+64CeljuEcZDYnRAqApRhmHn4Tu8AYP9lqoXIdY/Rpgqo4ytHq70QVeqq68s QspMgBVG6UVqa12tpy+w =cqfo -END PGP SIGNATURE-
[SECURITY] [DSA 2934-1] python-django security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2934-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 19, 2014 http://www.debian.org/security/faq - - Package: python-django CVE ID : CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 CVE-2014-1418 CVE-2014-3730 Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0472 Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() URL resolver function. An attacker able to request a specially crafted view from a Django application could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. CVE-2014-0473 Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. A remote attacker could use this flaw to acquire the CSRF token of a different user and bypass intended CSRF protections in a Django application. CVE-2014-0474 Michael Koziarski discovered that certain Django model field classes did not properly perform type conversion on their arguments, which allows remote attackers to obtain unexpected results. CVE-2014-1418 Michael Nelson, Natalia Bidart and James Westby discovered that cached data in Django could be served to a different session, or to a user with no session at all. An attacker may use this to retrieve private data or poison caches. CVE-2014-3730 Peter Kuma and Gavin Wahl discovered that Django incorrectly validated certain malformed URLs from user input. An attacker may use this to cause unexpected redirects. For the oldstable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze10. For the stable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u7. For the testing distribution (jessie), these problems have been fixed in version 1.6.5-1. For the unstable distribution (sid), these problems have been fixed in version 1.6.5-1. We recommend that you upgrade your python-django packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTemvyAAoJEAVMuPMTQ89EtfQQAJiAPQJLzcGCjp+zvp9JJywJ +/xkbwJOC5B3BDGZ9DOWRZwLSkVVLYA36bpGz/yFursKsTHqP0MshcBh5kvCC7JA uFdX7MQCTz2jh9YmEK3Vqf9Y7xihWBsVuBonVy0m+HmBPB/g34GZJ488XBZMK5E3 omvp0PF4q0+u7O8uE+fk2V+zwYy3HiQkz1ZBifT1Fwd5OYoSV6nXRhJdJbrvHxt0 0XTM9v9YjQLW90GOXUh5IZZ1sx+oF0sS3BHXWpPFVt6w8hZJADSBGQTujnq5rk7L Ph7iRctig3aeb22UToRE/g4OsPtrsSwFIUetg9NVQm41Aov0vlDkR2OUvOAQ8Bax 4vMyH64LU/ti2UjmRmc1MEZsuFkhUcYLUcSupXRYTBbwwHT5Vbbnw+AZR6sJUXPD +mUUp4y/DsVThJlrK0VyMcrpuUK2nCytU6C8VHLTncHj5GSTcXGKwCEyYxsfZCmt HdgEV0/GsObuU/qP86mShfKbWeI+RgKpm4bB9/j6yPu5oQkGWPGk5yd+O2QbRMND QHd4nq1fTZFxYDSI17V8JzAjNbwVsyrigDed571OUBQdTLHarWnh7B9Co0T4oC/b wxRZriEheqvvBnYOtOxAJcoSUb837ztLSCxX79lGAIz4fCKzEvDv+/HNeqdjqdhR 6SkVES2g4mTwHbtQy8Ep =7/zi -END PGP SIGNATURE-
[SECURITY] [DSA 2936-1] torque security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2936-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 23, 2014 http://www.debian.org/security/faq - - Package: torque CVE ID : CVE-2014-0749 Debian Bug : 748827 John Fitzpatrick from MWR Labs reported a stack-based buffer overflow vulnerability in torque, a PBS-derived batch processing queueing system. An unauthenticated remote attacker could exploit this flaw to execute arbitrary code with root privileges. For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze4. For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 2.4.16+dfsg-1.4. We recommend that you upgrade your torque packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTfxKGAAoJEAVMuPMTQ89EQp8QAJnp462bdRlyCSh0flxIxdnF m1TwK9I76qWhbxIF/f6uxFB/AF7lMkLtHzNPvfZr4GwNXNgcb9oTSf4vs1olccwI VfJsvt1vwaAhKjFmTiP8LlnAfL7LPFnOIs7yYVquLZ2pDOYlgOTQURL5sSSiSJ/H 8IjxgvASJMPLF/vQNTBOxOKJhqerloQXmBtHbYuMwglOx4c6K+d8mNTMlB1TO+M2 KO90E5PBq1gK3tJ02XXy4/ykS3bqBaW6U7IvEtzCC8z/yxoqIvZFQwdWKHDjB2wE a6RTzNUD9p24ShXLzabJQGD++H+3VnpECzj+wjh1sQN8pE/2KlzJoIiRfBsce3jt 1mzvMBIJNwhie5VKRqI/KlEl6C+AAMqAIvXORWhO9HYmTcdD8YFpkAF28cW1f++C xwr3V1WKXZQnFHEO02sLoxKXcCinHvTF8C55vVlxZO6Lng06w5Braun46v8i0zGy oq1Tu9kHF7DYsRaENStTBaeaq4SuVKzGxMtFN+HYZDAWxx1uRjZFyShr6BDup6im ROS38IgdV1cuE7v1wnk8YVzxxryao+JYQgItGrsgabC3ojbUEvpUIObMZ6wdyA5Q dMSl6qxQWcQMG5ANmSDmnCUbYXGB0ibL/jUUXOuZCQbcSPABnr+KoQ6BG5BUEgRY 290BbLzaKsviiMhHG0CN =rBXi -END PGP SIGNATURE-
[SECURITY] [DSA 2949-1] linux security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2949-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 05, 2014 http://www.debian.org/security/faq - - Package: linux CVE ID : CVE-2014-3144 CVE-2014-3145 CVE-2014-3153 Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation: CVE-2014-3144 / CVE-2014-3145 A local user can cause a denial of service (system crash) via crafted BPF instructions. CVE-2014-3153 Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. For the stable distribution (wheezy), these problems have been fixed in version 3.2.57-3+deb7u2. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your linux packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTkFu1AAoJEAVMuPMTQ89EkU8P/3XPmOVUppOUURzEK8T3SwrV wGgGE8Ab51f/bDaI7bzUlQ7q8SkMoPhYbQFYLVcLuMnkKOo4Vgdb5hRHS3BdGnuh UB/X3fzYFZ4NDy07V3LwvSCrTV3gZgB9Mf8HkmohDjeLkBgiTMgcW0K9AAJKqxKY 5vVkvhuufuDB3aX2rtTqoJmOv1kopQB0CI6ESQS2lyu0XeDDibXMAV6N4HIQkasu 5VCr/t6jRbjpBMyENeWzXsGKtllmnGwnwWzkvYg8cpFtZPOeyKtvUBz2a6WdT0u0 x7DLBTIvk7HudBwL9mhOYs9Av1rtnc1Ch9DupJL1XeOew+Bd6o4MXZxTlnJt70JZ U4xb09K607bbMhfTrxkaYp8UMEo1VjeoY3Xi+Qx7qbgVq6BUGko8n93fgYH19/uc q1l3ESDz0bNQneKDNgQJ3es7eVgs4Cxsx+X9R3PxTF5+eH3mtkmJRab7EIgyWYbe Y7JrqX59bMkFRbAHE+9LGYVqbXpBv2Jp3cpeAB0Z/XjGEQY8bRkIYRPE1gz0t+Yn axbkCyfLppAJ3TCnaDEQ658smuMh3donXLevPEN/dIVYzZtXRs32afRutiFysZJa 9azBg91Wi+vX+UDvAn334JnSaaD1OA0WRTq35tDulrZj3Zoo7y/NE6Fk1ibyL8zd 4FS2CjFBWKAMiALb3cTR =EgOI -END PGP SIGNATURE-
[SECURITY] [DSA 2954-1] dovecot security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2954-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 09, 2014 http://www.debian.org/security/faq - - Package: dovecot CVE ID : CVE-2014-3430 Debian Bug : 747549 It was discovered that the Dovecot email server is vulnerable to a denial of service attack against imap/pop3-login processes due to incorrect handling of the closure of inactive SSL/TLS connections. For the stable distribution (wheezy), this problem has been fixed in version 1:2.1.7-7+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1:2.2.13~rc1-1. For the unstable distribution (sid), this problem has been fixed in version 1:2.2.13~rc1-1. We recommend that you upgrade your dovecot packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTlfRZAAoJEAVMuPMTQ89EnisP/26H2tVdVc2/oTdtLLIqWsOX 66SqlmpfX0hwggvyJcMur6plkYkxFX+Ezrmapz7Qte+qnFSIyEOI8xLw+DloAsHg qsWlZQkLcpOixbY0Xk9fziD+Hm+bv/2DauDx7IGMkto5TSumZybJWK0gbWbFuWkg 4dUnU77Nl/VBJoChG1mxx918m1RUdYMCM5/tSxNGB8Eg/hN2oRP3tx35kjnZzr74 DAVbMTcp5I6uC4EhuEqGBiR05tkT4I4a5xJ1/hAO3jOXUjc6QSSu1qRGHhsQx7Am FYzaDDdSzqnj2Pu+aQuVMYFkWCDO65zw3avlOn5qPTiMzRSx1DmdUEJGIA6kGFyL gFu4Kew4U8tmsqPaCEV9YrhvD0rVGBzpTQGgc43Ud1Nd+RUN0sUpR2BM2eYKNt+p j/TH89ihdZE0xCct99gib20Qtzj2yv0FRqVeeIGXSaF2OXI/OLJOh0MHguKPCPIQ pj/+NV3BuX8uu57ogSGO+hm+kGAv+yaHi5bWpDpZpGKDKH1PtSi6oMPlUjubXZ+C cDORh91mFL8nFTcrMvYoSsRW6kBUsBI9uAeOhDjyPAolhADwzE+KJ2Ru1S3vtLyC 7EMccBgtS7W99CZPI+TIwAIlivnCgyBHhX1H7pwgjOaPbQKbVx+Qs6+xQsrCtkVy 4bWkR7B41Z0sAu7YcoE8 =y6t5 -END PGP SIGNATURE-
[SECURITY] [DSA 2961-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2961-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 16, 2014 http://www.debian.org/security/faq - - Package: php5 CVE ID : CVE-2014-4049 Debian Bug : 751364 It was discovered that PHP, a general-purpose scripting language commonly used for web application development, is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query. For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u11. For the testing distribution (jessie), this problem has been fixed in version 5.6.0~beta4+dfsg-3. For the unstable distribution (sid), this problem has been fixed in version 5.6.0~beta4+dfsg-3. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTn0WdAAoJEAVMuPMTQ89EcOQP/0rczSnIqKQs2hIl1s/zNudK ugpcxiKjHzNyNzY7qSv8uHFTZDUX1LGbBRMFtBfGm1f80hMjq0+JAGNOJCMP1e2I V0L7beyQ+oWz3RJr6XSnp5QfF0BTBLv3rWbuhWMDWu1e0s3B3KU5ubYuvjzDA+U7 mO8Z1eB+KnAMOKQnL2Arpf4P0UTOJXXh/QUaR49iS1+grSzAkge/aSNngn2OKs8V Pt05Aw+MDUp6AlUX6SnIZ4W2dZo4kVXgznb2q9k6GZt4J9bABemSdUDwia64Sr6C EI/U/Sd+zzfg4Qj6OBt5fIvgNgL43PRNGMBWpO2RQ2IeUQYKEqH7azd0e2ysLHr2 zEudtKKb0fynXrfDKWQAf6C42xEeSFqyiYxAysbmVPdfXsUxTKP+aU0aH72BBhAj sVCF1SZR2rirPO+WA/vp3NNyWNAkLpqLQJ4RQsK8k72a2xxodUS5a25vWnPODaFX EW+S1D/BNvwAPr+FKWwZHK7VPNQf7ZvmEix1loyXbeHvSFecs3k28Jx69FAu8HLC bvO2Q+VSVJ/2wuAbxl41BM6wfaJJSEF6mkDu0ki0QExvELMOzjdnDTJjLOMWe12p JQgnjduqD7BoX+lmCf65fru3ufy/fxwKUI2L2/mq2wqYX6CMaW63xVuYVzYgba3x mDUG1TVPSksHPNXUfsvw =dJZx -END PGP SIGNATURE-
[SECURITY] [DSA 2964-1] iodine security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2964-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 21, 2014 http://www.debian.org/security/faq - - Package: iodine CVE ID : CVE-2014-4168 Debian Bug : 751834 Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. A remote attacker could provoke a server to accept the rest of the setup or also network traffic by exploiting this flaw. For the stable distribution (wheezy), this problem has been fixed in version 0.6.0~rc1-12+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 0.6.0~rc1-19. For the unstable distribution (sid), this problem has been fixed in version 0.6.0~rc1-19. We recommend that you upgrade your iodine packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTpRRYAAoJEAVMuPMTQ89EX7oP/28EAYBKa3LxEaGXzasuhita vAWi8n+3fV18XMwpfk8XpQhWatXgxLqZzaB1+tt7YG7lGPQofwQm5O7EnOfFmiFd rgHmhoTEx1bJIk/qSGFuQnuHNrvAWmQyXjPo/ZofetP+54osTPtTCILzRclJ0Dcr Ju8Mlt4fNbIPYEBGCNdB4E1obpwrP7DewanHg8Ca6UrFiuXkCRHWysLpzpM1OA9p EkZYAa64cKbeYAYsWh6fsdBOiinOOrorXFgxTRCL7bWy7NTF8jXukhD8G4ITN/kR n+lUTx+MT/pRk53M6EnLnS9aEgyLCXytMxCod4yE57y+/G59q18mdO7jci1cMhKF H9Wc7xvY2STaLRtPxt7RED6V1Lbth6STp638dfO96TBwb8eCLSRu15Up7BTsTTIp cF57PreTSOFyBzonvH0Cs5zXEkSYVpkW+PBvC5K0jpJ56Hs1bxqHapvEtC89E7Zc BQ9OVp4Bys48Bu23HHg+O9xUu5sPJXHD/HVjCiCK9BLucsnJIS6ZfwBeDv4rSfZu WiG3Z0YFE4T1LuYteI9c72asPgu2Sa720i+Tqzpi4dULLkevHNPM8Dxtwo6fAHKn jiTw+FFrcjpyzklQ5wyLx1aDLDbDx2RkTkXtzTMz3GOxAakGznQ/OaBfQyiP1+cj AV7auTYO0B4jy2fVP3Hp =cOY7 -END PGP SIGNATURE-
[SECURITY] [DSA 2967-1] gnupg security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2967-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 25, 2014 http://www.debian.org/security/faq - - Package: gnupg CVE ID : CVE-2014-4617 Debian Bug : 752497 Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop. For the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u4. For the unstable distribution (sid), this problem has been fixed in version 1.4.16-1.2. We recommend that you upgrade your gnupg packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTqvKaAAoJEAVMuPMTQ89Ei1EP/RjbIo83jhQ0k+gbT1vTk5s9 5N//LKbRZvUDgns8dS7JYwFUo+YCmhcAtTY7iGPAwAkvREKvntpPLK+7kCjEZL6m 2KMCH4srKempLMAHxjgLcH/obNA3Y6QcgS/c7mSPoaw0BAYqOxhVWxBva0pRIx8P i6KT4n6dQ5bRnd+/qLJRuTNZNlBanBpTAXk42wD4LRxSFhMU5K7jILLcP2V/h4Bi X16KZj8rEh7LioQP2eQP3MMQjzEL1rsXM3AX4cIcTRLa79geTFNyjPJdOKlioO23 4lmTfER245GkNK3kKS8DxYKiGUa9JjKuXR37iUr/WPUUZfcOLVNTC/VufnDoXRYO 6a4ZYFI8piZfElIjpEILnAL2fUxBdXcDNIGwKM10FIypUUK9EHY8kmM8Oh1ILz7H oJd/ZfDrfECqGO7xeJ1OAR1mi/rrS4qXD4rkA6JD09GXwCty6uvzMuFI53k+ItIv lriTq3Cvwx5qmnitoOn7n/0l5GHhaMtGMu5ZkQx+cpfPPSLhCohnErvgmVLJ4qTd Gr7Dc1beFXdWAD6aH8vjBasksgym4AAK+PGWzzYjUBwFKnjyhuPzoDsua+xp+MnB UBcrWe60nJEP14Blg6QQBPJxUd93E9l0rjjFJWZY5MY55TnlCvZ07DfaXi/6C0Lc vCvw1DqrKHvf7tDZqylF =udZa -END PGP SIGNATURE-
[SECURITY] [DSA 2968-1] gnupg2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2968-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 27, 2014 http://www.debian.org/security/faq - - Package: gnupg2 CVE ID : CVE-2014-4617 Debian Bug : 752498 Jean-Rene Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop. For the stable distribution (wheezy), this problem has been fixed in version 2.0.19-2+deb7u2. For the testing distribution (jessie), this problem has been fixed in version 2.0.24-1. For the unstable distribution (sid), this problem has been fixed in version 2.0.24-1. We recommend that you upgrade your gnupg2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTrSUZAAoJEAVMuPMTQ89ExOEP/1Ycmnphx4Quq4BvlIFM8EbR vhH2tfBSUr4VAgik2AkGKOUTaci6qJLrs9Sf4lGnjobTXFn8+BitNiO3AFn2wIq1 eIqosXZxUflNquCvSyfxjid8MuJk7DOzSca8QENlTQfDKk+5LpWGfKM1I2dKSvOh Q4KTfcQU6nM17Epczj6eAUDqGdX+I5qPBJLTD5Cc+t9eOy2Erdaj+NWUc/lBDjgo oQDw/ytZLzI5AwJoc1dAtQR0pEbNlBXrGOs9p1+8VdZ4V7cNjkPJLtsHZj0d+M8o 0/4IsKQEM4Fzu4nrjTiiLDpf2+tYqHMtst9AzY0Hf1gaZAGA0Sdx5Kvts5zBSfz8 WbiKTZvvLqgkWUOdxqIf9/tT6tbr8vkuNPdtcBnvyIM8fb4MiXcBBbhG03fTgvpr f776rjk6Y3IWHp0RhNBn8Lep4YGExzyoKikTqUjQoHcMGVhCBtcAfTnLlCKc8IVz UPyp0gzv1GTrMeZq8riyLckBpBMTf0i8bEncK/0buyBwDevjdFGSUoBh+hsqtktV dUYNTLpSJoqAAbWCqytiPQ7A6VP5IyuXmUcn1vIFTV9gGFsChpIJFQ/Y298X6xM6 u+Z7NhZjcrvfGy+I7Hcv1q1tHQszdvPJZc46dFBKhpupKA+swvg3iG4FbTxNPOH1 kk6B9YFnYI+Nq2zzcyAr =7fez -END PGP SIGNATURE-
[SECURITY] [DSA 2969-1] libemail-address-perl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2969-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso June 27, 2014 http://www.debian.org/security/faq - - Package: libemail-address-perl CVE ID : CVE-2014-0477 Bastian Blank reported a denial of service vulnerability in Email::Address, a Perl module for RFC 2822 address parsing and creation. Email::Address::parse used significant time on parsing empty quoted strings. A remote attacker able to supply specifically crafted input to an application using Email::Address for parsing, could use this flaw to mount a denial of service attack against the application. For the stable distribution (wheezy), this problem has been fixed in version 1.895-1+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.905-1. For the unstable distribution (sid), this problem has been fixed in version 1.905-1. We recommend that you upgrade your libemail-address-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTrbc/AAoJEAVMuPMTQ89EdL4P/2QLmNtcvcdrx8RUoAa50J2e EagJVN0b5SPtj+jiBEQ1aF89Dn09dvGnhgDac0D2ADq3xAYX3v7Z/ss0wE1+IIf0 c9AFCtlVx5gzrNWBbZHnwksux8/KJowKXLPIu+C68WaZiPeuDpv7H6Nyn/HhgBnY 33Wm9HzmLg+EmvIXBC8jmY0ZEN86n4ax0NOzud79zmNpSjhN/uy1dgRq4BF6cZwt 7wv68y9ZiyKP+9FOsW3A81Zs5TZO2/xqZcZqTiC4YD1se5ggnB+/dYm4IGDe3HJ3 /uA8EhCjxSYE3VoSmcqtVpteko0t6+jBoF7zg0RU8z1ndwU5ClGTetst5qeTuHgm y6aTM87CgsHc2sZbi9sk5e7DSGSSapKPBIBduti5H1iPBVuvMZcNc4FsXeWa+wmt DOCpIz5mOCRRzeAQL73dt2y7nUG0tK+RMXtckus4kNOEEewkKcmlkI8RGw+ttyFt 4YBx0E4nE6Ya4R0swe37A+g0vQAf3Y2qJ/L29qNiL6YDhgtGuoJfg22SAfkJhzWK Qf2thkvRbLyo7dJCG2QAHqHHgdsEWAtvtTwIv8n+6Y9NJuY4P+SzQvp6AbXt85oS XvYp/Jd43XJlEnTvP32f4N7XME1PNPcHQKom7XKCCUsVt/ffYlS0AKW5iJ4eJUS6 D4JVJ+FBLDn9zKyW7FDH =ZR/s -END PGP SIGNATURE-
[SECURITY] [DSA 2971-1] dbus security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2971-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 02, 2014 http://www.debian.org/security/faq - - Package: dbus CVE ID : CVE-2014-3477 CVE-2014-3532 CVE-2014-3533 Several vulnerabilities have been discovered in dbus, an asynchronous inter-process communication system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-3477 Alban Crequy at Collabora Ltd. discovered that dbus-daemon sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service. A local attacker could use this flaw to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service. CVE-2014-3532 Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system by sending them a message containing a file descriptor, leading to a denial of service. CVE-2014-3533 Alban Crequy at Collabora Ltd. and Alejandro Martinez Suarez discovered that a malicious process could force services to be disconnected from the D-Bus system by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process, leading to a denial of service. For the stable distribution (wheezy), these problems have been fixed in version 1.6.8-1+deb7u3. For the unstable distribution (sid), these problems have been fixed in version 1.8.6-1. We recommend that you upgrade your dbus packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTtE2UAAoJEAVMuPMTQ89EH/QQAJlApEGPFhqUnkoH12Qwpluy f0tzw9luGd6GbXVm3IR8pBOjZgtC2ZGBUlmE1yN0qvcuuhOM0RTf3VICJ4vStyKp 2xUlmjv32y8G0KCBs0ckk0kNDApa7TNufbuuBa1EFI3BIe6V0TnEyr9oXaKicvuV PCUlaM81h13zDw1x2KfHsMWlJyr8uoM6PLlgicdRvtEJ88URBC9ZIieYXdK8rpsY rBiuE9575AxEPtAXV0FUSF371zKXg+ZR3zV4EocrI9liMPigIwrIoqhCTWXfJ0WH 0iLlhG41SLDNiBG/Hw0vlw8kX9/X+dlHQTRYV+qzSYfiBu4wfk/KRaAR0nPdmt+H ik28WCE5B7zyc7KImAgiruYIl9nfiVcJlJVCPav48x8Cij0+zf3tzYdI3Lo4jQTH /cSCXWs47U0Lsj0xMc8vrhRJq2NDybTJiAzeY929snNR5EBfBwmm9GoZfOlfkIPx yPn/TTX3u8N3SFcys0w9zHpL1lrdqZ8pJGTqErA+WlzcFLKMjGArpY1PxdJD8mAE DLkHWz7yY48WfkaDxfc0iscVqKUPzHsPPVedY31wDCKQjJR36lIkTmyOzKyBoKa1 AyYNQVTKGoxkRsxL/riD57/MprpTqFFHAtDGTw1o3ORZpXbqHnLY5A0QaZPCs3M9 l6ellinwf6MDWjEZ7CPj =gIUw -END PGP SIGNATURE-
[SECURITY] [DSA 2972-1] linux security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2972-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 06, 2014 http://www.debian.org/security/faq - - Package: linux CVE ID : CVE-2014-4699 Andy Lutomirski discovered that the ptrace syscall was not verifying the RIP register to be valid in the ptrace API on x86_64 processors. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. For the stable distribution (wheezy), this problem has been fixed in version 3.2.60-1+deb7u1. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your linux packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTuW7PAAoJEAVMuPMTQ89EryEP/3iUzWWveiBYU6GCWfFEqUMw 5BBcKFkNsxLbWWMXTpAShO9x1VPOQznddYA1qg5rMqvsNjoQFqKJN7d3tMjzYUi4 wVpYnBCsmskXHXYTlkr/43Iafn7v4J7796X6uZiUpvosqXJr6wBdqwo57KjL4IRc K0YlnmU6PrJ2scEEph/czP+c9o3f5MPGhw8YyHN0GFeQmLAc2JdrAZwKCD5Awloj CCH5Wh34km3v/y4HzBDeBeqxp8s610vre/+Crt4aD/HvAf7Dho/uyw1VR5D8vKHH eHvwVX9JYMAsDAuDd7j4xooTh4l9ts3NVivvLK/flFEj+1lLo+WEhZO+MvNt/lRH XOpHLNltAt7LHQZqh07RqJ/Ggf8ieotqiNSCUJJoJy+3FiVvSIvqYbsA0OmvbVY5 c97dxLJSZMjCnPpkMdn8Xh66HGznHbsmT436nngsoneejSpieViNRH4T9rskJylw 6epCTKW/aLbn2+Avju0b3H7s0teiafhWXfNuIk/q6tuu1WDYuqvhimxs94EVWtFz SynAiszxbjnOAGrvsy0EYM+5Kof/VUvPm2Q7supucXbcsVI3ffyEHKoqukAZhAs6 Lx4m6dYQQ3dzbubalFLBoklVqkIGV3+M6aXrLgdcGa+rRBee1+c4ZRXgHjKVAl2L dcifXWXUR3J/5gJbs2yq =Zy2b -END PGP SIGNATURE-
[SECURITY] [DSA 2974-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2974-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 08, 2014 http://www.debian.org/security/faq - - Package: php5 CVE ID : CVE-2014-0207 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3515 CVE-2014-4721 Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0207 Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_read_short_sector() function. CVE-2014-3478 Francisco Alonso of the Red Hat Security Response Team discovered a flaw in the way the truncated pascal string size in the mconvert() function is computed. CVE-2014-3479 Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_check_stream_offset() function. CVE-2014-3480 Francisco Alonso of the Red Hat Security Response Team reported an insufficient boundary check in the cdf_count_chain() function. CVE-2014-3487 Francisco Alonso of the Red Hat Security Response Team discovered an incorrect boundary check in the cdf_read_property_info() funtion. CVE-2014-3515 Stefan Esser discovered that the ArrayObject and the SPLObjectStorage unserialize() handler do not verify the type of unserialized data before using it. A remote attacker could use this flaw to execute arbitrary code. CVE-2014-4721 Stefan Esser discovered a type confusion issue affecting phpinfo(), which might allow an attacker to obtain sensitive information from process memory. For the stable distribution (wheezy), these problems have been fixed in version 5.4.4-14+deb7u12. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release. For the testing distribution (jessie), these problems have been fixed in version 5.6.0~rc2+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 5.6.0~rc2+dfsg-1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTvGOcAAoJEAVMuPMTQ89EC90P/RbqBCzbcPKK6S/9sQeSTuDV h3NpP8a9dYZRW0jOoycC0BwmuuO8JfJlUItD02wmiU4Yjjk64d2PDdhkNGKC7MQr dDOboHGBxdmjBrj2HGxDwvqx1soi652aLr8Vvj7w6nWuWZVKF6LyRFc6PLnCLAil RsjDe65+VTf/Ayymp6W+Epdx7H7z8uURRrsPg/kypDEKINSh+WedkW4G/XyQuGWL zBtCHHpAHZqn4gz1pDEveuloFQXmia9GsVH2wLWtZZurtxwLZgYCDuhzAJnNfUzO ihF2rA/8cgxb1808P50QqN8An05uvXABz6YCJPQusgZf/v27CP4xfpFDkDk9yll4 n1Jgw3b9Xui+5qi3VoH7qQ7Ho/scHmEzEs+24iNn5apx3LSbTTCAiThugLCqPzdR oIrOlw0dwFC0fKrpG5TzKHjjzKLpKl8+yjKb7Dudoj4ESh2cQlTT82BrtO+N8rRw 4dWYrt8yH77CFp9tddbHz96BS3bjSasGdBxbhA2Ta83puTo37YfR8xiEl18Wwa5B e1xwAkVgGKdeX0iEr/pqZg99rK6t3URdFKopfmxKnOodDQYu1ygm3GsuWIXtzoSH leAHHOMC6jvSAml3C+Fk5AdihdbT2BvwIySTzJhMZW2kHF4V6HlR3TyDJeSgaKQ4 +ww4LJZzcwUptYveSGum =+AZH -END PGP SIGNATURE-
[SECURITY] [DSA 2981-1] polarssl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2981-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 18, 2014 http://www.debian.org/security/faq - - Package: polarssl CVE ID : CVE-2014-4911 Debian Bug : 754655 A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS library, which can be exploited by a remote unauthenticated attacker to mount a denial of service against PolarSSL servers that offer GCM ciphersuites. Potentially clients are affected too if a malicious server decides to execute the denial of service attack against its clients. For the stable distribution (wheezy), this problem has been fixed in version 1.2.9-1~deb7u3. For the testing distribution (jessie), this problem has been fixed in version 1.3.7-2.1. For the unstable distribution (sid), this problem has been fixed in version 1.3.7-2.1. We recommend that you upgrade your polarssl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTyTxWAAoJEAVMuPMTQ89EOtgP/jQTbv+uZvjTH1pW9YWdRifE 1u1uqWvBhMySn/SpOi1M8gG8SbI0J3Zf2hhe619GWQTizIGyCsDf912j5EYMPZct U+4GkGZvH6JSREHFHgzsj4Y284mO6tr4gEmx053tx1JyY4ZE4QCDwVWjXUw/jl6e vi68m4vf/ul3Bo0oo4eivkAVewQf8zCf4M/nvpL0vKVRVzBaca8K9tEWNdN5vYvJ MfjF35k6QmHlx1ntr9QwwaUPvuzhDE83CXtdNqKHvIiu31Q1sH7fDWHb+2EXQnJZ qAa9a4Xz/cCNHNDYJdZKMqQ801b/FAE+WpMv/p+iKZJ+b8Qe4hi1jxnZFSCI8s5S IAOiyM/xETZGjqywWxIzU8WBvYVRWZX82wL01Pq0uNMhNpdLC1PAV0ayi//4z0iK Ep6O70bCAqxEUpNv71CWJdP/uZg38PCNiDgnV4Il6bXPVpW13l3nWzDKvQmLepdg 32CJ2b93HG4oB9dK5PrAAXsI4q9H0pJihF4oSzqYrxvtk6kN5QGszTguCWNh0zlg VGgejjww5zKO9vyJdaDoiCn+qBVL08FlTPEMBArulh3R+6D1ih8ftPDlZbNRVQXb FCPqqZRIeIGBMPGGwmaTMrlC3QGjhJILJxqu5/SpCqGlG+/90cYDrlOwB/9oXtNn uDyFK2A4oQPutCpJLH91 =/4R/ -END PGP SIGNATURE-
[SECURITY] [DSA 2985-1] mysql-5.5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2985-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso July 22, 2014 http://www.debian.org/security/faq - - Package: mysql-5.5 CVE ID : CVE-2014-2494 CVE-2014-4207 CVE-2014-4258 CVE-2014-4260 Debian Bug : 754941 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.38. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-38.html http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.38-0+wheezy1. For the unstable distribution (sid), these problems will be fixed soon. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTzrRNAAoJEAVMuPMTQ89EixUP/2cqn0LO3KluXxfLubv+bryD TwNguwPW2xc3UXNQb37gfJQn4kJh8dJm5tioh+VtvnN9a+kLiqCBroWL02Zx/Uz1 1pCdpOETMImdpTDprot3uyBEaOE17wit3NVA/zNREK+tA0LMnhog7bcbazVRBvZi VAEJ7wM8uelnG/tS+tM7QQcLcWmEYVJOULTdOqDoIut3e8nM2E72+x4Sd1t1gq9w lDy5s05OAEUuk5Cnrn11iApA/EyaT44hwai5dkc9wY3GFP5CdRuRrcSjHbPk68TI GXOSsIThD0T5aqcaYfCDuZb+HcEXx2TX1Gq8Kfr4sAbWu4Yp6iKtLDXzuSVJnM20 BN31TndDONsuG60fM8itFp2qeIcZSjUCXTSSRVIZ9RKPya9ym3bft33bkXqY+ttx sza1eXUIOAMLuXaQdVld2vyvqyDpjBOocG6tInSjzqE2lVAelo/O4SaiWTuo/eve FzeBOAUmTgbJhM+MZ+TBcgDcFrwxb5FTFFx+fKO5AiBfopR5iM1wKffI/60JT6/U fuuAzjjGmQVPi6bARsmGWOl5bdL7iIcIAHBmBAzDONgaJgjxamFW7uyN9U8q+iLP OqlZXIkczIPMYVjxYKqHtepKCSoECPlnbTxMm0oLwCfPN5mzIQUyY2LhPZ+qOTsh 5qf0a0mQ3NwSSfOIh3JG =Cpew -END PGP SIGNATURE-