[SECURITY] [DLA 330-1] unzip security update
Package: unzip
Version: 6.0-4+deb6u3
CVE ID : CVE-2015-7696 CVE-2015-7697
Debian Bug : 802160 802162

Gustavo Grieco discovered with a fuzzer that unzip was vulnerable to a heap overflow and to a denial of service with specially crafted password-protected ZIP archives.

For Debian 6 squeeze, these issues have been fixed in unzip 6.0-4+deb6u3.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

[SECURITY] [DLA 331-1] polarssl security update
Package: polarssl
Version: 1.2.9-1~deb6u5
CVE ID : CVE-2015-5291

A flaw was found in PolarSSL and mbed TLS: when the client creates its ClientHello message, due to insufficient bounds checking it can overflow the heap-based buffer containing the message while writing some extensions. Two extensions in particular could be used by a remote attacker to trigger the overflow: the session ticket extension and the server name indication (SNI) extension.

Although most of the vulnerable code is not present in the Squeeze version, this upload contains at least a length check for incoming data.
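As an added illustration of the bounds check whose absence this advisory describes (example code written here, not PolarSSL's or mbed TLS's own), the hypothetical encoder below serialises a ClientHello server_name (SNI) extension into a caller-supplied buffer and refuses to write anything when the buffer cannot hold the whole extension; the function name and layout comments are the example's own, the wire format is RFC 6066.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical encoder for the TLS server_name (SNI) extension (RFC 6066).
 * Bytes written into buf:
 *   2  extension type (0x0000 = server_name)
 *   2  extension data length
 *   2  ServerNameList length
 *   1  NameType (0 = host_name)
 *   2  host_name length
 *   N  host_name
 * Returns the number of bytes written, or -1 when the name is invalid or
 * the destination is too small (the check the unfixed writer lacked). */
#define SNI_HEADER_LEN 9

int write_sni_extension(uint8_t *buf, size_t buflen,
                        const char *hostname, size_t hostlen)
{
    /* 16-bit length fields: ext_len = hostlen + 5 must fit; reject empty names */
    if (hostname == NULL || hostlen == 0 || hostlen > 0xFFFF - 5)
        return -1;
    /* Bounds check BEFORE any write: the full extension must fit in buf */
    if (buf == NULL || buflen < SNI_HEADER_LEN + hostlen)
        return -1;

    size_t ext_len  = hostlen + 5;  /* list len(2) + type(1) + name len(2) + name */
    size_t list_len = hostlen + 3;  /* type(1) + name len(2) + name */
    uint8_t *p = buf;

    *p++ = 0x00; *p++ = 0x00;                          /* type: server_name */
    *p++ = (uint8_t)(ext_len >> 8);  *p++ = (uint8_t)ext_len;
    *p++ = (uint8_t)(list_len >> 8); *p++ = (uint8_t)list_len;
    *p++ = 0x00;                                       /* NameType: host_name */
    *p++ = (uint8_t)(hostlen >> 8);  *p++ = (uint8_t)hostlen;
    memcpy(p, hostname, hostlen);

    return (int)(SNI_HEADER_LEN + hostlen);
}

int main(void)
{
    uint8_t big[64], small[8];
    const char *host = "example.com";   /* constructed sample input */
    int n = write_sni_extension(big, sizeof big, host, strlen(host));
    printf("64-byte buffer: wrote %d bytes\n", n);                /* 20 */
    n = write_sni_extension(small, sizeof small, host, strlen(host));
    printf("8-byte buffer: result %d, nothing written\n", n);     /* -1 */
    return 0;
}
```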
[SECURITY] [DLA 332-1] optipng security update
Package: optipng
Version: 0.6.4-1+deb6u11
CVE ID : CVE-2015-7801

Gustavo Grieco discovered a use-after-free causing an invalid/double free in optipng 0.6.4.

For Debian 6 Squeeze, this issue has been fixed in optipng version 0.6.4-1+deb6u11.

Regards,

-- 
Chris Lamb
la...@debian.org / chris-lamb.co.uk