[SECURITY] [DLA 2263-1] drupal7 security update
Package: drupal7
Version: 7.32-1+deb8u19
CVE ID: CVE-2020-13663
Debian Bug: CVE-2020-13663 - Drupal SA 2020-004

The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

For Debian 8 "Jessie", this problem has been fixed in version 7.32-1+deb8u19.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2254-1] alpine security update
Package: alpine
Version: 2.11+dfsg1-3+deb8u1
CVE ID: CVE-2020-14929
Debian Bug: 963179

CVE-2020-14929

    Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do.

For Debian 8 "Jessie", this problem has been fixed in version 2.11+dfsg1-3+deb8u1.

We recommend that you upgrade your alpine packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1981-1] cpio security update
Package: cpio
Version: 2.11+dfsg-4.1+deb8u2
CVE ID: CVE-2019-14866
Debian Bug: #941412

A vulnerability was discovered in the cpio package.

CVE-2019-14866

    It is possible for an attacker to create a file so that, when it is backed up with cpio, arbitrary files are generated in the resulting tar archive. When the backup is restored, the file is then created with arbitrary permissions.

For Debian 8 "Jessie", this problem has been fixed in version 2.11+dfsg-4.1+deb8u2.

We recommend that you upgrade your cpio packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1759-1] clamav security update
Package: clamav
Version: 0.100.3+dfsg-0+deb8u1
CVE ID: CVE-2019-1787 CVE-2019-1788 CVE-2019-1789

Out-of-bounds read and write conditions have been fixed in clamav.

CVE-2019-1787

    An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data.

CVE-2019-1788

    An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32-bit integer to zero. This is likely to crash the application.

CVE-2019-1789

    An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack, as a result of inadequate bounds checking.

For Debian 8 "Jessie", these problems have been fixed in version 0.100.3+dfsg-0+deb8u1.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 971-1] nss security update
Package: nss
Version: 2:3.26-1+debu7u4
CVE ID: CVE-2017-7502
Debian Bug: 863839

CVE-2017-7502

    A null pointer dereference vulnerability in NSS was found when the server receives empty SSLv2 messages. This issue was introduced with the recent removal of the SSLv2 protocol from upstream code in 3.24.0 and the introduction of a dedicated parser able to handle just SSLv2-style hello messages.

For Debian 7 "Wheezy", this problem has been fixed in version 2:3.26-1+debu7u4.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org / o...@inguza.com / http://inguza.com/
GPG fingerprint: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 907-1] xen security update
Package: xen
Version: 4.1.6.lts1-6
CVE ID: CVE-2017-7228
Debian Bug: #859560

CVE-2017-7228 (XSA-212)

    An insufficient check on XENMEM_exchange may allow PV guests to access all of system memory.

For Debian 7 "Wheezy", this problem has been fixed in version 4.1.6.lts1-6.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 867-1] audiofile security update
Package: audiofile
Version: 0.3.4-2+deb7u1
CVE ID: CVE-2017-6829 CVE-2017-6830 CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834 CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838 CVE-2017-6839
Debian Bug: 857651

Multiple vulnerabilities have been found in audiofile.

CVE-2017-6829

    Allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6830, CVE-2017-6834, CVE-2017-6831, CVE-2017-6832, CVE-2017-6838, CVE-2017-6839, CVE-2017-6836

    Heap-based buffer overflow that allows remote attackers to cause a denial of service (crash) via a crafted file.

CVE-2017-6833, CVE-2017-6835

    The runPull function allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a crafted file.

CVE-2017-6837

    Allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients.

For Debian 7 "Wheezy", these problems have been fixed in version 0.3.4-2+deb7u1.

We recommend that you upgrade your audiofile packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 861-1] r-base security update
Package: r-base
Version: 2.15.1-4+deb7u1
CVE ID: CVE-2016-8714
Debian Bug: #857466

An exploitable buffer overflow vulnerability exists in the LoadEncoding functionality of the R programming language. A specially crafted R script can cause a buffer overflow resulting in memory corruption. An attacker can send a malicious R script to trigger this vulnerability.

For Debian 7 "Wheezy", this problem has been fixed in version 2.15.1-4+deb7u1.

We recommend that you upgrade your r-base packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 854-1] icoutils security update
Package: icoutils
Version: 0.29.1-5deb7u2
CVE ID: CVE-2017-6009 CVE-2017-6010 CVE-2017-6011
Debian Bug: 854054 854050

Icoutils is a set of programs that deal with MS Windows icons and cursors. Resources such as icons and cursors can be extracted from MS Windows executable and library files with wrestool. Three vulnerabilities have been found in these tools.

CVE-2017-6009

    A buffer overflow was observed in wrestool.

CVE-2017-6010

    A buffer overflow was observed in the extract_icons function. This issue can be triggered by processing a corrupted .ico file and will result in an icotool crash.

CVE-2017-6011

    An out-of-bounds read leading to a buffer overflow was observed in icotool.

For Debian 7 "Wheezy", these problems have been fixed in version 0.29.1-5deb7u2.

We recommend that you upgrade your icoutils packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 809-1] tcpdump security update
Package: tcpdump
Version: 4.9.0-1~deb7u1
CVE ID: CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486

Multiple vulnerabilities have been discovered in tcpdump, a command-line network traffic analyzer. These vulnerabilities might result in denial of service or the execution of arbitrary code.

All of the CVE IDs listed above

    Buffer overflow in parser.

For Debian 7 "Wheezy", these problems have been fixed in version 4.9.0-1~deb7u1.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 789-1] icoutils security update
Package: icoutils
Version: 0.29.1-5deb7u1
CVE ID: CVE-2017-5208 CVE-2017-5331 CVE-2017-5332 CVE-2017-5333
Debian Bug: 850017

CVE-2017-5208

    Choongwoo Han reported[0] an exploitable crash in wrestool from icoutils. The command line tool is used, for example, in KDE's metadata parsing.

CVE-2017-5331

    It turned out that the correction for CVE-2017-5208 was not enough, so an additional correction was needed.

CVE-2017-5332

    But as I see it there are still combinations of the arguments which make the test succeed even though the memory block identified by offset and size is not fully inside memory total_size.

CVE-2017-5333

    The memory check was not stringent enough on 64-bit systems.

For Debian 7 "Wheezy", these problems have been fixed in version 0.29.1-5deb7u1.

We recommend that you upgrade your icoutils packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
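To make the bounds-check defect described in DLA 789-1 (CVE-2017-5332, CVE-2017-5333) concrete, here is an added C example that is not icoutils' own code; the function names are hypothetical. It puts the naive test, which forms offset + size and so accepts a block that wraps past the end of the buffer, beside a form that never forms the sum.

```c
/* Added example, not icoutils code: checking that a block described by
 * (offset, size) lies entirely inside a buffer of total_size bytes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Naive check: offset + size is computed in 32-bit unsigned arithmetic,
 * which wraps around, so a huge offset with a small size can pass even
 * when total_size is a 64-bit value. This is the shape of the defect the
 * advisory describes; it is here only to show the failure. */
bool block_in_bounds_naive(uint32_t offset, uint32_t size, size_t total_size)
{
    return offset + size <= total_size;
}

/* Safe check: compare without ever forming the sum. Because offset is
 * checked first, total_size - offset cannot underflow, and no operand
 * is narrower than the buffer length. */
bool block_in_bounds(size_t offset, size_t size, size_t total_size)
{
    if (offset > total_size)
        return false;
    return size <= total_size - offset;
}

/* Typical caller: hand out a pointer to a resource only when the whole
 * block lies inside the buffer it was loaded from. */
const uint8_t *resource_at(const uint8_t *buf, size_t total_size,
                           size_t offset, size_t size)
{
    if (buf == NULL || !block_in_bounds(offset, size, total_size))
        return NULL;
    return buf + offset;
}

/* Constructed sample buffer standing in for a loaded icon file. */
const uint8_t sample_resource[16] = {
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x10, 0x10,
    0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00,
};
```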
[SECURITY] [DLA 775-1] hplip security update
Package: hplip
Version: 3.12.6-3.1+deb7u2
CVE ID: CVE-2015-0839
Debian Bug: #787353

CVE-2015-0839

    The hplip plugin download function verifies the driver using a short key ID. This is not secure because it is trivial to generate keys with arbitrary key IDs.

For Debian 7 "Wheezy", this problem has been fixed in version 3.12.6-3.1+deb7u2.

We recommend that you upgrade your hplip packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 757-1] phpmyadmin security update
Package: phpmyadmin
Version: 4:3.4.11.1-2+deb7u7
CVE ID: CVE-2016-4412 CVE-2016-6626 CVE-2016-9849 CVE-2016-9850 CVE-2016-9861 CVE-2016-9864 CVE-2016-9865

Various security issues were found and fixed in phpmyadmin in wheezy.

CVE-2016-4412 / PMASA-2016-57

    A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site.

CVE-2016-6626 / PMASA-2016-49

    In the fix for PMASA-2016-57, we did not have sufficient checking and it was possible to bypass the whitelist.

CVE-2016-9849 / PMASA-2016-60

    Username deny rules bypass (AllowRoot & Others) by using a null byte.

CVE-2016-9850 / PMASA-2016-61

    Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time.

CVE-2016-9861 / PMASA-2016-66

    In the fix for PMASA-2016-49, we had buggy checks and it was possible to bypass the whitelist.

CVE-2016-9864 / PMASA-2016-69

    Multiple SQL injection vulnerabilities.

CVE-2016-9865 / PMASA-2016-70

    Due to a bug in serialized string parsing, it was possible to bypass the protection offered by the PMA_safeUnserialize() function.

For Debian 7 "Wheezy", these problems have been fixed in version 4:3.4.11.1-2+deb7u7.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 722-1] irssi security update
Package: irssi
Version: 0.8.15-5+deb7u1
CVE ID: CVE-2016-7553
Debian Bug: 838762

An information disclosure vulnerability was found in irssi.

CVE-2016-7553

    Other users on the same machine as the user running irssi with buf.pl loaded may be able to retrieve the whole window contents after /UPGRADE. Furthermore, this dump of the window contents is never removed afterwards.

For Debian 7 "Wheezy", this problem has been fixed in version 0.8.15-5+deb7u1.

We recommend that you upgrade your irssi packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 680-2] bash version number correction
Package: bash
Version: 4.2+dfsg-0.1+deb7u4
CVE ID: CVE-2016-7543

This is a correction of DLA 680-1, which stated that bash 4.2+dfsg-0.1+deb7u3 was corrected. The corrected package version is 4.2+dfsg-0.1+deb7u4. For completeness, the text from DLA 680-1 is available below with only the version information corrected. No other changes.

An old attack vector has been corrected in bash (a sh-compatible command language interpreter).

CVE-2016-7543

    Specially crafted SHELLOPTS+PS4 environment variables in combination with insecure setuid binaries. The setuid binary had to use the setuid() function call in combination with a system() or popen() function call. With this combination it is possible to gain root access. In addition, bash has to be the default shell (/bin/sh has to point to bash) for the system to be vulnerable. The default shell in Debian is dash and there are no known setuid binaries in Debian with the insecure combination described above. There could however be local software with the insecure combination described above that could benefit from this correction.

For Debian 7 "Wheezy", this problem has been fixed in version 4.2+dfsg-0.1+deb7u4.

We recommend that you upgrade your bash packages.

If there is local software that has the insecure combination and does a setuid() to some user other than root, then the update will not correct that problem. That problem has to be addressed in the insecure setuid binary.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 680-1] bash security update
Package: bash
Version: 4.2+dfsg-0.1+deb7u3
CVE ID: CVE-2016-7543

An old attack vector has been corrected in bash, a sh-compatible command language interpreter.

CVE-2016-7543

    Specially crafted SHELLOPTS+PS4 environment variables in combination with insecure setuid binaries can result in root privilege escalation. The setuid binary had to use the setuid() function call in combination with a system() or popen() function call. With this combination it is possible to gain root access. In addition, bash has to be the default shell (/bin/sh has to point to bash) for the system to be vulnerable. The default shell in Debian is dash and there are no known setuid binaries in Debian with the insecure combination described above. There could however be local software with the insecure combination described above that could benefit from this correction.

For Debian 7 "Wheezy", this problem has been fixed in version 4.2+dfsg-0.1+deb7u3.

We recommend that you upgrade your bash packages.

If there is local software that has the insecure combination and does a setuid() to some user other than root, then the update will not correct that problem. That problem has to be addressed in the insecure setuid binary.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 676-1] nspr security update
Package: nspr
Version: 4.12-1+deb7u1

The Network Security Service (NSS) libraries use environment variables to configure lots of things, some of which refer to file system locations. Others can degrade the operation of NSS in various ways, forcing compatibility modes and so on. Previously, these environment variables were not ignored in SUID binaries. This version of the NetScape Portable Runtime Library (NSPR) introduces a new API, PR_GetEnvSecure, to address this. Both NSPR and NSS need to be upgraded to address this problem.

For Debian 7 "Wheezy", these problems have been fixed in NSPR version 4.12-1+deb7u1.

We recommend that you upgrade your nspr packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
[SECURITY] [DLA 677-1] nss security update
Package: nss
Version: 3.26-1+debu7u1

The Network Security Service (NSS) libraries use environment variables to configure lots of things, some of which refer to file system locations. Others can degrade the operation of NSS in various ways, forcing compatibility modes and so on. Previously, these environment variables were not ignored in SUID binaries. This version of the NetScape Portable Runtime Library (NSPR) introduces a new API, PR_GetEnvSecure, to address this. Both NSPR and NSS need to be upgraded to address this problem.

For Debian 7 "Wheezy", these problems have been fixed in NSS version 3.26-1+debu7u1.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist / o...@debian.org
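The bash advisories (DLA 680-1/680-2) and the NSPR/NSS advisories (DLA 676-1/677-1) above are two faces of one problem: a set-uid process letting its caller's environment steer privileged code. As an added C example, not code from bash, NSPR or NSS, and with all names hypothetical, here is the defensive pattern on both sides: library code ignores the environment when the process runs with elevated privilege (the role PR_GetEnvSecure plays), and program code starts children with an explicit minimal environment instead of system() or popen(), which would hand the inherited environment to /bin/sh.

```c
/* Added example, not bash/NSPR/NSS code: two defences against
 * environment-driven attacks on set-uid programs. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/wait.h>

/* 1. Library side: is this process running with elevated privileges?
 * The kernel sets AT_SECURE when the executable carried set-id bits or
 * file capabilities; the uid/gid comparison is a fallback. */
int process_is_secure(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy kept free of process state so it can be exercised without a
 * real set-uid binary: a privileged process ignores the environment. */
const char *env_value_if_allowed(const char *value, int secure)
{
    return secure ? NULL : value;
}

/* Drop-in replacement for getenv() in library code. */
const char *secure_env_lookup(const char *name)
{
    return env_value_if_allowed(getenv(name), process_is_secure());
}

/* 2. Program side: never pass the caller's environment to a shell.
 * A fixed, minimal environment for child processes; nothing the caller
 * set (SHELLOPTS, PS4, ...) can reach the child. */
#define CLEAN_ENV_MAX 4
static const char *const clean_path = "PATH=/usr/bin:/bin";

/* Fills envp (NULL-terminated) and returns the number of entries. */
int build_clean_env(const char *envp[CLEAN_ENV_MAX])
{
    int n = 0;
    envp[n++] = clean_path;
    envp[n] = NULL;
    return n;
}

/* True if a NAME=value entry names a variable that influences shell
 * behaviour and must never reach a privileged child. */
int is_shell_sensitive(const char *entry)
{
    static const char *const names[] = {
        "SHELLOPTS=", "PS4=", "BASH_ENV=", "ENV=", "IFS=", NULL
    };
    for (int i = 0; names[i] != NULL; i++)
        if (strncmp(entry, names[i], strlen(names[i])) == 0)
            return 1;
    return 0;
}

/* Self-check: the environment we build contains no sensitive entry. */
int clean_env_is_clean(void)
{
    const char *envp[CLEAN_ENV_MAX];
    int n = build_clean_env(envp);
    for (int i = 0; i < n; i++)
        if (is_shell_sensitive(envp[i]))
            return 0;
    return n > 0 && envp[n] == NULL;
}

/* Run argv[0] with the clean environment instead of system()/popen().
 * Returns the child's exit status, or -1 on error. */
int run_with_clean_env(char *const argv[])
{
    const char *envp[CLEAN_ENV_MAX];
    build_clean_env(envp);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, (char *const *)envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "/usr/bin/env", NULL };
    printf("secure process: %d\n", process_is_secure());
    return run_with_clean_env(argv); /* child prints only the PATH entry */
}
```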
[SECURITY] [DLA 626-1] phpmyadmin security update
Package: phpmyadmin
Version: 3.4.11.1-2+deb7u6
CVE ID : CVE-2016-6606 CVE-2016-6607 CVE-2016-6609 CVE-2016-6611 CVE-2016-6612 CVE-2016-6613 CVE-2016-6614 CVE-2016-6620 CVE-2016-6622 CVE-2016-6623 CVE-2016-6624 CVE-2016-6630 CVE-2016-6631

phpMyAdmin, a web administration tool for MySQL, had several vulnerabilities reported.

CVE-2016-6606

    A pair of vulnerabilities were found affecting the way cookies are stored. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. A second vulnerability was found where the same initialization vector is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same, but the attacker cannot directly decode these values from the cookie as it is still hashed.

CVE-2016-6607

    Cross site scripting vulnerability in the replication feature.

CVE-2016-6609

    A specially crafted database name could be used to run arbitrary PHP commands through the array export feature.

CVE-2016-6611

    A specially crafted database and/or table name can be used to trigger an SQL injection attack through the SQL export functionality.

CVE-2016-6612

    A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system.

CVE-2016-6613

    A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

CVE-2016-6614

    A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially crafted user name can be used to circumvent restrictions and traverse the file system.

CVE-2016-6620

    A vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it is valid serialized data. Due to how the PHP function operates, unserialization can result in code being loaded and executed through object instantiation and autoloading, so a malicious user who can manipulate the stored data may be able to exploit this weakness.

CVE-2016-6622

    An unauthenticated user is able to execute a denial-of-service attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

CVE-2016-6623

    A malicious authorized user can cause a denial-of-service attack on a server by passing large values to a loop.

CVE-2016-6624

    A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.

CVE-2016-6630

    An authenticated user can trigger a denial-of-service attack by entering a very long password at the change password dialog.

CVE-2016-6631

    A vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by shell scripts.

For Debian 7 "Wheezy", these problems have been fixed in version 3.4.11.1-2+deb7u6.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
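The CVE-2016-6624 entry above describes the general failure mode of IP-based access rules behind a reverse proxy: the rules see the proxy's address, which is allowed, rather than the client's, which is not. The following Python is an added illustration of the defensive pattern, not phpMyAdmin's code or the patch Debian shipped. The proxy ranges, allow rules and addresses are constructed for the example; the two checks that matter are that X-Forwarded-For is only honoured when the TCP peer is a trusted proxy, and that matching is done on parsed address objects (with IPv4-mapped IPv6 unwrapped) rather than on address strings.

```python
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample policy for this example (hypothetical, not phpMyAdmin's
# configuration): the reverse proxies allowed to set X-Forwarded-For, and the
# client ranges allowed to log in. The IPv6 proxy pool is itself inside an
# allowed range, which is the situation the advisory describes.
TRUSTED_PROXIES: List[IPNetwork] = [
    ipaddress.ip_network("2001:db8:1::/64"),
    ipaddress.ip_network("10.0.0.0/8"),
]
ALLOW_RULES: List[IPNetwork] = [
    ipaddress.ip_network("2001:db8:1::/64"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def _parse(addr: str) -> IPAddress:
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), so an
    IPv4 client arriving over an IPv6 socket still matches IPv4 rules."""
    parsed = ipaddress.ip_address(addr.strip())
    if isinstance(parsed, ipaddress.IPv6Address) and parsed.ipv4_mapped is not None:
        return parsed.ipv4_mapped
    return parsed


def _in_any(addr: IPAddress, nets: List[IPNetwork]) -> bool:
    # Membership on parsed objects: a v4 address never matches a v6 network
    # and vice versa, and no textual prefix comparison is involved.
    return any(addr in net for net in nets)


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      trusted_proxies: List[IPNetwork]) -> Optional[IPAddress]:
    """Return the address the access rules apply to, or None to deny.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise anyone could claim an allowed address in the header. The chain
    is walked from the right (the hop appended last, by our own proxy) and
    the first hop that is not a trusted proxy is the real client.
    """
    try:
        peer = _parse(remote_addr)
    except ValueError:
        return None
    if not _in_any(peer, trusted_proxies):
        return peer
    if not x_forwarded_for:
        return None  # a trusted proxy that sent no client address: fail closed
    client = peer
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            hop_addr = _parse(hop)
        except ValueError:
            return None  # malformed chain: fail closed rather than guess
        client = hop_addr
        if not _in_any(hop_addr, trusted_proxies):
            break
    return client


def peer_only_allowed(remote_addr: str, allow_rules: List[IPNetwork]) -> bool:
    """The weak check: rules applied to the TCP peer. Behind an allowed
    proxy every client passes, because the peer is always the proxy."""
    try:
        return _in_any(_parse(remote_addr), allow_rules)
    except ValueError:
        return False


def is_allowed(remote_addr: str, x_forwarded_for: Optional[str],
               trusted_proxies: List[IPNetwork], allow_rules: List[IPNetwork]) -> bool:
    """The corrected check: rules applied to the resolved client address."""
    client = resolve_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return client is not None and _in_any(client, allow_rules)
```

With the sample policy, a request from an unlisted IPv6 client relayed by a proxy in 2001:db8:1::/64 passes peer_only_allowed but is refused by is_allowed, which is the distinction the advisory turns on. The fail-closed choices (no header from a trusted proxy, or an unparsable hop) are deliberate: guessing a client address in those cases recreates the bypass.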
[SECURITY] [DLA 602-1] gnupg security and hardening update
Package: gnupg
Version: 1.4.12-7+deb7u8
CVE ID : CVE-2016-6313
Debian Bug : 834893

CVE-2016-6313

    Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered a flaw in the mixing functions of GnuPG's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. A first analysis of the impact of this bug on GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information.

Bypassing GnuPG key checking

    Researchers from Vrije Universiteit Amsterdam and Katholieke Universiteit Leuven discovered an attack method, known as Flip Feng Shui, that concerns flaws in GnuPG. They found that under specific hardware-software conditions, attackers could bypass GnuPG signature validation by using specially forged public keys. While the underlying problem cannot be solved by software alone, GnuPG has been made more robust by no longer relying on keyring signature caches when verifying keys; the specific attacks identified are no longer valid with the patched GnuPG.

For Debian 7 "Wheezy", these issues have been addressed in version 1.4.12-7+deb7u8.

We recommend that you upgrade your gnupg packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 600-1] libgcrypt11 security update
Package: libgcrypt11
Version: 1.5.0-5+deb7u5
CVE ID : CVE-2016-6313

The crypto library libgcrypt11 has a weakness in the random number generator.

CVE-2016-6313

    Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator. An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information.

For Debian 7 "Wheezy", these problems have been fixed in version 1.5.0-5+deb7u5.

We recommend that you upgrade your libgcrypt11 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 594-1] openssh security update
Package: openssh
Version: 6.0p1-4+deb7u6
CVE ID : CVE-2016-6515
Debian Bug : 833823

The OpenSSH secure shell client and server had a denial of service vulnerability reported.

CVE-2016-6515

    The password authentication function in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

For Debian 7 "Wheezy", this problem has been fixed in version 6.0p1-4+deb7u6.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Inguza Technology AB, MSc in Information Technology
o...@inguza.com | o...@debian.org | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 593-1] nettle security update
Package: nettle
Version: 2.4-3+deb7u1
CVE ID : CVE-2016-6489
Debian Bug : 832983

The cryptographic library nettle had a potential information leak problem reported.

CVE-2016-6489

    RSA code is vulnerable to cache sharing related attacks.

For Debian 7 "Wheezy", this problem has been fixed in version 2.4-3+deb7u1.

We recommend that you upgrade your nettle packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Inguza Technology AB, MSc in Information Technology
o...@inguza.com | o...@debian.org | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 588-2] mongodb security update
Package: mongodb
Version: 2.0.6-1+deb7u1
CVE ID : CVE-2016-6494
Debian Bug : 832908, 833087

This is an update of DLA-558-1. The previous build had a revision number that was considered lower than the one in wheezy and was therefore not installed at upgrade. The text for DLA-558-1 is included here for reference (with some improvement).

Two security related problems have been found in the mongodb package, both related to logging.

CVE-2016-6494

    World-readable .dbshell history file

Debian Bug 833087

    Bruteforcable challenge responses in unprotected logfile

For Debian 7 "Wheezy", these problems have been fixed in version 2.0.6-1.1+deb7u1.

We recommend that you upgrade your mongodb packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 588-1] mongodb security update
Package: mongodb
Version: 2.0.6-1+deb7u1
CVE ID : CVE-2016-6494
Debian Bug : 832908, 833087

Two security related problems have been found in the mongodb package, related to logging.

CVE-2016-6494

    World-readable .dbshell history file

TEMP-0833087-C5410D

    Bruteforcable challenge responses in unprotected logfile

For Debian 7 "Wheezy", these problems have been fixed in version 2.0.6-1+deb7u1.

We recommend that you upgrade your mongodb packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 578-1] openssh security update
Package: openssh
Version: 6.0p1-4+deb7u5
CVE ID : CVE-2016-6210

The OpenSSH secure shell client and server had a user enumeration problem reported.

CVE-2016-6210

    User enumeration via covert timing channel

For Debian 7 "Wheezy", this problem has been fixed in version 6.0p1-4+deb7u5.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
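The two openssh advisories on this page (DLA 594-1, unbounded password length feeding crypt, and DLA 578-1, user enumeration through a timing channel) are two sides of one rule for any password verifier: bound the input before the expensive hash, and spend the same hashing work whether or not the user exists. The Python below is an added illustration of that rule written for this page; it is not sshd code, not the patches Debian shipped, and the 1024-byte cap and PBKDF2 work factor are values chosen for the example.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 1024     # cap chosen for this example; checked before any hashing
PBKDF2_ITERATIONS = 20_000    # work factor for the example; identical for every attempt
_HASH_LEN = 32

# Salt used for names that do not exist, so an unknown user costs exactly one
# PBKDF2 run, the same as a known one. Without this, a fast path for unknown
# users is what leaks whether an account exists.
_DUMMY_SALT = os.urandom(16)


class PasswordStore:
    """Minimal verifier constructed for this example (not sshd's logic)."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=_HASH_LEN)

    def register(self, username: str, password: str) -> None:
        pw = password.encode("utf-8")
        if len(pw) > MAX_PASSWORD_BYTES:
            raise ValueError("password too long")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(pw, salt))

    def verify(self, username: str, password: str) -> bool:
        pw = password.encode("utf-8")
        # Length check first: an oversized password never reaches the hash,
        # and the rejection is equally cheap for known and unknown names.
        if len(pw) > MAX_PASSWORD_BYTES:
            return False
        record = self._users.get(username)
        salt, expected = record if record is not None else (_DUMMY_SALT, bytes(_HASH_LEN))
        computed = self._hash(pw, salt)
        # Constant-time comparison. For an unknown user the answer is always
        # False, but only after the same hashing work has been done.
        matched = hmac.compare_digest(computed, expected)
        return matched and record is not None


def demo() -> bool:
    """Round trip used by the checks below; returns True when all four
    outcomes (good login, wrong password, unknown user, oversized input)
    come out as expected."""
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    return (store.verify("alice", "correct horse battery staple")
            and not store.verify("alice", "wrong")
            and not store.verify("nobody", "correct horse battery staple")
            and not store.verify("alice", "a" * (MAX_PASSWORD_BYTES + 1)))
```

The point of the dummy record is not the comparison (compare_digest already handles that) but the branch structure: both paths run the same PBKDF2 call with the same iteration count, so wall-clock time no longer depends on whether the name was found.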
[SECURITY] [DLA 551-1] phpmyadmin security update
Package: phpmyadmin
Version: 4:3.4.11.1-2+deb7u5
CVE ID : CVE-2016-5731 CVE-2016-5733 CVE-2016-5739

phpMyAdmin, a web administration tool for MySQL, had several Cross Site Scripting (XSS) vulnerabilities reported.

CVE-2016-5731

    With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.

CVE-2016-5733

    Several XSS vulnerabilities were found in the Transformation feature. A vulnerability was also reported allowing a specifically-configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.

CVE-2016-5739

    A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token. This could be used to direct a CSRF attack against a user.

For Debian 7 "Wheezy", these problems have been fixed in version 4:3.4.11.1-2+deb7u5.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 507-1] nss security update
Package: nss
Version: 2:3.14.5-1+deb7u7
CVE ID : CVE-2015-4000
Debian Bug : N/A

A vulnerability has been found in nss.

CVE-2015-4000

    The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

    The solution in nss was to not accept bit lengths less than 1024. This may potentially be a backwards incompatibility issue, but such low bit lengths should not be in use, so it was deemed acceptable.

For Debian 7 "Wheezy", these problems have been fixed in version 2:3.14.5-1+deb7u7.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
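The mitigation the advisory describes, refusing Diffie-Hellman groups shorter than 1024 bits, is applied by the client at the point where it parses the server's DH parameters. The Python below is an added example of where that check sits and is not NSS code: it parses the ServerDHParams structure from a TLS ServerKeyExchange (RFC 5246 section 7.4.3, three length-prefixed integers) and rejects a modulus below the threshold before any key agreement happens. The sample moduli are constructed placeholders with the right bit lengths, not primes and not real TLS parameters; primality of the modulus is not checked here.

```python
import struct

MIN_DH_PRIME_BITS = 1024  # the threshold the advisory states nss now enforces


def parse_server_dh_params(data: bytes):
    """Parse ServerDHParams from a TLS ServerKeyExchange body (RFC 5246,
    section 7.4.3): dh_p, dh_g and dh_Ys, each a 2-byte length followed by a
    big-endian integer. Returns (p, g, ys, bytes_consumed); the signature
    that follows the parameters is left to the caller."""
    values = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset


def check_dh_params(p: int, g: int, ys: int) -> None:
    """Reject export-grade or malformed parameters before key agreement.

    The size check is the one the advisory describes; the range checks on
    g and Ys are the usual companions."""
    if p.bit_length() < MIN_DH_PRIME_BITS:
        raise ValueError(f"dh_p is {p.bit_length()} bits, below {MIN_DH_PRIME_BITS}")
    if p % 2 == 0:
        raise ValueError("dh_p is even")
    if not 1 < g < p - 1:
        raise ValueError("dh_g out of range")
    if not 1 < ys < p - 1:
        raise ValueError("dh_Ys out of range")


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params, used to build the samples below."""
    def field(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return field(p) + field(g) + field(ys)


def accept_server_dh(data: bytes) -> bool:
    """Client-side decision: parse, validate, refuse on any failure."""
    try:
        p, g, ys, _ = parse_server_dh_params(data)
        check_dh_params(p, g, ys)
        return True
    except ValueError:
        return False


# Constructed sample moduli: correct bit lengths only (not primes, not real
# TLS groups), enough to exercise the size check.
EXPORT_GRADE_P = (1 << 511) | 1   # 512-bit, the size a Logjam downgrade lands on
STRONG_P = (1 << 2047) | 1        # 2048-bit
SAMPLE_G = 2
SAMPLE_YS = 0x1234567
```

The same parser can be pointed at a captured ServerKeyExchange to audit what a server actually offers; the advisory's compatibility caveat shows up as accept_server_dh returning False for any legitimate server that still uses a sub-1024-bit group.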
[SECURITY] [DLA 506-1] dhcpcd5 security update
Package: dhcpcd5
Version: 5.5.6-1+deb7u2
CVE ID : CVE-2014-7912 CVE-2014-7913
Debian Bug : N/A

Two vulnerabilities were discovered in dhcpcd5, a DHCP client package. A remote attacker on the local network can possibly execute arbitrary code or cause a denial of service via crafted messages.

CVE-2014-7912

    The get_option function does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message.

CVE-2014-7913

    The print_option function misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message.

For Debian 7 "Wheezy", these problems have been fixed in version 5.5.6-1+deb7u2.

We recommend that you upgrade your dhcpcd5 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
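CVE-2014-7912 is the classic TLV-parsing mistake: trusting an option's length byte without checking it against the bytes that actually remain. The Python below is an added example, not dhcpcd code and not the fix, of a DHCP options parser (RFC 2132 code/length/value encoding) that performs that check before every read; the DHCPACK option bytes and the truncated variant are constructed for the example. Only the length-validation case (CVE-2014-7912) is shown; the snprintf return-value misuse of CVE-2014-7913 has no counterpart in this parser.

```python
import ipaddress
from typing import Dict, List

DHCP_OPT_PAD = 0
DHCP_OPT_END = 255


def parse_dhcp_options(buf: bytes) -> Dict[int, List[bytes]]:
    """Parse a DHCP options field (RFC 2132 code/length/value encoding).

    Every length byte is compared with the bytes that actually remain before
    the value is read, so a claimed length can never reach past the message.
    Returns {code: [value, ...]}; a code may repeat in a message.
    """
    options: Dict[int, List[bytes]] = {}
    i, n = 0, len(buf)
    while i < n:
        code = buf[i]
        i += 1
        if code == DHCP_OPT_PAD:        # single-byte option, no length
            continue
        if code == DHCP_OPT_END:        # single-byte option, stop here
            break
        if i >= n:
            raise ValueError(f"option {code}: length byte missing")
        length = buf[i]
        i += 1
        if length > n - i:              # the check the advisory describes as absent
            raise ValueError(f"option {code}: length {length} exceeds the {n - i} bytes remaining")
        options.setdefault(code, []).append(bytes(buf[i:i + length]))
        i += length
    return options


def is_well_formed(buf: bytes) -> bool:
    """True when every option's length fits inside the buffer."""
    try:
        parse_dhcp_options(buf)
        return True
    except ValueError:
        return False


def option_ipv4_list(options: Dict[int, List[bytes]], code: int) -> List[str]:
    """Decode an option that carries one or more IPv4 addresses (e.g. 3 = router),
    rejecting values whose length is not a multiple of 4."""
    out: List[str] = []
    for value in options.get(code, []):
        if len(value) % 4 != 0:
            raise ValueError(f"option {code}: value length {len(value)} is not a multiple of 4")
        out.extend(str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4))
    return out


# Constructed sample: the options field of a small DHCPACK.
SAMPLE_DHCPACK_OPTIONS = bytes([
    53, 1, 5,                  # DHCP message type = DHCPACK
    1, 4, 255, 255, 255, 0,    # subnet mask
    3, 4, 192, 0, 2, 1,        # router
    0, 0,                      # padding
    255,                       # end
])

# Constructed malformed sample: option 3 claims 200 bytes with only 4 left.
TRUNCATED_OPTIONS = bytes([53, 1, 5, 3, 200, 192, 0, 2, 1])
```

A C implementation would make the same comparison against the remaining buffer length before copying or dereferencing the value; the parser above simply makes that comparison impossible to skip, since the slice is only taken after the check.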
[SECURITY] [DLA 496-1] ruby-activerecord-3.2 security update
Package: ruby-activerecord-3.2
Version: 3.2.6-5+deb7u2
CVE ID : CVE-2015-7577
Debian Bug : N/A

CVE-2015-7577

    activerecord/lib/active_record/nested_attributes.rb in Active Record does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.

For Debian 7 "Wheezy", this problem has been fixed in version 3.2.6-5+deb7u2.

We recommend that you upgrade your ruby-activerecord-3.2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
[SECURITY] [DLA 489-1] ruby-mail security update
Package: ruby-mail
Version: 2.4.4-2+deb7u1
CVE ID : N/A
Debian Bug : N/A

This security update fixes a security issue in ruby-mail. We recommend you upgrade your ruby-mail package.

Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a whitepaper entitled "SMTP Injection via recipient email addresses" (http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section discussing how one such vulnerability affected the 'mail' ruby gem (see section 3.1). The whitepaper has all the specific details, but basically the 'mail' ruby gem is prone to the recipient attack as it neither validates nor sanitizes the given recipient addresses. Thus, the attacks described in chapter 2 of the whitepaper can be applied to the gem without any modification. The 'mail' ruby gem itself does not impose a length limit on email addresses, so an attacker can send a long spam message via a recipient address unless there is a limit on the application's side. This vulnerability affects only applications that lack input validation.

For Debian 7 "Wheezy", these problems have been fixed in version 2.4.4-2+deb7u1.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
Ola Lundqvist
o...@debian.org | o...@inguza.com | http://inguza.com/
gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F
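The advisory's closing sentence puts the burden on the application: recipient addresses must be validated, and their length and number bounded, before they are handed to a mail library. The Python below is an added illustration of that application-side check written for this page; it is not code from the 'mail' gem or from the whitepaper, and the limits (254-byte address, 64-byte local part, 50 recipients per message) are the RFC 5321 path limits plus a recipient-count cap chosen for the example. The validator is deliberately conservative: only plain dot-atom local parts and dotted host names are accepted, so carriage returns, line feeds, spaces, quotes and angle brackets, which are what an injected SMTP command or header depends on, are rejected rather than parsed.

```python
import re
from typing import Iterable, List

MAX_ADDRESS_LEN = 254     # RFC 5321 forward-path limit
MAX_LOCAL_LEN = 64        # RFC 5321 local-part limit
MAX_RECIPIENTS = 50       # per-message cap chosen for this example

# dot-atom local part: atext runs separated by single dots (no leading,
# trailing or doubled dots); quoted local parts are intentionally unsupported.
_LOCAL_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$"
)
# dotted host name: one or more labels of 1..63 characters and an alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_recipient(address: str) -> str:
    """Return the address in canonical form or raise ValueError.

    Control characters (CR, LF and the rest) fail the isprintable() test,
    and every character that could delimit a display name, quoted string or
    a second address fails the regular expressions, so nothing that could
    alter the RCPT TO line or the headers can pass through.
    """
    if len(address) > MAX_ADDRESS_LEN:
        raise ValueError("address too long")
    if not address.isascii() or not address.isprintable():
        raise ValueError("control or non-ASCII character in address")
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("address must be local@domain")
    if len(local) > MAX_LOCAL_LEN:
        raise ValueError("local part too long")
    if not _LOCAL_RE.fullmatch(local):
        raise ValueError("unsupported characters in local part")
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError("domain is not a dotted host name")
    return f"{local}@{domain.lower()}"   # local part keeps its case (RFC 5321)


def is_valid_recipient(address: str) -> bool:
    try:
        validate_recipient(address)
        return True
    except ValueError:
        return False


def validate_recipients(addresses: Iterable[str]) -> List[str]:
    """Validate a whole recipient list, bounding its size and dropping
    duplicates, so one request cannot fan out into bulk mail."""
    seen: List[str] = []
    for raw in addresses:
        canonical = validate_recipient(raw)
        if canonical not in seen:
            seen.append(canonical)
        if len(seen) > MAX_RECIPIENTS:
            raise ValueError(f"more than {MAX_RECIPIENTS} recipients")
    return seen
```

Run every user-supplied address through validate_recipient before it reaches the mail library's recipient fields; an address that legitimately needs a quoted local part or an internationalized domain should be handled by a separate, explicitly reviewed path rather than by loosening this check.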