[SECURITY] [DSA 4405-1] openjpeg2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4405-1 secur...@debian.org https://www.debian.org/security/Luciano Bello March 10, 2019https://www.debian.org/security/faq - - Package: openjpeg2 CVE ID : CVE-2017-17480 CVE-2018-5785 CVE-2018-6616 CVE-2018-14423 CVE-2018-18088 Debian Bug : 884738 888533 889683 904873 910763 Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, that could be leveraged to cause a denial of service or possibly remote code execution. CVE-2017-17480 Write stack buffer overflow in the jp3d and jpwl codecs can result in a denial of service or remote code execution via a crafted jp3d or jpwl file. CVE-2018-5785 Integer overflow can result in a denial of service via a crafted bmp file. CVE-2018-6616 Excessive iteration can result in a denial of service via a crafted bmp file. CVE-2018-14423 Division-by-zero vulnerabilities can result in a denial of service via a crafted j2k file. CVE-2018-18088 Null pointer dereference can result in a denial of service via a crafted bmp file. For the stable distribution (stretch), these problems have been fixed in version 2.1.2-1.1+deb9u3. We recommend that you upgrade your openjpeg2 packages. For the detailed security status of openjpeg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjpeg2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlyFF8QACgkQbsLe9o/+ N3Qi1xAAh+mmOaJdUGny+QX1vNd7+Tuv8O+gBU1ctzOrNFZMIbBQraQDap9KiTzU 104Ih+n0mNgHcdfWWdithrfpnFUmgW8UWWXV6jc/Fy8wDqXU3Z6J2hDQ945Qhggy vPTfjRAKnTThPobRcX3D+wmGTieH6BS+8V6rPwcQfnQQG5qitbMPo/T1hWo6aRNE RNVFoEahHMLPnv6vJBNNNDclb690Bbjb5hBHJjMAEQcWSkJHHYMcr/Q0TetqpJnt oZb9YnJvgSEaXcf2nl7N7lCoNfsnQ91S1zX2gxEiaW1vx58lfHcAytebfzJutGzG 2iUAUtpr99fYS7en27a44q0AkoVx49+mfbU2xX6gS4gO4jpdoOOrpr7Kdk8ll3aY KJPp6DovyL+Ds5Ij3EZyWKaeVBE7aMW9k76T0Ax6HMe+zWxqVGWaRaKHP70n8kI+ QqDJdDt1MzK6f2gKuxiKeDvR67IMm+SuXdExsVzjhuT5PojiakfkPfWDOeDqGAlP 5KJ24PiL2JvtVzegcNdKtRebOkLSpC6FOQhoo+VTAdyunRvnCeN9CUwJ2oxdSMjJ a1319wZKjT6EWUntLand/fqBkKWDg9XHaGgRwKEgADwyz22yWBROE0CtKoUjQU6c GqdIzsq63rZREz8ZuyFzmvIpgWu3TDqNk4ZyzNdRgKCQeRxxYPU= =CJHO -END PGP SIGNATURE-
[SECURITY] [DSA 4243-1] cups security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4243-1 secur...@debian.org https://www.debian.org/security/Luciano Bello July 11, 2018 https://www.debian.org/security/faq - - Package: cups CVE ID : CVE-2017-15400 CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 CVE-2018-6553 Several vulnerabilities were discovered in CUPS, the Common UNIX Printing System. These issues have been identified with the following CVE ids: CVE-2017-15400 Rory McNamara discovered that an attacker is able to execute arbitrary commands (with the privilege of the CUPS daemon) by setting a malicious IPP server with a crafted PPD file. CVE-2018-4180 Dan Bastone of Gotham Digital Science discovered that a local attacker with access to cupsctl could escalate privileges by setting an environment variable. CVE-2018-4181 Eric Rafaloff and John Dunlap of Gotham Digital Science discovered that a local attacker can perform limited reads of arbitrary files as root by manipulating cupsd.conf. CVE-2018-4182 Dan Bastone of Gotham Digital Science discovered that an attacker with sandboxed root access can execute backends without a sandbox profile by provoking an error in CUPS' profile creation. CVE-2018-4183 Dan Bastone and Eric Rafaloff of Gotham Digital Science discovered that an attacker with sandboxed root access can execute arbitrary commands as unsandboxed root by modifying /etc/cups/cups-files.conf CVE-2018-6553 Dan Bastone of Gotham Digital Science discovered that an attacker can bypass the AppArmor cupsd sandbox by invoking the dnssd backend using an alternate name that has been hard linked to dnssd. For the stable distribution (stretch), these problems have been fixed in version 2.2.1-8+deb9u2. We recommend that you upgrade your cups packages. For the detailed security status of cups please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cups Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAltGE+0ACgkQbsLe9o/+ N3RzTBAAog31K8+nfhrds2NQZeWaz0rGevs6hHj5wuf40FemG0IoHYfl7xba66Fx gVTZSDbpOuFnG1YQet0UpfsXsogTuaPv6/qP89YASEM8ncLSgBUTKS1bK7VM6SyP NZCWUmjmfsyf0yv7tvnWnq0k5I6MwHRRX6l0fI+treXz0nwjXDIPnKH1Xbv4zW1Y TTpmxD4FknyzkXJGxJoBwMcclPGCkT6W1IrBPQrjscUJvFBWiNW3umAoiuv+aCCr sM+raoK0SJTLFJ289AhrXajKilt0SfTHly12mpxUKnyevPCAz5o+nbtQMhQrALLQ foRuTAfI3WhubZFd7bTUjhrVo1nhS4khnmriyRxsCL7o19dc5rfQd1fO1IvCDQCb YtnWhDD7Tfzspetpr5kUk/pbB1U//uyWDFji73ZURFPbn5Pa+Z80OUGIRd9IIlNg ODJsNq5X/bjwoJgwJwi3W6SieyNWKBaTR5Ktk2iqBOJQ++KqV3BmsCVI/B/5NFnV /heBZYugaknsmdQVbdKa9jv3GIr4TE4frqJJrAsZ0KGnlKNNzoe3pQIk6nA0f/4d z3JalPDGwfL+Qq2AAJlqx2346ro0bViHUAGXJc1zsx44LHBVaRotV+a0gTXsh3z/ 3tQIHs2KZ4KRzczK7pbDDbeSEsaL6XsWb0vXbG2ZNAHoGxV7jQo= =g0fa -END PGP SIGNATURE-
[SECURITY] [DSA 4167-1] sharutils security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4167-1 secur...@debian.org https://www.debian.org/security/Luciano Bello April 05, 2018https://www.debian.org/security/faq - - Package: sharutils CVE ID : CVE-2018-197 Debian Bug : 893525 A buffer-overflow vulnerability was discovered in Sharutils, a set of utilities handle Shell Archives. An attacker with control on the input of the unshar command, could crash the application or execute arbitrary code in the its context. For the oldstable distribution (jessie), this problem has been fixed in version 4.14-2+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 1:4.15.2-2+deb9u1. We recommend that you upgrade your sharutils packages. For the detailed security status of sharutils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sharutils Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlrGU8EACgkQbsLe9o/+ N3SX9Q/6A6qLYBDrTSnlqUqjWKiQXTUGMGndookV24BCpSapSXYtFjPph6N5WVny 55vq3Ume6rZuSix8D4+WWktZTPKS2iDgVtCZWRG7Onl0WJGgkXUETrd31/hvT8PJ izGyhzlbDaQtjerZxIMXzqtjlMyUmN0cDyhRd6JxT6Uu2FMCUqkCZenfxxSbo2W9 N322K98cU20C3WO/1KnMWpVMSEEaBTnW612gcfN59eR10pilQK/Pst2PCfEaf83K 6LVI07HHIHxe3sS2WJB2CMkClYCNB9Xzcp+PyHcn9oFhmwPNFo3jix3/0ueG/Agt YOshVmk/wsRN+Kqx+b8R9/i+aZaNQV2sr9Ml0C+nHREBWxE5wykSe+F25b7Gq3AD XabbQmQouEDFtIkNQ8tVBhnhLh3HxWD35l2WQV98A1XYPCllwVqrBj7c9d2DaQDF 63zin1gCivzUtaQWmNjOTA2ATbKfDZHgqFfMvcBuIbCCykHYctHKJiEXC/5LeoI+ d61iRxytLy+l5oDDsaRi9KWFabDmgb+65asvEHwgz2nbtcxMfilanYuO7aS5ET9+ ZcEFTmhUqMb8Ly8Ln4ikLNeAtcR4MrrTXm+ZIWkzhF2eLWKuRswVL6ZdkAAls8/W fwi0b13695gwpsleoGuNOJCLQwiCOm8xmzbnNaua3LQLZmBGWmg= =dr+o -END PGP SIGNATURE-
[SECURITY] [DSA 4165-1] ldap-account-manager security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4165-1 secur...@debian.org https://www.debian.org/security/Luciano Bello April 03, 2018https://www.debian.org/security/faq - - Package: ldap-account-manager CVE ID : CVE-2018-8763 CVE-2018-8764 Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web front-end for LDAP directories. CVE-2018-8763 The found Reflected Cross Site Scripting (XSS) vulnerability might allow an attacker to execute JavaScript code in the browser of the victim or to redirect her to a malicious website if the victim clicks on a specially crafted link. CVE-2018-8764 The application leaks the CSRF token in the URL, which can be use by an attacker to perform a Cross-Site Request Forgery attack, in which a victim logged in LDAP Account Manager might performed unwanted actions in the front-end by clicking on a link crafted by the attacker. For the oldstable distribution (jessie), these problems have been fixed in version 4.7.1-1+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 5.5-1+deb9u1. We recommend that you upgrade your ldap-account-manager packages. For the detailed security status of ldap-account-manager please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ldap-account-manager Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlrEKtAACgkQbsLe9o/+ N3SLAg/8D57LdCvy6gnki27pdVsXd0WwHd18CD0/LMKX+1WicjxYbV6FXmQ/7iON Vsbwr0dSYBlszFnRYcgP6wRxabjRnfgEUcp2z7DOeN2/OFyp50Ct9AHJsQUkurvK m1UCPtpp0ij0APnaGWQc9sb4oJcBhIAu8pzvCiGbV5RywYWIqV70ok9DawOqecWJ eAMKBwEwmsn4gOId1vmDeK33kBRceWm0DCkdehzmvp6VzP4K3K+7KYs59pEuvpJO UQtItfs+a+L7ob2iWtDEwxaXFK/3kptEXLjEbdobonFCL2GnXDTozWvGpMuCrO/g fEnU9Bbwg1n3BqzpWPFw+8gDwkvJZ+EoIGQwPEcaE0khmokdMOssmrpIlFZucomQ CtHA74kctZAc6xOeGIF6VS6uElScyyYTak/IzETuDjapbw9bVjIPxj/vbaQNWIoi bOm5Nf4nprKM1a0UMLmIzalFIEL6gZCsTc0kVC9AKtYb79wYP3ZJKcDLWOlRPpXf 29nh4WaE+uCU9wnjjIDorv9M63eDcBW6oOWpoaLis7Iv14GYeTk8PDBMP9+RQ8gk sJ98Xv3gmd90ZC/5UX3vJ7FikFiDX8pK3xKEwfLfv1lXsN15KX/OgCxUbruAm5VG TUyDOe+JTs+KCIVbCq9bxHCLsAvroGwwUHCW0HtBThDmOiUIChc= =GGc+ -END PGP SIGNATURE-
[SECURITY] [DSA 4161-1] python-django security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4161-1 secur...@debian.org https://www.debian.org/security/Luciano Bello April 01, 2018https://www.debian.org/security/faq - - Package: python-django CVE ID : CVE-2018-7536 CVE-2018-7537 James Davis discovered two issues in Django, a high-level Python web development framework, that can lead to a denial-of-service attack. An attacker with control on the input of the django.utils.html.urlize() function or django.utils.text.Truncator's chars() and words() methods could craft a string that might stuck the execution of the application. For the oldstable distribution (jessie), these problems have been fixed in version 1.7.11-1+deb8u3. For the stable distribution (stretch), these problems have been fixed in version 1:1.10.7-2+deb9u1. We recommend that you upgrade your python-django packages. For the detailed security status of python-django please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-django Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlrA2oMACgkQbsLe9o/+ N3QU1w/8Cc1ftnEutYxDFXMkv43zHrTxPocwVaHD/YV+cWxrEHWWpR7AaGDN/wKi wj5kynz3Gc3yTO5tYErOTLJQA+PcskVNotvTsPa54yYS+FuUrUMhGhPnqGTNQ4aB SXRRSQMjaYQGKjUrRHlXpS9kjP0/acqrDTS2cNKwpHiLmK2oQE17KNasQStaAJ9f 1QVMd8XoNTVMWzjz3/Vd3TMZzARzqBfHhcbox/NlP30/F2smGCj05TnSeLnlvGSx ArtuZLmSdxDWjkvusFzO3tpK4Kvwe57g92rrEpBhy14lKsQAZETvm+uCehMHEXQP MYWJq7gDTodBkzrqqE4jZugTus29DxVhLh4vLi9V6gSlYHRJMQC4iT+eWkyz3EDO n3CSXEG95Kv8fAURkLuFS5wGQ9SllGPVl2t20b13kj5gnccfTKYnevqp3uFdmsyx ftVI+hFS0Q+xWz5432PErpSg78HEU5ieWpPfKp180rfVitlJOO497dgBqg1DI+xH 7X6QLgKXFI0WbUK64sdiakZSnED6IgLZNZF8bD+CUHT6LywGyRZ/Ndo7C7lRe3By dVp6tdJcoSX/GyeREQ96sTu+YF4C/902kTyihYbzI4QNRFNeA+ZJud3tpfqSfiCJ 30jYifAufFMc4F6JrRTvnW8M+SDp5RlcPqmlBx14hDOEiojNtHw= =gBGR -END PGP SIGNATURE-
[SECURITY] [DSA 4152-1] mupdf security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4152-1 secur...@debian.org https://www.debian.org/security/Luciano Bello March 27, 2018https://www.debian.org/security/faq - - Package: mupdf CVE ID : CVE-2018-6544 CVE-2018-151 Debian Bug : 891245 Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book viewer, which may result in denial of service or remote code execution. An attacker can craft a PDF document which, when opened in the victim host, might consume vast amounts of memory, crash the program, or, in some cases, execute code in the context in which the application is running. For the oldstable distribution (jessie), these problems have been fixed in version 1.5-1+deb8u4. For the stable distribution (stretch), these problems have been fixed in version 1.9a+ds1-4+deb9u3. We recommend that you upgrade your mupdf packages. For the detailed security status of mupdf please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mupdf Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlq6g4QACgkQbsLe9o/+ N3Susg/9G1OrrHcEbHNoaio0T0Wuf/v0ppoC3Lup+I4DR5zMeRTZJaqvyZlyBpWb P6EWGS35/+r3kL/+IY5FQUrB+UoYyM85DNHG+5/5/pmbO1SrQuBECs+btgEgAtWL A9cTnT7sFAGSUWIuGxu07WZdzxlPTb7ZQLoWvekYU+AObNdWCaJuON6qepKwFsUM 8Cqmx2M1G0kPVzRIrivoNuQV2gwSG2l26pMNAJqPwZzY0fYCizZsIyDy+AA1Yiuc H7Nwb5xtl2QOLP4MtyQ9Oy3skOA2DGvKGkSxTBAYhOMl43814W3TpXeHz4ZJlTIa TTMHbXOQuFOnIxe4s2dXwCXKOhwdswmUoLSuyvVcsWFdN3tZfQzC254L/oS7lBZN RRxqXQNHZ0Vzr4Sgp1dKA9y1+IFgWuqdCW6h3LATROq0Kd9OZ2UlL9q9PJvXsJ9p DI5DDH8WAMcgukUkbRGM/JapGcdtFVmQTdulnJ5qs9swJfajWhlCgrueWlsfvfjm BYJI7JyWgs1wh0hmCwxK13JbSEAIxB0jJ6fLWioAuHGfOMZppxG0FN30fJpOWEEd xiF8r8T6+hLXl7ynDH/3D29kNIv/qKskvrPw7VFYUjPA+EIo4kNx/3RnoBA8P9Jd FQjaz/m64uT6WFvu1Gr3Qex9meUb7M32XdbDQ2bR3vT70p+T5Eo= =GrpD -END PGP SIGNATURE-
[SECURITY] [DSA 4109-1] ruby-omniauth security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4109-1 secur...@debian.org https://www.debian.org/security/ February 09, 2018 https://www.debian.org/security/faq - - Package: ruby-omniauth CVE ID : CVE-2017-18076 Debian Bug : 888523 Lalith Rallabhandi discovered that OmniAuth, a Ruby library for implementing multi-provider authentication in web applications, mishandled and leaked sensitive information. An attacker with access to the callback environment, such as in the case of a crafted web application, can request authentication services from this module and access to the CSRF token. For the oldstable distribution (jessie), this problem has been fixed in version 1.2.1-1+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 1.3.1-1+deb9u1. We recommend that you upgrade your ruby-omniauth packages. For the detailed security status of ruby-omniauth please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-omniauth Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlp+Vf8ACgkQbsLe9o/+ N3RymRAAj5ygv8aqAZVGam3wRQ5eOux+kmSP3eBe1pYb+egLEdbtetFALbbq0GyF OWE5BpIcq483FE06CaVpuBK1xIk6f5SiS0jYPzMRdlIcfidfCk1SWcHbQ/5H8koP Gn3visVhHIPwecwdeDCKTpvWIHSBT9sLH3j971K8DdR9ICTWdvCGo92T4/Txy3oL YDGUFD90oqZ/qGJ2uMazJydaxslCc5KS/pSv7w/daDiRVtK14pQAjBO6BYWYKFzg tQYnl/kDwoFAhltB8mvpMOSbPK7s1Z2PKu49uT0x7EWZV19mv4jMwo2rZ137yQcu duK1nXIIbhVtA/7d02FMTfdahXDl8EjRAwmuSpsZZeRmPe3irVN3Ghh93VURDBYh cnJCoM1CjfAuVFz6nWOFE4oolQ/0CUSPUG5o+y5RGWwaImifOK5fc57lPqthiK4D 41+Fw1xQCJ5BwSig4zFPjRottB4etbzag1wvIhOKHnmpb0IHpweAbWsEs8PO1xG6 imbKc68UHZw3LMGHbIyTOKSHbqjVaF2pnYrX/SWhdgEshTMZ4lv0KMTAWPmPxL30 3i3bgl8QnSr93kA13C3Zbog0TfrHouEd2SaxAwfkIE1RR+vXeoqKgoVTu6SpAOoH 3M1QiigPLlzomKVYQe5a19j2dkAEIbnnuNtc+wZbI/3v0Me6PQU= =oO+m -END PGP SIGNATURE-
[SECURITY] [DSA 4105-1] mpv security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4105-1 secur...@debian.org https://www.debian.org/security/ February 06, 2018 https://www.debian.org/security/faq - - Package: mpv CVE ID : CVE-2018-6360 Debian Bug : 888654 It was discovered that mpv, a media player, was vulnerable to remote code execution attacks. An attacker could craft a malicious web page that, when used as an argument in mpv, could execute arbitrary code in the host of the mpv user. For the stable distribution (stretch), this problem has been fixed in version 0.23.0-2+deb9u1. We recommend that you upgrade your mpv packages. For the detailed security status of mpv please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mpv Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlp6Y/YACgkQbsLe9o/+ N3TWEw//e9bs2KffecS2gGBSuCUc/tU/FtgYT4rmQyhljQx30FzMRobw1I4MH2f3 awImhX7EGyAHcqBlx+l3NoxG/tlVhqLcmcIdtQV5/EhLmApy2WaIuF91gs9rxht6 qoZP8kEk5D4D+aPkNhCsnrTNnnRRfaMUF46oALDair+0VnYspWnlp2f1azjnVSYu PcGzEbAqECX7xDZ68By4eCGQN8NkWebCWhgrTCnmMpnR8+gNYtE2XTasToLUc2/Y FO6tlT3wduUEk/JjQ4XGMHKwSJ0zvN4ZH7D8JifnGAPTupOaBs4hpkPnkTKaBunr 5WGGsTd+sTcvocG8U7s5NeV7EC95S0EEuV3CJthmMbwwbXtIY0ISKSPFC74tjy2Z xwK+izPjOSidCXpvrrXZGAQywLH6GcnZkPtPeXORD8e7QtasihSaUxwRcgUKrkfp nKTTlp9TMoyZVBC4RwiAo9xG1IOA442QrIM9t9AtzM/fgg3nkif1jHVB6Tze9Sry 5v6NinSiGOx6ViwevFPJBoCU4iXNiH3lPLLnZ2MItyOjvLiQgCu/DnZ31TNNERJ+ afX0Aa8KIv5WA7NgJ8uKl1HCuwylDIY9OgOdeofr6ApiToEovf8UonAxoBuWksMw lYor0nRHZ843w2eRCN+eRmCVMFIk693K83kyK83ads4E9OAV1Vc= =1wlc -END PGP SIGNATURE-
[SECURITY] [DSA 4094-2] smarty3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4094-2 secur...@debian.org https://www.debian.org/security/ January 30, 2018 https://www.debian.org/security/faq - - Package: smarty3 CVE ID : CVE-2017-1000480 Debian Bug : 886460 Côme Chilliet from the FusionDirectory team detected a regression in the previously issued fix for CVE-2017-1000480. This regression only affects the Jessie version of the patch. For reference, the relevant part of the original advisory text follows. It was discovered that Smarty, a PHP template engine, was vulnerable to code-injection attacks. An attacker was able to craft a filename in comments that could lead to arbitrary code execution on the host running Smarty. For the oldstable distribution (jessie), this problem has been fixed in version 3.1.21-1+deb8u2. We recommend that you upgrade your smarty3 packages. For the detailed security status of smarty3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/smarty3 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlpwrI8ACgkQbsLe9o/+ N3S2ThAAoTIBEBY7C7wZyHe00TMijKJh5Hjxtz7ApEzctO3+I8WCSm+90onW8W/J W7+7eI9pNaVhWeK6yreO2rq/4qYMQvR2AJhA5L39k0JYQbTIIaCMSUXoCQ5ueP6X IbXdlihcSFKxNpfqXZRBfg2M0k86RzUpIS1A4IJYpl4/pWG549JpXsoLxb9l/YgH v81km+PA3SMXmkhZ7pfE/pQ/956hGCjd+qIRVkKdakZx+paxE6y24ltr2CGteQaN IugRK0Fx7K9QhZrfsy6IrcoRn9Kz6QGStPJLNvV2doeM+ZUy7mT8sLHpIaEeu8U0 WElCxM8GAf9hfIYcrx1yAPV0KVj73HGluFeMTzijg7NtIb0fKTB/3i8uhN0Gw7MG AftCzH5PHPiQj7PtcZOXBwQQssLaQzGRSCG5KgNiiAg27kwvYOcyhK6FtMmMcqjK wF8M5mckuiCiqDSM4nuXrqiRt0viZkaLY2hIni09r0PaGIUKvQso1I/+X3QT3Bdr 6AzBgQxegCrZn9peduGCt8u1HS0jQH3X3rygptr33vtT6KerfgfehzCBFKQxhZJf b1lGdABJyiLBqQlMNoFIML9TKcLSN4kfUn5gBhcdPVR8XykHLgSycnBww/2GK3dY Vs5KGL+QhJ4CWPr0oSpypX0Upd+KL/0okGAaYcMLJw97VhNk2pE= =r8LY -END PGP SIGNATURE-
[SECURITY] [DSA 4094-1] smarty3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4094-1 secur...@debian.org https://www.debian.org/security/ January 22, 2018 https://www.debian.org/security/faq - - Package: smarty3 CVE ID : CVE-2017-1000480 Debian Bug : 886460 It was discovered that Smarty, a PHP template engine, was vulnerable to code-injection attacks. An attacker was able to craft a filename in comments that could lead to arbitrary code execution on the host running Smarty. For the oldstable distribution (jessie), this problem has been fixed in version 3.1.21-1+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1. We recommend that you upgrade your smarty3 packages. For the detailed security status of smarty3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/smarty3 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlpmaRAACgkQbsLe9o/+ N3SLJBAAoZt3q3HeplRZjJC8qcwCUic2ZRn/V6xW3BDI7NyNbUb1sOJrNFXPDLYl 4cTSbpG9LzK+OeEnZ/TbEG9sqZAUuH+rInhv/E89yZpgwg9/k6WK5LgI7KxHSL/X JeGO6WLtJECkvE0QLymtlQnftCWJ+Ov9ia/mm9uenUF6mmJSyaNq6sXMSbTDYZSu R3qki2b5tchWKFBWMfpR444OfxekWUJ9UJHqyItPCDoaLInBvogTEQvohtroXO/d ewx2Ea4TLFzsdehAQK6I8XbfN4vpqYafTCVQ2kR5Dk3QNQr1TrPWRJUH7y1s3k8p CGZbPI6iIorOAzRQWJqPV4tt+84coiCsEga5Bc5xadHALJ6xAaRHQx8dzPc4SsSs oyrPyBUSYEspQpulgbcv9yZoy0EyO7s4ejEuZ4Fpvs/oFxXZ5yQDciK2W0eAxfNv DHSUNyuJ+yAv9Y/IM2rb4KS3f0kyA9pYxHUtUDzkqYnl4wYai/byx38jYJQmSBoC KiyItXfwVe3pb8U9TXUj1gFDPt4bNqfE8yTy/qMWWMhKsZQKOEYdumn5yANy9OMi 6NnkZe6w9N6rAt9Gs20fyxu85Djo3jNodlwH6tb7rk/aRQSX0HBIbu8w+2z2UUql vRqrBVnWsGUIY7OkgmoyLTONJ4S2oAWyGiqy6USsD7gYfR2kmnc= =9MnI -END PGP SIGNATURE-
[SECURITY] [DSA 4006-2] mupdf security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4006-2 secur...@debian.org https://www.debian.org/security/ November 10, 2017 https://www.debian.org/security/faq - - Package: mupdf CVE ID : CVE-2017-15587 Debian Bug : 879055 It was discovered that the original patch applied for CVE-2017-15587 in DSA-4006-1 was incomplete. Updated packages are now available to address this problem. For reference, the relevant part of the original advisory text follows. CVE-2017-15587 Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file. For the oldstable distribution (jessie), this problem has been fixed in version 1.5-1+deb8u3. For the stable distribution (stretch), this problem have been fixed in version 1.9a+ds1-4+deb9u2. We recommend that you upgrade your mupdf packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAloGD7UACgkQbsLe9o/+ N3SHXw//XanAOryOk4TuF8kEFZ3/TPdryr/64h9e9h6JC5Ro0BHX5687agJ+aDwW D1gBgULOsdwZqppRpnT8bcIJmb9KUQPhfbeeQyhkDA7DzpAZRZunpg+Wlbe+saGA ifrZss3y5Ys1w1PJOTOJxwKfWdwHDVwa4Z5Tj18zNBGKLM7LI9bbQ7evcKMob3rB /SsWz0/R+GKZR5M18/0+YKIVllIH0eQI4ZCGu3FkP3oEwbdidtJP1rdc4sZWRmCk NnJw7cotwNmAKlMUCapzK4BMEqMRmT+3eHi+UcIfh2MxDG3ecGF+Ev4Ok3H12FwG 4c3QJFaOMItMbl8U+Av7T6IwIHFPYJoCHEUekiNFIy0U7pLimE53dpZvcLM2Is9d lqDN203nqio1znTPemafqFDCD6E+m8DDegkvAkZ/XDPuTikr4Zlp9NXsq3R54V5l K3LjPhR7HEtu5YbhSHdnZ5Tj1WU765PTXhmu/off4GuKJV/1fRAsZ54fkPtlew0f 0Qj3pabBFNcElB2b81xjVEMHP8WdYyEoUASRUnGdbsZxEmx39ZI0j2Zu6kHJIhTO hwhSUUmx98qBE6pq+97mXoiD4cBOqE309ycDaRWxWq16bBh7u04bv002ROZLqIrg WY0zre1W4BQuSj7GzO1BMzNBdyuoXu0GgQ5yslgy8TkIb/BbHuU= =gE7H -END PGP SIGNATURE-
[SECURITY] [DSA 4006-1] mupdf security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-4006-1 secur...@debian.org https://www.debian.org/security/ October 24, 2017 https://www.debian.org/security/faq - - Package: mupdf CVE ID : CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587 Debian Bug : 877379 879055 Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code. CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687 WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format. CVE-2017-15587 Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file. For the stable distribution (stretch), these problems have been fixed in version 1.9a+ds1-4+deb9u1. We recommend that you upgrade your mupdf packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlnvXmEACgkQbsLe9o/+ N3RzjhAAmd9oUssec7y32MDcEl5Q5r/SPQ+SdsnHiDlaZ/Eokmjf2pAmSos4GJ0H 55nT83AIGFRMufz6BDTw10Zng4ZhWUbVXiB4dHJfk8GbyaHTq7+OGFpSr+QlbOGU 5HDGTKcBarOiuIyFXEdjJxkUWM0kq95nXP2DJQfLc3x6w3y3KkakWOHvHu29Epav 8cbbWFNVJGYCrIHr6x3W8ml3xmv33WxdTshkBA3/2ksfRGe7HLdUiRshQUETYW2R W24dcGzym4JrOYeAEaVowg+yM1pSDi/ogWu9ca4wvSclo8CtHZ1AoyxQHC9m1VKo dGLEpvjhfE8MXoaUqi+9MrOxQZhYEcNgAVIJd1aHGVmtYVaGa2P4b7x6m/RHTChr bk3DHWSnrt1ctxH2mqxY4nbbFqvLC1Q221ZF3o6d6R2Y3xOes8trxQWyoUS3heNI TBiOBuQ0SrvYRFQwUGxqnNFsKRKC7ird1o8S+fpTrWK1YOuSXLmEFRFsi9jjh2SU HmZd/i7xeiTpGYDubWy3tgzbXcGj5h0axGnCEf2ncKmnknoSJ85Oism/JZcfzSGq VW08893Mfa5Qsl41v9lkitWO3iWMp/pJXMhuSrVLO7yKVTKZj+n6zu7Qi+8h5fqh FzkhVwtLYV+rKFGEIaRq9IXkHni5E1FLkBjaeRtbM1fQ44CGVLY= =/wFe -END PGP SIGNATURE-
[SECURITY] [DSA 3957-1] ffmpeg security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3957-1 secur...@debian.org https://www.debian.org/security/Luciano Bello August 28, 2017 https://www.debian.org/security/faq - - Package: ffmpeg CVE ID : CVE-2017-9608 CVE-2017-9993 CVE-2017-11399 CVE-2017-11665 CVE-2017-11719 Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situation, the execution of arbitrary code. CVE-2017-9608 Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a crafted MOV file. CVE-2017-9993 Thierry Foucu discovered that it was possible to leak information from files and symlinks ending in common multimedia extensions, using the HTTP Live Streaming. CVE-2017-11399 Liu Bingchang of IIE discovered an integer overflow in the APE decoder that can be triggered by a crafted APE file. CVE-2017-11665 JunDong Xie of Ant-financial Light-Year Security Lab discovered that an attacker able to craft a RTMP stream can crash FFmpeg. CVE-2017-11719 Liu Bingchang of IIE discovered an out-of-bound access that can be triggered by a crafted DNxHD file. For the stable distribution (stretch), these problems have been fixed in version 7:3.2.7-1~deb9u1. We recommend that you upgrade your ffmpeg packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmkgDYACgkQbsLe9o/+ N3T8Uw//SjcX5ZPW2HpGoXQ0Ai9MG0iHDOntJ+9NSmqDc0byW4GMFyGNt6WJnvau dZvXzOSBRLk+I+WmdgeFy6DnroXA/VSoRMBhFXMKIfxJgNTTodIr6G06XACLBr2W 5Tl5F4+gjKzFHxfG1ypux6D1QSo88a8uiEoR+kDXSuoEH/yZ2irC/bX0rwtap7Fu /BrfsClsUFOAbDadN3XiOOiK3b4FRE+UfTEAaLMnMYrMJfX8CiC5ABi9tG7imZXr rlj7pSp2rlosgqSCZ+uCo6haqg9jamiBmzZbT1qSD+VjLFmGMvw/yuRN3wGSt5kQ nxuLVNghg7qGi660R5ci9TYpn5UyBprkeEVQLh3Ts3U8VpN169yFAD+Zln/2KGVw mYSjEjXiPg4IE2/Phfw8XIqaO1zTezAU/yTMd4XBl2n7j1swAMgdaDPfmIBMg74w +iQOWM7D4xY01sXwgjdo9wVpsZuWU6KiSp1A4Y0QeozU0/ZMwlHlQHLlIDWfYhr6 EfgwG3y+ZfyHDiJELU1yuXv6gPxSvfn+MgkNopqzUNbMOZytX705fWA4cwV2fIFF G4RwVsJfV2tA1Zf+wUvjighm54r8mpRExtyQdi79Il4cws+5ggeAX2cT5Te6mosI 3CR8dKBZmfpRgRmcKUTJLZmFaD0pm+g/HCpV0+bZ+Xx7RbF7NGI= =Y7WV -END PGP SIGNATURE-
[SECURITY] [DSA 3956-1] connman security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3956-1 secur...@debian.org https://www.debian.org/security/Luciano Bello August 27, 2017 https://www.debian.org/security/faq - - Package: connman CVE ID : CVE-2017-12865 Debian Bug : 872844 Security consultants in NRI Secure Technologies discovered a stack overflow vulnerability in ConnMan, a network manager for embedded devices. An attacker with control of the DNS responses to the DNS proxy in ConnMan might crash the service and, in same cases, remotely execute arbitrary commands in the host running the service. For the oldstable distribution (jessie), this problem has been fixed in version 1.21-1.2+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 1.33-3+deb9u1. For the testing distribution (buster), this problem has been fixed in version 1.33-3+deb9u1. For the unstable distribution (sid), this problem has been fixed in version 1.35-1. We recommend that you upgrade your connman packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmjRVgACgkQbsLe9o/+ N3T3/Q//VQRbz2KIvb/nJA79D9HsmJiV5MCs8odlsPfV+796eENsgepO3elsdm75 vo5FHTORoN+tc2cw9zOkpgR/tTNYVFq/adcchecjW6E8Ruh57AwT1PaDDStaTger ra9tk3QBVOWBkhdZmag8RxNt99EK9o1pVn0zu2cdNWwWR+0DJFLOTn+icvaX9a00 E53GXX/CCMEYw0Smo3t3D0HuR6NLLDFbyV1Cf/fte29Hdt7Ni0aXUZsjyqlND7LI mF1m4OcouoGhS/QFBEkIsduMs07Merc7ZHQ93z/RMtqQzo9Ev/7qBsgGG7TokTif m+HmH6x6OJ+QIVca2VK7i3pKmWu+zLtF5zixG/U0ED5nVoeDE1vnHmLlQilHOzi/ Dxmb6gPNQvbLYE3Hr2ytgL4ICmADVeUlpVfEc4km17G8fiTCaCY5vAlKRUy209bE d9izLn1u3J2i1gb3IsJ1qxfIG3kxy6xnXXED0sGZXCp61HU2SaXTiK76B5MLiBHP wQN335oSsRIbORSsCvfcqVUAtLs9BLqV3fQ57wb7nM5qH7vfHndcGXc/lVNb6eJe 3PjOIyDUU58K987FnvbN+FSWGuv5cfbsQLZwfICU5s95r2EAoS06tk2/iGU76Wwy zjmu3on4C2men6TxIaWCOamkBR+igB9MvRIRD2wRIUkg5mudmf8= =p3fr -END PGP SIGNATURE-
[SECURITY] [DSA 3953-1] aodh security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3953-1 secur...@debian.org https://www.debian.org/security/Luciano Bello August 23, 2017 https://www.debian.org/security/faq - - Package: aodh CVE ID : CVE-2017-12440 Debian Bug : 872605 Zane Bitter from Red Hat discovered a vulnerability in Aodh, the alarm engine for OpenStack. Aodh does not verify that the user creating the alarm is the trustor or has the same rights as the trustor, nor that the trust is for the same project as the alarm. The bug allows that an authenticated users without a Keystone token with knowledge of trust IDs to perform unspecified authenticated actions by adding alarm actions. For the stable distribution (stretch), this problem has been fixed in version 3.0.0-4+deb9u1. We recommend that you upgrade your aodh packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmd3fYACgkQbsLe9o/+ N3Se8xAAimg7Xo4NfIIGKBctTpzCv5cmxC49w4NqeC37a2uaLPOA3DLU/WV30S13 st+NelwaFHrhE/hXgiWgoGi1p2b2v4Gs/C//NO70qNoXIRePs76+ic7RWAAB9ddI J7n1CiTUtNisILP6EmhEoOd6kSReCc34jUc7s2YPr0DS0ziEcOJrR8X2SfK621zs nfxPGMUMBE5+Fk9gOrXz1zCJguGvIQBRnSNQjLf8eFZvva0e2nAulIvq6buvKW2B 9ZftuNHQnpW3/k+1kDZ7FqMTvFsC5gQdEF9c+qmZd54lyb5qWgds9W2Xh3meQZDM oq64lGSozMcFIfeLLFfCktQfpmxInIHsjT+DK8FnAr3UgGD6zhCJMTNIxP6p+3xB 2Y2z+PUFMumpWNOtb3o/9DEauL1v5BxCTRLr7C0sr0MLdypm6JmH+ASv5FaKN8o4 i9mgabqext57ejKVqOhDGTcZJJB3uN6N8WeOTt/E3bU22kSN9H8BeBX9RHsgVnsF wehYkH1qEynb+E6dA6o0epMX/Of926PTeUsu+3ipPZWALM/dSvjkwdr+LRjDt8w4 sd5k//1SH9SnUQTiPDrEk2hu/HEj01HGrhh8eJNn9+2Zq7+ZmFUgiPduyFWlEoBk Ky5zI5NtuTvgW1OjH+GX1tZNc8EPzPDlapB1I+RvCUITQWVtDlQ= =OTsW -END PGP SIGNATURE-
[SECURITY] [DSA 3950-1] libraw security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3950-1 secur...@debian.org https://www.debian.org/security/Luciano Bello August 21, 2017 https://www.debian.org/security/faq - - Package: libraw CVE ID : CVE-2017-6886 CVE-2017-6887 Debian Bug : 864183 Hossein Lotfi and Jakub Jirasek from Secunia Research have discovered multiple vulnerabilities in LibRaw, a library for reading RAW images. An attacker could cause a memory corruption leading to a DoS (Denial of Service) with craft KDC or TIFF file. For the oldstable distribution (jessie), these problems have been fixed in version 0.16.0-9+deb8u3. For the stable distribution (stretch), these problems have been fixed in version 0.17.2-6+deb9u1. We recommend that you upgrade your libraw packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmbZIoACgkQbsLe9o/+ N3QjYRAArtj2jyK39+qYwrUiRIb1eFZJ9ktBaY9kajnGIH+JnEbzna8YeNHvXxoF FQk6q91iAVG+KANxaYYp1R1r2t56a6gK5b6kb3kgkmSH2DifbRThlhI/XnAngI20 KqPmOscW9Y5v/RQs5N7+d11CiMp99aI8yY043rXxNywAcXgs0rcuefxjqo1Al04s nN6hg1Btibz0oWFBVkUC91tJ7nUSN/EvSqdV5WlkuilN2nJqCART1bmj8ixZMcpw AntyWGW+eiJt7FuJw2APXlQCBMaprQJsVbs2xel+EVK1LwVDOgs+wbon4GUWkiPm MIxBenPPPfC3YoELK2DlcQQEkVhPeZDqK+ZqxWOzpYkjWMhlR/OFWz/gc0sDloCQ OTkLHmgNeQen067qnfbt08s0zBwsr1UoujoNldnrPyqqEbHuqHiWlg3NiZjmUQOn Ymfwe7BSq/9Bb0KpkdHbykziFhV7TIoCLS8fNniCZ/Wv7DQ7Us1Mb0SxZGd9b8HG KUFW6KKQ+LY2QfwgaCv2Ds2JaPR9LJ6+kCS0arIgeWve1ZHZq2Q5sxN4vbehIS9+ EP7SwFAwU8F/PFO+DvlF1FvBRhhAQznL0xan9Rzd5LEjNu+A3Rpe9YE+CuCqY3zE i1Kcsh/V7oRoG7Ht680JsCYnqEGBc5GdVYEJ24223tJQMIxM/Aw= =RMQr -END PGP SIGNATURE-
[SECURITY] [DSA 3783-1] php5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3783-1 secur...@debian.org https://www.debian.org/security/Luciano Bello February 08, 2017 https://www.debian.org/security/faq - - Package: php5 CVE ID : CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161 Several issues have been discovered in PHP, a widely-used open source general-purpose scripting language. CVE-2016-10158 Loading a TIFF or JPEG malicious file can lead to a Denial-of-Service attack when the EXIF header is being parsed. CVE-2016-10159 Loading a malicious phar archive can cause an extensive memory allocation, leading to a Denial-of-Service attack on 32 bit computers. CVE-2016-10160 An attacker might remotely execute arbitrary code using a malicious phar archive. This is the consequence of an off-by-one memory corruption. CVE-2016-10161 An attacker with control of the unserialize() function argument can cause an out-of-bounce read. This could lead to a Denial-of-Service attack or a remote code execution. For the stable distribution (jessie), these problems have been fixed in version 5.6.30+dfsg-0+deb8u1. We recommend that you upgrade your php5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJYm9J1AAoJEG7C3vaP/jd0VUkP/0Yx3o0lF24kLK37t2OYf/DX kbVlrz6lUgpB5K41E1rQLk/BltM/LeQ+/pxzfrY92IttQfAx4Ls7dzwyD8cGElSC u1fkrB0/1laDnm8Dp7A4BVITSmk7J7+l5ZaHGjJK4Pu0JLqen/GBvwVSldCpKvL9 M3d2PlUrHQ1VQQEtKSj9axthAuSdaQ6qNnxL3MmeYjY5pNTZ+msoFRHcplTdeihC gWYXSurs0iFZ3zV8qLvVG5NqZqx1BVVobmDIJNbZ/iq38RhxjEIeYsEysNMLyxKB Bop8hiSqAqsnssJsOLM8sKslsb5u6LX9YO788zZhJwdn36nsN9Zt3IzsKPdmDaa7 RhKtvDBYjbGTYSA3i+5rbDCZZU6o1cX5/peHuj+4Bp3EZiNaxMkhV98HRRqHAYqm W6v+5Cyq5Yfd1IQmb+JQWe03RcBIGVaS4ic16yGklFOC1pFW2qwlmP2XQMIqp6Xv z0X0cELtX0LiAHTI7RQw/Ts7/WmMZg731CdfrWmEl66qPvM5V4uqeT40PHjSqyH3 ubaBoibjBN3b2aWYEYbvgnVatXaQafYF0pXdYQDXUUs6OpousWd/Y+3peB4oQCY5 e1mfsn0odNda8CwU3U37pKg4t57cqouwKT5YjYO8odWurZOkVQjeeLZDTe4SV+8s kklPqS1NZ/W+oE2Oy7tb =vVtJ -END PGP SIGNATURE-
[SECURITY] [DSA 3725-1] icu security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3725-1 secur...@debian.org https://www.debian.org/security/Luciano Bello November 27, 2016 https://www.debian.org/security/faq - - Package: icu CVE ID : CVE-2014-9911 CVE-2015-2632 CVE-2015-4844 CVE-2016-0494 CVE-2016-6293 CVE-2016-7415 Debian Bug : 838694 Several vulnerabilities were discovered in the International Components for Unicode (ICU) library. CVE-2014-9911 Michele Spagnuolo discovered a buffer overflow vulnerability which might allow remote attackers to cause a denial of service or possibly execute arbitrary code via crafted text. CVE-2015-2632 An integer overflow vulnerability might lead into a denial of service or disclosure of portion of application memory if an attacker has control on the input file. CVE-2015-4844 Buffer overflow vulnerabilities might allow an attacker with control on the font file to perform a denial of service attacker or, possibly, execute arbitrary code. CVE-2016-0494 Integer signedness issues were introduced as part of the CVE-2015-4844 fix. CVE-2016-6293 A buffer overflow might allow an attacker to perform a denial of service or disclosure of portion of application memory. CVE-2016-7415 A stack-based buffer overflow might allow an attacker with control on the locale string to perform a denial of service and, possibly, execute arbitrary code. For the stable distribution (jessie), these problems have been fixed in version 52.1-8+deb8u4. For the unstable distribution (sid), these problems have been fixed in version 57.1-5. We recommend that you upgrade your icu packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJYOxmOAAoJEG7C3vaP/jd0vqkQAKAMItur4VZLQdyw7yLRDNwN hZx7Z7w2etBM7bZVulYvOrNWzdfBal45uQ4XVYMlgjOAmGGnBNRcuEZBI7tOFOJ5 euwEz+HQj/T5ZiwjMjP9VbflM3OOgAbHHjvyuiS72n7pKjJFAvIvvIQZ7n2fzbtp oRWF7qXgtUFgjh/Bk8VLizW/AqfmJnaRpITOWuLldGyqu23iKgBC/m1u5j3uX7gq YWjbHh66t93IaosforaX6o2B25IMLIAcIlLE1yOFIDsnNffV/Wb38huBodXWDgkd iUJlaz4uNGYpCG5J2Fy5GVY+ePTFyLNGW9hgvgLiTpqWXN+fo9B2y7nkhUtTDljY QMgF9oCzdFBAzsbm3EN6thbMr3+/BlH1smWuxthWlzenVWzYRRW9biXiYHhAuTLx k9v/4A2oCL61uCaHsrc8NbMhI6BUq0hvQJPHrU97ix9U4cRJGPLWSKkKpJVTEjqI 1Xki47FSNTykUXcbgNV1StJ8paL106J8ZHFRdy10p7np+rIR+dujU4Hz5P9hzw07 4aECq/FQGescS2rgpC1QQmUR9qLZdQ0ag9oEmPWHXvoblqii6u3DJyZKTURhWJA8 Wn6FmmlwojYs8nZsuixJXB3a5ExhH3jTfiB1v1DLCjCVAOeAlUkuILSv1SOUXSzo 7xp83+DgrMJ93GY2aHV4 =vHKf -END PGP SIGNATURE-
[SECURITY] [DSA 3597-1] expat security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3597-1 secur...@debian.org https://www.debian.org/security/Luciano Bello June 07, 2016 https://www.debian.org/security/faq - - Package: expat CVE ID : CVE-2012-6702 CVE-2016-5300 Two related issues have been discovered in Expat, a C library for parsing XML. CVE-2012-6702 It was introduced when CVE-2012-0876 was addressed. Stefan Sørensen discovered that the use of the function XML_Parse() seeds the random number generator generating repeated outputs for rand() calls. CVE-2016-5300 It is the product of an incomplete solution for CVE-2012-0876. The parser poorly seeds the random number generator allowing an attacker to cause a denial of service (CPU consumption) via an XML file with crafted identifiers. You might need to manually restart programs and services using expat libraries. For the stable distribution (jessie), these problems have been fixed in version 2.1.0-6+deb8u3. For the unstable distribution (sid), these problems have been fixed in version 2.1.1-3. We recommend that you upgrade your expat packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXVvdDAAoJEG7C3vaP/jd0YQoP/iNI/wcPsJl1Dzji5NiBhaAJ 9QXYxekJEusKQgUE4odgqfR58knCN9KX0YPw7lg1hWxkD2UEgwBMT9uKzXeojBdS 4mvh9kZquA5Uizy4gXaoo/lVzUYfRCrFBiWaH3vT6ta+Se9fb0wq5GZq1Ad7FRrK 70YSv5yuu0jkA9KU9AspJt0d44nqdfiNCOl6mjW768pDs4B7jKxWmryI+ziWTWmG ZJH4TlUMBwYZ7vxe3+1t/3aHzyHfg+hjkWIpKvR9TsFnnKxcYyecCHjOh57ytCBF Kr4TD46oyzHxMYR4GR0ig1bsbmcZOpS78OH5h0aikRta/DzFwvP027YSBp+DlhD1 J9iKPySdykU4Ks4qgc1Ywe2J04pIzdyfJwWAaOug+rMJIT06ft+Md8GPm+LxtZLv n67DgIqGEvLoBneC9UUP4Qmz/uFbX2F0ILi69j1PZf6d8WrrSX2UM9azvXGr+YyA 3AHPp/uH20NvytJkTTV6IC0EbQ2HdxprEhRCLb5ggh8rNVU0ozM+/OkNjNzXlHmV WzeVej+DqTuHYDbvBAYKvQ9G+DgqX3gHm2+OHFz/j16WLhP9+o54Pb7zL7spToG0 xIxU8l2e8rsjTvJNN3Qja4p6mJrUblKW3Mxm28sKgfy/EPWXCAwFRy1/aPVxAISd qKokFSeLrpmmON44o5ah =Au1C -END PGP SIGNATURE-
[SECURITY] [DSA 3591-1] imagemagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3591-1 secur...@debian.org https://www.debian.org/security/Luciano Bello June 01, 2016 https://www.debian.org/security/faq - - Package: imagemagick CVE ID : CVE-2016-5118 Debian Bug : 825799 Bob Friesenhahn from the GraphicsMagick project discovered a command injection vulnerability in ImageMagick, a program suite for image manipulation. An attacker with control on input image or the input filename can execute arbitrary commands with the privileges of the user running the application. This update removes the possibility of using pipe (|) in filenames to interact with imagemagick. It is important that you upgrade the libmagickcore-6.q16-2 and not just the imagemagick package. Applications using libmagickcore-6.q16-2 might also be affected and need to be restarted after the upgrade. For the stable distribution (jessie), this problem has been fixed in version 6.8.9.9-5+deb8u3. We recommend that you upgrade your imagemagick packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXTrgYAAoJEG7C3vaP/jd051kQAIvICEXyTZ80DvFl1z6gFK9y 5qaS3wHqH5LI9pr6STRi2T3zjCjLErUzHfmfIQkkfjV2IOLOGYo5Np3MIYAVXwee R65969LW3K0e7sFGMG56yPspGIJ9xU7bmtxN48ooxLhvpFLwUmZowedQH+iEnVph /JhxPlA82Tk7lHaqbrtXmvo06THl2NwwD3Fxa6m5gVI6A3oAHPWx7z7uhagfusWO cPOcPdRIPCF8mNERpiggmtNLTRpnRx9XNokJGLrsofY64J9L9qB4CXHQP5JxBH0z AnKewYm2Ez9il8m+kfVEkbQ3Q5G53Te3ezN+l01Bw2kfzAf9KunkPn/fmO+TBrk/ flyy2DvGjRx4j5awcMGXfXTilF/ImtO/BBF/w0NfRdKV29/3OLNQsBL9uP2eO1iC ClkFfLMWmXsy7kN19jimIZyllX6TTC8xjHPw+3Nv/pe8KTHgPiqw+OMDCMS6kk+c 2hDkTwushUl2afNPVRUQn2HdsQUekjPist6ieVl4v1ywl44XwYHjslAuD3oIJKIY kXwa97OCxCaCxv4SrocSLDKdJWVmZZ7zvgKIzDQQPUUTAqiRZCWY37ll5VCmZr1A l7l2+KvmiDmyh8ofmmELBcy4ggqCWR2ofTyMLAEB0Qod2Eop6zxQwaxyZfHZ6UUp vk1xibycgsAc2IFNj8h5 =crNt -END PGP SIGNATURE-
[SECURITY] [DSA 3588-1] symfony security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3588-1 secur...@debian.org https://www.debian.org/security/Luciano Bello May 29, 2016 https://www.debian.org/security/faq - - Package: symfony CVE ID : CVE-2016-1902 CVE-2016-4423 Two vulnerabilities were discovered in Symfony, a PHP framework. CVE-2016-1902 Lander Brandt discovered that the class SecureRandom might generate weak random numbers for cryptographic use under certain settings. If the functions random_bytes() or openssl_random_pseudo_bytes() are not available, the output of SecureRandom should not be consider secure. CVE-2016-4423 Marek Alaksa from Citadelo discovered that it is possible to fill up the session storage space by submitting inexistent large usernames. For the stable distribution (jessie), these problems have been fixed in version 2.3.21+dfsg-4+deb8u3. For the testing distribution (stretch), these problems have been fixed in version 2.8.6+dfsg-1. For the unstable distribution (sid), these problems have been fixed in version 2.8.6+dfsg-1. We recommend that you upgrade your symfony packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXSyojAAoJEG7C3vaP/jd0fkgP/Rg3MGnU+HOjA3yyqMpG44ui pdYS9uxQHpfqrABEu4BxOOBikJmJOFTVbX6LgKRv7RD8ko0GocEfFVdVyIBg4q37 ym1Kue3pLUYG+ZSDZY3AFTDqOPHdEd1VV0g+NSHOfwQUxB5rZcWbknL1JGiyuZBt vZ6S6t11zEUppBrjlVqFoLZyqaO/6gbOSEl3IYoBJ8nGvpsEb54Hr1xnA0V61BmO LSsnXumvkljlWxfLmdbv6eFZZPeqcTUSTrhSY8HSG4fk1hZYmD5zCcmj9HwFwpDV Ix8qIr2dYqDeP1kXt5vgaJnQnYDcFZswz97vgdc+u+JfpwZzzg5YNLzXtyWMLueb AoTpYkKqyMKt9OYR2LMrR6MApd53SlUMssb6TGBUvrs75fkkInDnn98x7HMOBANf eCZjsaR42tm0H2ydi1mEI3kC2OswLXoVakAw//jYlRoznocQ2J11SvDWZ3ZIVN9N V2AhyotQSD67BYiEkt1n1uln3zoHLxf8rMXRKO1A0CT0TQujyvwucXQ9YrMjcvN9 TbjocikONjdvjrCGD7N5jYh6VFFjyLNgj+erXroGGnFWLq38Ao2+R+7ogMIUl4gX 20ygoVwNeo2Bb+vmUiPOGTmh53GpbuTxMQArpT7/647gwZJhb2CtkzMnDxMBoU2x E4S/jTK1mnD7vScdwaNs =gJF9 -END PGP SIGNATURE-
[SECURITY] [DSA 3580-1] imagemagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3580-1 secur...@debian.org https://www.debian.org/security/Luciano Bello May 16, 2016 https://www.debian.org/security/faq - - Package: imagemagick CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718 Debian Bug : 823542 Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. An attacker with control on the image input could, with the privileges of the user running the application, execute code (CVE-2016-3714), make HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move (CVE-2016-3716), or read (CVE-2016-3717) local files. These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service. The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In addition, we introduce extra preventions, including some sanitization for input filenames in http/https delegates, the full remotion of PLT/Gnuplot decoder, and the need of explicit reference in the filename for the insecure coders. For the stable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u2. We recommend that you upgrade your imagemagick packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXOeIaAAoJEG7C3vaP/jd0ROMP/2Twg466ucZVRzucPlyGQv+e eyu80GMnB9UlRIXrrpAoVKr7F+FnwnZiMtzqLXuoRIms4+pESBRMVu7YXMRMWupi Nj0DaZClL07cBm4RDF+Nzr/UK4XCWFTeHxDKBBD684ddfIL6PeJoKzRd13Yt4/9Y 14oijuDSCGSjSM761UMYh1y6Gnr47zx93t6TzomGFpcnp8KVMJeEWnnWere7QNFk xxwdDQhnQXWHwQP8h4WvS9/z+tRzQ80cmBzmcAZDgZ4ApllUyxHiv5OqBaRSP6aD C0k8UedOBUTTq6TGQCCmsM/JOE2o3LAzlbbEMWY3C2a9DxJ+H9gpQ6RHqZcFSE4A fs5jeJkviUB2R9M6tPLAlBBDmiEyGYfgVjUiEq/Rq1pWKU6RCDxnjbd8Uu3Cv0IV QRIqfPuL8KUN/X0PjXvJGZXIsN3xyOCW22grQEsyldUyLe4UivHNhFdKp6zb3cyo YyCC+mmDOVl7SwJa2swztOHSPZ7xlv2o4tMuvGVIP9x6mmTD8X6nJlY1g7SqSEZf CELrEE9B8YDIbd8fhiKzFgsh5Rjae0+MQW3g6bA8gtCc5iwoAl67g+bUBPwPhaIs riOWsAjPFoYyzsMeMLJpEpe7rFzLOWutfv4Vi3f0F+QgIpq89e4X0HlSTsCrjrAl s+4kgn+3ifTDFT2joBj7 =atw/ -END PGP SIGNATURE-
[SECURITY] [DSA 3547-1] imagemagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3547-1 secur...@debian.org https://www.debian.org/security/Luciano Bello April 11, 2016https://www.debian.org/security/faq - - Package: imagemagick Debian Bug : 811308 Several vulnerabilities were discovered in Imagemagick, a program suite for image manipulation. This update fixes a large number of potential security problems such as null-pointer access and buffer-overflows that might lead to memory leaks or denial of service. Any of these security problems have a CVE number assigned. For the oldstable distribution (wheezy), this problem has been fixed in version 8:6.7.7.10-5+deb7u4. For the stable distribution (jessie), this problem was already fixed in version 8:6.8.9.9-5+deb8u1, in the last point release. We recommend that you upgrade your imagemagick packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXC/ZEAAoJEG7C3vaP/jd0yjAP/RJ3GHiMQDNYXsilOf/hBssm 6PRuYeH0XSjX37PsDzvOCt3A8POiOTJPOXPIU1Mmsqtd3B3VzXmwXIbfVW1dTSeT TrxlCfvFfdF16ckrzvcv136BIBAQTnQ8UG6z8o+8FSwVBvdjeo4Iim5gS6zepzhK xDokj924lCNbnwTiy2vQ0EgVW2EeZaa3ntRyldQ9ZC1Zo62hg6abNFBwdkB/giGx zqdMw9kXqvsiQiZqEVrMhfjAEpFZ3JceVMs80L2yBK5VuFVUirgPgBdH8ySZ8exW Fr1Yllu6G2nkzGKSiHGzRMd1lrzM3lV7LLrWq/jlQ7rI2ogEZ+4HHgQJLjpYJBuq KkTxWhIGsXjDOrQlZZ2xx4V8jn2naQCbYTXcB1LKvcktKsp9D2SFYUC6rWDA2k1J JD7tMTGq4JIQspP/bJ61mvtDp9v4z+9/Uwjt5S/eawdY/n9FT2Z71UlC226GxU8/ IgbGw4wH3VCM3zsZsxyqINVFLT48AxbkW7bkxjJVpm7Ic2CcIwlewodkkdWMdSA2 pj0lABOphaClhnNtHOQ2YwqYrPxOXjl5PeMoVIymKdx9h7eSWO6pLfGVuKljN2XK CeuR/5R0mubPrnrGB6AVEOjEYVRQ1YvGfEm1/ox7q51MZYdCT9+TTQEXOHGSoQGk aSM2D/rhnJ/VT0RkYlF4 =a1rj -END PGP SIGNATURE-
[SECURITY] [DSA 3509-1] rails security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3509-1 secur...@debian.org https://www.debian.org/security/Luciano Bello March 09, 2016https://www.debian.org/security/faq - - Package: rails CVE ID : CVE-2016-2097 CVE-2016-2098 Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails. CVE-2016-2097 Crafted requests to Action View, one of the components of Action Pack, might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra. CVE-2016-2098 If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit. For the stable distribution (jessie), these problems have been fixed in version 2:4.1.8-1+deb8u2. For the testing distribution (stretch), these problems have been fixed in version 2:4.2.5.2-1. For the unstable distribution (sid), these problems have been fixed in version 2:4.2.5.2-1. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJW4FkEAAoJEG7C3vaP/jd0VUwP/i8VGs83jQkZ8QlNpP8QlhS5 7coDFyerpNk/7TkVgR42PeY50gkgFBBdR1Dxr3XLsb3EDFNz6r6DceEDT145Ym0t X9E0fgkRFv1ShxK2SkrWAV3IVkuvgJuAEXdKk6/qbOy816BQurAPjgm/ULaG/BiR BaEyxd5N+t0Bko8szfuiu+kAhkeLhMAa2IjA6f3qFq/aor8pjzqqP1+rfOAd00hU Xwv6b4jKxQa9gGHcPfnCQd9b+3sVNCo/9K0rN2EdyH8JPUtj2DHrVtekoHG0lRY2 biJzIzXrogUxIfidazJqAvTx3gj5VHKnSDGY+0eKN1Kbx71AnuSk4hB4rgE0WCVq DEWCfsYKnxcGz48CVtZUUrCmGiNosiJuVy3R+4/qwjc6Idt6Ssw2OwMeUpeghK0J h6RK98at5DVH4WdxZRZmHsLQl90ckRLqav9z2v01Gnd+v7MzUX7SvcB3Osa4OAaS gDImML1BOonQFMuQN/mpDT6UbRH96kUZcsrYWt3xIugED1LqS4QLvxr/5LgzoXY8 cPulb11O5EB9XDB4PQmMmrX3bzpAsw5L4l2VYQkQPIm6Gzcoyrugefnm4rjghA2F 1k5qgmi6ESuwonMd+RR0bC5sYCGdAbm6uqwJgkQFeUHJ/csOIUen/3S5rsBq8Bal P9l9VPGFoFhUL7/HN9Zx =4cBd -END PGP SIGNATURE-
[SECURITY] [DSA 3509-1] rails security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3509-1 secur...@debian.org https://www.debian.org/security/Luciano Bello March 09, 2016https://www.debian.org/security/faq - - Package: rails CVE ID : CVE-2016-2097 CVE-2016-2098 Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails. CVE-2016-2097 Crafted requests to Action View, one of the components of Action Pack, might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra. CVE-2016-2098 If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit. For the stable distribution (jessie), these problems have been fixed in version 2:4.1.8-1+deb8u2. For the testing distribution (stretch), these problems have been fixed in version 2:4.2.5.2-1. For the unstable distribution (sid), these problems have been fixed in version 2:4.2.5.2-1. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJW4F8MAAoJEG7C3vaP/jd0BrYP/1GZnTIWexNXQhzTkLUrtCeZ Fl7DmgqCl4GotJpBoF/j1R3PtWjL1BkcAyci5WkvtbJBfxW2P7uR1sGxFwPbjjDV +HTNs17puKDug13B3FEJ0aVSZFjJsSVy3etF1M1BC9c4yZ44x7Wbp5ncLDIXQfFP +EsyGbaral44/gKBqqjIHmLz9v5iK19fYfpVlJjx3poU+u1+EDq74nVW+pmjsPXF V7hCzpk1YwxVEA785cjPoodQVpTO37ezc+OJedk7x9q/lgMnZqDc7YzJKzXxPCG0 zRmk4bkq/sUsIhpJebfirHvwmT6GI6K0j8wNfIR49mZ8gjzx4ybI5nj/DPV2Q+gC +SMILBfzJduI9NSjkkamrTZvIVa1P+N4LLWmBXRPftVyWU4Pwi6V4OfA8BpUE1md OTkHP+JunqTfEE8zsSUKsF/tQJ4QRuAk5vmOgNQOed0srMPWrkLb1EKeAegZNkFV 3qcc5XNvDEaP/+QxmzpR5DVWBTQ7x8G3O2PmQ8osU6aMeyNvm6aVWbpbFNxzfUj+ EDiXGY49b0F8LOqGITr5JCzPO7pNqWreu0Jws/ZczQrca0bC8xySLGpcveVcmZE3 PDr37xxvcMUgqPvVacE+KMrWkwLAaklO9636kdnSy05vhWVrXXcP1MYnwpJXdf0s jEWdGzhk24fmfN3Qx5/E =ISXs -END PGP SIGNATURE-
[SECURITY] [DSA 3509-1] rails security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3509-1 secur...@debian.org https://www.debian.org/security/Luciano Bello March 09, 2016https://www.debian.org/security/faq - - Package: rails CVE ID : CVE-2016-2097 CVE-2016-2098 Two vulnerabilities have been discovered in Rails, a web application framework written in Ruby. Both vulnerabilities affect Action Pack, which handles the web requests for Rails. CVE-2016-2097 Crafted requests to Action View, one of the components of Action Pack, might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra. CVE-2016-2098 If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit. For the stable distribution (jessie), these problems have been fixed in version 2:4.1.8-1+deb8u2. For the testing distribution (stretch), these problems have been fixed in version 2:4.2.5.2-1. For the unstable distribution (sid), these problems have been fixed in version 2:4.2.5.2-1. We recommend that you upgrade your rails packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJW4FkEAAoJEG7C3vaP/jd0VUwP/i8VGs83jQkZ8QlNpP8QlhS5 7coDFyerpNk/7TkVgR42PeY50gkgFBBdR1Dxr3XLsb3EDFNz6r6DceEDT145Ym0t X9E0fgkRFv1ShxK2SkrWAV3IVkuvgJuAEXdKk6/qbOy816BQurAPjgm/ULaG/BiR BaEyxd5N+t0Bko8szfuiu+kAhkeLhMAa2IjA6f3qFq/aor8pjzqqP1+rfOAd00hU Xwv6b4jKxQa9gGHcPfnCQd9b+3sVNCo/9K0rN2EdyH8JPUtj2DHrVtekoHG0lRY2 biJzIzXrogUxIfidazJqAvTx3gj5VHKnSDGY+0eKN1Kbx71AnuSk4hB4rgE0WCVq DEWCfsYKnxcGz48CVtZUUrCmGiNosiJuVy3R+4/qwjc6Idt6Ssw2OwMeUpeghK0J h6RK98at5DVH4WdxZRZmHsLQl90ckRLqav9z2v01Gnd+v7MzUX7SvcB3Osa4OAaS gDImML1BOonQFMuQN/mpDT6UbRH96kUZcsrYWt3xIugED1LqS4QLvxr/5LgzoXY8 cPulb11O5EB9XDB4PQmMmrX3bzpAsw5L4l2VYQkQPIm6Gzcoyrugefnm4rjghA2F 1k5qgmi6ESuwonMd+RR0bC5sYCGdAbm6uqwJgkQFeUHJ/csOIUen/3S5rsBq8Bal P9l9VPGFoFhUL7/HN9Zx =4cBd -END PGP SIGNATURE-
[SECURITY] [DSA 3425-1] tryton-server security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3425-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 17, 2015 https://www.debian.org/security/faq - - Package: tryton-server CVE ID : CVE-2015-0861 Cédric Krier discovered a vulnerability in the server-side of Tryton, an application framework written in Python. An aunthenticated malicious user can write arbitrary values in record fields due missed checks of access permissions when multiple records are written. The oldstable distribution (wheezy) is not affected. For the stable distribution (jessie), this problem has been fixed in version 3.4.0-3+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 3.8.1-1. We recommend that you upgrade your tryton-server packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWcopTAAoJEG7C3vaP/jd0MJAP/A4csuNTEfm2+N8kbSFi4gDW IVY+KuQgYZjT9bcmFDQfRmkYgXIi5P5RBQ7GJq8peH5XydQ1N0Yr50T5WjftLVMb TUY7the4qCLa/JseIOzCE/MfTwMPu++LfuVfuiFiLoa2WC9FTmZwqbkqGdnT4MP7 5+QkI1CzfqZHYCzr2ikK0FNXhQIEgBZxbDCVyLLD55H/OqqtnytfPF3rmVeEjjCY uWbRiIewYSNBn/fXmZimuTYK6Hv+DwwV7nUPXyYNQH3UwQ9475CJ/fPeBt7sIi1W XX4a7yOuYxgSk/kxmNXp/Xz98H3BCD3Y3x1+LByud+bhVNGN0T0C5P1CrXGZfIVw 8L23xZGz0506Qurm6ov94ieYvurN0Sb6rSXQTgj1O5d5ImiVYL2o1j57bImUEWJE nZEYx3boEXLOniQJ4rvj/FwPwPmdf4VZ3ci8+WqhxGXc0TKgT45DWrEcz/KmIaQd zVFX9/3JTjZr3w6CPXwhx6BzTanefWXGOiUlHkM50QRfI/8+i+mo9Z60dtoKF20U QHkFlSbrx9mSGUrvFsMlnm6xRgUA2n8uTtxK6uZG4FPqhWf5Za48G08w27GigQmu AUxLQb4/ywAdI3BvGMO0wOHc9dnxImhbI2xNRlWEGaD1qypO9+iyin7QAno6QkCa p1fiDt0H2RqerK24GlFp =m3b7 -END PGP SIGNATURE-
[SECURITY] [DSA 3425-1] tryton-server security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3425-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 17, 2015 https://www.debian.org/security/faq - - Package: tryton-server CVE ID : CVE-2015-0861 Cédric Krier discovered a vulnerability in the server-side of Tryton, an application framework written in Python. An aunthenticated malicious user can write arbitrary values in record fields due missed checks of access permissions when multiple records are written. The oldstable distribution (wheezy) is not affected. For the stable distribution (jessie), this problem has been fixed in version 3.4.0-3+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 3.8.1-1. We recommend that you upgrade your tryton-server packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWcopTAAoJEG7C3vaP/jd0MJAP/A4csuNTEfm2+N8kbSFi4gDW IVY+KuQgYZjT9bcmFDQfRmkYgXIi5P5RBQ7GJq8peH5XydQ1N0Yr50T5WjftLVMb TUY7the4qCLa/JseIOzCE/MfTwMPu++LfuVfuiFiLoa2WC9FTmZwqbkqGdnT4MP7 5+QkI1CzfqZHYCzr2ikK0FNXhQIEgBZxbDCVyLLD55H/OqqtnytfPF3rmVeEjjCY uWbRiIewYSNBn/fXmZimuTYK6Hv+DwwV7nUPXyYNQH3UwQ9475CJ/fPeBt7sIi1W XX4a7yOuYxgSk/kxmNXp/Xz98H3BCD3Y3x1+LByud+bhVNGN0T0C5P1CrXGZfIVw 8L23xZGz0506Qurm6ov94ieYvurN0Sb6rSXQTgj1O5d5ImiVYL2o1j57bImUEWJE nZEYx3boEXLOniQJ4rvj/FwPwPmdf4VZ3ci8+WqhxGXc0TKgT45DWrEcz/KmIaQd zVFX9/3JTjZr3w6CPXwhx6BzTanefWXGOiUlHkM50QRfI/8+i+mo9Z60dtoKF20U QHkFlSbrx9mSGUrvFsMlnm6xRgUA2n8uTtxK6uZG4FPqhWf5Za48G08w27GigQmu AUxLQb4/ywAdI3BvGMO0wOHc9dnxImhbI2xNRlWEGaD1qypO9+iyin7QAno6QkCa p1fiDt0H2RqerK24GlFp =m3b7 -END PGP SIGNATURE-
[SECURITY] [DSA 3421-1] grub2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3421-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 16, 2015 https://www.debian.org/security/faq - - Package: grub2 CVE ID : CVE-2015-8370 Debian Bug : 807614 Hector Marco and Ismael Ripoll, from Cybersecurity UPV Research Group, found an integer underflow vulnerability in Grub2, a popular bootloader. A local attacker can bypass the Grub2 authentication by inserting a crafted input as username or password. More information: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html For the oldstable distribution (wheezy), this problem has been fixed in version 1.99-27+deb7u3. For the stable distribution (jessie), this problem has been fixed in version 2.02~beta2-22+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 2.02~beta2-33. We recommend that you upgrade your grub2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWca2YAAoJEG7C3vaP/jd0dlcP/RhoHne63QfnrnIquCwCZ/QP xaeAcEHt4/4es0+vin1XGBoGQTXN+WcK11sxteoHnrGuI6Wc8JnLbKab/FkvHPKr T/IiXrzqqjbN5LyE1aBRlfucFyIH4t23UEOEalqv5pXuG5Cf3ixVRcapsE2aOP3y 4bz506nn/3wqlnDxQrK1lsLJD1UliT4M4R9r7pAWUm4TAItxamq3f6RQWzhEB4FQ l9mY8pVFQA00V8nrGOrOq50Q2BB8vS/ien+vWns4x34SM1s5CnJtJdqKRoi0CE1n 53+4Q8JgyJv3CEmqXBCfcA5j4lUTErAu2C7voS7UWFpuvTLl/L4b29VvOvBFPdab fXQalh9TPq+SC2U5VIDfz9d+6vNXZrrl9JuEVmJW2obZuDcRuQ46AvMvlIOXliYC rR4Ks6dPVwItaSPPi4zFX1cSqAiIwjNZlOGKDtZMpdOsxQ1S0S4LliAdrDvjFGgi 4z4eX1bj3Rmvt+GEoHax0Hr0rj4NUWeK+eXPHbpREULZk8b5XbX0mHSbyW1FZbiB PUIJVS9x3jEqdCIJgjkQ+0RbF6mgBMebeRJL/jIfUf52GLfxbMsXvcr2syJKdZGm +rP12n+vpZiFSfUbngwnUJYBTT1CNyn3AGJl4QTzbePWXtPQmSAEpeF4okJL7yRL XRbVKamQzx2quRhDq97r =OKnv -END PGP SIGNATURE-
[SECURITY] [DSA 3423-1] cacti security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3423-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 16, 2015 https://www.debian.org/security/faq - - Package: cacti CVE ID : CVE-2015-8369 Debian Bug : 807599 Several SQL injection vulnerabilities have been discovered in Cacti, an RRDTool frontend written in PHP. Specially crafted input can be used by an attacker in the rra_id value of the graph.php script to execute arbitrary SQL commands on the database. For the oldstable distribution (wheezy), this problem has been fixed in version 0.8.8a+dfsg-5+deb7u7. For the stable distribution (jessie), this problem has been fixed in version 0.8.8b+dfsg-8+deb8u3. For the testing distribution (stretch), this problem has been fixed in version 0.8.8f+ds1-3. For the unstable distribution (sid), this problem has been fixed in version 0.8.8f+ds1-3. We recommend that you upgrade your cacti packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWcbucAAoJEG7C3vaP/jd0IDMP/0XgMQ+yt3LzvSLG7P4KIn9x fmqTYbZYyTak4dPlxNak3mf7D5BNttA19he82qFxwoaqIO3vIVNhN2640l22MN+x Vs8gNr+8H4NJoq9H38sG1KrR+XGR/ewn2WLbPH3K/yodUiO9Yn0U+7Hy0TyCh6y7 rHADlrJ+SmivbASwGJ7M6cwwGjNoLlkb17HzgxaUT/fVsC94qENvwl5NX9EPzOqz lBc1MDiETzc2x9KcZsJ/ZiFnGW9WiXPA/6y9WGzFbqnAh7t/6rnCKq76nmglOxFm TVVXs+DNQoqzYoPnbnO56JDXJFiOcoKct7sKENSEiRKAOEE4RC052ic3ar7pihnC 2yxTaxk44pi4k52NAsGLS9DZDHQ9U36q/vMnGL3uKEgNTdCL6A+xxduj9lb9zhzz dRSYqtUg8Pxw4Lpoo5iePn38iNhRIMN2kux0j5RszbfKU9xYV8sE6Qk4AuXxS//J GlmSbsv20E1p6QrE+8RU6Ba8fgPN4pVSjwSMtxpcuK7Owo8fQ/Z2lAZfHRgZDM2V 5iKVY+JitVLiD8AmAG9+JmVMbY9SrxuHjf9DbHSVmihHe5BlUOdPhUB8yUFJQkxD 8ft+1bMr6Th+VPtOE+Y6GomkniS4YerSEd4zw3Fnkoco6bioFqJZ8y32Yp5PoTeY oVBjHOGLTmrL+QUxqgz8 =NJhL -END PGP SIGNATURE-
[SECURITY] [DSA 3417-1] bouncycastle security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3417-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 14, 2015 https://www.debian.org/security/faq - - Package: bouncycastle CVE ID : CVE-2015-7940 Debian Bug : 802671 Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library for cryptography. An attacker is able to recover private Elliptic Curve keys from different applications, for example, TLS servers. More information: http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html Practical Invalid Curve Attacks on TLS-ECDH: http://euklid.org/pdf/ECC_Invalid_Curve.pdf For the oldstable distribution (wheezy), this problem has been fixed in version 1.44+dfsg-3.1+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 1.49+dfsg-3+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 1.51-2. We recommend that you upgrade your bouncycastle packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWbrnpAAoJEG7C3vaP/jd0sYEP/0oGLjRD26QDcghTOV4kZpmO QQc3rXHiyMylQGUVJ6mHFES+dVwHlWy6VumRlQp2uBB/O+afvM3jEo1Mx9jgrYhR +2hpqc21kh1sIJEi+ZK7MfaGjlg8IVIYXapXi/DdJt0dGGJuji+qN+XWRue5yLgm 08vm4scq8TUohYxpdNnpoWUSJ2/k49aQ60Jz+tz+80UjqDcaxhS7lw1YxqzOHOBs YABdawwUh0mfguQIIfHS+5R6lb/YzzE07ZVdgQVRzNL4z0PMNCUV4uT6xTWpn/Wx kvgiDW+Qpw4mkKIAeKkOuHWoXxHsOQfY7DRXfOnyybv0GTDGV0OKuYKbkxXe8kqh g/msrAfg0EGvHiiFgudlMwvdXpkG+gOqu7YyHbTSSPuD9MFjMJdMQIOeih4+GcPN Yxvvl6x/JKgagJcNco3G6VzXcbcgHBU8WgdN5xASxJcBhzUBmyTaMRmVtuj8vguP EhcBa0a/xzpI6TZqnQc3drznU3sqxcvDI3shPKckLN5lJpUXiKaTOcageILkfxpg NUmZ01YQEI7nYJFjAMflKnqXFcRanTYBHhI7aZxbfueviqx7uTzXLT5oiyf99sIR DA8+7uVPr6O2QXmnOTleAEIpNYs9VibfAtGt3DRkAAeo3ARRM7+yAxXtmN20uBO9 2fAMEkxz0RpnUdEEtKnw =P/dD -END PGP SIGNATURE-
[SECURITY] [DSA 3416-1] libphp-phpmailer security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3416-1 secur...@debian.org https://www.debian.org/security/Luciano Bello December 13, 2015 https://www.debian.org/security/faq - - Package: libphp-phpmailer CVE ID : CVE-2015-8476 Debian Bug : 807265 Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library for email transfer, used by many CMSs. The library accepted email addresses and SMTP commands containing line breaks, which can be abused by an attacker to inject messages. For the oldstable distribution (wheezy), this problem has been fixed in version 5.1-1+deb6u11. For the stable distribution (jessie), this problem has been fixed in version 5.2.9+dfsg-2+deb8u1. For the unstable distribution (sid), this problem has been fixed in version 5.2.14+dfsg-1. We recommend that you upgrade your libphp-phpmailer packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJWbcIxAAoJEG7C3vaP/jd0Pw8P/iJwLRDYqr0lFGj5IWA3Tles J2FTVmPz72ewepQFxNYwSAZ9x8YRwzD94Chy7MYnU91EBHSV/sYxft9HXY70BkgX TsVdnvhF8Oz9zHk1czJcHu+ExyAGGy+2siWRlgFU4ABMY4Hd06MiLaPi6ZAVkU1f MNWznrd8CDdKZ3AjXEnJiQYD6ig4wT3WfkNWcEWEdKqKniqF5/vqLAbwFnNCMGsP 4fFiqcChqpOviwi8CrTlPuHuZPZPE1wGF7ns9hM4mONhWmiMMhYmQJJ5s8RNY/W0 aQL14p2WtQfm/8zozA3sNqv5EUYJ9+kQUN6jD/YhvFf/idSTvsNljt5DnduZW8de 9t4vCJvwdAkY9EEDl7nQkh1hrWJCjh/rlDigdcNG7UFkctLJUNu6YKaM4BBOIARY 72huJREK/V3VYcLx6hN1fFa9QkaQfiQrTZt7mjjBIqUmzXOJQvTemsAvfbdS2MRY NYB7Dz6muX0oqf76XUyzrl2mUqQX7/c8s7Cpb2ajgR4nE59xOgJTz3AKU/OZ0G/H j+fYVMcO1JfTro3LauttEBeZBgWlntQlU2hb021NSY7q0oaVndr3/RWlFtyCF1Fc +DlqLM4gdW1eZQDzu9PA+Eb5RGn7DuRzTtzvtVxGuHPcW0Jji94Hu3559UAmwg7W Mupf98RrV0FmvtHYNJdf =UHhf -END PGP SIGNATURE-
[SECURITY] [DSA 3363-1] owncloud-client security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-3363-1 secur...@debian.org https://www.debian.org/security/Luciano Bello September 20, 2015https://www.debian.org/security/faq - - Package: owncloud-client CVE ID : CVE-2015-4456 Johannes Kliemann discovered a vulnerability in ownCloud Desktop Client, the client-side of the ownCloud file sharing services. The vulnerability allows man-in-the-middle attacks in situations where the server is using self-signed certificates and the connection is already established. If the user in the client side manually distrusts the new certificate, the file syncing will continue using the malicious server as valid. For the stable distribution (jessie), this problem has been fixed in version 1.7.0~beta1+really1.6.4+dfsg-1+deb8u1. For the testing distribution (stretch), this problem has been fixed in version 1.8.4+dfsg-1. For the unstable distribution (sid), this problem has been fixed in version 1.8.4+dfsg-1. We recommend that you upgrade your owncloud-client packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJV/ojKAAoJEAVMuPMTQ89EfzUP/3W7wDaOrMi4iux7KJSMk7Sd ukXkUi71k8nIF/ILqP+SOuTjrqDhq5Yoa6rL6uk86nQbIEHXsMcR0caey4+ObJRC Emxelx0frZVqoCfXDVKq7wxverZH+15ezAiPhFrpBH/LgGQ9Y+mdO+xGP14q65zP 26ksMs+90h7GxpLw0082pXR/QYu+etvnmFK3D8Z2t9nS9SmC6K9WRNgcCwDoQmpR INY2NafwmT6nrQzWh+dBOj65DpAt6hneyj/LG0udB3YgLtlabPeQYmvSDfpJhtfE YugR+B7srNZ8XyV6RQrZDA7Xa5kGrA5NIBU0ht1qaV3FGWHmTV1LZaWXO/qq7WJZ m1u4QLzeOO/jV3eeeKSLx1VJK07DtBOYmuPtixtJaWUKPAIQN+xsQjxyf3sqoXC6 /Be4RvAqglBQBc/e2ee/iUiO1MW1huTmLoRQkY71XvsrGqLdYxKlyMb0V/sCjn+i 3Sxjaf1h0VSL9geDPwJqWfxBrHhlCJCFsLJZPTXYqIQMtM/Zy8zCuFkSb5qArfY4 ORaw7Brwzd7TQoKdu1Q1tYOBAxoMSlqnocJCKpNTLXaaZvm7Nwh4ea+yle+rPa8P gJnIaDIXrYIgCN0+2fYD4aPti/my+4xqDwfO3IwdVCJVKC5ssNm1yaA4yhTr0urv KPZqG7c5yc38EJJfbels =BRV5 -END PGP SIGNATURE-
[SECURITY] [DSA 3155-1] postgresql-9.1 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3155-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 06, 2015 http://www.debian.org/security/faq - - Package: postgresql-9.1 CVE ID : CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244 Several vulnerabilities have been found in PostgreSQL-9.1, a SQL database system. CVE-2014-8161: Information leak A user with limited clearance on a table might have access to information in columns without SELECT rights on through server error messages. CVE-2015-0241: Out of boundaries read/write The function to_char() might read/write past the end of a buffer. This might crash the server when a formatting template is processed. CVE-2015-0243: Buffer overruns in contrib/pgcrypto The pgcrypto module is vulnerable to stack buffer overrun that might crash the server. CVE-2015-0244: SQL command injection Emil Lenngren reported that an attacker can inject SQL commands when the synchronization between client and server is lost. For the stable distribution (wheezy), these problems have been fixed in version 9.1.15-0+deb7u1. For the upcoming stable distribution (jessie), these problems have been fixed in version 9.1.14-0+deb8u1. For the unstable distribution (sid), these problems have been fixed in version 9.1.15-0+deb8u1. We recommend that you upgrade your postgresql-9.1 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJU1MH9AAoJEG7C3vaP/jd0aWkP/3sTR8/jF3dNJPa9+zslaV3c KW71N+njtj9ewdTY9W+RAgSS8eGdaQh0SymmxRHNUrOk6uMYkF3hVhSDrxUsS6Ch dE4yVQ4RHmaoxh+2w9GSX6/tAl6XzR6z1p+Wael3dfPgdMt81mM7ejkng1Egp+2E SrxhMNIuXCGrvnLKBh+4B8vZFM0OMDqRNyN6rxIBOBFyFUJ4Qycvy6itJub95pSd T3TPp1blOvbJGwLlsIkgdFsZqBFBeLnTPZx2v9ohOFAkyMP7kQH3nz9kihuz00G5 Jl0MEiLEVNZam9YgO/Wze+s4Mj1o/1cQp4/WAVDUIKBoUPmCYFH3GlBzXQ3dlDAE RhajIfN/gZawEi4VPeAWdByv7n9YVcRl+7t/0XmgPzEXNywjfYKOOAWdnvO9JDID SBy1FyHgRzRT4hyhCV3A6mZGVWkKbC6X7feoehgLaN7383AZGG3lFEdKFHHlBy6I 2hY27g91i+iUNOsVbO6SoOqKyIXzXWKTMAW4u5dwqz+3A71W35lCRuJPoAGulM+K fgd+9ZPngPBRsZLB0RPC79kVHGPpiXjML8HkxYLnOQ1s7+hznWwGQrNCsoi84b2K rkqTzh/WwbC3p44M9nEWFjGPaVhPKuT7Mcn+PJG6LwgzudYGvPL0OYPB32ZZ1mVJ DSgbf9YCiS5Gx6mISwDr =uGFO -END PGP SIGNATURE-
[SECURITY] [DSA 3081-1] libvncserver security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3081-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello November 29, 2014 http://www.debian.org/security/faq - - Package: libvncserver CVE ID : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054 CVE-2014-6055 Debian Bug : 762745 Several vulnerabilities have been discovered in libvncserver, a library to implement VNC server functionality. These vulnerabilities might result in the execution of arbitrary code or denial of service in both the client and the server side. For the stable distribution (wheezy), these problems have been fixed in version 0.9.9+dfsg-1+deb7u1. For the unstable distribution (sid), these problems have been fixed in version 0.9.9+dfsg-6.1. We recommend that you upgrade your libvncserver packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJUeeSEAAoJEG7C3vaP/jd02QcP/3lJ0magNk1FkkV4c1t8yTct wXA+kTpp5p2Ph7Vq4plQi4huBEaY332uGDkMe8OD01OSUxFp8A/+Bc88B9RAgrMP CYi8YuUSJNh7IZWp0edJodIquRjXtASsVIvQFnyb8/v4EK6jT+UENaLgAjbJNG0G E0RE1TPcd9rYkRI3LrkFZoL4ycbx92bEIMKFw0a+IdHMfNyhDDfBuNeys87C/LST 2yXlTps7oYr2EiiB4rlqhJlMoySUPdTIODTAKuhBmJblyKxNAYKi8BPoddshDg4Y swIsOPTWqZVgr7I0qCRfnYRfCx/ahgdNlRBLlW0SKxnFfrO3obKUC11mBYS3+E2e xpE40FZ0o9NQASjDEGJ/uGqsP0+UphBplQVUL4a1BZeZA5XOxPVHELx1k03LIoyv B5byCINvUdbJ5BbovEe7KyZtR/OJpLgzVqZOoQepQaFpKX6aV8CqX44xzQUpITpg kiX9iSu2VwdIy7e52JUY4Gf+DK5GnIVcctPylmC2lZHI5asr2218S3+qmX1cp3HI ENb3Y8CS9XY3O2c8pNZmudzHKxurVTbEG5sGG0W6+qY6rsHZQXziKOCXvEth39lS j6FAFnnew+qjdHzIhGeWbtnPhyaCHkpusiqD4kgUT4B1Nwi0x4bbRdOjvyY3VKmj h3ONpnfa4kMznTC2Feof =NYwr -END PGP SIGNATURE-
[SECURITY] [DSA 3063-1] quassel security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3063-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello November 02, 2014 http://www.debian.org/security/faq - - Package: quassel CVE ID : CVE-2014-8483 Debian Bug : 766962 An out-of-bounds read vulnerability was discovered in Quassel-core, one of the components of the distributed IRC client Quassel. An attacker can send a crafted message that crash to component causing a denial of services or disclosure of information from process memory. For the stable distribution (wheezy), this problem has been fixed in version 0.8.0-1+deb7u3. For the unstable distribution (sid), this problem has been fixed in version 0.10.0-2.1 (will be available soon). We recommend that you upgrade your quassel packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJUVqKrAAoJEG7C3vaP/jd0V54P/1VJfO+kai33curXU7BsJ//A zmXLmdqVgoVLwaSzUHS+f1YN2/hitme8CDuMFtM84HnoFwZqatMg28zwFnWxbv8Q QFmWVixvSVv01l3tkfhe+6mpZGrc+tLCFddLcCdJseJ7JUnzgmQPVupAJFbw2gTb Ge8BmrqFN0UWkyn5oCU500e3kL/dHpNLOA3U7scl4SsIqVReDSSpRqfE5cLuZw5w qmagxr2Xq3rW3vvlJ5+HTXtTEgZaDn1Ir6CTkslO9AuzRScW0AotNGgqWeUy+TJG ba+3dm4MJTtxcb+3XrPVI5cHAZBS/TkKmJWWurre84gdFPs2Hmegw+p0PGCrGHDM GpX9pK4CGSDi5kUsb3jMLIBNoKIK0lmJxMcW4RJckEmQtH948MUrCZn+i84WhgMa oSsP3Q2FgueMIyVvedr5sYeYYZPBdr2oJ+IuybhvEoSpAM9GO2Mqu2dcfqA7g3OS UkbiE/IyAVSCZu7D43P3JbE5/Fp64BfijqecHRPgH0XQc72vpCo4Vmv5XqcgL47W A2vCS+f37oBwfk5OCZzo0mTxFdjmCNQ/vAR6TUD53oqp/ymmEJNH+ubZjkvfcDq7 EQEuRrVJHncjfdBQhKQeu8IAYaEZxcVjS7oIvH3Ii58NXeqK709Q3+f8wawh01cV hAPDXr9QKOOUP5dh6eR8 =i7wv -END PGP SIGNATURE-
[SECURITY] [DSA 3062-1] wget security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3062-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello November 01, 2014 http://www.debian.org/security/faq - - Package: wget CVE ID : CVE-2014-4877 Debian Bug : 766981 HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user's system when Wget runs in recursive mode against a malicious FTP server. Arbitrary file creation may override content of user's files or permit remote code execution with the user privilege. This update changes the default setting in Wget such that it no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. For the stable distribution (wheezy), this problem has been fixed in version 1.13.4-3+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.16-1. We recommend that you upgrade your wget packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJUVpzsAAoJEG7C3vaP/jd0HuwP/1xCK+cddnPbiTBDdQ7ADDd1 tw6Qj9smr7anS5iio9Afi4DSSdM79T6P3tL+Qj9QDKzCfk11Q0UemU/QOlwY2ep+ uV5lVIuevTsEypxz0V3p7BMyaTP0tS2bcxBAAhIzGXcBjnQ91G74J6vWfSJ+btiu 7vMJ9eqMXbj6oz4Vx7VooWRmLRlU1H+bQzrw7e3kONrOM6Smb6GBzl6H7yaA7ns+ 2k7FR4mvggHiCQa8pU2DNUbSW7CwSuoMuu6jdDOGFmgT/Qt74LF9erGZ1Zja6IXX Obk5JksAtPkm/RfuhkAA2dVaf6EuGN7VyTjTPumrQgYan2WZZcSsRDtS2uQ9BlRJ bzJKnr7KYKUH+bKVSA2fEPxk8nr4o0kWAtty58L1bTlHJ3T4CJfgpNUJBgyxKkZK ezIoDokHwH1fUnAsU/7IJdzjsjyOhAZmYAkj5m0mVfklkCTqYPL8mL0FrODovloW 22w5KYJ8uluYgdUBOv5/HBmm7UEX2irOF1a4WB9fvwYo/yAdcMd8PtqtNMuabpVG t7aIvGJDJJWXqN0YUYtyqVFcQG+NznRU/2wQnwNzR3i/a9gkQlsU0/SAbVaGW7Nc 5tb4337DZnAhknY9PygGvc5AQsxeA7igXaQx5rMLqPsJmIvkdD0873H2RjmqPins 0sYvWVBAefAMZH6eAnuy =bD/d -END PGP SIGNATURE-
[SECURITY] [DSA 3047-1] rsyslog security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3047-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello October 08, 2014 http://www.debian.org/security/faq - - Package: rsyslog CVE ID : CVE-2014-3683 Mancha discovered a vulnerability in rsyslog, a system for log processing. This vulnerability is an integer overflow that can be triggered by malformed messages to a server, if this one accepts data from untrusted sources, provoking message loss. This vulnerability can be seen as an incomplete fix of CVE-2014-3634 (DSA 3040-1). For the stable distribution (wheezy), this problem has been fixed in version 5.8.11-3+deb7u2. For the testing distribution (jessie), this problem has been fixed in version 8.4.2-1. For the unstable distribution (sid), this problem has been fixed in version 8.4.2-1. We recommend that you upgrade your rsyslog packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJUNRtTAAoJEG7C3vaP/jd0aC0P/18HW5L/IzRB9fv56sTfdKYC 01msAwatFCpp8UU9RLCQilKukXFZhLbWEJs3qe5KLWQtX4pDt6YvSq0pBKFsOP+v ys3UmhvZj+tekbn/i9IaQ+Kpdu0aVnvj6mSdI59OcgQzaUA3i2oRf7mim3BRTUeK fWBUcsLHORw5wKxM71H2P+MiEMMgV55rarrHLrJGTDLDuMpSi8n3mgR3UWy7uwib wBKU2HNOeeNCsQ6QV5/NH8gW8zFMykm8CBTFSiXExvLPB7SLm5nQ+EKX0WD61vjQ TLcjDqLPbLeisq3yUV/wN/jCvfn8RN+MxznOhtEeAPU/hExdIN3q1ZVKV25Nu0LQ auyhYbvRZgAp5IeflmJuektmPAINg1/VyD2SJfORZCsXLJquClKa+JNZl2QYMJfp YQj2LJwFYDaoNH0OuC18yy5PrbJQymUb4RWJcb1+/7ArpR1U4wSGj7iqW94QhMeo H57SdX8f0kodV+LChPLvXKO9eMIwwUj05t44szhaUqZfd44pK3oLn8TZJrcg1pLc vys27+X3EaboPceIVjfp1MTcDgzyMZP2fQ0TFysExVjS6GBMDMubWthAJJ3MIfLE mtXIsAq2WFabNxNYxmCV0VC0I6OpxqouMrPzngQDZ5vMhtRGHGl9rn5BOy9zTwaG 6QhlrGg5x2Yl59217jF+ =rKeg -END PGP SIGNATURE-
[SECURITY] [DSA 3040-1] rsyslog security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3040-1 secur...@debian.org http://www.debian.org/security/ September 30, 2014 http://www.debian.org/security/faq - - Package: rsyslog CVE ID : CVE-2014-3634 Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. As a consequence of this vulnerability an attacker can send malformed messages to a server, if this one accepts data from untrusted sources, and trigger a denial of service attack. For the stable distribution (wheezy), this problem has been fixed in version 5.8.11-3+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 8.4.1-1. We recommend that you upgrade your rsyslog packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJUKxzwAAoJEG7C3vaP/jd0FCAP/j3PkBtRiX5Xfu9Y5AUh80dG I8z2KZb51G3pBh5MKB1jn4W4jafhIK++kJ9bqSmtlUiHtnhj78ylP7TMfzTmACQd s+GeTHh5nDfaSN8Tyaw0uf6n6SmaH+/sj6BBR6esXdFqvED2r1MMy5GD4OaYRMvd I9FdaCZeoytuJMj5PwdF5cxSFlgWWaymD/xINkAA+z0kXCYmZE+aYbsyN5GKB0ta 9whD4GQZxsMTrjj28vj+cO++OjTSVj+xr67H4eNe8qNcxPTNeBC82s3RK4REKTZX FLu6bMXtdBFibiq7+tQGoQl1YOAenox5Yb3LpKnBa2fIgouZ/gs1fOTb5v13cNAU 6up+s9X/JW4MU2bDV3TC/jry9hKQI3nBjIOYobKlX8DAxhWJEIRKm8HCbotsktKj /kdzaUNqgQ3vSQBidbQSty2h7IlC0GhG+QR91HFqq5qUcKbggf5tNGNU86HT3zvD vfYAiNroN14mxDwEwbUnrZ7E4BSZxjr7xIv5N1a80FdGV/C0gyotKlK7Lx5GapM0 bZyRHUloO885kURlzzm5fxe9vRTtD5iF/w2NNsRhZCo1VFEvlf3UMrVW64atGMjH sDFZcclV6lALmOSGWGF7l/EWUM3UQ/wKyxTZTiK6gZ+SlZpZTlGQ19hUlqc1az+T dl/U/APBaNQKLLX45CXZ =aQBZ -END PGP SIGNATURE-
[SECURITY] [DSA 3021-2] file regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3021-2 secur...@debian.org http://www.debian.org/security/ Luciano Bello September 10, 2014 http://www.debian.org/security/faq - - Package: file CVE ID : CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538 CVE-2014-3587 This update corrects DSA 3021-1, which introduced a regression in the detection of a some Composite Document Files (CDF), marking them look as corrupted, with the error: Can't expand summary_info. On additional information, 5.11-2+deb7u4 changed the detection of certain text files in the same way php5 did this in 5.4.4-14+deb7u13. Since the new output is more accurate and this change also restored the better detection as seen in the squeeze version of file, this is not being reverted. For reference, the original advisory text follows: Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash. For the stable distribution (wheezy), these problems have been fixed in version 5.11-2+deb7u5. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJUEL8GAAoJEG7C3vaP/jd08q8P+we/EY7R2DBthSIt374X7Uf5 P4vW0uhAtFeBaHGvuA8AJJLDSqvOPjz0guUSIOLvot4ekbr3QrJRjsIsRKmfxuX2 rbDzp7jcR4kQHoX75bOv+XcHSoHfZ+LkPZvIdvPNCw5XTEQrpygdJ5yPEybswMc3 tdEr2edb60/xE0L06S0CffaIput/1PukgMwtVKWKk9+94DV7ybzoLEHdaTx3FjlI Adzoe7xecwTOmRpH+mAS4PgGtb2bYhCqoun907GRAGiQB9WXCMyLO+e8T2w4Cgf7 wHgakf+7Zp44np+KBtgeYOypkTZ8jWwCtMgRVKuuAom9SxBzGKCkScExfRfIec48 eJ/qAXgmsEuER0rBuGuc6FvBOPjXmHX/HUmlv9ZfR9MZgE5nxMEOuUSJBe9+OotS VtL0ZrIOfgnIhkvkvgYb8RuARjjLOOyDuvFluflUXwR5s3rRwqmZpOBkl9n7sSiY p4b+nEDifKOnZ+5+zHajKJU4McSitJxgjbWhTRZfe26Tv7MJYAMuqzdch2aGBIdw Rk9MVaPMLyULPsnZZqGB5Hw1JwTy3EsHscweEDuYcg/46/K2CwIzSc0f0o2iTtbW a6GN1ccP+JUbnpOhPcixaumwnVYg/CKYMe1rIGRaGQ9r3HznOf9t04rM0VzAlSyh tzHzmdiXr273gTPWFbt+ =KYvn -END PGP SIGNATURE-
[SECURITY] [DSA 3021-1] file security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-3021-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello September 09, 2014 http://www.debian.org/security/faq - - Package: file CVE ID : CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538 CVE-2014-3587 Multiple security issues have been found in file, a tool to determine a file type. These vulnerabilities allow remote attackers to cause a denial of service, via resource consumption or application crash. For the stable distribution (wheezy), these problems have been fixed in version 5.11-2+deb7u4. For the testing distribution (jessie), these problems have been fixed in version file 1:5.19-2. For the unstable distribution (sid), these problems have been fixed in version file 1:5.19-2. We recommend that you upgrade your file packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJUDvwUAAoJEG7C3vaP/jd0SDYP/AkzZ+8iuo3Vny9C57fW1nSD 62oc2VbWRmYGQj2fbpbrvfiYe4a00pRRHemEd1V4o5uP7NPX+HfiwhVrm38Pjs1f A4A6yAOQaBtwjpSRcN9j9KsHNcx7wYYW+jFmOHF3VjkyejWUYnMy0sDvFP770ZrO xHAbMnLr8RbS6MD9/ZRYkbZ9pfoDvwkeFLkODDTVOM7Ooy3ks3vAKFZdi/HM8aGO nUH568f96j3EPxEEeu3VRe/3v8iqBuNnckDAkXNhbsFvN0ORbDCidiMDMv4VoaBS x7O6RPxXy0NuvwVbaPzoXCIJnsOvS7F30e/4gULOYx+tjB9zq+ZY3tzEaCSzadOs //cvvrL6E+SlNBHJK6OH6PdHCEWuqbMI1jtEFQrmfwTl7Qiv47lz8YGA0GIvOQCT MMMb5aokOdc7aTkUn81aUwLNdea5Sh2OTyNaC4Tul4D3B0COF1I89ji79BAhWIyU q5RmJq02piIn5SM8DCBDgftfgTZoz3YoEnGSQwyw29IU5/gpPfCXosbo7fxppDw0 e+wu9GSWes2ncCpLCQC8mB4q77WxMEpFLx7TVRqdwKgQb/yjZb5IN/OZhUWTMY5H fqThWmJkyZBkPFspOalaid7/hSCrgxISjqxHJqDdChRDqYhV0KJG+eb+YFgDRIWw fWpibn9fZ7yydgEb1Lmg =fJPN -END PGP SIGNATURE-
[SECURITY] [DSA 2984-1] acpi-support security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-2984-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 22, 2014 http://www.debian.org/security/faq - - Package: acpi-support CVE ID : CVE-2014-1419 CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script. For the stable distribution (wheezy), this problem has been fixed in version 0.140-5+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 0.142-2. For the unstable distribution (sid), this problem has been fixed in version 0.142-2. We recommend that you upgrade your acpi-support packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJTzp77AAoJEG7C3vaP/jd0zssP/1WfL6Iq0elSTlAmqX8ZXQh2 0O8PFodYLSq/02clDQjGPAfxjwG2LWuXUlvt9/vn9G//sOKIW4SrGmoJRU89zwpk uPPV51yLRaK4dv+A5binwFgCt+57vz3Of/8ung2JFEXBhWGh8fGqnRXpmCYM2BlI 70GHA2xLCNXxDd+aYClz7zXo0yPuTUhFWoL6HF+5IGoAJcn93t2N/UPPJ4Q7TM2f cGOISy1WGicas8ytOpY9dRVBw314yEliYCMbJKJBcbnfawMAg2XLjbx3Kx9X7DEz 6wsW7TmgiyiDx44iqItdyc5hX3AqtbA1IIqdnBuKfzhxDBmtt7Ku4e/C5VoDIGqq cs6Tsp11ztslsxoxi1B2nvJbGPAQt9CgiFRBdCzkawC/xD0IBCjEpVyqyCdr+TLe sd1mGny3qk+j88xD7rgKK2e/p7ttce+CRsltH/TQHjGohsj/Z6tK9d6pzTNpJsUQ 9sau879yXv7X+s/x5v9QRpDuXgAi56yOpdWFU/UJuS8+Rg7OlakepWAheTrKcPl1 gboUO3xzuBgKYQDiNU7w/j3JKvFue+iIl9c+CHo8qriufR62hdwnpubM3qQurExG rD0as7VIqqMPyOEaxn2Y8lZvCzkworCr2wPbLzSIWtfUM73zkcGMIpIwLw9OkkEV 8x4tW7dLSAktXPZAlzxZ =leQs -END PGP SIGNATURE-
[SECURITY] [DSA 2895-2] prosody regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-2895-2 secur...@debian.org http://www.debian.org/security/ Luciano Bello April 21, 2014 http://www.debian.org/security/faq - - Package: prosody CVE ID : CVE-2014-2744 CVE-2014-2745 Debian Bug : 743836 The update for prosody in DSA 2895 caused a regression when a client logins with the compression functionality activated. This update corrects that problem. For reference, the original advisory text follows. A denial-of-service vulnerability has been reported in Prosody, a XMPP server. If compression is enabled, an attacker might send highly-com- pressed XML elements (attack known as zip bomb) over XMPP streams and consume all the resources of the server. For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u2 of prosody. We recommend that you upgrade your prosody package. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJTVFsbAAoJEG7C3vaP/jd0dsgQAIWJ3rTPgvpf4XWhmnzcZDn9 cf0F8jGL8sD5KaXepyr1f91qdAG5/bhd0lrsYGuuK9JS7UANa5SyN04GuAA9tgFi vmAg7aSgLAcmdHhjmQy5ABDXI6eLmXxVv2abvkN3RulnClMHByyTdJSMbwYzvNbq YyyVhunCuYPiyl48GuwseHPwo58Sd4CTXNTj7y94UjTQH2fP/75t4GRidoT03wEL iD4pvb4eSG0dniCU/nL5RALAbfCQNQXb++vMAWYkiGQPf5MG0sI8jS4Rql6jdVh3 eFMhYwUnNRSfYkdHso6uhydcMhQbOR3b3r4Vbi+G2kzldtPA6ZhkqIU23WLltBSu Z+KGsV+T1+aReCijMznRmSl/lzIfX51s3w6SibRHdnvZqDTX9YAiIfBVfWYMMN7C PC5MbANRTZYpovkQsMGY+cJENztPzArDq/Dex/BfqIgKr7bcTvgmhI0faPqXj1sb lp7vBNs77qB3n0wPUVE8ws5Dt4pOoJJW71u/cLBIQchE05mrvuwip43ud5fs8m45 gZvyk496n0hQbgqDaPCN+nsraC1W6AMizMEG4AskZEa+v06MGfMAmtwdEN/5+XjA qAL1kRfZPIUUMIbtayv6W4THNdmo6ckIs/8amkpuJyOxBJaRJWewFUMCQWMuYioL jpknu6AtYPWSz/UItRku =a97E -END PGP SIGNATURE-
[SECURITY] [DSA 2895-1] prosody security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 - - Debian Security Advisory DSA-2895-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello April 06, 2014 http://www.debian.org/security/faq - - Package: prosody A denial-of-service vulnerability has been reported in Prosody, a XMPP server. If compression is enabled, an attacker might send highly-com- pressed XML elements (attack known as zip bomb) over XMPP streams and consume all the resources of the server. The SAX XML parser lua-expat is also affected by this issues. For the stable distribution (wheezy), this problem has been fixed in version 0.8.2-4+deb7u1 of prosody. For the unstable distribution (sid), this problem has been fixed in version 0.9.4-1 of prosody. For the stable distribution (wheezy), this problem has been fixed in version 1.2.0-5+deb7u1 of lua-expat. For the unstable distribution (sid), this problem has been fixed in version 1.3.0-1 lua-expat. We recommend that you upgrade your prosody and lua-expat packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBCAAGBQJTQI03AAoJEG7C3vaP/jd0YFIQAIZPBm3OfgC09T8G5m1sP+ER wcc/dV6Mm8Ldm3dXHpHRzAB5fds5LNPe2hmWsoa4QNkCLr0a2UHhnaf3wgHld1GU 6JGQBRGWA1IjS5fJotEVlOlLQZXxfNF9coajkAD0uUviUZYIt22XBmZRleHSrE4C RZAVgFrjR2dZPDqDB9Cgnb6WAsPSn+zgPmMikdqC74RLIpl1+A7q5D4apbGUHCFa kvID5E/V9SbfgVEN6F84XN5UbHprzGGF2RpNRGJUcNHcVGb/3CKWPNUg+BUDsbRL IgwLLwClTue/+Wv0UDnIe3VyQr6h2c9+2diaj5n0DebAKE3cPpknTrrfacb9U1kS J0NTrbEKH6XoggPTJPNRY1ut+kM4dVu0oYDV1nfGlGHBxmfM5GOMNKLBU+K79PFA hNP/5shfjt8PmEG27n2UdDJiAjmVF6rWc2gdtyFQNArBZHlx0+KxBnLLYlx48r09 6W5YGhlTfVKeG07DOCCqxBHi84CL6GJ0BFn4/sE6SQS+7bOSD4VYa+3xzThp7PQr q/7NWX1rHcRm3iScJUlapZB6Zg6DzwuBJ5QcpKdWFzmYOJfDwp/GQTp+ddrSmhdc JLcNO4M9mUjFJQuitfuJTGV2j36eehaZrDZ+iBnDquI5p6yQGP2tbL3S3VXPAQuM W0hdkefNVJrhJztQvvbj =SKLx -END PGP SIGNATURE-
[SECURITY] [DSA 2863-1] libtar security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2863-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 18, 2014 http://www.debian.org/security/faq - - Package: libtar Vulnerability : directory traversal CVE ID : CVE-2013-4420 Debian Bug : 731860 A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing to extract files in arbitrary path. An attacker can craft a tar file to override files beyond the tar_extract_glob and tar_extract_all prefix parameter. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.11-6+deb6u2. For the stable distribution (wheezy), this problem has been fixed in version 1.2.16-1+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 1.2.20-2. We recommend that you upgrade your libtar packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlMD2k4ACgkQQWTRs4lLtHkipgCfYa2NgP/BZLJLKcVKHWV37FQt Vu4AoKKS7cw7dBZXm1X/3nVvpBxyv1fA =5swt -END PGP SIGNATURE-
[SECURITY] [DSA 2853-1] horde3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2853-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 05, 2014 http://www.debian.org/security/faq - - Package: horde3 Vulnerability : Remote code execution Problem type : remote Debian-specific: no CVE ID : CVE-2014-1691 Debian Bug : 737149 Pedro Ribeiro from Agile Information Security found a possible remote code execution on Horde3, a web application framework. Unsanitized variables are passed to the unserialize() PHP function. A remote attacker could specially-crafted one of those variables allowing her to load and execute code. For the oldstable distribution (squeeze), this problem has been fixed in version 3.3.8+debian0-3. In the testing (jessie) and unstable (sid) distributions, Horde is distributed in the php-horde-util package. This problem has been fixed in version 2.3.0-1. We recommend that you upgrade your horde3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlLyKAcACgkQQWTRs4lLtHlWcACfT0u21jD6K068z14ulj6O5a5D lhoAoK0KKLs0hF68bUtFPo6DmFauGmpa =wdfw -END PGP SIGNATURE-
[SECURITY] [DSA 2831-1] puppet security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2831-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello December 31, 2013 http://www.debian.org/security/faq - - Package: puppet Vulnerability : insecure temporary files Problem type : remote Debian-specific: no CVE ID : CVE-2013-4969 An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system. For the oldstable distribution (squeeze), this problem has been fixed in version 2.6.2-5+squeeze9. For the stable distribution (wheezy), this problem has been fixed in version 2.7.23-1~deb7u2. For the testing distribution (jessie), this problem has been fixed in version 3.4.0-1. For the unstable distribution (sid), this problem has been fixed in version 3.4.0-1. We recommend that you upgrade your puppet packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlLC57wACgkQQWTRs4lLtHkyPACdGvgJFTsNR/Y5kysnIqRZMfUP 98cAoIGVdGtlEDmKxNdZbFBCoivocFH9 =1KHZ -END PGP SIGNATURE-
[SECURITY] [DSA 2817-1] libtar security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2817-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello December 14, 2013 http://www.debian.org/security/faq - - Package: libtar Vulnerability : Integer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2013-4397 Debian Bug : 725938 Timo Warns reported multiple integer overflow vulnerabilities in libtar, a library for manipulating tar archives, which can result in the execution of arbitrary code. For the oldstable distribution (squeeze), this problem has been fixed in version 1.2.11-6+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 1.2.16-1+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.2.20-1. For the unstable distribution (sid), this problem has been fixed in version 1.2.20-1. We recommend that you upgrade your libtar packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlKsStgACgkQQWTRs4lLtHkfPQCfatC9ids0FAX+3gbBzwgSJyf9 mhQAoKBLYgLv8Gbb5gfeUQMAB7u+fWl3 =7nuN -END PGP SIGNATURE-
[SECURITY] [DSA 2805-1] sup-mail security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2805-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello November 27, 2013 http://www.debian.org/security/faq - - Package: sup-mail Vulnerability : command injection Problem type : remote Debian-specific: no CVE ID : CVE-2013-4478 CVE-2013-4479 Debian Bug : 728232 joernchen of Phenoelit discovered two command injection flaws in Sup, a console-based email client. An attacker might execute arbitrary command if the user opens a maliciously crafted email. CVE-2013-4478 Sup wrongly handled the filename of attachments. CVE-2013-4479 Sup did not sanitize the content-type of attachments. For the oldstable distribution (squeeze), these problems have been fixed in version 0.11-2+nmu1+deb6u1. For the stable distribution (wheezy), these problems have been fixed in version 0.12.1+git20120407.aaa852f-1+deb7u1. We recommend that you upgrade your sup-mail packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlKWXoIACgkQQWTRs4lLtHlQWwCeLPf1Y2SrfseZSRdOuv4Qf2Kp emwAniwS6y/oIM/CjwGCJzly4IfeW7gA =aytc -END PGP SIGNATURE-
[SECURITY] [DSA 2765-1] davfs2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2765-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello September 26, 2013 http://www.debian.org/security/faq - - Package: davfs2 Vulnerability : privilege escalation Problem type : remote Debian-specific: no CVE ID : CVE-2013-4362 Debian Bug : 723034 Davfs2, a filesystem client for WebDAV, calls the function system() insecurely while is setuid root. This might allow a privilege escalation. For the oldstable distribution (squeeze), this problem has been fixed in version 1.4.6-1.1+squeeze1. For the stable distribution (wheezy), this problem has been fixed in version 1.4.6-1.1+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 1.4.7-3. For the unstable distribution (sid), this problem has been fixed in version 1.4.7-3. We recommend that you upgrade your davfs2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlJET/IACgkQQWTRs4lLtHlBLgCdF4Qy2xNMa4AMczLpKwsGh2+r 3n0AoMHTaRkUTFl1H1JgCaAhy1gq6w3c =Du8w -END PGP SIGNATURE-
[SECURITY] [DSA 2618-1] ircd-hybrid security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2618-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 07, 2013 http://www.debian.org/security/faq - - Package: ircd-hybrid Vulnerability : denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2013-0238 Debian Bug : 699267 Bob Nomnomnom reported a Denial of Service vulnerability in IRCD-Hybrid, an Internet Relay Chat server. A remote attacker may use an error in the masks validation and crash the server. For the stable distribution (squeeze), this problem has been fixed in version 7.2.2.dfsg.2-6.2+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 1:7.2.2.dfsg.2-10. For the unstable distribution (sid), this problem has been fixed in version 1:7.2.2.dfsg.2-10. We recommend that you upgrade your ircd-hybrid packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlEUJF8ACgkQQWTRs4lLtHl2HACgkWC8FefxJBjGMe1BM0/9zkle 6bkAnR7l15cYQppBCLHPq42XHqWj70fO =yoys -END PGP SIGNATURE-
[SECURITY] [DSA 2617-1] samba security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2617-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 02, 2013 http://www.debian.org/security/faq - - Package: samba Vulnerability : several issues Problem type : remote Debian-specific: no CVE ID : CVE-2013-0213 CVE-2013-0214 Jann Horn had reported two vulnerabilities in Samba, a popular cross-platform network file and printer sharing suite. In particular, these vulnerabilities affect to SWAT, the Samba Web Administration Tool. CVE-2013-0213: Clickjacking issue in SWAT An attacker can integrate a SWAT page into a malicious web page via a frame or iframe and then overlaid by other content. If an authenticated valid user interacts with this malicious web page, she might perform unintended changes in the Samba settings. CVE-2013-0214: Potential Cross-site request forgery An attacker can persuade a valid SWAT user, who is logged in, to click in a malicious link and trigger arbitrary unintended changes in the Samba settings. For the stable distribution (squeeze), these problems have been fixed in version 3.5.6~dfsg-3squeeze9. For the testing distribution (wheezy), these problems have been fixed in version 2:3.6.6-5. For the unstable distribution (sid), these problems have been fixed in version 2:3.6.6-5. We recommend that you upgrade your samba packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlENAmoACgkQQWTRs4lLtHmRtgCgi55rZbXQyGnZSmrffjeH37zV tOUAoKKwc6/g5g2U7Heo6SF3DkegVq11 =R2Mp -END PGP SIGNATURE-
[SECURITY] [DSA 2573-1] radsecproxy security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2573-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello November 10, 2012 http://www.debian.org/security/faq - - Package: radsecproxy Vulnerability : SSL certificate verification weakness Problem type : remote Debian-specific: no CVE ID : CVE-2012-4523 CVE-2012-4566 Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up pre- and post-handshake verification of clients. This vulnerability may wrongly accept clients without checking their certificate chain under certain configurations. Raphael Geissert spotted that the fix for CVE-2012-4523 was incomplete, giving origin to CVE-2012-4566. Both vulnerabilities are fixed with this update. Notice that this fix may make Radsecproxy reject some clients that are currently (erroneously) being accepted. For the stable distribution (squeeze), these problems have been fixed in version 1.4-1+squeeze1. For the testing distribution (wheezy), these problems have been fixed in version 1.6.2-1. For the unstable distribution (sid), these problems have been fixed in version 1.6.2-1. We recommend that you upgrade your radsecproxy packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlCeylIACgkQQWTRs4lLtHkHaACcDHUTL37Y/8wTylt4xFSkwJVJ BI0AoIVkG7fkhBYWb7VEAIDSK5kjRHqJ =N4xn -END PGP SIGNATURE-
[SECURITY] [DSA 2552-1] tiff security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2552-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello September 26, 2012 http://www.debian.org/security/faq - - Package: tiff Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2010-2482 CVE-2010-2595 CVE-2010-2597 CVE-2010-2630 CVE-2010-4665 CVE-2012-2113 CVE-2012-3401 Debian Bug : 678140 Several vulnerabilities were discovered in Tiff, a library set and tools to support the Tag Image File Format (TIFF), allowing denial of service and potential privilege escalation. These vulnerabilities can be exploited via a specially crafted TIFF image. CVE-2012-2113 The tiff2pdf utility has an integer overflow error when parsing images. CVE-2012-3401 Huzaifa Sidhpurwala discovered heap-based buffer overflow in the t2p_read_tiff_init() function. CVE-2010-2482 An invalid td_stripbytecount field is not properly handle and can trigger a NULL pointer dereference. CVE-2010-2595 An array index error, related to downsampled OJPEG input. in the TIFFYCbCrtoRGB function causes an unexpected crash. CVE-2010-2597 Also related to downsampled OJPEG input, the TIFFVStripSize function crash unexpectly. CVE-2010-2630 The TIFFReadDirectory function does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file. CVE-2010-4665 The tiffdump utility has an integer overflow in the ReadDirectory function. For the stable distribution (squeeze), these problems have been fixed in version 3.9.4-5+squeeze5. For the testing distribution (wheezy), these problems have been fixed in version 4.0.2-2. For the unstable distribution (sid), these problems have been fixed in version 4.0.2-2. We recommend that you upgrade your tiff packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlBjdswACgkQQWTRs4lLtHliFwCfSSHP0HDK4SqjmYYBZMEIKjnt WB0An3bjQgsJoFMjILJMzqOSLWuel4Dc =xFhO -END PGP SIGNATURE-
[SECURITY] [DSA 2531-1] xen security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2531-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello August 18, 2012http://www.debian.org/security/faq - - Package: xen Vulnerability : Denial of Service Problem type : remote Debian-specific: no CVE ID : CVE-2012-3432 CVE-2012-3433 Debian Bug : 683279 Several denial-of-service vulnerabilities have been discovered in Xen, the popular virtualization software. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2012-3432 Guest mode unprivileged code, which has been granted the privilege to access MMIO regions, may leverage that access to crash the whole guest. Since this be used to crash a client from within, this vulnerability is consider with low impact. CVE-2012-3433 A guest kernel can cause the host to become unresponsive for a period of time, potentially leading to a DoS. Since an attacker with full control in the guest can impact on the host, this vulnerability is consider with high impact. For the stable distribution (squeeze), this problem has been fixed in version 4.0.1-5.3. For the unstable distribution (sid), this problem has been fixed in version 4.1.3-1. We recommend that you upgrade your xen packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlAvuLsACgkQQWTRs4lLtHn8CgCfWnIGc4IXpRIZHXy33ffHDI9r kpIAnjJG3/PVtN3/PWWm5rzGAmfh4Wu5 =6TxK -END PGP SIGNATURE-
[SECURITY] [DSA 2510-1] extplorer security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2510-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 12, 2012 http://www.debian.org/security/faq - - Package: extplorer Vulnerability : Cross-site request forgery Problem type : remote Debian-specific: no CVE ID : CVE-2012-3362 Debian Bug : 678737 John Leitch has discovered a vulnerability in eXtplorer, a very feature rich web server file manager, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited for example, to create an administrative user account by tricking an logged administrator to visiting an attacker-defined web link. For the stable distribution (squeeze), this problem has been fixed in version 2.1.0b6+dfsg.2-1+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 2.1.0b6+dfsg.3-3. For the unstable distribution (sid), this problem has been fixed in version 2.1.0b6+dfsg.3-3. We recommend that you upgrade your extplorer packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk//SPsACgkQQWTRs4lLtHkwDwCfag8DV30vTAKknHO6xivXiN8V 9FcAn1obsLGZhksDhJ2bPlzxcd4Edn5G =yna1 -END PGP SIGNATURE-
[SECURITY] [DSA 2509-1] pidgin security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2509-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 08, 2012 http://www.debian.org/security/faq - - Package: pidgin Vulnerability : remote code execution Problem type : remote Debian-specific: no CVE ID : CVE-2012-3374 Debian Bug : #680661 Ulf Härnhammar found a buffer overflow in Pidgin, a multi protocol instant messaging client. The vulnerability can be exploited by an incoming message in the MXit protocol plugin. A remote attacker may cause a crash, and in some circumstances can lead to remote code execution. For the stable distribution (squeeze), this problem has been fixed in version 2.7.3-1+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 2.10.4-1.1. For the unstable distribution (sid), this problem has been fixed in version 2.10.6-1. We recommend that you upgrade your pidgin packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk/54JYACgkQQWTRs4lLtHlQAQCfWhUXLPaZ1uY3L6jdPBfv0P0t 3H0An12zClezErF+lBkWnogUDTydVkz5 =U5CS -END PGP SIGNATURE-
[SECURITY] [DSA 2434-1] nginx security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2434-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello March 19, 2012 http://www.debian.org/security/faq - - Package: nginx Vulnerability : sensitive information leak Problem type : remote Debian-specific: no CVE ID : CVE-2012-1180 Debian Bug : 664137 Matthew Daley discovered a memory disclosure vulnerability in nginx. In previous versions of this web server, an attacker can receive the content of previously freed memory if an upstream server returned a specially crafted HTTP response, potentially exposing sensitive information. For the stable distribution (squeeze), this problem has been fixed in version 0.7.67-3+squeeze2. For the unstable distribution (sid), this problem has been fixed in version 1.1.17-1. We recommend that you upgrade your nginx packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk9nuSsACgkQQWTRs4lLtHmBXgCfQ9bc7DxAo5RIKuPF8UgSaGxn zXUAn3T+A7FpQ6iyr2Ebh2pIoBdPHVz2 =3d9U -END PGP SIGNATURE-
[SECURITY] [DSA 2394-1] libxml2 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2394-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello January 27, 2012 http://www.debian.org/security/faq - - Package: libxml2 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-0216 CVE-2011-2821 CVE-2011-2834 CVE-2011-3905 CVE-2011-3919 Debian Bug : 652352 643648 656377 Many security problems had been fixed in libxml2, a popular library to handle XML data files. CVE-2011-3919: Jüri Aedla discovered a heap-based buffer overflow that allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. CVE-2011-0216: An Off-by-one error have been discoveried that allows remote attackers to execute arbitrary code or cause a denial of service. CVE-2011-2821: A memory corruption (double free) bug has been identified in libxml2's XPath engine. Through it, it is possible to an attacker allows cause a denial of service or possibly have unspecified other impact. This vulnerability does not affect the oldstable distribution (lenny). CVE-2011-2834: Yang Dingning discovered a double free vulnerability related to XPath handling. CVE-2011-3905: An out-of-bounds read vulnerability had been discovered, which allows remote attackers to cause a denial of service. For the oldstable distribution (lenny), this problem has been fixed in version 2.6.32.dfsg-5+lenny5. For the stable distribution (squeeze), this problem has been fixed in version 2.7.8.dfsg-2+squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 2.7.8.dfsg-7. For the unstable distribution (sid), this problem has been fixed in version 2.7.8.dfsg-7. We recommend that you upgrade your libxml2 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk8h1n8ACgkQQWTRs4lLtHnXgACfV+dXC4Yc/aNb5udhKMYsEryT mXAAoLetgUJRnDACae5LC9qnegUiNHRt =j/Is -END PGP SIGNATURE-
[SECURITY] [DSA 2287-1] libpng security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2287-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 28, 2011 http://www.debian.org/security/faq - - Package: libpng Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-2501 CVE-2011-2690 CVE-2011-2691 CVE-2011-2692 Debian Bug : #632786 #633871 The PNG library libpng has been affected by several vulnerabilities. The most critical one is the identified as CVE-2011-2690. Using this vulnerability, an attacker is able to overwrite memory with an arbitrary amount of data controlled by her via a crafted PNG image. The other vulnerabilities are less critical and allow an attacker to cause a crash in the program (denial of service) via a crafted PNG image. For the oldstable distribution (lenny), this problem has been fixed in version 1.2.27-2+lenny5. Due to a technical limitation in the Debian archive processing scripts, the updated packages cannot be released in paralell with the packages for Squeeze. They will appear shortly. For the stable distribution (squeeze), this problem has been fixed in version 1.2.44-1+squeeze1. For the unstable distribution (sid), this problem has been fixed in version 1.2.46-1. We recommend that you upgrade your libpng packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4xjLsACgkQXm3vHE4uylq7CQCePrXfrYx62a4m16tzR7SSyYGg 6EAAn2XljKzyE0G879OhswPKYFqiYErg =29YO -END PGP SIGNATURE-
[SECURITY] [DSA 2254-2] oprofile security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA-2254-2secur...@debian.org http://www.debian.org/security/ Luciano Bello July 11, 2011 http://www.debian.org/security/faq - -- Package: oprofile Vulnerability : command injection Problem type : local Debian-specific: no Debian bug : 624212 CVE ID : CVE-2011-1760 Jamie Strandboge noticed that the patch propoused to fix CVE-2011-1760 in OProfile has been incomplete. For reference, the description of the original DSA, is: OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges. For the oldstable distribution (lenny), this problem has been fixed in version 0.9.3-2+lenny2. For the stable distribution (squeeze), this problem has been fixed in version 0.9.6-1.1+squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 0.9.6-1.4. For the unstable distribution (sid), this problem has been fixed in version 0.9.6-1.4. We recommend that you upgrade your oprofile packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4g6H8ACgkQ62zWxYk/rQe4HwCdF+WRL64GWAPTMsbrgElb7dl6 130AnAxpVmVXtGWf3rFbdWrIji1hAFVE =Qjea -END PGP SIGNATURE-
[SECURITY] [DSA 2276-2] asterisk regression update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2276-2 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 11, 2011 http://www.debian.org/security/faq - - Package: asterisk Vulnerability : multiple denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2011-2529 CVE-2011-2535 Debian Bug : 631445 631446 631448 633481 DSA 2276-1 for Asterisk in the oldstable distribution (lenny) introduced a functionality bug which invokes an undefined symbol. For the oldstable distribution (lenny), this problem has been fixed in version 1.4.21.2~dfsg-3+lenny5. We recommend that you upgrade your asterisk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4bSCQACgkQHYflSXNkfP+GsgCdFXnnbGpJQ6iVfUiMY++o1m/5 RF8AoIrnqgUzVJ4FjuhF9IoVJK2/d8pc =IlPB -END PGP SIGNATURE-
[SECURITY] [DSA 2276-1] asterisk security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2276-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello July 10, 2011 http://www.debian.org/security/faq - - Package: asterisk Vulnerability : multiple denial of service Problem type : remote Debian-specific: no CVE ID : CVE-2011-2529 CVE-2011-2535 Debian Bug : 631445 631446 631448 Paul Belanger reported a vulnerability in Asterisk identified as AST-2011-008 (CVE-2011-2529) through which an unauthenticated attacker may crash an Asterisk server remotely. A package containing a null char causes the SIP header parser to alter unrelated memory structures. Jared Mauch reported a vulnerability in Asterisk identified as AST-2011-009 through which an unauthenticated attacker may crash an Asterisk server remotely. If a user sends a package with a Contact header with a missing left angle bracket () the server will crash. A possible workaround is to disable chan_sip. The vulnerability identified as AST-2011-010 (CVE-2011-2535) reported about an input validation error in the IAX2 channel driver. An unauthenticated attacker may crash an Asterisk server remotely by sending a crafted option control frame. For the oldstable distribution (lenny), this problem has been fixed in version 1.4.21.2~dfsg-3+lenny3. For the stable distribution (squeeze), this problem has been fixed in version 1.6.2.9-2+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8.4.3-1. For the unstable distribution (sid), this problem has been fixed in version 1:1.8.4.3-1. We recommend that you upgrade your asterisk packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4Zwm8ACgkQHYflSXNkfP+G9QCgmlIDAuhXZSFFYspmaJkvt8uS gwkAnRduatGpgQo19s7RuEOspPIgOtlE =RXeA -END PGP SIGNATURE-
[SECURITY] [DSA-2210-2] tiff security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2210-2 secur...@debian.org http://www.debian.org/security/ Luciano Bello June 25, 2011 http://www.debian.org/security/faq - - Package: tiff Vulnerability : several Problem type : local (remote) Debian-specific: no CVE ID : CVE-2011-0191 CVE-2011-0192 CVE-2011-1167 Debian Bug : 619614 630042 The recent tiff update DSA-2210-1 introduced a regression that could lead to encoding problems of tiff files. This update fixes this problem (bug #630042). For reference, the description of the original DSA, which fixed CVE-2011-0191 CVE-2011-0192 CVE-2011-1167 CVE-2011-0191 A buffer overflow allows to execute arbitrary code or cause a denial of service via a crafted TIFF image with JPEG encoding. This issue affects the Debian 5.0 Lenny package only. CVE-2011-0192 A buffer overflow allows to execute arbitrary code or cause a denial of service via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding. CVE-2011-1167 Heap-based buffer overflow in the thunder (aka ThunderScan) decoder allows to execute arbitrary code via a TIFF file that has an unexpected BitsPerSample value. For the oldstable distribution (lenny), this problem has been fixed in version 3.8.2-11.5. For the stable distribution (squeeze), this problem has been fixed in version 3.9.4-5+squeeze3. For the testing distribution (wheezy), this problem has been fixed in version 3.9.5-1. For the unstable distribution (sid), this problem has been fixed in version 3.9.5-1. We recommend that you upgrade your tiff packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk4FuRIACgkQNxpp46476aqJsgCfZHj2QAEkb1yPGsR3w4VFDT0l OgcAniwL8jNLWEIZitLaTmF89e9H0Cop =7afE -END PGP SIGNATURE-
[SECURITY] [DSA 2254-1] oprofile security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - --- Debian Security Advisory DSA 2254-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello June 3, 2011 http://www.debian.org/security/faq - --- Package: oprofile Vulnerability : command injection Problem type : local Debian-specific: no Debian bug : 624212 CVE ID : CVE-2011-1760 OProfile is a performance profiling tool which is configurable by opcontrol, its control utility. Stephane Chauveau reported several ways to inject arbitrary commands in the arguments of this utility. If a local unprivileged user is authorized by sudoers file to run opcontrol as root, this user could use the flaw to escalate his privileges. For the oldstable distribution (lenny), this problem has been fixed in version 0.9.3-2+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 0.9.6-1.1+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 0.9.6-1.2. For the unstable distribution (sid), this problem has been fixed in version 0.9.6-1.2. We recommend that you upgrade your oprofile packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk3qdL0ACgkQHYflSXNkfP/FlACeJhDQcRMuQHvWHa25HnSdMECy T90An1FejDYdiCPVthcunO2YytGOzc6e =Weyj -END PGP SIGNATURE-
[SECURITY] [DSA 2234-1] zodb security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2234-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello May 10, 2011 http://www.debian.org/security/faq - - Package: zodb Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2009-0668 CVE-2009-0669 Debian Bug : 540465 Several remote vulnerabilities have been discovered in python-zodb, a set of tools for using ZODB, that could lead to arbitrary code execution in the worst case. The Common Vulnerabilities and Exposures project identified the following problems: CVE-2009-0668 The ZEO server doesn't restrict the callables when unpickling data received from a malicious client which can be used by an attacker to execute arbitrary python code on the server by sending certain exception pickles. This also allows an attacker to import any importable module as ZEO is importing the module containing a callable specified in a pickle to test for a certain flag. CVE-2009-0669 Due to a programming error an authorization method in the StorageServer component of ZEO was not used as an internal method. This allows a malicious client to bypass authentication when connecting to a ZEO server by simply calling this authorization method. The update also limits the number of new object ids a client can request to 100 as it would be possible to consume huge amounts of resources by requesting a big batch of new object ids. No CVE id has been assigned to this. For the oldstable distribution (lenny), this problem has been fixed in version 1:3.6.0-2+lenny3. The stable distribution (squeeze) is not affected, it was fixed before the initial release. For the unstable distribution (sid), this problem has been fixed in version 1:3.8.2-1. We recommend that you upgrade your zodb packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk3JhrgACgkQXm3vHE4uylo3NACbBrl+e3SPOx5Sd9ooqOOQIWeB BvcAmwd2mKE/q/DpaA3xYVRU5XYPl/0D =zb3T -END PGP SIGNATURE-
[SECURITY] [DSA 2165-1] ffmpeg-debian security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2165-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello February 16, 2011 http://www.debian.org/security/faq - - Package: ffmpeg-debian Vulnerability : buffer overflow Problem type : remote Debian-specific: no CVE ID : CVE-2010-3429 CVE-2010-4704 CVE-2010-4705 Several vulnerabilities have been discovered in FFmpeg coders, which are used by by MPlayer and other applications. CVE-2010-3429 Cesar Bernardini and Felipe Andres Manzano reported an arbitrary offset dereference vulnerability in the libavcodec, in particular in the flic file format parser. A specific flic file may exploit this vulnerability and execute arbitrary code. Mplayer is also affected by this problem, as well as other software that use this library. CVE-2010-4704 Greg Maxwell discovered an integer overflow the Vorbis decoder in FFmpeg. A specific ogg file may exploit this vulnerability and execute arbitrary code. CVE-2010-4705 A potential integer overflow has been discovered in the Vorbis decoder in FFmpeg. This upload also fixes an incomplete patch from DSA-2000-1. Michael Gilbert noticed that there was remaining vulnerabilities, which may cause a denial of service and potentially execution of arbitrary code. For the oldstable distribution (lenny), this problem has been fixed in version 0.svn20080206-18+lenny3. We recommend that you upgrade your ffmpeg-debian packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk1b2bEACgkQNxpp46476apZfQCgikLMnHum8LZNNkxNTJ3V2AJ2 7ccAoJFdX+ABvUy5ghdchKoPcxNeSegO =t0vw -END PGP SIGNATURE-
[SECURITY] [DSA 2091-1] New squirrelmail packages fix cross-site request forgery
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-2091-1 secur...@debian.org http://www.debian.org/security/Luciano Bello August 12, 2010 http://www.debian.org/security/faq - Package: squirrelmail Vulnerability : No user-specific token implemented Problem type : remote Debian-specific: no Debian bug : 543818 CVE ID : CVE-2009-2964 CVE-2010-2813 SquirrelMail, a webmail application, does not employ a user-specific token for webforms. This allows a remote attacker to perform a Cross Site Request Forgery (CSRF) attack. The attacker may hijack the authentication of unspecified victims and send messages or change user preferences among other actions, by tricking the victim into following a link controled by the offender. In addition, a denial-of-service was fixed, which could be triggered when a passwords containing 8-bit characters was used to log in (CVE-2010-2813). For the stable distribution (lenny), these problems have been fixed in version 1.4.15-4+lenny3.1. For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 1.4.21-1. We recommend that you upgrade your squirrelmail packages. Upgrade instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Source archives: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.diff.gz Size/MD5 checksum:34647 2251562662703a0d8e4f0de309ca60a6 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15.orig.tar.gz Size/MD5 checksum: 621320 87b466fef98e770307afffd75fe25589 http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.dsc Size/MD5 checksum: 1240 a4e2ab21379259946f02a1d30831fe6d Architecture independent packages: http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1_all.deb Size/MD5 checksum: 615152 d08549fd86ffec2ae16b36e358f50cd6 These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-annou...@lists.debian.org Package info: `apt-cache show pkg' and http://packages.debian.org/pkg -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJMZFbAAAoJEOxfUAG2iX57E9wH/2R7hpqY9l0OTtMT+TpEP6ld SWMx1rhE+Vf8nss3AKSx88uAn0szgS0zyVdBuGbksFsKDsLLAyreajwyqyNqYWdf +saBoZHbOXsE3xQUp1ceHJQ5LO3hPl8e7PlSfb91TVX0PTwjAbflIICGXNXjsT3j 2gQRUWI8VtIbKNaTh0erSS2tU0CHdcWxcVjCmPLJxrDZ5jy9vTgiyc2secI6PLLQ uXpTBTC4ORRcui1L464cDb0a0xdX9s3qBu5PGydYwGyCMXsf4Vs8atejBUIK/XZq 2aLNcAQuwNHttZtlRuig8LLmavpVEvDXErlFhETOd6UFCz5sVq9yfrMMT3ECli0= =9dTP -END PGP SIGNATURE-
[SECURITY] [DSA 2090-1] New socat packages fix arbitrary code execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-2090-1 secur...@debian.org http://www.debian.org/security/Luciano Bello August 06, 2010 http://www.debian.org/security/faq - Package: socat Vulnerability : incorrect user-input validation Problem type : remote Debian-specific: no Debian bug : 591443 CVE ID : CVE-2010-2799 A stack overflow vulnerability was found in socat that allows an attacker to execute arbitrary code with the privileges of the socat process. This vulnerability can only be exploited when an attacker is able to inject more than 512 bytes of data into socat's argument. A vulnerable scenario would be a CGI script that reads data from clients and uses (parts of) this data as argument for a socat invocation. For the stable distribution (lenny), this problem has been fixed in version 1.6.0.1-1+lenny1. For the unstable distribution (sid), this problem has been fixed in version 1.7.1.3-1. We recommend that you upgrade your socat package. Upgrade instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1.orig.tar.gz Size/MD5 checksum: 489105 5a6a1d1e398d5c4d32fa6515baf477af http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1.dsc Size/MD5 checksum: 1013 157ca774934ca80c6a94c1b741a9093b http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1.diff.gz Size/MD5 checksum: 4381 7e52b5124379d307c379b6ecf70284f0 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_alpha.deb Size/MD5 checksum: 341794 8bd7ad19df1117ec16195fa75a127706 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_amd64.deb Size/MD5 checksum: 330554 3106c700362d15d5f1ef3ebb68e6805c arm architecture (ARM) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_arm.deb Size/MD5 checksum: 312612 2a70ed46e9491e800a77823b0217abbb armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_armel.deb Size/MD5 checksum: 315430 08e6b5a7b9eda8dbe3173c115c8e1796 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_hppa.deb Size/MD5 checksum: 331510 d1802193cb2a2f28ef51d8c07f5e374b i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_i386.deb Size/MD5 checksum: 316594 24c9775f51968d945266e7a28b9d103a ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_ia64.deb Size/MD5 checksum: 387414 c2bbf057264a8387df441dd3a9bbc330 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_mips.deb Size/MD5 checksum: 333986 48385d0f66ea5397bc718c0e2af6b056 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_mipsel.deb Size/MD5 checksum: 328748 3f2edf664abb7e8318f5a5c3b9c35991 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_powerpc.deb Size/MD5 checksum: 339838 77db34fb93c8bd07590729d3e1aaa98d s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_s390.deb Size/MD5 checksum: 329612 56dc31e55ccb561742fe751993200255 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/s/socat/socat_1.6.0.1-1+lenny1_sparc.deb Size/MD5 checksum: 312724 96fa647e83461a5f2fd1678d6da6ee27 These files will probably be moved into the stable distribution on its next update. - - For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 2042-1] New iscsitarget packages fix arbitrary code execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - --- Debian Security Advisory DSA-2042-1 secur...@debian.org http://www.debian.org/security/ Luciano Bello May 5th, 2010http://www.debian.org/security/faq - --- Package: iscsitarget Vulnerability : format string Problem type : remote Debian-specific: no Debian bug : 574935 CVE ID : CVE-2010-0743 Florent Daigniere discovered multiple format string vulnerabilities in Linux SCSI target framework (which is known as iscsitarget under Debian) allow remote attackers to cause a denial of service in the ietd daemon. The flaw could be trigger by sending a carefully-crafted Internet Storage Name Service (iSNS) request. For the stable distribution (lenny), this problem has been fixed in version 0.4.16+svn162-3.1+lenny1. For the testing distribution (squeeze), this problem has been fixed in version 0.4.17+svn229-1.4. For the unstable distribution (sid), this problem has been fixed in version 0.4.17+svn229-1.4. Upgrade instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Debian (stable) - --- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1.dsc Size/MD5 checksum: 1193 df8ae44c0366731c4102f1c5290f6c15 http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162.orig.tar.gz Size/MD5 checksum: 354607 7105541d6b64f75852a725bcc26636bf http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1.diff.gz Size/MD5 checksum: 6743 d529b9d00d84471b032a425596ee63fe Architecture independent packages: http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget-source_0.4.16+svn162-3.1+lenny1_all.deb Size/MD5 checksum:42926 006bfefbd074b9dbf72843ef643ff8df alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_alpha.deb Size/MD5 checksum:67210 14b0bdb4c8ec37cbafdea7794e23abd8 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_amd64.deb Size/MD5 checksum:60612 109ce97790e712a34de0f35900013b4c arm architecture (ARM) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_arm.deb Size/MD5 checksum:56720 18811f116a76d7313a2a3a28110cf826 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_armel.deb Size/MD5 checksum:54884 3e461faf8c4894b16ca5ef30fe984f9d hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_hppa.deb Size/MD5 checksum:61690 e782044016a48646e518672dab64fa38 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_i386.deb Size/MD5 checksum:55872 4b76ecbc8b77f188fddeb22c85340730 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_ia64.deb Size/MD5 checksum:78788 64e434cc92a5c15464bbd686cf42b5e5 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_mips.deb Size/MD5 checksum:60938 4bd9648a4d57aebbf988bd109d50db31 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_mipsel.deb Size/MD5 checksum:60864 7f6bae57597af59dec08361837b52e6a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_powerpc.deb Size/MD5 checksum:63610 1c2e92e14e5880718638fc4f73e35e3f s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/i/iscsitarget/iscsitarget_0.4.16+svn162-3.1+lenny1_s390.deb Size/MD5 checksum:60210 5ad590f73d54b0524c95e9281e30a2ae sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org
[SECURITY] [DSA 2028-1] New xpdf packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA-2028-1secur...@debian.org http://www.debian.org/security/ Luciano Bello April 5th, 2010 http://www.debian.org/security/faq - -- Package: xpdf Vulnerability : multiple Problem type : local (remote) Debian-specific: no Debian bug : 551287 CVE ID : CVE-2009-1188 CVE-2009-3603 CVE-2009-3604 CVE-2009-3606 CVE-2009-3608 CVE-2009-3609 Several vulnerabilities have been identified in xpdf, a suite of tools for viewing and converting Portable Document Format (PDF) files. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1188 and CVE-2009-3603 Integer overflow in SplashBitmap::SplashBitmap which might allow remote attackers to execute arbitrary code or an application crash via a crafted PDF document. CVE-2009-3604 NULL pointer dereference or heap-based buffer overflow in Splash::drawImage which might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document. CVE-2009-3606 Integer overflow in the PSOutputDev::doImageL1Sep which might allow remote attackers to execute arbitrary code via a crafted PDF document. CVE-2009-3608 Integer overflow in the ObjectStream::ObjectStream which might allow remote attackers to execute arbitrary code via a crafted PDF document. CVE-2009-3609 Integer overflow in the ImageStream::ImageStream which might allow remote attackers to cause a denial of service via a crafted PDF document. For the stable distribution (lenny), this problem has been fixed in version 3.02-1.4+lenny2. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 3.02-2. Upgrade instructions - - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - Debian (stable) - --- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02.orig.tar.gz Size/MD5 checksum: 674912 599dc4cc65a07ee868cf92a667a913d2 http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny2.diff.gz Size/MD5 checksum:44597 d25be5fd97c9d9171db95025b7c32c5a http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny2.dsc Size/MD5 checksum: 1274 6cffe3ed50825b5a2746b71c4bd073ac Architecture independent packages: http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.02-1.4+lenny2_all.deb Size/MD5 checksum: 1270 6a4da9738ca93522b57cafadb598ca65 http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.02-1.4+lenny2_all.deb Size/MD5 checksum:66414 24f28ede9dcaeeb2b7aa24b9603496be alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny2_alpha.deb Size/MD5 checksum: 1019484 8d91cca64026c90667b2d29a94190892 http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny2_alpha.deb Size/MD5 checksum: 1895246 cf7dc335f3e5987577ad3559a44f0666 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny2_amd64.deb Size/MD5 checksum: 922594 1ce29c4e15fe4600f557e8d055f5b203 http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny2_amd64.deb Size/MD5 checksum: 1709600 989f4f4a09b07c4d08d4b69456e6e8bd arm architecture (ARM) http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny2_arm.deb Size/MD5 checksum: 907674 b058407dae72e49939662466b3e3d139 http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny2_arm.deb Size/MD5 checksum: 1667592 ebd3ae168496645940066041e51c0e32 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.02-1.4+lenny2_armel.deb Size/MD5 checksum: 1603124 4f79ec52afae68ee081ee2073180878e http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.02-1.4+lenny2_armel.deb Size/MD5 checksum: 886136 38594fe36b0a657a3d91ba2ec7fd74ac hppa architecture (HP PA
[SECURITY] [DSA 1858-1] New imagemagick packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - Debian Security Advisory DSA-1858-1 secur...@debian.org http://www.debian.org/security/Luciano Bello August 10, 2009 http://www.debian.org/security/faq - Package: imagemagick Vulnerability : multiple Problem type : local(remote) Debian-specific: no CVE Id(s) : CVE-2007-1667 CVE-2007-1797 CVE-2007-4985 CVE-2007-4986 CVE-2007-4987 CVE-2007-4988 CVE-2008-1096 CVE-2008-1097 CVE-2009-1882 Debian Bug : 418057 412945 444267 530838 Several vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1667 Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). CVE-2007-1797 Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). CVE-2007-4985 A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). CVE-2007-4986 Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). CVE-2007-4987 Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address. It affects only the oldstable distribution (etch). CVE-2007-4988 A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). CVE-2008-1096 The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only to oldstable (etch). CVE-2008-1097 Heap-based buffer overflow in the PCX coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. It affects only to oldstable (etch). CVE-2009-1882 Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. For the old stable distribution (etch), these problems have been fixed in version 7:6.2.4.5.dfsg1-0.15+etch1. For the stable distribution (lenny), these problems have been fixed in version 7:6.3.7.9.dfsg2-1~lenny3. For the upcoming stable distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 7:6.5.1.0-1.1. We recommend that you upgrade your imagemagick packages. Upgrade instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - --- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.15+etch1.tar.gz Size/MD5 checksum: 5202678 cbb51d6956c6dd68f7dfaa068d0b416b http://security.debian.org/pool/updates/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.15+etch1.dsc Size/MD5 checksum: 958 6c8ffe1f0d0efab6652070aabd8fab8d alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-0.15+etch1_alpha.deb Size/MD5