[SECURITY] [DLA 1263-1] debian-security-support update

2018-01-29 Thread Guido Günther
Package: debian-security-support
Version: 2018.01.29~deb7u1

This update marks several packages as no longer supported by wheezy-lts:

teamspeak-server, teamspeak-client, libstruts1.2-java, nvidia-graphics-drivers,
glassfish, jbossas4, libnet-ping-external-perl, mp3gain, tor,
jasperreports.

For the reasoning please see the links provided in

/usr/share/debian-security-support/security-support-ended.deb8

Furthermore, it marks swftools as only safe to use for trusted input.

For Debian 7 "Wheezy", these problems have been fixed in version
2018.01.29~deb7u1.

We recommend that you upgrade your debian-security-support packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1262-1] thunderbird security update

2018-01-29 Thread Guido Günther
Package: thunderbird
Version: 1:52.6.0-1~deb7u1
CVE ID : CVE-2018-5089 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 
 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 
 CVE-2018-5104 CVE-2018-5117
Debian Bug : 885157 885158 887766

Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, use after free, integer overflows
and other implementation errors may lead to crashes or the execution of
arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.6.0-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1223-1] thunderbird security update

2017-12-27 Thread Guido Günther
Package: thunderbird
Version: 1:52.5.2-1~deb7u1
CVE ID : CVE-2017-7829 CVE-2017-7846 CVE-2017-7847 CVE-2017-7848

Multiple security issues have been found in the Mozilla Thunderbird mail
client including information leaks, unintended JavaScript execution and
sender address spoofing.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.5.2-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1221-1] ruby1.9.1 security update

2017-12-25 Thread Guido Günther
Package: ruby1.9.1
Version: 1.9.3.194-8.1+deb7u7
CVE ID : CVE-2017-17405 CVE-2017-17790

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-17405

A command injection vulnerability in Net::FTP might allow a
malicious FTP server to execute arbitrary commands.

CVE-2017-17790

A command injection vulnerability in lib/resolv.rb's lazy_initialize
might allow a command injection attack. However untrusted input to
this function is rather unlikely.

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.3.194-8.1+deb7u7.

We recommend that you upgrade your ruby1.9.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1222-1] ruby1.8 security update

2017-12-25 Thread Guido Günther
Package: ruby1.8
Version: 1.8.7.358-7.1+deb7u5
CVE ID : CVE-2017-17405 CVE-2017-17790

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-17405

A command injection vulnerability in Net::FTP might allow a
malicious FTP server to execute arbitrary commands.

CVE-2017-17790

A command injection vulnerability in lib/resolv.rb's lazy_initialize
might allow a command injection attack. However untrusted input to
this function is rather unlikely.

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.7.358-7.1+deb7u5.

We recommend that you upgrade your ruby1.8 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1199-1] thunderbird security update

2017-12-09 Thread Guido Günther
Package: thunderbird
Version: 1:52.5.0-1~deb7u1
CVE ID : CVE-2017-7826 CVE-2017-7828 CVE-2017-7830

Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, use after free and other
implementation errors may lead to crashes or the execution of arbitrary
code.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.5.0-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1115-1] debsecan update

2017-09-27 Thread Guido Günther
Package: debsecan
Version: 0.4.16+nmu1+deb7u1
Debian Bug : 842428

Debsecan in Wheezy in its default configuration currently fails to
download recent vulnerability data due to a URL change.

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.16+nmu1+deb7u1.

We recommend that you upgrade your debsecan packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1110-1] samba security update

2017-09-25 Thread Guido Günther
Package: samba
Version: 2:3.6.6-6+deb7u14
CVE ID : CVE-2017-12150 CVE-2017-12163

CVE-2017-12150

Stefan Metzmacher discovered multiple code paths where SMB signing
was not enforced.

CVE-2017-12163

Yihan Lian and Zhibin Hu discovered that insufficient range checks
in the processing of SMB1 write requests could result in disclosure
of server memory.

For Debian 7 "Wheezy", these problems have been fixed in version
2:3.6.6-6+deb7u14.

We recommend that you upgrade your samba packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1097-1] tcpdump security update

2017-09-15 Thread Guido Günther
Package: tcpdump
Version: 4.9.2-1~deb7u1
CVE ID : CVE-2017-12894 CVE-2017-12895 CVE-2017-12896 CVE-2017-12897 
 CVE-2017-12898 CVE-2017-12899 CVE-2017-12900 CVE-2017-12901 
 CVE-2017-12902 CVE-2017-12985 CVE-2017-12986 CVE-2017-12987 
 CVE-2017-12988 CVE-2017-12989 CVE-2017-12990 CVE-2017-12991 
 CVE-2017-12992 CVE-2017-12993 CVE-2017-12994 CVE-2017-12995 
 CVE-2017-12996 CVE-2017-12997 CVE-2017-12998 CVE-2017-12999 
 CVE-2017-13000 CVE-2017-13001 CVE-2017-13002 CVE-2017-13003 
 CVE-2017-13004 CVE-2017-13005 CVE-2017-13006 CVE-2017-13007 
 CVE-2017-13008 CVE-2017-13009 CVE-2017-13010 CVE-2017-13011 
 CVE-2017-13012 CVE-2017-13013 CVE-2017-13014 CVE-2017-13015 
 CVE-2017-13016 CVE-2017-13017 CVE-2017-13018 CVE-2017-13019 
 CVE-2017-13020 CVE-2017-13021 CVE-2017-13022 CVE-2017-13023 
 CVE-2017-13024 CVE-2017-13025 CVE-2017-13026 CVE-2017-13027 
 CVE-2017-13028 CVE-2017-13029 CVE-2017-13030 CVE-2017-13031 
 CVE-2017-13032 CVE-2017-13033 CVE-2017-13034 CVE-2017-13035 
 CVE-2017-13036 CVE-2017-13037 CVE-2017-13038 CVE-2017-13039 
 CVE-2017-13040 CVE-2017-13041 CVE-2017-13042 CVE-2017-13043 
 CVE-2017-13044 CVE-2017-13045 CVE-2017-13046 CVE-2017-13047 
 CVE-2017-13048 CVE-2017-13049 CVE-2017-13050 CVE-2017-13051 
 CVE-2017-13052 CVE-2017-13053 CVE-2017-13054 CVE-2017-13055 
 CVE-2017-13687 CVE-2017-13688 CVE-2017-13689 CVE-2017-13690 
 CVE-2017-13725 CVE-2017-12893 

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or, potentially, execution of arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version
4.9.2-1~deb7u1.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1090-1] tcpdump security update

2017-09-06 Thread Guido Günther
Package: tcpdump
Version: 4.9.0-1~deb7u2
CVE ID : CVE-2017-11108 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service (application crash).

For Debian 7 "Wheezy", these problems have been fixed in version
4.9.0-1~deb7u2.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1080-1] gnupg security update

2017-08-31 Thread Guido Günther
Package: gnupg
Version: 1.4.12-7+deb7u9
CVE ID : CVE-2017-7526

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
Yuval Yarom discovered that gnupg is prone to a local side-channel
attack allowing full key recovery for RSA-1024.

See https://eprint.iacr.org/2017/627 for details.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.12-7+deb7u9.

We recommend that you upgrade your gnupg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1071-1] qemu-kvm security update

2017-08-28 Thread Guido Günther
Package: qemu-kvm
Version: 1.1.2+dfsg-6+deb7u23
CVE ID : CVE-2017-6505 CVE-2017-8309 CVE-2017-10664 CVE-2017-11434

Multiple vulnerabilities were discovered in qemu-kvm, a full
virtualization solution for Linux hosts on x86 hardware with x86 guests
based on the Quick Emulator (Qemu).

CVE-2017-6505

Denial of service via infinite loop in the USB OHCI emulation

CVE-2017-8309

Denial of service via VNC audio capture

CVE-2017-10664

Denial of service in qemu-nbd server, qemu-io and qemu-img.

CVE-2017-11434

Denial of service via a crafted DHCP options string

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u23.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1035-1] qemu security update

2017-07-21 Thread Guido Günther
Package: qemu
Version: 1.1.2+dfsg-6+deb7u22
CVE ID : CVE-2016-9602 CVE-2016-9603 CVE-2017-7377 CVE-2017-7471 
 CVE-2017-7493 CVE-2017-7718 CVE-2017-7980 CVE-2017-8086

Several vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-9603

qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator and the VNC
display driver support is vulnerable to a heap buffer overflow
issue.  It could occur when Vnc client attempts to update its
display after a vga operation is performed by a guest.

A privileged user/process inside guest could use this flaw to crash
the Qemu process resulting in DoS OR potentially leverage it to
execute arbitrary code on the host with privileges of the Qemu
process.

CVE-2017-7718

 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is
 vulnerable to an out-of-bounds access issue. It could occur while
 copying VGA data via bitblt functions cirrus_bitblt_rop_fwd_transp_
 and/or cirrus_bitblt_rop_fwd_.

 A privileged user inside guest could use this flaw to crash the
 Qemu process resulting in DoS.

CVE-2017-7980

 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is
 vulnerable to out-of-bounds r/w access issues. They could occur
 while copying VGA data via various bitblt functions.

 A privileged user inside guest could use this flaw to crash the
 Qemu process resulting in DoS OR potentially execute arbitrary code
 on a host with privileges of Qemu process on the host.

CVE-2016-9602

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper link
  following issue.  It could occur while accessing symbolic link files
  on a shared host directory.

  A privileged user inside guest could use this flaw to access host file
  system beyond the shared folder and potentially escalating their
  privileges on a host.

CVE-2017-7377

  Quick Emulator (Qemu) built with the virtio-9p back-end support is
  vulnerable to a memory leakage issue. It could occur while doing an I/O
  operation via the v9fs_create/v9fs_lcreate routine.

  A privileged user/process inside guest could use this flaw to leak
  host memory resulting in DoS.

CVE-2017-7471

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper access
  control issue.  It could occur while accessing files on a shared host
  directory.

  A privileged user inside guest could use this flaw to access host file
  system beyond the shared folder and potentially escalating their
  privileges on a host.

CVE-2017-7493

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper access
  control issue.  It could occur while accessing virtfs metadata files
  in mapped-file security mode.

  A guest user could use this flaw to escalate their privileges inside
  guest.

CVE-2017-8086

  Quick Emulator(Qemu) built with the virtio-9p back-end support is
  vulnerable to a memory leakage issue. It could occur while querying
  file system extended attributes via 9pfs_list_xattr() routine.

  A privileged user/process inside guest could use this flaw to leak
  host memory resulting in DoS.


For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u22.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1027-1] heimdal security update

2017-07-14 Thread Guido Günther
Package: heimdal
Version: 1.6~git20120403+dfsg1-2+deb7u1
CVE ID : CVE-2017-11103
Debian Bug : 868208

Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual
authentication bypass vulnerability in Heimdal Kerberos. Also known as
Orpheus' Lyre, this vulnerability could be used by an attacker to mount
a service impersonation attack on the client if he's on the network
path between the client and the service.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/).

For Debian 7 "Wheezy", these problems have been fixed in version
1.6~git20120403+dfsg1-2+deb7u1.

We recommend that you upgrade your heimdal packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 1007-1] icedove/thunderbird security update

2017-07-03 Thread Guido Günther
Package: icedove
Version: 1:52.2.1-1~deb7u1
CVE ID : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 
 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756 
 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771 
 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 
 CVE-2017-7776 CVE-2017- CVE-2017-7778

Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
spoofing.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.2.1-1~deb7u1.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 979-1] debian-security-support update

2017-06-07 Thread Guido Günther
Package: debian-security-support
Version: 2017.06.02+deb7u1

Besides bringing the package up to date regarding translations this
update marks several packages as no longer supported by wheezy-lts:

autotrace, inspircd, ioquake3, kfreebsd-8, kfreebsd-9, matrixssl,
teeworlds and trn

For the reasoning please see the links provided in

/usr/share/debian-security-support/security-support-ended.deb8

For Debian 7 "Wheezy", these problems have been fixed in version
2017.06.02+deb7u1.

We recommend that you upgrade your debian-security-support packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 965-1] qemu-kvm security update

2017-05-31 Thread Guido Günther
Package: qemu-kvm
Version: 1.1.2+dfsg-6+deb7u22
CVE ID : CVE-2016-9602 CVE-2017-7377 CVE-2017-7471 CVE-2017-7493 
 CVE-2017-8086

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution for Linux hosts on x86 hardware with x86 guests
based on the Quick Emulator (Qemu).

CVE-2016-9602

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper link
  following issue.  It could occur while accessing symbolic link files
  on a shared host directory.

  A privileged user inside guest could use this flaw to access host file
  system beyond the shared folder and potentially escalating their
  privileges on a host.

CVE-2017-7377

  Quick Emulator (Qemu) built with the virtio-9p back-end support is
  vulnerable to a memory leakage issue. It could occur while doing an I/O
  operation via the v9fs_create/v9fs_lcreate routine.

  A privileged user/process inside guest could use this flaw to leak
  host memory resulting in DoS.

CVE-2017-7471

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper access
  control issue.  It could occur while accessing files on a shared host
  directory.

  A privileged user inside guest could use this flaw to access host file
  system beyond the shared folder and potentially escalating their
  privileges on a host.

CVE-2017-7493

  Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System(9pfs) support, is vulnerable to an improper access
  control issue.  It could occur while accessing virtfs metadata files
  in mapped-file security mode.

  A guest user could use this flaw to escalate their privileges inside
  guest.

CVE-2017-8086

  Quick Emulator(Qemu) built with the virtio-9p back-end support is
  vulnerable to a memory leakage issue. It could occur while querying
  file system extended attributes via 9pfs_list_xattr() routine.

  A privileged user/process inside guest could use this flaw to leak
  host memory resulting in DoS.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u22.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 939-1] qemu-kvm security update

2017-05-11 Thread Guido Günther
Package: qemu-kvm
Version: 1.1.2+dfsg-6+deb7u21
CVE ID : CVE-2016-9603 CVE-2017-7718 CVE-2017-7980

Multiple vulnerabilities have been discovered in qemu-kvm, a full
virtualization solution on x86 hardware based on the Quick
Emulator (Qemu). The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2016-9603

qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator and the VNC
display driver support is vulnerable to a heap buffer overflow
issue.  It could occur when Vnc client attempts to update its
display after a vga operation is performed by a guest.

A privileged user/process inside guest could use this flaw to crash
the Qemu process resulting in DoS OR potentially leverage it to
execute arbitrary code on the host with privileges of the Qemu
process.

CVE-2017-7718

 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is
 vulnerable to an out-of-bounds access issue. It could occur while
 copying VGA data via bitblt functions cirrus_bitblt_rop_fwd_transp_
 and/or cirrus_bitblt_rop_fwd_.

 A privileged user inside guest could use this flaw to crash the
 Qemu process resulting in DoS.

CVE-2017-7980

 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is
 vulnerable to out-of-bounds r/w access issues. They could occur
 while copying VGA data via various bitblt functions.

 A privileged user inside guest could use this flaw to crash the
 Qemu process resulting in DoS OR potentially execute arbitrary code
 on a host with privileges of Qemu process on the host.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u21.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 904-1] uzbek-wordlist update

2017-04-20 Thread Guido Günther
Package: uzbek-wordlist
Version: 0.6-3.2+deb7u1

The dictionary provided by this package had an unnecessary unversioned
conflict against the thunderbird package which recently got reintroduced
into Wheezy.

For Debian 7 "Wheezy", this problem has been fixed in version
0.6-3.2+deb7u1.

We recommend that you upgrade your uzbek-wordlist packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 896-1] icedove/thunderbird security update

2017-04-18 Thread Guido Günther
Package: icedove
Version: 1:45.8.0-3~deb7u1
CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378 
 CVE-2017-5380 CVE-2017-5383 CVE-2017-5390 CVE-2017-5396 
 CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 
 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 
 CVE-2017-5410

Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or spoofing.

With version 45.8 Debian drops its custom branding from the Icedove package
and ships the mail client as Thunderbird again. Please see the link below for
further information:
 https://wiki.debian.org/Thunderbird

Transition packages for the Icedove packages are provided which
automatically upgrade to the new version. Since new binary packages need
to be installed, make sure to allow that in your upgrade procedure (e.g.
by using "apt-get dist-upgrade" instead of "apt-get upgrade").

For Debian 7 "Wheezy", these problems have been fixed in version
1:45.8.0-3~deb7u1.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 881-1] ejabberd security update

2017-04-01 Thread Guido Günther
Package: ejabberd
Version: 2.1.10-4+deb7u2
CVE ID : CVE-2014-8760
Debian Bug : 767521 767535

It was found that ejabberd does not enforce the starttls_required
setting when compression is used, which causes clients to establish
connections without encryption.

For Debian 7 "Wheezy", this problem has been fixed in version
2.1.10-4+deb7u2.

This update also disables the insecure SSLv3.

We recommend that you upgrade your ejabberd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 845-1] qemu security update

2017-03-01 Thread Guido Günther
Package: qemu
Version: 1.1.2+dfsg-6+deb7u20
CVE ID : CVE-2017-2615 CVE-2017-2620 CVE-2017-5898 CVE-2017-5973
Debian Bug : 

Several vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-2615

The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an
out-of-bounds access issue. It could occur while copying VGA data
via bitblt copy in backward mode.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS OR potentially execute arbitrary
code on the host with privileges of Qemu process on the host.

CVE-2017-2620

The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an
out-of-bounds access issue. It could occur while copying VGA data
in cirrus_bitblt_cputovideo.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS OR potentially execute arbitrary
code on the host with privileges of Qemu process on the host.

CVE-2017-5898

The CCID Card device emulator support is vulnerable to an integer
overflow flaw. It could occur while passing message via
command/responses packets to and from the host.

A privileged user inside guest could use this flaw to crash the
Qemu process on host resulting in DoS.

CVE-2017-5973

The USB xHCI controller emulator support in qemu is vulnerable
to an infinite loop issue. It could occur while processing control
transfer descriptors' sequence in xhci_kick_epctx.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS.

This update also updates the fix for CVE-2016-9921 since it was too strict
and broke certain guests.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u20.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 807-1] imagemagick security update

2017-01-30 Thread Guido Günther
Package: imagemagick
Version: 8:6.7.7.10-5+deb7u11
CVE ID : CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 
 CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug : #851485, #851483, #851380, #851383, #851382, #851381, #851376, 
#851374

Numerous vulnerabilities were discovered in ImageMagick, an image
manipulation program. Issues include memory leaks, out of bound reads
and missing checks.

This update also includes an update of the fix for CVE-2016-8677 which
was incomplete in the previous version.

For Debian 7 "Wheezy", these problems have been fixed in version
8:6.7.7.10-5+deb7u11.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 783-1] xen security update

2017-01-13 Thread Guido Günther
Package: xen
Version: 4.1.6.lts1-5
CVE ID : CVE-2016-10013 CVE-2016-10024

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2016-10013 (xsa-204)

  Xen mishandles SYSCALL singlestep during emulation which can lead to
  privilege escalation. The vulnerability is only exposed to 64-bit x86
  HVM guests.

CVE-2016-10024 (xsa-202)

  PV guests may be able to mask interrupts causing a Denial of Service.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-5.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 752-1] icedove security update

2016-12-17 Thread Guido Günther
Package: icedove
Version: 45.5.1-1~deb7u1
CVE ID : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297 
 CVE-2016-9066 CVE-2016-9074 CVE-2016-9079

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors,
same-origin policy bypass issues, integer overflows, buffer overflows
and use-after-frees may lead to the execution of arbitrary code or
denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version
45.5.1-1~deb7u1.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 698-1] qemu security update

2016-11-03 Thread Guido Günther
Package: qemu
Version: 1.1.2+dfsg-6+deb7u18
CVE ID : CVE-2016-7909 CVE-2016-8909 CVE-2016-8910 CVE-2016-9101 
 CVE-2016-9102 CVE-2016-9103 CVE-2016-9104 CVE-2016-9105 CVE-2016-9106
Debian Bug : 839834 841950 841955 842455 842463

Several vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-7909

  Quick Emulator(Qemu) built with the AMD PC-Net II emulator support is
  vulnerable to an infinite loop issue. It could occur while receiving
  packets via pcnet_receive().

  A privileged user/process inside guest could use this issue to crash
  the Qemu process on the host leading to DoS.

CVE-2016-8909

  Quick Emulator(Qemu) built with the Intel HDA controller emulation support
  is vulnerable to an infinite loop issue. It could occur while processing the
  DMA buffer stream while doing data transfer in 'intel_hda_xfer'.

  A privileged user inside guest could use this flaw to consume excessive CPU
  cycles on the host, resulting in DoS.

CVE-2016-8910

  Quick Emulator(Qemu) built with the RTL8139 ethernet controller emulation
  support is vulnerable to an infinite loop issue. It could occur while
  transmitting packets in C+ mode of operation.

  A privileged user inside guest could use this flaw to consume
  excessive CPU cycles on the host, resulting in DoS situation.

CVE-2016-9101

  Quick Emulator (Qemu) built with the i8255x (PRO100) NIC emulation
  support is vulnerable to a memory leakage issue. It could occur while
  unplugging the device, and doing so repeatedly would result in leaking
  host memory, affecting other services on the host.

  A privileged user inside guest could use this flaw to cause a DoS on the host
  and/or potentially crash the Qemu process on the host.

CVE-2016-9102 CVE-2016-9105 CVE-2016-9106

  Quick Emulator (Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System (9pfs) support, is vulnerable to several memory
  leakage issues.

  A privileged user inside the guest could use these flaws to leak host
  memory bytes, resulting in DoS for other services.

CVE-2016-9104

  Quick Emulator (Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System (9pfs) support, is vulnerable to an integer overflow
  issue. It could occur when accessing xattribute values.

  A privileged user inside the guest could use this flaw to crash the Qemu
  process instance, resulting in DoS.

CVE-2016-9103

  Quick Emulator (Qemu) built with the VirtFS, host directory sharing via
  Plan 9 File System (9pfs) support, is vulnerable to an information
  leakage issue. It could occur when accessing an xattribute value before
  it has been written to.

  A privileged user inside the guest could use this flaw to leak host memory
  bytes.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u18.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 641-1] ruby-activesupport-3.2 security update

2016-09-30 Thread Guido Günther
Package: ruby-activesupport-3.2
Version: 3.2_3.2.6-6+deb7u3
CVE ID : CVE-2016-0753

Active Support in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before
4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level
writers for class accessors, which allows remote attackers to bypass
intended validation steps via crafted parameters.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2_3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-activesupport-3.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 604-1] ruby-actionpack-3.2 security update

2016-08-28 Thread Guido Günther

Package: ruby-actionpack-3.2
Version: 3.2.6-6+deb7u3
CVE ID : CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-2097 
 CVE-2016-2098 CVE-2016-6316

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a
web-flow and rendering framework and part of Rails:

CVE-2015-7576

  A flaw was found in the way the Action Controller component compared
  user names and passwords when performing HTTP basic
  authentication. Time taken to compare strings could differ depending
  on input, possibly allowing a remote attacker to determine valid user
  names and passwords using a timing attack.

CVE-2016-0751

  A flaw was found in the way the Action Pack component performed MIME
  type lookups. Since queries were cached in a global cache of MIME
  types, an attacker could use this flaw to grow the cache indefinitely,
  potentially resulting in a denial of service.

CVE-2016-0752

  A directory traversal flaw was found in the way the Action View
  component searched for templates for rendering. If an application
  passed untrusted input to the 'render' method, a remote,
  unauthenticated attacker could use this flaw to render unexpected
  files and, possibly, execute arbitrary code.

CVE-2016-2097

  Crafted requests to Action View might result in rendering files from
  arbitrary locations, including files beyond the application's view
  directory. This vulnerability is the result of an incomplete fix of
  CVE-2016-0752.  This bug was found by Jyoti Singh and Tobias Kraze
  from Makandra.

CVE-2016-2098

  If a web application does not properly sanitize user input, an
  attacker might control the arguments of the render method in a
  controller or a view, resulting in the possibility of executing
  arbitrary Ruby code.  This bug was found by Tobias Kraze from
  Makandra and joernchen of Phenoelit.

CVE-2016-6316

  Andrew Carpenter of Critical Juncture discovered a cross-site
  scripting vulnerability affecting Action View. Text declared as "HTML
  safe" will not have quotes escaped when used as attribute values in
  tag helpers.
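The remedy for a timing side channel of the kind described under CVE-2015-7576 is to compare credentials in constant time. The following is an added example, not Rails' or Debian's code: it decodes an HTTP Basic header and checks both user name and password with a fixed-time, hash-then-XOR comparison (`secure_compare`, `parse_basic_header`, `basic_auth_ok?` and the credential values are this example's own constructions).

```ruby
require "openssl"

# Naive check: String#== stops at the first differing byte, so the time it
# takes leaks how long the matching prefix of a guess is.
def naive_equal?(expected, given)
  expected == given
end

# Constant-time check: hash both sides to a fixed 32-byte length (so the
# secret's length is not leaked either), XOR every byte pair and inspect the
# accumulated difference only after the loop. Same idea as Rack::Utils.secure_compare.
def secure_compare(expected, given)
  a = OpenSSL::Digest::SHA256.digest(expected.to_s)
  b = OpenSSL::Digest::SHA256.digest(given.to_s)
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decode an "Authorization: Basic <base64>" header into [user, password],
# or nil if it is not well-formed Basic auth.
def parse_basic_header(header)
  scheme, blob = header.to_s.split(" ", 2)
  return nil unless scheme && scheme.casecmp("basic").zero? && blob
  decoded = blob.unpack("m0").first rescue nil  # strict base64; bad input -> nil
  return nil unless decoded && decoded.include?(":")
  decoded.split(":", 2)
end

# Check both fields with the constant-time routine and combine the results
# with a non-short-circuiting AND, so a wrong user name costs the same time
# as a wrong password. expected_* are the configured credentials (constructed).
def basic_auth_ok?(header, expected_user, expected_password)
  creds = parse_basic_header(header)
  return false unless creds   # malformed header: nothing secret is compared
  user_ok = secure_compare(expected_user, creds[0])
  pass_ok = secure_compare(expected_password, creds[1])
  user_ok & pass_ok
end
```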

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 571-1] xen security update

2016-07-30 Thread Guido Günther

Package: xen
Version: 4.1.6.lts1-1
CVE ID : CVE-2014-3672 CVE-2016-3158 CVE-2016-3159 CVE-2016-3710 
 CVE-2016-3712 CVE-2016-3960 CVE-2016-4480 CVE-2016-6258
Debian Bug : 

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2014-3672 (XSA-180)

Andrew Sorensen discovered that an HVM domain can exhaust the host's
disk space by filling up the log file.

CVE-2016-3158, CVE-2016-3159 (XSA-172)

Jan Beulich from SUSE discovered that Xen does not properly handle
writes to the hardware FSW.ES bit when running on AMD64 processors.
A malicious domain can take advantage of this flaw to obtain address
space usage and timing information about another domain at a
fairly low rate.

CVE-2016-3710 (XSA-179)

Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
read and write flaw in the QEMU VGA module. A privileged guest user
could use this flaw to execute arbitrary code on the host with the
privileges of the hosting QEMU process.

CVE-2016-3712 (XSA-179)

Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
or out-of-bounds read access issues in the QEMU VGA module. A
privileged guest user could use this flaw to mount a denial of
service (QEMU process crash).

CVE-2016-3960 (XSA-173)

Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360
discovered an integer overflow in the x86 shadow pagetable code. An
HVM guest using shadow pagetables can cause the host to crash. A PV
guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, potentially leading to privilege
escalation.

CVE-2016-4480 (XSA-176)

Jan Beulich discovered that incorrect page table handling could
result in privilege escalation inside a Xen guest instance.

CVE-2016-6258 (XSA-182)

Jérémie Boutoille discovered that incorrect pagetable handling in
PV instances could result in guest to host privilege escalation.

Additionally, the following Xen Security Advisory without a CVE was fixed:

XSA-166

Konrad Rzeszutek Wilk and Jan Beulich discovered that ioreq handling
is possibly susceptible to a multiple-read issue.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-1.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 518-1] mozilla-devscripts security update

2016-06-17 Thread Guido Günther

Package: mozilla-devscripts
Version: 0.32+deb7u1
Debian Bug : 825508

In preparation for the upcoming switch to Icedove 45, the
mozilla-devscripts package was updated to generate correct
dependencies for rebuilt extensions.

For Debian 7 "Wheezy", these problems have been fixed in version
0.32+deb7u1.

In case you build mozilla extensions we recommend that you upgrade your
mozilla-devscripts packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 472-2] icedove regression update

2016-05-18 Thread Guido Günther

Package: icedove
Version: 31.8.0-1~deb7u1.1
CVE ID : CVE-2016-1979 CVE-2016-2805 CVE-2016-2807
Debian Bug : #823430

The security update for icedove did not build on armhf. This is resolved
by this upload.

The text of the original DLA follows:

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client. Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

For Debian 7 "Wheezy", this problem has been fixed in version
38.8.0-1~deb7u1.

We recommend that you upgrade your icedove packages.





[SECURITY] [DLA 340-1] krb5 security update

2015-11-07 Thread Guido Günther
Package: krb5
Version: 1.8.3+dfsg-4squeeze10
CVE ID : CVE-2015-2695 CVE-2015-2697

Several vulnerabilities were discovered in krb5, the MIT implementation
of Kerberos. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2015-2695

   It was discovered that applications which call gss_inquire_context()
   on a partially-established SPNEGO context can cause the GSS-API
   library to read from a pointer using the wrong type, leading to a
   process crash.

CVE-2015-2697

   It was discovered that the build_principal_va() function incorrectly
   handles input strings. An authenticated attacker can take advantage
   of this flaw to cause a KDC to crash using a TGS request with a
   large realm field beginning with a null byte.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 1.8.3+dfsg-4squeeze10.

We recommend that you upgrade your krb5 packages.





[SECURITY] [DLA 315-1] nss security update

2015-09-27 Thread Guido Günther
Package: nss
Version: 3.12.8-1+squeeze12
CVE ID : CVE-2015-2721 CVE-2015-2730

Several vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2015-2721

Karthikeyan Bhargavan discovered that NSS incorrectly handles state
transitions for the TLS state machine. A man-in-the-middle attacker
could exploit this flaw to skip the ServerKeyExchange message and
remove the forward-secrecy property.

CVE-2015-2730

Watson Ladd discovered that NSS does not properly perform Elliptic
Curve Cryptography (ECC) multiplication, allowing a remote attacker
to potentially spoof ECDSA signatures.

For the oldoldstable distribution (squeeze), these problems have been fixed
in version 3.12.8-1+squeeze12.

We recommend that you upgrade your nss packages.




[SECURITY] [DLA 316-1] eglibc security update

2015-09-27 Thread Guido Günther
Package: eglibc
Version: 2.11.3-4+deb6u7
CVE ID : CVE-2014-8121
Bug-Reference  : 779587

Several vulnerabilities have been discovered in eglibc that
may lead to a privilege escalation or denial of service.

Glibc pointer guarding weakness

   A weakness in the dynamic loader has been found.  The issue is
   that LD_POINTER_GUARD in the environment is not sanitized,
   allowing local attackers to easily bypass the pointer guarding
   protection on set-user-ID and set-group-ID programs.

Potential application crash due to overread in fnmatch

   When processing certain malformed patterns, fnmatch can skip over the
   NUL byte terminating the pattern.  This can potentially result in an
   application crash if fnmatch hits an unmapped page before
   encountering a NUL byte.

_IO_wstr_overflow integer overflow

   A miscalculation in _IO_wstr_overflow could potentially be exploited
   to overflow a buffer.

CVE-2014-8121

   DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS)
   in GNU C Library (aka glibc or libc6) 2.21 and earlier does not
   properly check if a file is open, which allows remote attackers to
   cause a denial of service (infinite loop) by performing a look-up
   while the database is being iterated over, which triggers the
   file pointer to be reset.


For the oldoldstable distribution (squeeze), these problems have been fixed
in version 2.11.3-4+deb6u7.

We recommend that you update your packages.


[SECURITY] [DLA 282-1] lighttpd security update

2015-07-25 Thread Guido Günther
Package: lighttpd
Version: 1.4.28-2+squeeze1.7
CVE ID : CVE-2014-3566
Debian Bug : #765702

This update makes it possible to disable SSLv3 in lighttpd in order to protect
against the POODLE attack. SSLv3 is now disabled by default and can be
re-enabled (if needed) using the ssl.use-sslv3 option.




[SECURITY] [DLA 253-1] libwmf security update

2015-06-26 Thread Guido Günther
Package: libwmf
Version: 0.2.8.4-6.2+deb6u1
CVE ID : CVE-2015-0848 CVE-2015-4588
Debian Bug : #787644

The following vulnerabilities were discovered in the Windows Metafile
conversion library when reading BMP images embedded into WMF files:

CVE-2015-0848

A heap overflow when decoding embedded BMP images that don't use 8 bits per
pixel.

CVE-2015-4588

A missing check in the RLE decoding of embedded BMP images.

We recommend that you update your libwmf packages.




[SECURITY] [DLA 254-1] librack-ruby security update

2015-06-26 Thread Guido Günther
Package: librack-ruby
Version: 1.1.0-4+squeeze3
CVE ID : CVE-2015-3225

There is a potential denial of service vulnerability in Rack, a modular
Ruby webserver interface.

Carefully crafted requests can cause a `SystemStackError`, resulting in a
denial of service, by exploiting the lack of a sensible depth check
when normalizing parameters.
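The depth check referred to above, as an added example rather than Rack's own code: a nested-parameter parser that rejects keys nesting deeper than a constructed limit (`MAX_PARAM_DEPTH`, 32 here) instead of building structures until `SystemStackError`; the function and error names are this example's own.

```ruby
require "uri"

# Constructed limit for this example.
MAX_PARAM_DEPTH = 32

class ParamsTooDeepError < StandardError; end
class ParamsTypeError < StandardError; end

# Split a bracketed key such as "user[roles][]" into ["user", "roles", ""].
# Each bracket pair is one nesting level; a trailing empty segment means
# "append to a list".
def key_path(key)
  name, rest = key.split("[", 2)
  path = [name.to_s]
  path.concat(rest.scan(/([^\[\]]*)\]/).flatten) if rest
  path
end

# Store `value` under `key` inside `params`, refusing keys that nest deeper
# than `max_depth` levels. Without such a bound a key with thousands of
# brackets makes the parser (and anything that later walks the result,
# e.g. a recursive encoder) recurse until Ruby raises SystemStackError.
def normalize_params(params, key, value, max_depth = MAX_PARAM_DEPTH)
  path = key_path(key)
  if path.length > max_depth
    raise ParamsTooDeepError, "#{key.inspect} nests #{path.length} levels, limit #{max_depth}"
  end
  node = params
  path.each_with_index do |segment, i|
    nxt = path[i + 1]
    if nxt.nil?                        # leaf: plain scalar value
      node[segment] = value
    elsif nxt == ""                    # "name[]": leaf is a list (lists of hashes not handled)
      list = (node[segment] ||= [])
      raise ParamsTypeError, "#{segment} is not a list" unless list.is_a?(Array)
      list << value
      break
    else                               # intermediate level: descend into a hash
      child = (node[segment] ||= {})
      raise ParamsTypeError, "#{segment} is not a hash" unless child.is_a?(Hash)
      node = child
    end
  end
  params
end

# Parse an application/x-www-form-urlencoded query string into nested params.
def parse_query(query, max_depth = MAX_PARAM_DEPTH)
  query.split("&").each_with_object({}) do |pair, params|
    next if pair.empty?
    k, v = pair.split("=", 2).map { |s| URI.decode_www_form_component(s) }
    normalize_params(params, k, v || "", max_depth)
  end
end
```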

We recommend that you update your librack-ruby packages.




[SECURITY] [DLA 237-1] mercurial security update

2015-06-04 Thread Guido Günther
Package: mercurial
Version: 1.6.4-1+deb6u1
CVE ID : CVE-2014-9390 CVE-2014-9462

CVE-2014-9462

Jesse Hertz of Matasano Security discovered that Mercurial, a
distributed version control system, is prone to a command injection
vulnerability via a crafted repository name in a clone command.

CVE-2014-9390

This is a security vulnerability that affects Mercurial repositories on a
case-insensitive filesystem (e.g. VFAT or HFS+).  It allows for remote
code execution via a specially crafted repository.  This is less
severe for the average Debian installation, as such systems are usually set
up with case-sensitive filesystems.



