Debian 9844 Published by

The following updates for Debian 6 LTS has been released:

[DLA 88-1] ruby1.8 security update
[DLA 89-1] nss security update
[DLA 90-1] imagemagick security update



[DLA 88-1] ruby1.8 security update

Package : ruby1.8
Version : 1.8.7.302-2squeeze3
CVE ID : CVE-2011-0188 CVE-2011-2686 CVE-2011-2705 CVE-2011-4815
CVE-2014-8080 CVE-2014-8090

This update fixes multiple local and remote denial of service and remote code
execute problems:

CVE-2011-0188

Properly allocate memory, to prevent arbitrary code execution or application
crash. Reported by Drew Yao.

CVE-2011-2686

Reinitialize the random seed when forking to prevent CVE-2003-0900 like
situations.

CVE-2011-2705

Modify PRNG state to prevent random number sequence repeatation at forked
child process which has same pid. Reported by Eric Wong.

CVE-2011-4815

Fix a problem with predictable hash collisions resulting in denial of service
(CPU consumption) attacks. Reported by Alexander Klink and Julian Waelde.

CVE-2014-8080

Fix REXML parser to prevent memory consumption denial of service via crafted
XML documents. Reported by Willis Vandevanter.

CVE-2014-8090

Add REXML::Document#document to complement the fix for CVE-2014-8080.
Reported by Tomas Hoger.


[DLA 89-1] nss security update

Package : nss
Version : 3.12.8-1+squeeze10
CVE ID : CVE-2014-1544

In nss, a set of libraries designed to support cross-platform development
of security-enabled client and server applications, Tyson Smith and Jesse
Schwartzentruber discovered a use-after-free vulnerability that allows
remote attackers to execute arbitrary code by triggering the improper
removal of an NSSCertificate structure from a trust domain.

[DLA 90-1] imagemagick security update

Package : imagemagick
Version : 8:6.6.0.4-3+squeeze5
CVE ID : CVE-2014-8716
Debian Bug : 768494

Some special crafted JPEG file could lead to dos due to missing check in
embeded EXIF properties (EXIF directory offsets must be greater than 0).