Debian 9844 Published by

The following Debian 6 LTS updates has been released:

[DLA 229-1] libnokogiri-ruby security update
[DLA 230-1] eglibc security update
[DLA 231-1] dulwich security update



[DLA 229-1] libnokogiri-ruby security update

Package : libnokogiri-ruby
Version : 1.4.0-4+deb6u1
CVE ID : CVE-2012-6685

An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for
parsing HTML, XML, and SAX. Using external XML entities, a remote attacker
could specify a URL in a specially crafted XML that, when parsed, would
cause a connection to that URL to be opened.

This update enables the "nonet" option by default (and provides new
methods to disable default options if needed).

[DLA 230-1] eglibc security update

Package : eglibc
Version : 2.11.3-4+deb6u6
CVE ID : CVE-2015-1781

Arjun Shankar of Red Hat discovered that gethostbyname_r and related
functions compute the size of an input buffer incorrectly if the passed-in
buffer is misaligned. This results in a buffer overflow.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 2.11.3-4+deb6u6.

[DLA 231-1] dulwich security update

Package : dulwich
Version : 0.6.1-1+deb6u1
CVE ID : CVE-2015-0838

Ivan Fratric of the Google Security Team has found a buffer overflow in
the C implementation of the apply_delta() function, used when accessing
Git objects in pack files. An attacker could take advantage of this flaw
to cause the execution of arbitrary code with the privileges of the user
running a Git server or client based on Dulwich.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 0.6.1-1+deb6u1.