
The following updates have been released for Debian 7 LTS:

[DLA 648-1] c-ares security update
[DLA 647-1] freeimage security update
[DLA 649-1] python-django security update

[DLA 648-1] c-ares security update

Package : c-ares
Version : 1.9.1-3+deb7u1
CVE ID : CVE-2016-5180
Debian Bug : 839151

Gzob Qq discovered that the query-building functions in c-ares, an
asynchronous DNS request library, would not correctly process crafted
query names, resulting in a heap buffer overflow and potentially
leading to arbitrary code execution.

For Debian 7 "Wheezy", this problem has been fixed in version
1.9.1-3+deb7u1.

We recommend that you upgrade your c-ares packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 647-1] freeimage security update

Package : freeimage
Version : 3.15.1-1.1+deb7u1
CVE ID : CVE-2016-5684
Debian Bug : 839827

It was discovered that there was an out-of-bounds write vulnerability in the
XMP image handling functionality in freeimage, a support library for various
graphics image formats. A specially crafted XMP file can cause an arbitrary
memory overwrite resulting in code execution.

For Debian 7 "Wheezy", this issue has been fixed in freeimage version
3.15.1-1.1+deb7u1.

We recommend that you upgrade your freeimage packages.

[DLA 649-1] python-django security update

Package : python-django
Version : 1.4.22-1+deb7u1
CVE ID : CVE-2016-7401

It was discovered that there was a possible CSRF protection bypass on sites
that use Google Analytics in python-django, a high-level Python web
development framework.

More information can be found in the upstream announcement:

https://www.djangoproject.com/weblog/2016/sep/26/security-releases/

For Debian 7 "Wheezy", this issue has been fixed in python-django version
1.4.22-1+deb7u1.

We recommend that you upgrade your python-django packages.