Debian 9844

Two for Debian 7 LTS and one for Debian 8:

[DLA 485-1] extplorer security update
[DLA 486-1] imagemagick security update
[DSA 3585-1] wireshark security update

[DLA 485-1] extplorer security update

Package : extplorer
Version : 2.1.0b6+dfsg.3-4+deb7u3
CVE ID : CVE-2015-5660

This update fixes a security issue in extplorer. We recommend that you
upgrade your extplorer package.

* CVE-2015-5660
Cross-site request forgery (CSRF) vulnerability allows remote
attackers to hijack the authentication of arbitrary users for
requests that execute PHP code.

Further information about Debian LTS security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 486-1] imagemagick security update

Package : imagemagick
Version : 8:6.7.7.10-5+deb7u5
CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
CVE-2016-3718
Debian Bug : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of lack of sanitization of untrusted input. An
attacker with control on the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make
HTTP GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715),
move (CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if ImageMagick processes
images coming from remote parties, for example as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via the /etc/ImageMagick/policy.xml file. In
addition, we introduce extra preventions, including some sanitization of
input filenames in the http/https delegates, the complete removal of the
PLT/Gnuplot decoder, and a requirement that the insecure coders be
referenced explicitly in the filename.
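The policy entries this update relies on, written out as an added illustration (this is a constructed fragment in ImageMagick's policy.xml format, not the file shipped in the deb7u5 package). Each "coder" entry denies all rights to one of the coders named above, and the "path" entry blocks indirect reads of the form @filename:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)+>
  <!ELEMENT policy (#PCDATA)>
  <!ATTLIST policy domain (coder|path) #IMPLIED>
  <!ATTLIST policy rights CDATA #IMPLIED>
  <!ATTLIST policy pattern CDATA #IMPLIED>
]>
<policymap>
  <!-- Coders listed in DLA 486-1: deny read, write and execute so that
       crafted image input cannot reach them (CVE-2016-3714 and friends). -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- Indirect reads: refuse any filename argument beginning with "@",
       which would otherwise make ImageMagick read the named local file. -->
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
```

After installing or editing a policy, `convert -list policy` prints the entries ImageMagick has actually loaded, which is the quickest way to confirm the restrictions are in effect on a given host.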

For wheezy (Debian 7 LTS), these problems have been fixed in version
8:6.7.7.10-5+deb7u5.

We recommend that you upgrade your imagemagick packages.

[DSA 3585-1] wireshark security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3585-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 22, 2016                            https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2016-4006 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081
CVE-2016-4082 CVE-2016-4085

Multiple vulnerabilities were discovered in the dissectors/parsers for
PKTC, IAX2, GSM CBCH and NCP which could result in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u6.

For the testing distribution (stretch), these problems have been fixed
in version 2.0.3+geed34f0-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.0.3+geed34f0-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/