Debian 9858 Published by

The following updates have been released for Debian:

[DLA 708-1] mysql-5.5 security update
[DLA-709-1] postgresql-9.1 update
[DSA 3716-1] firefox-esr security update



[DLA 708-1] mysql-5.5 security update

Package : mysql-5.5
Version : 5.5.53-0+deb7u1
CVE ID : CVE-2016-5584 CVE-2016-7440
Debian Bug : 841050

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.53, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

* https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
* http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Also note that the packaging will now create /var/lib/mysql-files, as the
server will now by default restrict all import/export operations to
this directory. This can be changed using the secure-file-priv
configuration option.
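The option file fragment below is added here to illustrate the secure-file-priv setting the advisory refers to; it is not part of the advisory or of the Debian mysql-5.5 packaging. It assumes the Debian layout in which /etc/mysql/my.cnf includes /etc/mysql/conf.d/, and it shows the weak (unrestricted) value, the hardened directory value that 5.5.53 now uses by default, and the NULL value that disables file import/export entirely.

```ini
# Example option-file fragment (illustration only; not shipped by Debian).
# Place it in /etc/mysql/conf.d/ (assumed include directory) or merge it
# into my.cnf, then restart mysqld for the change to take effect.
[mysqld]

# Weak setting: an empty value lifts the restriction, so LOAD DATA INFILE,
# SELECT ... INTO OUTFILE and LOAD_FILE() may read or write any path the
# mysqld process account can reach. Leave this commented out.
# secure-file-priv =

# Hardened setting (the 5.5.53 default described in the advisory): confine
# every import/export operation to one directory that only the mysql
# service account owns and can write to.
secure-file-priv = /var/lib/mysql-files

# Alternative for servers that never need file import/export at all:
# NULL disables these operations outright.
# secure-file-priv = NULL
```

After restarting, confirm the effective value from a client with `SHOW VARIABLES LIKE 'secure_file_priv';`: the result should name the directory (or NULL), while an empty value means the server is running unrestricted despite the upgrade.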

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.53-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA-709-1] postgresql-9.1 update

Package : postgresql-9.1
Version : 9.1.24-0+deb7u1

Several bugs were discovered in PostgreSQL, a relational database server
system. This update corrects various stability issues.

9.1.24 marks the end of life of the PostgreSQL 9.1 branch. No further
releases will be made by the PostgreSQL Global Development Group.

Users of PostgreSQL 9.1 should look into upgrading to a newer PostgreSQL
release. Options are:

* Upgrading to Debian 8 (Jessie), providing postgresql-9.4.

* The use of the apt.postgresql.org repository, providing packages for all
active PostgreSQL branches (9.2 up to 9.6 at the time of writing).

See https://wiki.postgresql.org/wiki/Apt for more information about the
repository.

A helper script to activate the repository is provided in
/usr/share/doc/postgresql-9.1/examples/apt.postgresql.org.sh.gz.

* In Debian, an LTS version of 9.1 is in planning that will cover the
lifetime of wheezy-lts. Updates will be made on a best-effort basis. Users
can take advantage of this, but should still consider upgrading to newer
PostgreSQL versions over the next months.

See https://wiki.debian.org/LTS for more information about Debian LTS.


[DSA 3716-1] firefox-esr security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3716-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 16, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297
CVE-2016-9064 CVE-2016-9066 CVE-2016-9074

Multiple security issues have been found in the Mozilla Firefox web
browser: multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
bypass of the same-origin policy. Also, a man-in-the-middle attack in
the addon update mechanism has been fixed.

For the stable distribution (jessie), these problems have been fixed in
version 45.5.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 45.5.0esr-1 and version 50.0-1 of the firefox source package.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/