Debian 9859 Published by

The following updates have been released for Debian:

[DLA 549-1] ruby-eventmachine security update
[DSA 3619-1] libgd2 security update
[DSA 3620-1] pidgin security update



[DLA 549-1] ruby-eventmachine security update

Package : ruby-eventmachine
Version : 0.12.10-3+deb7u1
Debian Bug : 678512 696015

EventMachine, a Ruby network engine, could be crashed by opening
a high number of parallel connections (>= 1024) towards a server
using the EventMachine engine. The crash happens because the file
descriptors overwrite the stack.

For Debian 7 "Wheezy", these problems have been fixed in version
0.12.10-3+deb7u1.

We recommend that you upgrade your ruby-eventmachine packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3619-1] libgd2 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3619-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 15, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libgd2
CVE ID : CVE-2016-5116 CVE-2016-5766 CVE-2016-6128 CVE-2016-6132
CVE-2016-6161 CVE-2016-6214
Debian Bug : 829014 829062 829694

Several vulnerabilities were discovered in libgd2, a library for
programmatic graphics creation and manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using the libgd2 library (application crash), or potentially
to execute arbitrary code with the privileges of the user running the
application.

For the stable distribution (jessie), these problems have been fixed in
version 2.1.0-5+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.2-29-g3c2b605-1 or earlier.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3620-1] pidgin security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3620-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 15, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pidgin
CVE ID : CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368
CVE-2016-2369 CVE-2016-2370 CVE-2016-2371 CVE-2016-2372
CVE-2016-2373 CVE-2016-2374 CVE-2016-2375 CVE-2016-2376
CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 CVE-2016-4323

Yves Younan of Cisco Talos discovered several vulnerabilities in the
MXit protocol support in pidgin, a multi-protocol instant messaging
client. A remote attacker can take advantage of these flaws to cause a
denial of service (application crash), overwrite files, disclose
information, or potentially execute arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 2.11.0-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 2.11.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.11.0-1.

We recommend that you upgrade your pidgin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
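As an added example (not part of the Debian advisories above), the following Python reimplements dpkg's version ordering and checks the three source packages named on this page against the fixed versions the advisories quote. The dpkg-query format string and the sample output are assumptions; because advisories name source packages, the check keys on `${source:Package}` rather than binary package names.

```python
FIXED = {  # source package -> fixed version, as quoted in the three advisories on this page
    "ruby-eventmachine": "0.12.10-3+deb7u1",  # DLA 549-1 (wheezy)
    "libgd2": "2.1.0-5+deb8u4",               # DSA 3619-1 (jessie)
    "pidgin": "2.11.0-0+deb8u1",              # DSA 3620-1 (jessie)
}

def _order(c):
    """Sort weight of one character, following dpkg's version comparison."""
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    if c == "~": return -1            # '~' sorts before everything, even end of string
    return ord(c) + 256 if c else 0   # other punctuation sorts after letters

def _verrevcmp(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")           # numeric part: drop leading zeros
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit(): return 1                  # the longer number is greater
        if b[:1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def dpkg_compare(v1, v2):
    """Return <0, 0 or >0 as 'dpkg --compare-versions' orders v1 against v2."""
    def split(v):  # -> (epoch, upstream_version, debian_revision)
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1); e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def still_vulnerable(query_output, fixed=FIXED):
    """Parse "dpkg-query -W -f '${source:Package} ${source:Version}\\n'" output; list unfixed."""
    unfixed = []
    for line in query_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if pkg in fixed and dpkg_compare(ver, fixed[pkg]) < 0:
            unfixed.append((pkg, ver, fixed[pkg]))
    return unfixed
# Constructed sample of dpkg-query output (assumed format); not taken from a real host.
SAMPLE = "libgd2 2.1.0-5+deb8u3\npidgin 2.11.0-0+deb8u1\nruby-eventmachine 0.12.10-3\n"
print(still_vulnerable(SAMPLE))  # two entries: libgd2 and ruby-eventmachine
```

On a real host, feed the output of the quoted dpkg-query command into still_vulnerable and upgrade anything it lists; an empty list means every package on this page is at or above its fixed version.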