
The following updates have been released for Debian GNU/Linux:

[DSA 3323-1] icu security update
[DSA 3324-1] icedove security update
[DSA 3325-1] apache2 security update



[DSA 3323-1] icu security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3323-1 security@debian.org
https://www.debian.org/security/ Laszlo Boszormenyi
August 01, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icu
CVE ID : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760
Debian Bug : 778511 784773

Several vulnerabilities were discovered in the International Components
for Unicode (ICU) library.

CVE-2014-8146

The Unicode Bidirectional Algorithm implementation does not properly
track directionally isolated pieces of text, which allows remote
attackers to cause a denial of service (heap-based buffer overflow)
or possibly execute arbitrary code via crafted text.

CVE-2014-8147

The Unicode Bidirectional Algorithm implementation uses an integer
data type that is inconsistent with a header file, which allows
remote attackers to cause a denial of service (incorrect malloc
followed by invalid free) or possibly execute arbitrary code via
crafted text.

CVE-2015-4760

The Layout Engine was missing multiple boundary checks. These could
lead to buffer overflows and memory corruption. A specially crafted
file could cause an application using ICU to parse untrusted font
files to crash and, possibly, execute arbitrary code.

Additionally, it was discovered that the patch applied to ICU in DSA-3187-1
for CVE-2014-6585 was incomplete, possibly leading to an invalid memory
access. This could allow remote attackers to disclose a portion of private
memory via crafted font files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.8.1.1-12+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 52.1-8+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 52.1-10.

For the unstable distribution (sid), these problems have been fixed in
version 52.1-10.

We recommend that you upgrade your icu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3324-1] icedove security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3324-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
August 01, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2015-2721 CVE-2015-2724 CVE-2015-2734 CVE-2015-2735
CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739
CVE-2015-2740 CVE-2015-4000

Multiple security issues have been found in Icedove, Debian's version
of the Mozilla Thunderbird mail client: multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code or denial of service. This update also
addresses a vulnerability in DHE key processing commonly known as
the "LogJam" vulnerability.

For the oldstable distribution (wheezy), these problems have been fixed
in version 31.8.0-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 31.8.0-1~deb8u1.

For the unstable distribution (sid), these problems will be fixed
shortly.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3325-1] apache2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3325-1 security@debian.org
https://www.debian.org/security/ Stefan Fritsch
August 01, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : apache2
CVE ID : CVE-2015-3183 CVE-2015-3185

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2015-3183

An HTTP request smuggling attack was possible due to a bug in
parsing of chunked requests. A malicious client could force the
server to misinterpret the request length, allowing cache poisoning
or credential hijacking if an intermediary proxy is in use.
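As an added illustration (not Apache's code, and not the fix described in this advisory), the following decoder shows the strict framing rules a front end can enforce so that it and a back-end proxy never disagree about where a chunked request ends: chunk sizes are plain hex digits only, truncated chunks and unterminated trailers are errors, and a request that carries both Transfer-Encoding and Content-Length is rejected outright. The 8-hex-digit limit is an assumed bound chosen so a chunk size can never overflow a 32-bit length.

```python
"""Strict decoder for HTTP/1.1 chunked request bodies: a front end enforcing these
rules cannot be made to disagree with a back end about where a request ends."""
import re

# chunk-size: 1-8 hex digits only; no sign, no whitespace, no value that overflows 32 bits
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,8}")

class ChunkError(ValueError):
    """Raised for any chunked framing that is malformed or ambiguous."""

def framing_is_unambiguous(headers) -> bool:
    """headers: list of (name, value) byte pairs. Per RFC 7230 section 3.3.3 a
    request carrying both Transfer-Encoding and Content-Length, or several differing
    Content-Length values, must be rejected rather than resolved by guessing."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.strip().lower(), []).append(value.strip().lower())
    te, cl = by_name.get(b"transfer-encoding", []), by_name.get(b"content-length", [])
    if (te and cl) or len(set(cl)) > 1:
        return False
    # when Transfer-Encoding is present, "chunked" must be the final coding applied
    return all(v.split(b",")[-1].strip() == b"chunked" for v in te)

def parse_chunked(body: bytes):
    """Decode a chunked body. Returns (decoded_bytes, offset_of_next_request) so the
    caller can see exactly which bytes this parser consumed."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("chunk-size line not CRLF-terminated")
        size_field = body[pos:eol].split(b";", 1)[0]  # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            raise ChunkError("invalid chunk size %r" % size_field)
        size, pos = int(size_field, 16), eol + 2
        if size == 0:
            # last-chunk: skip trailer fields up to the terminating empty line
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkError("unterminated trailer section")
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out), pos
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2
```

The returned offset is the point a pipelined next request would start at; two parsers that agree on it cannot be desynchronised by the body.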

CVE-2015-3185

A design error in the "ap_some_auth_required" function renders the
API unusable in apache2 2.4.x. This could lead to modules using
this API to allow access when they should otherwise not do so.
The fix backports the new "ap_some_authn_required" API from 2.4.16.
This issue does not affect the oldstable distribution (wheezy).


In addition, the updated package for the oldstable distribution (wheezy)
removes a limitation of the Diffie-Hellman (DH) parameters to 1024 bits.
This limitation may potentially allow an attacker with very large
computing resources, like a nation-state, to break DH key exchange by
precomputation. The updated apache2 package also makes it possible to
configure custom DH parameters. More information is contained in the
changelog.Debian.gz file.
These improvements were already present in the stable, testing, and
unstable distributions.


For the oldstable distribution (wheezy), these problems have been fixed
in version 2.2.22-13+deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 2.4.10-10+deb8u1.

For the testing distribution (stretch), these problems will be fixed
soon.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/