Debian 9844 Published by

The following updates are available for Debian GNU/Linux:

[DLA 232-1] tomcat6 security update
[DLA 233-1] clamav security and upstream version update
[DSA 3274-1] virtualbox security update



[DLA 232-1] tomcat6 security update

Package : tomcat6
Version : 6.0.41-2+squeeze7
CVE ID : CVE-2014-0227 CVE-2014-0230 CVE-2014-7810
Debian Bug : 787010 785312 785316

The following vulnerabilities were found in Apache Tomcat 6:

CVE-2014-0227

The Tomcat security team identified that it was possible to conduct HTTP
request smuggling attacks or cause a DoS by streaming malformed data.

CVE-2014-0230

AntBean@secdig, from the Baidu Security Team, disclosed that it was
possible to cause a limited DoS by continuing to feed request data after
aborting an upload.

CVE-2014-7810

The Tomcat security team identified that malicious web applications could
bypass the Security Manager by the use of expression language.

For Debian 6 "Squeeze", these issues have been fixed in tomcat6 version
6.0.41-2+squeeze7.


[DLA 233-1] clamav security and upstream version update

Package : clamav
Version : 0.98.7+dfsg-0+deb6u1
CVE ID : CVE-2014-9328 CVE-2015-1461 CVE-2015-1462 CVE-2015-1463
CVE-2015-2170 CVE-2015-2221 CVE-2015-2222 CVE-2015-2668

Upstream published version 0.98.7. This update brings squeeze-lts to the
latest upstream release, in line with the approach used for other Debian
releases.

The changes are not strictly required for operation, but users of the previous
version in Squeeze may not be able to make use of all current virus signatures
and might get warnings.

The bug fixes that are part of this release include security fixes related
to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462,
CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, and CVE-2015-2668)
and several fixes to the embedded libmspack library, including a potential
infinite loop in the Quantum decoder (CVE-2014-9556).

If you use clamav, we strongly recommend that you upgrade to this version.


[DSA 3274-1] virtualbox security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3274-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 28, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : virtualbox
CVE ID : CVE-2015-3456

Jason Geffner discovered a buffer overflow in the emulated floppy
disk drive, potentially resulting in privilege escalation.

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.1.18-dfsg-2+deb7u5.

For the stable distribution (jessie), this problem has been fixed in
version 4.3.18-dfsg-3+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 4.3.28-dfsg-1.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
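A version check against the fixed versions quoted in the three advisories above, added here as an example and not part of Debian's advisories or tooling: it reimplements the version ordering defined by Debian Policy in Python (the same ordering `dpkg --compare-versions` applies) so it can be run against an inventory exported from a host that has no dpkg, and the FIXED table carries only the versions this page states; the suite and package names are inputs you supply.

```python
import re
# Debian policy ordering for non-digit segments: '~' sorts before everything
# (even end of string), then end of string, then letters, then other characters.
def _order(c):
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream_version or debian_revision string per Debian policy."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    """Split [epoch:]upstream_version[-debian_revision]; missing parts default to 0 / ''."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-")
    if not upstream:  # no hyphen at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1, ordering versions as `dpkg --compare-versions` does."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

# Fixed versions quoted in the three advisories above, keyed by (suite, package).
FIXED = {
    ("squeeze", "tomcat6"): "6.0.41-2+squeeze7",
    ("squeeze", "clamav"): "0.98.7+dfsg-0+deb6u1",
    ("wheezy", "virtualbox"): "4.1.18-dfsg-2+deb7u5",
    ("jessie", "virtualbox"): "4.3.18-dfsg-3+deb8u2",
    ("sid", "virtualbox"): "4.3.28-dfsg-1",
}

def is_vulnerable(suite, package, installed):
    """True if `installed` is older than the advisory's fix; None if no fix is listed."""
    fixed = FIXED.get((suite, package))
    return None if fixed is None else compare_versions(installed, fixed) < 0
```

Feed it (suite, package, version) triples built from `dpkg-query -W -f='${Package} ${Version}\n'` output plus the host's suite; a `True` result means the package is still below the version the advisory names.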