Debian 9844 Published by

The following updates for Debian GNU/Linux are available:

[DLA 347-1] putty security update
[DSA 3402-1] symfony security update
[DSA 3403-1] libcommons-collections3-java security update



[DLA 347-1] putty security update

Package        : putty
Version        : 0.60+2010-02-20-1+squeeze4
CVE ID         : CVE-2015-5309

It was discovered that PuTTY's terminal emulator did not properly
validate the parameter to the ECH (erase characters) control sequence,
allowing a denial of service and possibly remote code execution.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 0.60+2010-02-20-1+squeeze4.

For the oldstable (wheezy) and stable (jessie) distributions, this
problem will be fixed soon.

[DSA 3402-1] symfony security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3402-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : symfony
CVE ID : CVE-2015-8124 CVE-2015-8125

Several vulnerabilities have been discovered in symfony, a framework to
create websites and web applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2015-8124

The RedTeam Pentesting GmbH team discovered a session fixation
vulnerability within the "Remember Me" login feature, allowing an
attacker to impersonate the victim towards the web application if
the session id value was previously known to the attacker.

CVE-2015-8125

Several potential remote timing attack vulnerabilities were
discovered in classes from the Symfony Security component and in the
legacy CSRF implementation from the Symfony Form component.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.7+dfsg-1.

We recommend that you upgrade your symfony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3403-1] libcommons-collections3-java security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3403-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libcommons-collections3-java

This update backports changes from the commons-collections 3.2.2 release
which disable the deserialisation of the functors classes unless the
system property org.apache.commons.collections.enableUnsafeSerialization
is set to 'true'. This fixes a vulnerability in unsafe applications
deserialising objects from untrusted sources without sanitising the
input data. Classes considered unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.2.1-5+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 3.2.1-7+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 3.2.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.2-1.

We recommend that you upgrade your libcommons-collections3-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/