Debian 9844 Published by

The following updates has been released for Debian 8:

[DSA 3651-1] rails security update
[DSA 3652-1] imagemagick security update
[DSA 3653-1] flex security update
[DSA 3654-1] quagga security update



[DSA 3651-1] rails security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3651-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rails
CVE ID : CVE-2016-6316
Debian Bug : 834155

Andrew Carpenter of Critical Juncture discovered a cross-site scripting
vulnerability affecting Action View in rails, a web application
framework written in Ruby. Text declared as "HTML safe" will not have
quotes escaped when used as attribute values in tag helpers.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.1.8-1+deb8u4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.2.7.1-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3652-1] imagemagick security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3652-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2016-4562 CVE-2016-4563 CVE-2016-4564 CVE-2016-5010
CVE-2016-5687 CVE-2016-5688 CVE-2016-5689 CVE-2016-5690
CVE-2016-5691 CVE-2016-5841 CVE-2016-5842 CVE-2016-6491
Debian Bugs : 832885 832887 832888 832968 833003 832474 832475 832464
832465 832467 832457 832461 832469 832482 832483 832504
832633 832776 832780 832787 832789 823750 832455 832478
832480 832506 832785 832793 832942 832944 832890 833044
833043 833042 831034 833099 833101 827643 833812 833744
833743 833735 833732 833730 834183 834501 834163 834504

This updates fixes many vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service or the execution of arbitrary code if
malformed TIFF, WPG, RLE, RAW, PSD, Sun, PICT, VIFF, HDR, Meta, Quantum,
PDB, DDS, DCM, EXIF, RGF or BMP files are processed.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3653-1] flex security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3653-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : flex
CVE ID : CVE-2016-6354
Debian Bug : 832768

Alexander Sulfrian discovered a buffer overflow in the
yy_get_next_buffer() function generated by Flex, which may result in
denial of service and potentially the execution of code if operating on
data from untrusted sources.

Affected applications need to be rebuild. bogofilter will be rebuild
against the updated flex in a followup update. Further affected
applications should be reported at the bug referenced above.

For the stable distribution (jessie), this problem has been fixed in
version 2.5.39-8+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.6.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.1-1.

We recommend that you upgrade your flex packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3654-1] quagga security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3654-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 26, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : quagga
CVE ID : CVE-2016-4036 CVE-2016-4049
Debian Bug : 822787 835223

Two vulnerabilities were discovered in quagga, a BGP/OSPF/RIP routing
daemon.

CVE-2016-4036

Tamás Németh discovered that sensitive configuration files in
/etc/quagga were world-readable despite containing sensitive
information.

CVE-2016-4049

Evgeny Uskov discovered that a bgpd instance handling many peers
could be crashed by a malicious user when requesting a route dump.

For the stable distribution (jessie), these problems have been fixed in
version 0.99.23.1-1+deb8u2.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/