Debian 9843 Published by

Three new updates has been released for Debian 7 LTS and one for Debian 8:

[DLA 481-2] phpmyadmin regression update
[DLA 495-1] libtasn1-3 security update
[DLA 496-1] ruby-activerecord-3.2 security update
[DSA 3589-1] gdk-pixbuf security update



[DLA 481-2] phpmyadmin regression update

Package : phpmyadmin
Version : 4:3.4.11.1-2+deb7u4
CVE ID : CVE-2016-1927 CVE-2016-2038 CVE-2016-2039 CVE-2016-2040
CVE-2016-2041 CVE-2016-2045 CVE-2016-2560
Debian Bug : 825301

The previous security upload broke the search pages in phpMyAdmin. This
was caused by a broken patch applied to fix CVE-2016-2040.

For Debian 7 "Wheezy", these problems have been fixed in version
4:3.4.11.1-2+deb7u4.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 495-1] libtasn1-3 security update

Package : libtasn1-3
Version : 2.13-2+deb7u3
CVE ID : CVE-2016-4008

* CVE-2016-4008: infinite loop while parsing DER certificates
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1
before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag,
allows remote attackers to cause a denial of service
(infinite recursion) via a crafted certificate.

For Debian 7 "Wheezy", these problems have been fixed in version
2.13-2+deb7u3.

We recommend that you upgrade your libtasn1-3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 496-1] ruby-activerecord-3.2 security update

Package : ruby-activerecord-3.2
Version : 3.2.6-5+deb7u2
CVE ID : CVE-2015-7577
Debian Bug : N/A

CVE-2015-7577

activerecord/lib/active_record/nested_attributes.rb in Active Record
does not properly implement a certain destroy option, which allows
remote attackers to bypass intended change restrictions by leveraging
use of the nested attributes feature.

For Debian 7 "Wheezy", this problem have been fixed in version
3.2.6-5+deb7u2.

We recommend that you upgrade your ruby-activerecord-3.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3589-1] gdk-pixbuf security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3589-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 30, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gdk-pixbuf
CVE ID : CVE-2015-7552 CVE-2015-8875

Several vulnerabilities have been discovered in gdk-pixbuf, a toolkit
for image loading and pixel buffer manipulation. A remote attacker can
take advantage of these flaws to cause a denial-of-service against an
application using gdk-pixbuf (application crash), or potentially, to
execute arbitrary code with the privileges of the user running the
application, if a malformed image is opened.

For the stable distribution (jessie), these problems have been fixed in
version 2.31.1-2+deb8u5.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/