Debian 9858 Published by

The following updates have been released for Debian:

[DLA 449-2] botan1.10 regression update
[DLA 464-1] libav security update
[DLA 465-1] debian-security-support update
[DSA 3574-1] libarchive security update



[DLA 449-2] botan1.10 regression update

Package : botan1.10
Version : 1.10.5-1+deb7u1
Debian Bug : 823297


The security update for botan1.10 caused a regression in monotone due
to an ABI change. In order to fix this issue, all reverse-dependencies
of botan1.10 have been rebuilt.

For Debian 7 "Wheezy", these problems have been fixed in

monotone 1.0-6+deb7u2
softhsm 1.3.3-2+deb7u1

We recommend that you upgrade both packages.



[DLA 464-1] libav security update


Package : libav
Version : 6:0.8.17-2+deb7u1
CVE ID : CVE-2014-9676

It was discovered that there was a use-after-free vulnerability in
libav, a multimedia player, server, encoder and transcoder library.

The seg_write_packet function in libavformat/segment.c in ffmpeg
2.1.4 and earlier does not free the correct memory location, which
allows remote attackers to cause a denial of service ("invalid
memory handler") and possibly execute arbitrary code via a crafted
video that triggers a use after free.

For Debian 7 Wheezy, this issue has been fixed in libav version
6:0.8.17-2+deb7u1.

We recommend that you upgrade your libav packages.

[DLA 465-1] debian-security-support update

Package : debian-security-support
Version : 2016.05.09+nmu1~deb7u1

It is not feasible to fully support some Debian packages throughout a release's
life cycle. The debian-security-support package provides the
check-support-status tool, which warns the administrator about installed
packages whose security support is limited or has to end prematurely.

For Debian 7 "Wheezy", debian-security-support version 2016.05.09+nmu1~deb7u1
updates the list of packages with restricted support in Wheezy LTS. In
particular, this version also adds a new feature that notifies the user about
upcoming end-of-life dates.

We recommend that you install debian-security-support and run
check-support-status to verify the status of installed packages. Please refer
to the check-support-status(1) man page for more information about how to
use it.


[DSA 3574-1] libarchive security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3574-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 10, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libarchive
CVE ID : CVE-2016-1541
Debian Bug : 823893

Rock Stevens, Andrew Ruef and Marcin 'Icewall' Noga discovered a
heap-based buffer overflow vulnerability in the zip_read_mac_metadata
function in libarchive, a multi-format archive and compression library,
which may lead to the execution of arbitrary code if a user or automated
system is tricked into processing a specially crafted ZIP file.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.2-11+deb8u1.

We recommend that you upgrade your libarchive packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/