
The following updates have been released for Debian:

[DLA 350-1] eglibc security update
[DLA 351-1] redmine security update
[DLA 352-1] libcommons-collections3-java security update
[DSA 3407-1] dpkg security update



[DLA 350-1] eglibc security update

Package : eglibc
Version : 2.11.3-4+deb6u8
CVE ID : not assigned yet
Debian Bug : 803927

The strxfrm() function is vulnerable to integer overflows when computing
memory allocation sizes (similar to CVE-2012-4412). Furthermore, since
it falls back to alloca() when malloc() fails, it is vulnerable to
stack-based buffer overflows (similar to CVE-2012-4424).

Those issues have been fixed in Debian 6 Squeeze with eglibc
2.11.3-4+deb6u8. We recommend that you upgrade libc6 and other
packages provided by eglibc.

[DLA 351-1] redmine security update

Package : redmine
Version : 1.0.1-2+deb6u11
CVE ID : CVE-2015-8346

It was discovered that there was a data disclosure vulnerability in
Redmine, a web-based bug and project management tool.

The time logging form could disclose subjects of issues that are not
visible/public. Patch by Holger Just.

For Debian 6 Squeeze, this issue has been fixed in redmine version
1.0.1-2+deb6u11.

[DLA 352-1] libcommons-collections3-java security update

Package : libcommons-collections3-java
Version : 3.2.1-4+deb6u1

The Apache Commons Collections library suffered from security issues that
expose applications accepting serialized objects from untrusted sources.
Remote attackers might take advantage of these issues to execute arbitrary
Java functions and even inject manipulated bytecode.

This release of libcommons-collections3-java prevents these issues by disabling
the deserialization of the functor classes, unless the system property
org.apache.commons.collections.enableUnsafeSerialization is set to 'true'.
Classes considered unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.

For Debian 6 "Squeeze", these problems have been fixed in
libcommons-collections3-java version 3.2.1-4+deb6u1. We recommend that you
upgrade your libcommons-collections3-java packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[DSA 3407-1] dpkg security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3407-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 26, 2015                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dpkg
CVE ID : CVE-2015-0860

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb
component of dpkg, the Debian package management system. This flaw could
potentially lead to arbitrary code execution if a user or an automated
system were tricked into processing a specially crafted Debian binary
package (.deb) in the old style Debian binary package format.

This update also includes updated translations and additional bug fixes.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.16.17.

For the stable distribution (jessie), this problem has been fixed in
version 1.17.26.

We recommend that you upgrade your dpkg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/