Debian 9844

The following security updates have been released for Debian:

[DLA 536-1] wget security update
[DLA 537-1] roundcube security update
[DLA 538-1] wireshark security update
[DSA 3611-1] libcommons-fileupload-java security update



[DLA 536-1] wget security update

Package : wget
Version : 1.13.4-3+deb7u3
CVE ID : CVE-2016-4971
Debian Bug : 827003

On a server redirect from HTTP to an FTP resource, wget trusted the HTTP
server and used the file name from the redirected URL as the destination
file name, so the redirecting server chose what was written locally.
This behaviour has been changed: a redirect from HTTP to FTP is now handled
like a redirect from HTTP to another HTTP resource, so the name from the
originally requested URL is used as the destination file. To keep the
previous behaviour the user must pass --trust-server-names.

For Debian 7 "Wheezy", these problems have been fixed in version
1.13.4-3+deb7u3.

We recommend that you upgrade your wget packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
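
To make the before/after rule concrete, here is a small Python model of the file-name choice the advisory describes. It is an added example and not wget's code: the URLs are constructed, the two function names are hypothetical labels for the old and the fixed behaviour, and the model ignores wget details such as --content-disposition and -O.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed URLs for the example: the user asks for report.pdf over HTTP and
# the server answers with a redirect to a resource under a different name.
REQUESTED_URL = "http://mirror.example.org/downloads/report.pdf"
REDIRECT_TO_FTP = "ftp://ftp.example.net/pub/other-name.bin"
REDIRECT_TO_HTTP = "http://cdn.example.org/files/other-name.bin"


def name_from_url(url: str) -> str:
    """Last path component of a URL; a bare directory or host becomes
    index.html (wget's default for HTTP). Simplified model, not wget's code."""
    name = posixpath.basename(urlsplit(url).path)
    return name or "index.html"


def destination_before_fix(requested: str, final: str,
                           trust_server_names: bool = False) -> str:
    """Behaviour DLA 536-1 describes for wget before 1.13.4-3+deb7u3
    (hypothetical function name).

    An HTTP -> HTTP redirect already kept the name from the requested URL
    unless --trust-server-names was given, but an HTTP -> FTP redirect took
    the name from the redirected URL, i.e. the HTTP server decided which
    file name is written in the current directory.
    """
    if trust_server_names or urlsplit(final).scheme == "ftp":
        return name_from_url(final)
    return name_from_url(requested)


def destination_after_fix(requested: str, final: str,
                          trust_server_names: bool = False) -> str:
    """Fixed behaviour: the redirect target's scheme no longer matters; only
    an explicit --trust-server-names lets the server's name through."""
    if trust_server_names:
        return name_from_url(final)
    return name_from_url(requested)


if __name__ == "__main__":
    for label, fn in (("before", destination_before_fix),
                      ("after", destination_after_fix)):
        print(f"{label:6} HTTP->FTP : {fn(REQUESTED_URL, REDIRECT_TO_FTP)}")
        print(f"{label:6} HTTP->HTTP: {fn(REQUESTED_URL, REDIRECT_TO_HTTP)}")
    print("after  --trust-server-names:",
          destination_after_fix(REQUESTED_URL, REDIRECT_TO_FTP, True))
```

The practical point of the fix: without --trust-server-names the local file name is always derived from the URL the user typed, so a redirecting server can no longer pick it. Pass the option only when you deliberately want the server's name, and in that case run wget in a directory where a server-chosen name cannot overwrite anything that matters.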

[DLA 537-1] roundcube security update

Package : roundcube
Version : 0.7.2-9+deb7u3
CVE ID : CVE-2015-8864

Roundcube, a webmail solution for IMAP servers, was susceptible to
cross-site scripting (XSS) vulnerabilities when handling SVG images.
When right-clicking on the download link of an attached image, it was
possible for JavaScript embedded in the SVG to be executed in a separate tab.

The update disables the display of SVG images in e-mails and tabs.
Downloading attachments is still possible. This security update also
mitigates other ways of exploiting this issue through SVG images
(CVE-2016-4068).

For Debian 7 "Wheezy", these problems have been fixed in version
0.7.2-9+deb7u3.

We recommend that you upgrade your roundcube packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
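
The following Python example is added here and is not Roundcube's code. It shows the two sides of the advisory: a scan that flags the script-capable constructs that turn an SVG attachment into an XSS vector when a webmail client renders it inline, and the response headers that implement the mitigation the update took, namely serving SVG for download rather than displaying it. The sample SVGs and the function names are constructed for the example; the Content-Security-Policy sandbox header is an extra hardening step beyond what the advisory describes.

```python
import xml.etree.ElementTree as ET

# Constructed samples: one SVG with three script-capable constructs, one plain drawing.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="5" cy="5" r="4" onclick="alert(1)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="1" y="1">click</text></a>
</svg>"""

CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'

# Raster formats a browser will not execute; everything else goes out as a download.
INLINE_SAFE_TYPES = ("image/png", "image/jpeg", "image/gif")


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix like '{http://...}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg: bytes) -> list:
    """Findings describing script-capable constructs in an SVG document.

    Denylist check: <script>, <foreignObject> (HTML inside SVG), on* event
    handlers and javascript: hrefs. Enough to recognise the attachment type the
    advisory talks about, not a proof that an SVG is safe to render inline,
    which is why the headers below never inline SVG at all.
    """
    findings = []
    # Standard-library parser; for mail from untrusted senders use defusedxml
    # so entity-expansion tricks cannot exhaust memory.
    root = ET.fromstring(svg)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def attachment_headers(content_type: str, filename: str) -> dict:
    """Response headers for serving a mail attachment (hypothetical helper).

    SVG (and any other non-raster type) is sent with Content-Disposition:
    attachment, which is the advisory's mitigation: the file is downloadable
    but never rendered in the webmail origin. nosniff stops the browser from
    second-guessing the declared type, and the CSP sandbox is defence in depth
    in case a download is opened in a tab anyway.
    """
    inline = content_type in INLINE_SAFE_TYPES
    disposition = "inline" if inline else "attachment"
    # Keep the file name from breaking out of the quoted parameter or the header line.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
    if not inline:
        headers["Content-Security-Policy"] = "sandbox"
    return headers


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_active_content(doc))
    print(attachment_headers("image/svg+xml", "picture.svg"))
```

The scan is useful for triage and detection (for example, flagging SVG attachments with script in mail logs), but the policy that actually closes the hole is the second function: treat SVG as a download, never as an image to display in the mail origin.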

[DLA 538-1] wireshark security update

Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u6~deb7u2
CVE ID : CVE-2016-5350 CVE-2016-5351 CVE-2016-5353
CVE-2016-5354 CVE-2016-5355 CVE-2016-5356
CVE-2016-5357 CVE-2016-5359


The following vulnerabilities have been discovered in Wheezy's
Wireshark version:

CVE-2016-5350

The SPOOLS dissector could go into an infinite loop

CVE-2016-5351

The IEEE 802.11 dissector could crash

CVE-2016-5353

The UMTS FP dissector could crash

CVE-2016-5354

Some USB dissectors could crash

CVE-2016-5355

The Toshiba file parser could crash

CVE-2016-5356

The CoSine file parser could crash

CVE-2016-5357

The NetScreen file parser could crash

CVE-2016-5359

The WBXML dissector could go into an infinite loop

For Debian 7 "Wheezy", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u6~deb7u2.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3611-1] libcommons-fileupload-java security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3611-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 30, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libcommons-fileupload-java
CVE ID : CVE-2016-3092

The TERASOLUNA Framework Development Team discovered a denial of service
vulnerability in Apache Commons FileUpload, a package that makes it easy
to add robust, high-performance file upload capability to servlets and
web applications. A remote attacker can take advantage of this flaw by
sending file upload requests that cause an HTTP server using the Apache
Commons FileUpload library to become unresponsive, preventing the server
from servicing other requests.

For the stable distribution (jessie), this problem has been fixed in
version 1.3.1-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.3.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.2-1.

We recommend that you upgrade your libcommons-fileupload-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/