The following updates for Debian have been released:

[DLA 349-1] python-django security update
[DSA 3404-1] python-django security update
[DSA 3405-1] smokeping security update
[DSA 3406-1] nspr security update



[DLA 349-1] python-django security update

Package : python-django
Version : 1.2.3-3+squeeze15
CVE ID : CVE-2015-8213

It was discovered that there was a potential settings leak in the date
template filter of Django, a web-development framework.

If an application allows users to specify an unvalidated format for
dates and passes this format to the date filter, e.g.
{{ last_updated|date:user_date_format }}, then a malicious user
could obtain any secret in the application's settings by specifying
a settings key instead of a date format, e.g. "SECRET_KEY" instead
of "j/m/Y".

To remedy this, the underlying function used by the date template
filter, django.utils.formats.get_format(), now only allows accessing
the date/time formatting settings.
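
The lookup described above, as an added example: a simplified model written for this page, not Django's source code. The Settings values, the two-entry allowlist, the strftime-based formatter and the names get_format_unpatched / get_format_patched are assumptions made for illustration.

```python
# Simplified model of the settings lookup behind the date template filter.
# Not Django source; all values below are constructed for the example.
from datetime import date


class Settings:
    SECRET_KEY = "constructed-not-a-real-key"
    DATE_FORMAT = "%d/%m/%Y"        # stands in for Django's "j/m/Y"
    SHORT_DATE_FORMAT = "%d.%m.%y"


settings = Settings()

# Setting names that may be resolved as formats (illustrative subset).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT"})


def get_format_unpatched(format_type):
    """Pre-fix behaviour: any settings attribute name is resolved."""
    return getattr(settings, format_type, format_type)


def get_format_patched(format_type):
    """Post-fix behaviour: only date/time formatting settings are resolved."""
    if format_type not in FORMAT_SETTINGS:
        return format_type          # treated as a literal format string
    return getattr(settings, format_type)


def date_filter(value, arg, get_format):
    """Model of {{ value|date:arg }}; strftime replaces Django's formatter."""
    return value.strftime(get_format(arg))


if __name__ == "__main__":
    d = date(2015, 11, 25)
    for name, fn in (("unpatched", get_format_unpatched),
                     ("patched", get_format_patched)):
        # A legitimate format name, then a non-format settings key.
        print(name, date_filter(d, "DATE_FORMAT", fn),
              date_filter(d, "SECRET_KEY", fn))
```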

For Debian 6 Squeeze, this issue has been fixed in python-django
version 1.2.3-3+squeeze15.

[DSA 3404-1] python-django security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3404-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 25, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2015-8213

Ryan Butterfield discovered a vulnerability in the date template filter
in python-django, a high-level Python web development framework. A
remote attacker can take advantage of this flaw to obtain any secret in
the application's settings.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.4.5-1+deb7u14.

For the stable distribution (jessie), this problem has been fixed in
version 1.7.7-1+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1.8.7-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3405-1] smokeping security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3405-1 security@debian.org
https://www.debian.org/security/ Florian Weimer
November 25, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : smokeping
CVE ID : CVE-2015-0859

Tero Marttila discovered that the Debian packaging for smokeping
installed it in such a way that the CGI implementation of Apache httpd
(mod_cgi) passed additional arguments to the smokeping_cgi program,
potentially leading to arbitrary code execution in response to crafted
HTTP requests.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.6.8-2+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.6.9-1+deb8u1.

We recommend that you upgrade your smokeping packages.

[DSA 3406-1] nspr security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3406-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 25, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nspr
CVE ID : CVE-2015-7183

It was discovered that incorrect memory allocation in the Netscape
Portable Runtime library might result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2:4.9.2-1+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.10.7-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2:4.10.10-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.10.10-1.

We recommend that you upgrade your nspr packages.
