Debian 9843 Published by

The following Debian updates has been released:

[DLA 136-1] websvn security update
[DSA 3135-1] mysql-5.5 security update
[DSA 3136-1] polarssl security update
[DSA 3137-1] websvn security update



[DLA 136-1] websvn security update

Package : websvn
Version : 2.3.3-1+deb6u1
CVE ID : CVE-2013-6892
Debian Bug : 775682

James Clawson discovered that websvn, a web viewer for Subversion
repositories, would follow symlinks in a repository when presenting a
file for download. An attacker with repository write access could
thereby access any file on disk readable by the user the webserver
runs as.

[DSA 3135-1] mysql-5.5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3135-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
January 23, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382
CVE-2015-0411 CVE-2015-0432
Debian Bug : 775881

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.41. Please see the MySQL 5.5 Release Notes and Oracle's
Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-41.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.41-0+wheezy1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3136-1] polarssl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3136-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
January 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : polarssl
CVE ID : CVE-2015-1182
Debian Bug : 775776

A vulnerability was discovered in PolarSSL, a lightweight crypto and
SSL/TLS library. A remote attacker could exploit this flaw using
specially crafted certificates to mount a denial of service against an
application linked against the library (application crash), or
potentially, to execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.9-1~deb7u5.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your polarssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3137-1] websvn security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3137-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
January 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : websvn
CVE ID : CVE-2013-6892
Debian Bug : 775682

James Clawson discovered that websvn, a web viewer for Subversion
repositories, would follow symlinks in a repository when presenting a
file for download. An attacker with repository write access could
thereby access any file on disk readable by the user the webserver
runs as.

For the stable distribution (wheezy), this problem has been fixed in
version 2.3.3-1.1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.3.3-1.2.

We recommend that you upgrade your websvn packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/