Debian 9844 Published by

The following updates for Debian has been released:

[DLA 145-1] php5 security update
[DSA 3145-1] privoxy security update
[DSA 3146-1] requests security update
[DSA 3147-1] openjdk-6 security update
[DSA 3148-1] chromium-browser end of life



[DLA 145-1] php5 security update

Package : php5
Version : 5.3.3-7+squeeze24
CVE ID : CVE-2014-0237 CVE-2014-0238 CVE-2014-2270 CVE-2014-8117

Brief introduction

CVE-2014-0237

The cdf_unpack_summary_info function in cdf.c in the Fileinfo
component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows
remote attackers to cause a denial of service (performance
degradation) by triggering many file_printf calls.

CVE-2014-0238

The cdf_read_property_info function in cdf.c in the Fileinfo
component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows
remote attackers to cause a denial of service (infinite loop
or out-of-bounds memory access) via a vector that (1) has zero
length or (2) is too long.

CVE-2014-2270

softmagic.c in file before 5.17 and libmagic allows context
dependent attackers to cause a denial of service (out-of-bounds
memory access and crash) via crafted offsets in the softmagic
of a PE executable.

CVE-2014-8117

- Stop reporting bad capabilities after the first few.
- limit the number of program and section header number of sections
- limit recursion level


CVE-2015-TEMP (no official CVE number available yet)
- null pointer deference (PHP bugs: 68739 68740)
- out-of-bounds memory access (file bug: 398)
additional patches from CVE-2014-3478 added

[DSA 3145-1] privoxy security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3145-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : privoxy
CVE ID : CVE-2015-1381 CVE-2015-1382
Debian Bug : 776490

Multiple vulnerabilities were discovered in Privoxy, a privacy enhancing
HTTP proxy, which might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 3.0.19-2+deb7u2.

For the upcoming stable distribution (jessie), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 3.0.21-7.

We recommend that you upgrade your privoxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3146-1] requests security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3146-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
January 30, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : requests
CVE ID : CVE-2014-1829 CVE-2014-1830
Debian Bug : 733108

Jakub Wilk discovered that in requests, an HTTP library for the Python
language, authentication information was improperly handled when a
redirect occured. This would allow remote servers to obtain two
different types of sensitive information: proxy passwords from the
Proxy-Authorization header (CVE-2014-1830), or netrc passwords from
the Authorization header (CVE-2014-1829).

For the stable distribution (wheezy), this problem has been fixed in
version 0.12.1-1+deb7u1.

For the upcoming stable distribution (jessie) and unstable
distribution (sid), this problem has been fixed in version 2.3.0-1.

We recommend that you upgrade your requests packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3147-1] openjdk-6 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3147-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 30, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-6
CVE ID : CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591
CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395
CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, information disclosure or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 6b34-1.13.6-1~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3148-1] chromium-browser end of life

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3148-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
January 31, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser

Security support for the chromium web browser is now discontinued
for the stable distribution (wheezy). Chromium upstream stopped
supporting wheezy's build environment (gcc 4.7, make, etc.), so
there is no longer any practical way to continue building security
updates.

Chromium users that desire continued security updates are encouraged
to upgrade early to the upcoming stable release (jessie), Debian 8.

An alternative is to switch to the iceweasel web browser, which will
continue to recieve security updates in wheezy for some time.

Note that until the official release happens, chromium package updates
for jessie may have a larger than usual delay due to possible bugs and
testing migration rules.

Also, there will be no more DSAs announcing chromium package updates
until jessie becomes officially released.

Instructions for upgrading from Debian 7 to 8 are available at:
https://www.debian.org/releases/jessie/amd64/release-notes/ch-upgrading.en.html

Media for installing Debian 8 from scratch are also available
(the release candidate media, jessie_di_rc1, are recommended):
http://www.debian.org/devel/debian-installer
http://cdimage.debian.org/cdimage/jessie_di_rc1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/