Debian 9844

Three for both Debian 7 LTS and Debian 8:

[DLA 533-1] php5 security update
[DLA 534-1] libgd2 security update
[DLA 535-1] xerces-c security update
[DSA 3608-1] libreoffice security update
[DSA 3609-1] tomcat8 security update
[DSA 3610-1] xerces-c security update

[DLA 533-1] php5 security update

Package : php5
Version : 5.4.45-0+deb7u4
CVE ID : CVE-2016-5093 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096
PHP bugs : 70661 70728 70741 70480

* CVE-2016-5093.patch
Absence of null character causes unexpected zend_string length and
leaks heap memory. The test script uses locale_get_primary_language
to reach get_icu_value_internal but there are some other functions
that also trigger this issue:
locale_canonicalize, locale_filter_matches,
locale_lookup, locale_parse
* CVE-2016-5094.patch
don't create strings with lengths outside int range
* CVE-2016-5095.patch
similar to CVE-2016-5094
don't create strings with lengths outside int range
* CVE-2016-5096.patch
int/size_t confusion in fread
* CVE-TEMP-bug-70661.patch
bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
* CVE-TEMP-bug-70728.patch
bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
* CVE-TEMP-bug-70741.patch
bug70741: Session WDDX Packet Deserialization Type Confusion
Vulnerability
* CVE-TEMP-bug-70480-raw.patch
bug70480: php_url_parse_ex() buffer overflow read


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u4.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 534-1] libgd2 security update

Package : libgd2
Version : 2.0.36~rc1~dfsg-6.1+deb7u4
CVE ID : CVE-2016-5766

* CVE-2016-5766
Integer Overflow in _gd2GetHeader() resulting in heap overflow.

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.36~rc1~dfsg-6.1+deb7u4.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 535-1] xerces-c security update

Package : xerces-c
Version : 3.1.1-3+deb7u4
CVE ID : CVE-2016-4463
Debian Bug : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.1-3+deb7u4.

We recommend that you upgrade your xerces-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3608-1] libreoffice security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3608-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 29, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2016-4324

Aleksandar Nikolic discovered that missing input sanitising in the RTF
parser in Libreoffice may result in the execution of arbitrary code if
a malformed document is opened.

For the stable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u5.

For the testing distribution (stretch), this problem has been fixed
in version 1:5.1.4~rc1-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.1.4~rc1-1.

We recommend that you upgrade your libreoffice packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3609-1] tomcat8 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3609-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 29, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat8
CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 CVE-2016-3092

Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in information disclosure, the
bypass of CSRF protections, bypass of the SecurityManager or denial of
service.

For the stable distribution (jessie), these problems have been fixed in
version 8.0.14-1+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 8.0.36-1.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3610-1] xerces-c security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3610-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 29, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xerces-c
CVE ID : CVE-2016-4463
Debian Bug : 828990

Brandon Perry discovered that xerces-c, a validating XML parser library
for C++, fails to successfully parse a DTD that is deeply nested,
causing a stack overflow. A remote unauthenticated attacker can take
advantage of this flaw to cause a denial of service against applications
using the xerces-c library.

Additionally this update includes an enhancement to enable applications
to fully disable DTD processing through the use of an environment
variable (XERCES_DISABLE_DTD).

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u3.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
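Each advisory above names the package version in which the problem is fixed, and the practical question on a host is whether the installed version is at least that one. On Debian that check is `dpkg --compare-versions`; the example below is added here (it is not part of the digest or of Debian's own tooling) and reimplements dpkg's version-ordering rules in Python, then checks a constructed package listing against the fixed versions stated in these six advisories. The listing mimics the output of `dpkg-query -W -f='${source:Package}\t${Version}\n'`, which reports the source package name the advisories use; the sample lines are constructed, not captured from a real system. Where the same source package appears more than once (for example a stale co-installed architecture copy), the lowest version is kept so it gets flagged.

```python
"""Debian version ordering and a fixed-version check for the advisories on this page."""

# Fixed versions exactly as stated in the advisories above (source package -> version).
FIXED = {
    "wheezy": {
        "php5": "5.4.45-0+deb7u4",
        "libgd2": "2.0.36~rc1~dfsg-6.1+deb7u4",
        "xerces-c": "3.1.1-3+deb7u4",
    },
    "jessie": {
        "libreoffice": "1:4.3.3-2+deb8u5",
        "tomcat8": "8.0.14-1+deb8u2",
        "xerces-c": "3.1.1-5.1+deb8u3",
    },
}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    """Sort weight of one character as dpkg defines it:
    '~' sorts before everything (even end of string), then end of string,
    then letters, then every other non-digit character."""
    if not c or _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit and digit runs (dpkg's verrevcmp)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character weights until a digit (or the end) is reached on both sides.
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):
            return 1
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to '' (equal to '0')."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query(text):
    """Parse '<source package> <version>' lines; keep the lowest version per package."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        if pkg not in installed or compare_versions(ver, installed[pkg]) < 0:
            installed[pkg] = ver.strip()
    return installed


def needs_upgrade(installed, suite):
    """Packages from the advisories that are installed below their fixed version."""
    return sorted(pkg for pkg, fixed in FIXED[suite].items()
                  if pkg in installed and compare_versions(installed[pkg], fixed) < 0)


# Constructed sample of dpkg-query output for a Wheezy host (not captured from a real system).
SAMPLE_WHEEZY = """\
php5\t5.4.45-0+deb7u3
libgd2\t2.0.36~rc1~dfsg-6.1+deb7u4
xerces-c\t3.1.1-3+deb7u4
xerces-c\t3.1.1-3+deb7u2
"""

if __name__ == "__main__":
    for pkg in needs_upgrade(parse_dpkg_query(SAMPLE_WHEEZY), "wheezy"):
        print("upgrade needed:", pkg)
```

Run it as a script to see the sample host flagged for php5 and xerces-c but not libgd2; on a real host, pipe the dpkg-query command from the lead-in into `parse_dpkg_query` instead of the constructed sample. The tilde rule matters for these advisories: `1:5.1.4~rc1-1` sorts below `1:5.1.4-1`, so a release candidate is never mistaken for the final release.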