Debian 9843 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 280-1] ghostscript security update
[DLA 281-1] expat security update
[DLA 282-1] lighttpd security update
[DSA 3316-1] openjdk-7 security update
[DSA 3317-1] lxc security update
[DSA 3318-1] expat security update



[DLA 280-1] ghostscript security update

Package : ghostscript
Version : 8.71~dfsg2-9+squeeze2
CVE ID : CVE-2015-3228
Debian Bug : 793489

In gs_heap_alloc_bytes(), add a sanity check to ensure we don't
overflow the variable holding the actual number of bytes we
allocate.

[DLA 281-1] expat security update

Package : expat
Version : 2.0.1-7+squeeze2
CVE ID : CVE-2015-1283

Multiple integer overflows in the XML_GetBuffer function in Expat
through 2.1.0, as used in Google Chrome before 44.0.2403.89 and
other products, allow remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other
impact via crafted XML data, a related issue to CVE-2015-2716.

[DLA 282-1] lighttpd security update

Package : lighttpd
Version : 1.4.28-2+squeeze1.7
CVE ID : CVE-2014-3566
Debian Bug : #765702

This update allows to disable SSLv3 in lighttpd in order to protect
against the POODLE attack. SSLv3 is now disabled by default and can be
reenabled (if needed) using the ssl.use-sslv3 option.


[DSA 3316-1] openjdk-7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3316-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 25, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2014-8873 CVE-2015-0460 CVE-2015-0469 CVE-2015-0470
CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488
CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7u79-2.5.6-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 7u79-2.5.6-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7u79-2.5.6-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3317-1] lxc security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3317-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 25, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lxc
CVE ID : CVE-2015-1331 CVE-2015-1334
Debian Bug : 793298

Several vulnerabilities have been discovered in LXC, the Linux
Containers userspace tools. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2015-1331

Roman Fiedler discovered a directory traversal flaw in LXC when
creating lock files. A local attacker could exploit this flaw to
create an arbitrary file as the root user.

CVE-2015-1334

Roman Fiedler discovered that LXC incorrectly trusted the
container's proc filesystem to set up AppArmor profile changes and
SELinux domain transitions. A malicious container could create a
fake proc filesystem and use this flaw to run programs inside the
container that are not confined by AppArmor or SELinux.

For the stable distribution (jessie), these problems have been fixed in
version 1:1.0.6-6+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1:1.0.7-4.

For the unstable distribution (sid), these problems have been fixed in
version 1:1.0.7-4.

We recommend that you upgrade your lxc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3318-1] expat security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3318-1 security@debian.org
https://www.debian.org/security/ Laszlo Boszormenyi (GCS)
July 26, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : expat
CVE ID : CVE-2015-1283
Debian Bug : 793484

Multiple integer overflows have been discovered in Expat, an XML parsing
C library, which may result in denial of service or the execution of
arbitrary code if a malformed XML file is processed.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.1.0-1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.0-6+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.0-7.

We recommend that you upgrade your expat packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/