Debian 9858 Published by

The following new security updates are available for Debian GNU/Linux:

[DLA 405-1] tiff security update
[DLA 406-1] phpmyadmin security update
[DLA 407-1] prosody security update
[DLA 408-1] gosa security update
[DSA 3460-1] privoxy security update
[DSA 3461-1] freetype security update
[DSA 3462-1] radicale security update
[DSA 3463-1] prosody security update
[DSA 3464-1] rails security update



[DLA 405-1] tiff security update

Package : tiff
Version : 3.9.4-5+squeeze14
CVE ID : CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2015-8784
Debian Bug :

Several security flaws have been found and solved in libtiff, a
library that provides support for handling Tag Image File Format
(TIFF). These flaws concern out of bounds reads and writes in the
LogL16Decode, LogLuvDecode24, LogLuvDecode32, LogLuvDecodeTile,
LogL16Encode, LogLuvEncode24, LogLuvEncode32 and NeXTDecode functions.

These IDs were assigned for the problems: CVE-2015-8781,
CVE-2015-8782, CVE-2015-8783 and CVE-2015-8784.

For Debian 6 "Squeeze", these issues have been fixed in tiff version
3.9.4-5+squeeze14. We recommend that you upgrade your tiff packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[DLA 406-1] phpmyadmin security update

Package : phpmyadmin
Version : 4:3.3.7-11
CVE ID : CVE-2016-2039 CVE-2016-2041

Several flaws were discovered in the CSRF authentication code of
phpMyAdmin.

CVE-2016-2039

The XSRF/CSRF token is generated with a weak algorithm using
functions that do not return cryptographically secure values.

CVE-2016-2041

The comparison of the XSRF/CSRF token parameter with the value saved
in the session is vulnerable to timing attacks. Moreover, the
comparison could be bypassed if the XSRF/CSRF token matches a
particular pattern.


[DLA 407-1] prosody security update

Package : prosody
Version : 0.7.0-1squeeze1+deb6u2
CVE ID : CVE-2016-0756

The flaw allows a malicious server to impersonate the vulnerable domain
to any XMPP domain whose domain name includes the attacker's domain as a
suffix.

For example, 'bber.example' would be able to connect to 'jabber.example'
and successfully impersonate any vulnerable server on the network.

This release also fixes a regression introduced in the previous
CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only.
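The advisory names the symptom (a domain that is a suffix of the target can be used for impersonation) but not the mechanism. The following added example is not Prosody's code: it models one way such a suffix confusion arises, using an assumed dialback key derivation that concatenates stream id, 'to' and 'from' with no separator, beside a delimited HMAC variant, and provides a check a maintainer could run to confirm that a derivation cannot be confused in this way. All names and the secret are constructed.

```python
import hashlib
import hmac

# Constructed secret and identifiers for this illustration; none come from a real server.
SECRET = b"constructed-dialback-secret"
VULNERABLE = "victim.example"   # server that computes dialback keys with SECRET
TARGET = "jabber.example"       # receiving server the impersonation is aimed at
ATTACKER = "bber.example"       # a suffix of TARGET, as in the advisory's example
STREAM_ID = "D60000229F"        # stream id issued by TARGET


def key_ambiguous(stream_id: str, to: str, frm: str, secret: bytes) -> str:
    """Assumed model of the flaw class: fields are concatenated with no separator,
    so the hash cannot tell where the stream id ends and the 'to' domain begins."""
    return hashlib.sha256((stream_id + to + frm).encode() + secret).hexdigest()


def key_delimited(stream_id: str, to: str, frm: str, secret: bytes) -> str:
    """Hardened derivation: '|' cannot occur in a domain name, so splitting the
    message from the right recovers a unique (id, to, from); HMAC binds the secret."""
    message = "|".join((stream_id, to, frm)).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(presented: str, stream_id: str, to: str, frm: str, secret: bytes, derive) -> bool:
    """Authoritative-server check of a key presented for the (id, to, from) triple."""
    return hmac.compare_digest(presented, derive(stream_id, to, frm, secret))


def confusion_possible(derive) -> bool:
    """True if a key VULNERABLE computed for a stream it opened to ATTACKER (whose
    operator chooses that stream's id) also verifies as the key for a stream from
    VULNERABLE to TARGET. That is exactly the 'bber.example' vs 'jabber.example'
    case from the advisory; a sound derivation must return False here."""
    # The stream id is padded with the part of TARGET that precedes ATTACKER ("ja"),
    # so the unseparated concatenation id + to + from is byte-identical for both triples.
    shifted_id = STREAM_ID + TARGET[: -len(ATTACKER)]
    harvested = derive(shifted_id, ATTACKER, VULNERABLE, SECRET)
    return verify(harvested, STREAM_ID, TARGET, VULNERABLE, SECRET, derive)


if __name__ == "__main__":
    print("unseparated concatenation confusable:", confusion_possible(key_ambiguous))  # True
    print("delimited HMAC confusable:", confusion_possible(key_delimited))             # False
```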

[DLA 408-1] gosa security update

Package : gosa
Version : 2.6.11-3+squeeze5
CVE ID : CVE-2015-8771

GOsa is a combined system-administrator and end-user web interface,
designed to handle LDAP-based setups.

GOsa upstream reported a code injection vulnerability in the Samba plugin
code of GOsa. During Samba password changes it has been possible to
inject malicious Perl code.

This upload to Debian Squeeze LTS fixes this issue. However, if you
upgrade to this fixed package revision, please note that Samba password
changes will stop working until the sambaHashHook parameter in gosa.conf
has been updated to accept base64 encoded password strings from the PHP
code of GOsa.

Please read /usr/share/doc/gosa/NEWS.gz and the gosa.conf (5) man page
after you have upgraded to this package revision and adapt gosa.conf as
described there.

[DSA 3460-1] privoxy security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3460-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
January 30, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : privoxy
CVE ID : CVE-2016-1982 CVE-2016-1983

It was discovered that privoxy, a web proxy with advanced filtering
capabilities, contained invalid reads that could enable a remote
attacker to crash the application, thus causing a Denial of Service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 3.0.19-2+deb7u3.

For the stable distribution (jessie), these problems have been fixed in
version 3.0.21-7+deb8u1.

For the testing (stretch) and unstable (sid) distributions, these
problems have been fixed in version 3.0.24-1.

We recommend that you upgrade your privoxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 3461-1] freetype security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3461-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
January 30, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : freetype
CVE ID : CVE-2014-9674
Debian Bug : 777656

Mateusz Jurczyk discovered multiple vulnerabilities in
Freetype. Opening malformed fonts may result in denial of service or
the execution of arbitrary code.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.4.9-1.1+deb7u3.

We recommend that you upgrade your freetype packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3462-1] radicale security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3462-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
January 30, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : radicale
CVE ID : CVE-2015-8747 CVE-2015-8748
Debian Bug : 809920

Two vulnerabilities were fixed in radicale, a CardDAV/CalDAV server.

CVE-2015-8747

The multifilesystem storage backend (not configured by default and not
available on Wheezy) allows read and write access to arbitrary files
(still subject to the DAC permissions of the user the radicale server
is running as).

CVE-2015-8748

If an attacker is able to authenticate with a user name like `.*',
he can bypass read/write limitations imposed by regex-based rules,
including the built-in rules `owner_write' (read for everybody,
write for the calendar owner) and `owner_only' (read and write for
the calendar owner).
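The following added example (not radicale's code) shows why a user name of `.*' defeats regex-based rules when the login is interpolated into a collection pattern unescaped, and that escaping it with re.escape restores the intended owner-only write access. The rule format is modelled on radicale's rights file but is assumed here; the rules, logins and collection paths are constructed.

```python
import re

# Constructed rules in the style of a regex rights file (format assumed for this
# illustration): a 'user' regex, a 'collection' regex containing a %(login)s
# placeholder for the authenticated user, and the permission granted on a match.
RULES = [
    {"name": "owner_write", "user": r".+", "collection": r"^%(login)s(/.+)?$", "permission": "rw"},
    {"name": "authenticated", "user": r".+", "collection": r".*", "permission": "r"},
]


def permissions(login: str, path: str, escape_login: bool) -> str:
    """Return the permission string for `login` on collection `path`.

    escape_login=False interpolates the raw login into the collection regex
    (the flaw class described in CVE-2015-8748): a login of '.*' turns
    '^%(login)s(/.+)?$' into '^.*(/.+)?$', which matches every collection.
    escape_login=True inserts re.escape(login), so the same login can only
    ever match a collection literally named '.*'.
    """
    inserted = re.escape(login) if escape_login else login
    for rule in RULES:                       # first matching rule wins
        collection_re = rule["collection"].replace("%(login)s", inserted)
        if re.match(rule["user"], login) and re.match(collection_re, path):
            return rule["permission"]
    return ""                                # no rule matched: no access


def can_write(login: str, path: str, escape_login: bool) -> bool:
    return "w" in permissions(login, path, escape_login)


if __name__ == "__main__":
    for login in ("alice", "bob", ".*"):
        for escaped in (False, True):
            print(f"{login!r:8} escaped={escaped!s:5} alice/calendar.ics ->",
                  permissions(login, "alice/calendar.ics", escaped) or "none")
```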

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.7-1.1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 0.9-1+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 1.1.1-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.1-1.

We recommend that you upgrade your radicale packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3463-1] prosody security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3463-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 31, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : prosody
CVE ID : CVE-2016-0756

It was discovered that insecure handling of dialback keys may allow
a malicious XMPP server to impersonate another server.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.8.2-4+deb7u4.

For the stable distribution (jessie), this problem has been fixed in
version 0.9.7-2+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.10-1.

We recommend that you upgrade your prosody packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3464-1] rails security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3464-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 31, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : rails
CVE ID : CVE-2015-3226 CVE-2015-3227 CVE-2015-7576 CVE-2015-7577
CVE-2015-7581 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753

Multiple security issues have been discovered in the Ruby on Rails web
application development framework, which may result in denial of service,
cross-site scripting, information disclosure or bypass of input
validation.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.8-1+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.2.5.1-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/