Debian 9858 Published by

The following updates has been just released:

[DLA 438-1] libebml security update
[DLA 441-1] pcre3 security update
[DLA 442-1] lxc security update
[DLA 443-1] bsh security update
[DSA 3495-1] xymon security update



[DLA 438-1] libebml security update

Package : libebml
Version : 0.7.7-3.1
CVE ID : CVE-2015-8790 CVE-2015-8791

Two security-related issues were fixed in libebml, a library for accessing the
EBML format:

CVE-2015-8790

The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3
allows context-dependent attackers to obtain sensitive information from
process heap memory via a crafted UTF-8 string, which triggers an invalid
memory access.

CVE-2015-8791

The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows
context-dependent attackers to obtain sensitive information from process
heap memory via a crafted length value in an EBML id, which triggers an
invalid memory access.

For Debian 6 "squeeze", these issues have been fixed in libebml version
0.7.7-3.1+deb6u1. We recommend you to upgrade your libebml packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[SECURITY] [DLA 441-1] pcre3 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package : pcre3
Version : 8.02-1.1+deb6u1
Debian Bug : 815921

HP's Zero Day Initiative has identified a vulnerability affecting the
pcre3 package. It was assigned ZDI id ZDI-CAN-3542. A CVE identifier has
not been assigned yet.

PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code
Execution Vulnerability.

PCRE did not validate that handling the (*ACCEPT) verb will occur within
the bounds of the cworkspace stack buffer, leading to a stack buffer
overflow.

For Debian 6 "Squeeze", these problems have been fixed in version
8.02-1.1+deb6u1.

We recommend that you upgrade your pcre3 packages.


[DLA 442-1] lxc security update

Package : lxc
Version : 0.7.2-1+deb6u1
CVE ID : CVE-2013-6441 CVE-2015-1335
Debian Bug : #800471

Brief introduction

CVE-2013-6441

The template script lxc-sshd used to mount itself as /sbin/init in the
container using a writable bind-mount.

This update resolved the above issue by using a read-only bind-mount
instead preventing any form of potentially accidental damage.


CVE-2015-1335

On container startup, lxc sets up the container's initial file system
tree by doing a bunch of mounting, guided by the container's configuration
file.

The container config is owned by the admin or user on the host, so we
do not try to guard against bad entries. However, since the mount
target is in the container, it's possible that the container admin
could divert the mount with symbolic links. This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.

This update implements a safe_mount() function that prevents lxc from
doing mounts onto symbolic links.

[DLA 443-1] bsh security update

Package : bsh
Version : 2.0b4-12+deb6u1
CVE ID : CVE-2016-2510

A remote code execution vulnerability was found in BeanShell, an
embeddable Java source interpreter with object scripting language
features.

CVE-2016-2510:
An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java
serialization or XStream to deserialize data from an untrusted
source. A vulnerable application could be exploited for remote
code execution, including executing arbitrary shell commands.


For Debian 6 "Squeeze", these problems have been fixed in version
2.0b4-12+deb6u1.

We recommend that you upgrade your bsh packages.


[DSA 3495-1] xymon security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3495-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
February 29, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xymon
CVE ID : CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2057
CVE-2016-2058

Markus Krell discovered that xymon, a network- and
applications-monitoring system, was vulnerable to the following
security issues:

CVE-2016-2054

The incorrect handling of user-supplied input in the "config"
command can trigger a stack-based buffer overflow, resulting in
denial of service (via application crash) or remote code execution.

CVE-2016-2055

The incorrect handling of user-supplied input in the "config"
command can lead to an information leak by serving sensitive
configuration files to a remote user.

CVE-2016-2056

The commands handling password management do not properly validate
user-supplied input, and are thus vulnerable to shell command
injection by a remote user.

CVE-2016-2057

Incorrect permissions on an internal queuing system allow a user
with a local account on the xymon master server to bypass all
network-based access control lists, and thus inject messages
directly into xymon.

CVE-2016-2058

Incorrect escaping of user-supplied input in status webpages can
be used to trigger reflected cross-site scripting attacks.

For the stable distribution (jessie), these problems have been fixed in
version 4.3.17-6+deb8u1.

We recommend that you upgrade your xymon packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/