Debian 9858 Published by

The following updates has been released for Debian GNU/Linux: [SECURITY] [DSA 2701-1] krb5 security update, [SECURITY] [DSA 2700-1] wireshark security update, and [SECURITY] [DSA 2699-1] iceweasel security update



[SECURITY] [DSA 2701-1] krb5 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2701-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
May 29, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : krb5
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2002-2443
Debian Bug : 708267

It was discovered that the kpasswd service running on UDP port 464
could respond to response packets, creating a packet loop and a denial
of service condition.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.8.3+dfsg-4squeeze7.

For the stable distribution (wheezy), this problem has been fixed in
version 1.10.1+dfsg-5+deb7u1.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 1.10.1+dfsg-6.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2700-1] wireshark security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2700-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 02, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-3555 CVE-2013-3557 CVE-2013-3558 CVE-2013-3559
CVE-2013-3560 CVE-2013-3562

Multiple vulnerabilities were discovered in the dissectors for GTPv2,
ASN.1 BER, PPP CCP, DCP ETSI, MPEG DSM-CC and Websocket, which could
result in denial of service or the execution of arbitrary code.

The oldstable distribution (squeeze) is not affected.

For the stable distribution (wheezy), these problems have been fixed in
version 1.8.2-5wheezy3.

For the unstable distribution (sid), these problems have been fixed in
version 1.8.7-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2699-1] iceweasel security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2699-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 02, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceweasel
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-0773 CVE-2013-0775 CVE-2013-0776 CVE-2013-0780
CVE-2013-0782 CVE-2013-0783 CVE-2013-0787 CVE-2013-0788
CVE-2013-0793 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800
CVE-2013-0801 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675
CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679
CVE-2013-1680 CVE-2013-1681

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
missing input sanitising vulnerabilities, use-after-free vulnerabilities,
buffer overflows and other programming errors may lead to the execution
of arbitrary code, privilege escalation, information leaks or
cross-site-scripting.

We're changing the approach for security updates for Iceweasel, Icedove
and Iceape in stable-security: Instead of backporting security fixes,
we now provide releases based on the Extended Support Release branch. As
such, this update introduces packages based on Firefox 17 and at some
point in the future we will switch to the next ESR branch once ESR 17
has reached it's end of life.

Some Xul extensions currently packaged in the Debian archive are not
compatible with the new browser engine. Up-to-date and compatible
versions can be retrieved from http://addons.mozilla.org as a short
term solution. A solution to keep packaged extensions compatible with
the Mozilla releases is still being sorted out.

We don't have the resources to backport security fixes to the Iceweasel
release in oldstable-security any longer. If you're up to the task and
want to help, please get in touch with team@security.debian.org.
Otherwise, we'll announce the end of security support for Iceweasel,
Icedove and Iceape in Squeeze in the next update round.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.6esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.6esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/