Debian 9844

The following updates have been released for Debian 6 LTS:

[DLA 354-1] nss security update
[DLA 355-1] libxml2 security update



[DLA 354-1] nss security update

Package : nss
Version : 3.12.8-1+squeeze13
CVE ID : CVE-2015-7181 CVE-2015-7182
Debian Bug :

Several vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2015-7181

The sec_asn1d_parse_leaf function improperly restricts access to an
unspecified data structure, which allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via crafted OCTET STRING data, related to a "use-after-poison"
issue.

CVE-2015-7182

A heap-based buffer overflow in the ASN.1 decoder allows remote
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via crafted OCTET STRING data.

For the oldoldstable distribution (squeeze), these problems have been fixed
in version 3.12.8-1+squeeze13.

We recommend that you upgrade your nss packages.


[DLA 355-1] libxml2 security update

Package : libxml2
Version : 2.7.8.dfsg-2+squeeze15
CVE ID : CVE-2015-8241 CVE-2015-8317
Debian Bug : 806384

CVE-2015-8241

Buffer over-read in the XML parser (xmlNextChar).

CVE-2015-8317

Issues in the xmlParseXMLDecl function:
- If converting the current input stream fails while processing the
  encoding declaration of the XMLDecl, it is safer to abort there and
  not try to report further errors.
- If the string is not properly terminated, do not try to convert it
  to the given encoding.

Additional fix for an off-by-one error in the previous patch for CVE-2015-7942
(thanks to Salvatore for spotting this).