Debian 9844 Published by

The following two updates has been released for Debian:

[DLA 198-1] wireshark security update
[DSA 3232-1] curl security update



[DLA 198-1] wireshark security update

Package : wireshark
Version : 1.8.2-5wheezy15~deb6u1
CVE ID : CVE-2015-2191 CVE-2015-2188 CVE-2015-0564 CVE-2015-0562
CVE-2014-8714 CVE-2014-8713 CVE-2014-8712 CVE-2014-8711
CVE-2014-8710 CVE-2014-6432 CVE-2014-6431 CVE-2014-6430
CVE-2014-6429 CVE-2014-6428 CVE-2014-6423 CVE-2014-6422

The following vulnerabilities were discovered in the Squeeze's Wireshark
version:

CVE-2015-2188 The WCP dissector could crash
CVE-2015-0564 Wireshark could crash while decypting TLS/SSL sessions
CVE-2015-0562 The DEC DNA Routing Protocol dissector could crash
CVE-2014-8714 TN5250 infinite loops
CVE-2014-8713 NCP crashes
CVE-2014-8712 NCP crashes
CVE-2014-8711 AMQP crash
CVE-2014-8710 SigComp UDVM buffer overflow
CVE-2014-6432 Sniffer file parser crash
CVE-2014-6431 Sniffer file parser crash
CVE-2014-6430 Sniffer file parser crash
CVE-2014-6429 Sniffer file parser crash
CVE-2014-6428 SES dissector crash
CVE-2014-6423 MEGACO dissector infinite loop
CVE-2014-6422 RTP dissector crash

Since back-porting upstream patches to 1.2.11-6+squeeze15 did not fix
all the outstanding issues and some issues are not even tracked publicly
the LTS Team decided to sync squeeze-lts's wireshark package with
wheezy-security to provide the best possible security support.

Note that upgrading Wireshark from 1.2.x to 1.8.x introduces
several backward-incompatible changes in package structure, shared
library API/ABI, availability of dissectors and in syntax of command
line parameters.


[DSA 3232-1] curl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3232-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148

Several vulnerabilities were discovered in cURL, an URL transfer library:

CVE-2015-3143

NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent
over the connection authenticated as a different user. This is
similar to the issue fixed in DSA-2849-1.

CVE-2015-3144

When parsing URLs with a zero-length hostname (such as "http://:80"),
libcurl would try to read from an invalid memory address. This could
allow remote attackers to cause a denial of service (crash). This
issue only affects the upcoming stable (jessie) and unstable (sid)
distributions.

CVE-2015-3145

When parsing HTTP cookies, if the parsed cookie's "path" element
consists of a single double-quote, libcurl would try to write to an
invalid heap memory address. This could allow remote attackers to
cause a denial of service (crash). This issue only affects the
upcoming stable (jessie) and unstable (sid) distributions.

CVE-2015-3148

When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as
authenticated, making it possible to reuse it and send requests for
one user over the connection authenticated as a different user.

For the stable distribution (wheezy), these problems have been fixed in
version 7.26.0-1+wheezy13.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 7.38.0-4+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7.42.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/