Debian 9859 Published by

The following two updates has been released for Debian:

[DSA 3355-2] libvdpau regression update
[DSA 3390-1] xen security update



[DSA 3355-2] libvdpau regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3355-2 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
November 02, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvdpau
Debian Bug : 802625

The previous update for libvdpau, DSA-3355-1, introduced a regression in
the stable distribution (jessie) causing a segmentation fault when the
DRI_PRIME environment variable is set. For reference, the original
advisory text follows.

Florian Weimer of Red Hat Product Security discovered that libvdpau, the
VDPAU wrapper library, did not properly validate environment variables,
allowing local attackers to gain additional privileges.

For the stable distribution (jessie), this problem has been fixed in
version 0.8-3+deb8u2.

We recommend that you upgrade your libvdpau packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3390-1] xen security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3390-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 02, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2015-7835

It was discovered that the code to validate level 2 page table entries
is bypassed when certain conditions are satisfied. A malicious PV guest
administrator can take advantage of this flaw to gain privileges via a
crafted superpage mapping.

For the oldstable distribution (wheezy), this problem has been fixed
in version 4.1.4-3+deb7u9.

For the stable distribution (jessie), this problem has been fixed in
version 4.4.1-9+deb8u2.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/