Debian 9844 Published by

The following Debian updates has been released:

[DLA 302-1] zendframework security update
[DLA 303-1] openjdk-6 security update



[DLA 302-1] zendframework security update

Package : zendframework
Version : 1.10.6-1squeeze5
CVE ID : CVE-2015-5161

Dawid Golunski discovered that when running under PHP-FPM in a threaded
environment, Zend Framework, a PHP framework, did not properly handle XML data
in multibyte encoding. This could be used by remote attackers to perform an XML
External Entity attack via crafted XML data.

For Debian 6 “Squeeze”, this issue has been fixed in zendframework
version 1.10.6-1squeeze5.


[DLA 303-1] openjdk-6 security update

Package : openjdk-6
Version : 6b36-1.13.8-1~deb6u1
CVE ID : CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625
CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000
CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748
CVE-2015-4749 CVE-2015-4760

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information
disclosure, denial of service or insecure cryptography.

For Debian 6 "Squeeze", these issues have been fixed in openjdk-6
version 6b36-1.13.8-1~deb6u1.

We recommend that you upgrade your openjdk-6 packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/