Debian 9859

2 new updates for Debian 6 LTS and 1 for Debian 7/8:

[DLA 434-1] gtk+2.0 security update
[DLA 435-1] tomcat6 security update
[DSA 3494-1] cacti security update



[DLA 434-1] gtk+2.0 security update

Package : gtk+2.0
Version : 2.20.1-2+deb6u2
CVE ID : CVE-2015-4491 CVE-2015-7673 CVE-2015-7674

Gustavo Grieco discovered several security issues in Gtk+2.0's
gdk-pixbuf image loaders.

CVE-2015-4491

A heap overflow when processing BMP images, which may allow execution
of arbitrary code via malformed images.

CVE-2015-7673

A heap overflow when processing TGA images, which may allow execution
of arbitrary code or a denial of service (process crash) via malformed
images.

CVE-2015-7674

An integer overflow when processing GIF images, which may allow
execution of arbitrary code or a denial of service (process crash) via
malformed images.

For Debian 6 "Squeeze", these issues have been fixed in gtk+2.0 version
2.20.1-2+deb6u2. We recommend that you upgrade your gtk+2.0 packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[DLA 435-1] tomcat6 security update

Package : tomcat6
Version : 6.0.45-1~deb6u1
CVE ID : CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
CVE-2016-0706 CVE-2016-0714 CVE-2016-0763

Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages (JSP) specifications and a pure Java web server environment, was
affected by multiple security issues prior to version 6.0.45.

CVE-2015-5174
Directory traversal vulnerability in RequestUtil.java in Apache
Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27
allows remote authenticated users to bypass intended SecurityManager
restrictions and list a parent directory via a /.. (slash dot dot)
in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as demonstrated by
the $CATALINA_BASE/webapps directory.

CVE-2015-5345
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before
7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes
redirects before considering security constraints and Filters, which
allows remote attackers to determine the existence of a directory
via a URL that lacks a trailing / (slash) character.

CVE-2015-5351
The Manager and Host Manager applications in Apache Tomcat
establish sessions and send CSRF tokens for arbitrary new requests,
which allows remote attackers to bypass a CSRF protection mechanism
by using a token.

CVE-2016-0706
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before
8.0.31, and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application.

CVE-2016-0714
The session-persistence implementation in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before
9.0.0.M2 mishandles session attributes, which allows remote
authenticated users to bypass intended SecurityManager restrictions
and execute arbitrary code in a privileged context via a web
application that places a crafted object in a session.

CVE-2016-0763
The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
does not consider whether ResourceLinkFactory.setGlobalContext
callers are authorized, which allows remote authenticated users to
bypass intended SecurityManager restrictions and read or write to
arbitrary application data, or cause a denial of service
(application disruption), via a web application that sets a crafted
global context.


For Debian 6 "Squeeze", these problems have been fixed in version
6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.

[DSA 3494-1] cacti security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3494-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 27, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cacti
CVE ID : CVE-2015-8377 CVE-2015-8604

Two SQL injection vulnerabilities were discovered in cacti, a web
interface for graphing of monitoring systems. Specially crafted input
can be used by an attacker in parameters of the graphs_new.php script to
execute arbitrary SQL commands on the database.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.8.8a+dfsg-5+deb7u8.

For the stable distribution (jessie), these problems have been fixed in
version 0.8.8b+dfsg-8+deb8u4.

For the testing distribution (stretch), these problems have been fixed
in version 0.8.8f+ds1-4.

For the unstable distribution (sid), these problems have been fixed in
version 0.8.8f+ds1-4.

We recommend that you upgrade your cacti packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/