Debian 9858 Published by

The following updates has been released for Debian:

[DLA 251-2] zendframework regression update
[DLA-252-1] postgresql-8.4 update
[DSA 3294-1] wireshark security update



[DLA 251-2] zendframework regression update

Package : zendframework
Version : 1.10.6-1squeeze4
CVE ID : CVE-2012-6531 CVE-2012-6532 CVE-2014-2681 CVE-2014-2682
CVE-2014-2683 CVE-2014-2684 CVE-2014-2685 CVE-2014-4914
CVE-2014-8088 CVE-2014-8089 CVE-2015-3154
Debian Bug : 743175 754201

The previous zendframework upload incorrectly fixes CVE-2015-3154,
causing a regression. This update corrects this problem. Thanks to
Евгений Смолин (Evgeny Smolin) .

CVE-2012-6531

Pádraic Brady identified a weakness to handle the SimpleXMLElement
zendframework class, allowing to remote attackers to read arbitrary
files or create TCP connections via an XML external entity (XXE)
injection attack.

CVE-2012-6532

Pádraic Brady found that remote attackers could cause a denial of
service by CPU consumption, via recursive or circular references
through an XML entity expansion (XEE) attack.

CVE-2014-2681

Lukas Reschke reported a lack of protection against XML External
Entity injection attacks in some functions. This fix extends the
incomplete one from CVE-2012-5657.

CVE-2014-2682

Lukas Reschke reported a failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. This fix extends the incomplete one from
CVE-2012-5657.

CVE-2014-2683

Lukas Reschke reported a lack of protection against XML Entity
Expansion attacks in some functions. This fix extends the incomplete
one from CVE-2012-6532.

CVE-2014-2684

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported an error in the consumer's verify method that lead
to acceptance of wrongly sourced tokens.

CVE-2014-2685

Christian Mainka and Vladislav Mladenov from the Ruhr-University
Bochum reported a specification violation in which signing of a
single parameter is incorrectly considered sufficient.

CVE-2014-4914

Cassiano Dal Pizzol discovered that the implementation of the ORDER
BY SQL statement in Zend_Db_Select contains a potential SQL
injection when the query string passed contains parentheses.

CVE-2014-8088

Yury Dyachenko at Positive Research Center identified potential XML
eXternal Entity injection vectors due to insecure usage of PHP's DOM
extension.

CVE-2014-8089

Jonas Sandström discovered an SQL injection vector when manually
quoting value for sqlsrv extension, using null byte.

CVE-2015-3154

Filippo Tessarotto and Maks3w reported potential CRLF injection
attacks in mail and HTTP headers.


[DLA-252-1] postgresql-8.4 update

Package : postgresql-8.4
Version : 8.4.22lts4-0+deb6u1

Several bugs were discovered in PostgreSQL, a relational database server
system. The 8.4 branch is EOLed upstream, but still present in Debian squeeze.
This new LTS minor version contains the fixes that were applied upstream to the
9.0.22 version, backported to 8.4.22 which was the last version officially
released by the PostgreSQL developers. This LTS effort for squeeze-lts is a
community project sponsored by credativ GmbH.

## Migration to Version 8.4.22lts4

A dump/restore is not required for those running 8.4.X. However, if you are
upgrading from a version earlier than 8.4.22, see the relevant release notes.

## Changes

* Fix rare failure to invalidate relation cache init file (Tom Lane)

With just the wrong timing of concurrent activity, a VACUUM FULL
on a system catalog might fail to update the init file that's used to
avoid cache-loading work for new sessions. This would result in
later sessions being unable to access that catalog at all.
This is a very ancient bug, but it's so hard to trigger that no
reproducible case had been seen until recently.



[DSA 3294-1] wireshark security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3294-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 23, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2015-4651 CVE-2015-4652

Multiple vulnerabilities were discovered in the dissectors for WCCP
and GSM DTAP, which could result in denial of service.

The oldstable distribution (wheezy) is not affected.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 1.12.6+gee1fce6-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.6+gee1fce6-1.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/