Debian 9859 Published by

The following Debian updates are available: [DSA 2854-1] mumble security update, [DSA 2853-1] horde3 security update, and [DSA 2855-1] libav security update



[DSA 2854-1] mumble security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2854-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
February 05, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mumble
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2014-0044 CVE-2014-0045
Debian Bug : 737739

Several issues have been discovered in mumble, a low latency VoIP
client. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2014-0044

It was discovered that a malformed Opus voice packet sent to a
Mumble client could trigger a NULL pointer dereference or an
out-of-bounds array access. A malicious remote attacker could
exploit this flaw to mount a denial of service attack against a
mumble client by causing the application to crash.

CVE-2014-0445

It was discovered that a malformed Opus voice packet sent to a
Mumble client could trigger a heap-based buffer overflow. A
malicious remote attacker could use this flaw to cause a client
crash (denial of service) or potentially use it to execute
arbitrary code.

The oldstable distribution (squeeze) is not affected by these problems.

For the stable distribution (wheezy), these problems have been fixed in
version 1.2.3-349-g315b5f5-2.2+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your mumble packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[DSA 2853-1] horde3 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2853-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
February 05, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : horde3
Vulnerability : Remote code execution
Problem type : remote
Debian-specific: no
CVE ID : CVE-2014-1691
Debian Bug : 737149

Pedro Ribeiro from Agile Information Security found a possible remote
code execution on Horde3, a web application framework. Unsanitized
variables are passed to the unserialize() PHP function. A remote attacker
could specially-crafted one of those variables allowing her to load and
execute code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 3.3.8+debian0-3.

In the testing (jessie) and unstable (sid) distributions, Horde is
distributed in the php-horde-util package. This problem has been fixed in
version 2.3.0-1.

We recommend that you upgrade your horde3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2855-1] libav security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2855-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 05, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libav
Vulnerability : several
Problem type : local
Debian-specific: no
CVE ID : CVE-2011-3944 CVE-2013-0845 CVE-2013-0846 CVE-2013-0849
CVE-2013-0865 CVE-2013-7010 CVE-2013-7014 CVE-2013-7015

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. The IDs mentioned above are just
a portion of the security issues fixed in this update. A full list of the
changes is available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.10

For the stable distribution (wheezy), these problems have been fixed in
version 6:0.8.9-1.

For the unstable distribution (sid), these problems have been fixed in
version 6:9.11-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/