Debian

Two new updates are available for Debian 6 LTS ("Squeeze") and one for Debian 8 ("Jessie"):

[DLA 344-1] nspr security update
[DLA 345-1] strongswan security update
[DSA 3400-1] lxc security update

[DLA 344-1] nspr security update

Package : nspr
Version : 4.8.6-1+squeeze3
CVE ID : CVE-2015-7183

Google security engineer Ryan Sleevi found a vulnerability in the Netscape
Portable Runtime library (NSPR). NSPR's arena allocator computed allocation
sizes without checking for integer overflow, so a remote attacker able to drive
allocations (for example through NSS, which is built on NSPR) could cause a
heap overflow, leading to a denial of service or arbitrary code execution.

For Debian 6 "Squeeze", this issue has been fixed in nspr version
4.8.6-1+squeeze3. We recommend that you upgrade your nspr packages.

Learn more about the Debian Long Term Support (LTS) Project and how to apply
these updates at: https://wiki.debian.org/LTS/


[DLA 345-1] strongswan security update

Package : strongswan
Version : 4.4.1-5.8
CVE ID : CVE-2015-8023

Tobias Brunner found an authentication bypass vulnerability in
strongSwan, an IKE/IPsec suite.

Due to insufficient validation of its local state, the server
implementation of the EAP-MSCHAPv2 protocol in the eap-mschapv2 plugin
can be tricked by a client into concluding the authentication as
successful without that client ever providing valid credentials.

Such attacks can be recognized in the server logs: the following message
is logged during the client authentication whenever the bypass has
occurred (a genuine EAP-MSCHAPv2 success always establishes an MSK):

EAP method EAP_MSCHAPV2 succeeded, no MSK established

For Debian 6 "Squeeze", this issue has been fixed in strongswan version
4.4.1-5.8. We recommend that you upgrade your strongswan packages.
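As an added example, not part of the advisory or of strongSwan, the following script scans charon syslog lines for the message quoted above and ties each hit to the EAP identity the peer claimed on the same IKE_SA. The "NN[IKE] <name|id>" prefix is the usual charon syslog layout; the log lines themselves are constructed for the example, not real captures.

```python
import re
from collections import Counter

# Syslog-style charon lines, e.g.
#   Nov 19 08:14:37 vpn1 charon: 11[IKE] <rw-eap|4> EAP method EAP_MSCHAPV2 succeeded, no MSK established
# The prefix layout (timestamp, host, "charon:", thread id, "[IKE]", IKE_SA tag) is assumed.
_PREFIX = (
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"\d+\[IKE\] <(?P<sa>[^>]*)> "
)

# The message named in DLA-345-1; the optional "no " decides whether an MSK exists.
SUCCESS_RE = re.compile(
    _PREFIX + r"EAP method EAP_MSCHAPV2 succeeded, (?P<nomsk>no )?MSK established$"
)

# charon logs the peer's (claimed) EAP identity right after the EAP method result.
AUTH_RE = re.compile(
    _PREFIX + r"authentication of '(?P<identity>[^']*)' with EAP successful$"
)

# Constructed sample log: one legitimate login (SA 3) and two bypasses (SA 4, SA 5).
SAMPLE_LOG = """\
Nov 19 08:12:01 vpn1 charon: 07[IKE] <rw-eap|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov 19 08:12:01 vpn1 charon: 07[IKE] <rw-eap|3> authentication of 'carol' with EAP successful
Nov 19 08:14:37 vpn1 charon: 11[IKE] <rw-eap|4> EAP method EAP_MSCHAPV2 succeeded, no MSK established
Nov 19 08:14:37 vpn1 charon: 11[IKE] <rw-eap|4> authentication of 'mallory' with EAP successful
Nov 19 08:20:05 vpn1 charon: 02[IKE] <rw-eap|5> EAP method EAP_MSCHAPV2 succeeded, no MSK established
"""


def scan_charon_log(lines):
    """Return one record per EAP-MSCHAPv2 success that established no MSK.

    Each record carries the timestamp, host, IKE_SA tag and, when the
    matching 'authentication of ... with EAP successful' line follows on
    the same IKE_SA, the identity the peer claimed (None otherwise).
    """
    hits = []
    pending = {}  # IKE_SA tag -> index into hits still waiting for an identity line
    for raw in lines:
        line = raw.rstrip("\n")
        m = SUCCESS_RE.match(line)
        if m:
            if m.group("nomsk"):
                hits.append({"ts": m.group("ts"), "host": m.group("host"),
                             "sa": m.group("sa"), "identity": None})
                pending[m.group("sa")] = len(hits) - 1
            else:
                # A real success on this SA: nothing to attribute.
                pending.pop(m.group("sa"), None)
            continue
        a = AUTH_RE.match(line)
        if a and a.group("sa") in pending:
            hits[pending.pop(a.group("sa"))]["identity"] = a.group("identity")
    return hits


def summarize(hits):
    """Count bypass attempts per claimed identity ('<unknown>' if none was logged)."""
    return Counter(h["identity"] or "<unknown>" for h in hits)


if __name__ == "__main__":
    found = scan_charon_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['host']} IKE_SA {h['sa']}: EAP-MSCHAPv2 bypass, "
              f"claimed identity {h['identity'] or '<unknown>'}")
    print(dict(summarize(found)))
```

The identity attached to each hit is whatever the client asserted; in a bypass it is attacker-chosen, so it identifies which account was targeted, not who the attacker is. A legitimate login on SA 3 is left alone, and a bypass with no identity line (SA 5) is still reported.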

[DSA 3400-1] lxc security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3400-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 19, 2015                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : lxc
CVE ID : CVE-2015-1335
Debian Bug : 800471

Roman Fiedler discovered a directory traversal flaw in LXC, the Linux
Containers userspace tools: lxc-start did not guard against symlinks in
the container's filesystem when setting up mounts at start time. A local
attacker with control over an LXC container's contents could exploit this
to run programs inside the container that are not confined by AppArmor,
or to expose unintended host files to the container.

For the stable distribution (jessie), this problem has been fixed in
version 1:1.0.6-6+deb8u2.

We recommend that you upgrade your lxc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/