
The following Debian updates are available:

[DSA 2874-1] mutt security update
[DSA 2875-1] cups-filters security update
[DSA 2876-1] cups security update
[DSA 2877-1] lighttpd security update



[DSA 2874-1] mutt security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2874-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mutt
CVE ID : CVE-2014-0467
Debian Bug : 708731

Beatrice Torracca and Evgeni Golov discovered a buffer overflow in the
mutt mailreader. Malformed RFC2047 header lines could result in denial
of service or potentially the execution of arbitrary code.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.5.20-9+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.21-6.2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.5.22-2.

We recommend that you upgrade your mutt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2875-1] cups-filters security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2875-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cups-filters
CVE ID : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.18-2.1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.47-1.

We recommend that you upgrade your cups-filters packages.


[DSA 2876-1] cups security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2876-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cups
CVE ID : CVE-2013-6474 CVE-2013-6475 CVE-2013-6476

Florian Weimer of the Red Hat Product Security Team discovered multiple
vulnerabilities in the pdftoopvp CUPS filter, which could result in the
execution of arbitrary code if a malformed PDF file is processed.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.4-7+squeeze4.

For the stable distribution (wheezy) and the unstable distribution (sid)
the filter is now part of the cups-filters source package.

We recommend that you upgrade your cups packages.


[DSA 2877-1] lighttpd security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2877-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
March 12, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : lighttpd
CVE ID : CVE-2014-2323 CVE-2014-2324
Debian Bug : 741493

Several vulnerabilities were discovered in the lighttpd web server.

CVE-2014-2323

Jann Horn discovered that specially crafted host names can be used
to inject arbitrary MySQL queries in lighttpd servers using the
MySQL virtual hosting module (mod_mysql_vhost).

This only affects installations with the lighttpd-mod-mysql-vhost
binary package installed and in use.

CVE-2014-2324

Jann Horn discovered that specially crafted host names can be used
to traverse outside of the document root under certain situations
in lighttpd servers using either the mod_mysql_vhost, mod_evhost,
or mod_simple_vhost virtual hosting modules.

Servers not using these modules are not affected.
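
Both lighttpd issues are triggered through the host name of a request. As an added example (not lighttpd's code and not the upstream fix), the Python below applies a strict allow-list check to a Host header value before it would be used as a database lookup key or a path component; the function names and the sample values are constructed for illustration, and rejecting underscores and empty ports is an assumption of this check.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)\Z")

def _port_ok(port):
    """A port is 1-5 ASCII digits with a value of at most 65535."""
    return port.isascii() and port.isdigit() and int(port) <= 65535

def host_is_wellformed(value):
    """True only for host[:port] where host is a DNS name, dotted IPv4 or [IPv6]."""
    if not value or len(value) > 255:
        return False
    if value.startswith("["):                  # IP literal such as [2001:db8::1]:443
        literal, closed, rest = value[1:].partition("]")
        if not closed:
            return False
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return False
        return rest == "" or (rest.startswith(":") and _port_ok(rest[1:]))
    host, colon, port = value.partition(":")
    if colon and not _port_ok(port):
        return False
    if host.endswith("."):                     # allow one trailing dot (FQDN form)
        host = host[:-1]
    # Every label must match; quotes, slashes, spaces and empty labels all fail here.
    return all(_LABEL.match(label) for label in host.split("."))

# Constructed sample of (client address, Host header) pairs; documentation ranges only.
SAMPLE = [
    ("198.51.100.7", "www.example.org"),
    ("198.51.100.7", "www.example.org:8080"),
    ("203.0.113.9", "[2001:db8::1]:443"),
    ("203.0.113.9", "bad'name.example.org"),
    ("203.0.113.9", "a/../b.example.org"),
    ("203.0.113.5", "www..example.org"),
]

def suspicious(requests):
    """Return the requests whose Host value is not a well-formed host[:port]."""
    return [(client, host) for client, host in requests if not host_is_wellformed(host)]
```

The same predicate can sit in a reverse proxy or log pipeline in front of servers that still use mod_mysql_vhost, mod_evhost or mod_simple_vhost until the fixed packages are installed.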

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.28-2+squeeze1.6.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.31-4+deb7u3.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.33-1+nmu3.

We recommend that you upgrade your lighttpd packages.
