Debian 9858

2 updates for Debian 6 LTS and 2 for Debian 7/8:

[DLA 421-1] openssl security update
[DLA 422-1] python-imaging security update
[DSA 3485-1] didiwiki security update
[DSA 3486-1] chromium-browser security update
[DLA 421-1] openssl security update

Package : openssl
Version : 0.9.8o-4squeeze23
CVE ID : CVE-2015-3197

CVE-2015-3197:
A malicious client can negotiate SSLv2 ciphers that have been disabled on the
server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

Additionally, when using a DHE cipher suite a new DH key will always be
generated for each connection.


This will be the last security update for the squeeze version of the package.
The 0.9.8 version is no longer supported upstream and squeeze LTS support will
end soon. If you are using openssl you should upgrade to wheezy or, preferably,
jessie; the openssl versions in those releases contain many security improvements.

[DLA 422-1] python-imaging security update

Package : python-imaging
Version : 1.1.7-2+deb6u2
CVE ID : CVE-2016-0775
Debian Bug : 813909


Two buffer overflows were discovered in python-imaging, a Python
library for loading and manipulating image files, which may lead to
the execution of arbitrary code.


CVE-2016-0775
Buffer overflow in FliDecode.c

The second buffer overflow was in PcdDecode.c. A CVE identifier has
not been assigned yet.

For Debian 6 "Squeeze", these problems have been fixed in version
1.1.7-2+deb6u2.

We recommend that you upgrade your python-imaging packages.

[DSA 3485-1] didiwiki security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3485-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 20, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : didiwiki
CVE ID : CVE-2013-7448
Debian Bug : 815111

Alexander Izmailov discovered that didiwiki, a wiki implementation,
failed to correctly validate user-supplied input, thus allowing a
malicious user to access any part of the filesystem.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.5-11+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 0.5-11+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this
problem has been fixed in version 0.5-12.

We recommend that you upgrade your didiwiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3486-1] chromium-browser security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3486-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 21, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2016-1622 CVE-2016-1623 CVE-2016-1624 CVE-2016-1625
CVE-2016-1626 CVE-2016-1627 CVE-2016-1628 CVE-2016-1629

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-1622

It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.

CVE-2016-1623

Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2016-1624

lukezli discovered a buffer overflow issue in the Brotli library.

CVE-2016-1625

Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.

CVE-2016-1626

An out-of-bounds read issue was discovered in the openjpeg library.

CVE-2016-1627

It was discovered that the Developer Tools did not validate URLs.

CVE-2016-1628

An out-of-bounds read issue was discovered in the pdfium library.

CVE-2016-1629

A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.

For the stable distribution (jessie), these problems have been fixed in
version 48.0.2564.116-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 48.0.2564.116-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
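A practitioner's follow-up to the "upgrade your packages" advice repeated in each advisory above, added here as an example and not part of the Debian advisories: a small Python script that parses the digest's "[DLA/DSA ...] package security update" headers, "Version :" lines and "fixed in version" sentences, then compares them with a host's installed package versions using a port of dpkg's version-ordering rules (epoch, upstream, revision, with "~" sorting before everything). The SAMPLE text is a constructed, trimmed copy of two advisories from this page, the installed-version dictionaries are constructed, and the unpatched check is not suite-aware, so its hits are items to review rather than confirmed exposure.

```python
import re
from itertools import zip_longest
# Constructed sample in this page's digest format (trimmed openssl DLA and didiwiki DSA).
SAMPLE = """[DLA 421-1] openssl security update
Package : openssl
Version : 0.9.8o-4squeeze23
CVE ID : CVE-2015-3197
[DSA 3485-1] didiwiki security update
Package : didiwiki
CVE ID : CVE-2013-7448
For the oldstable distribution (wheezy), this problem has been fixed
in version 0.5-11+deb7u1.
For the stable distribution (jessie), this problem has been fixed in
version 0.5-11+deb8u1."""
HEADER = re.compile(r"^\[(D[LS]A \d+-\d+)\] (\S+) security update$", re.M)
FIXED = re.compile(r"^Version : (\S+)$|fixed\s+in\s+version\s+(\S+?)\.?$", re.M)
PARTS = re.compile(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]

# dpkg's character weight: '~' sorts before anything (even end of string), then letters, then the rest.
_order = lambda c: -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256
_runs = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating (non-digit run, digit run) pairs

def _fragcmp(a, b):
    """Port of dpkg's verrevcmp(): compare run pairs char-wise via _order, then numerically."""
    for (sa, na), (sb, nb) in zip_longest(_runs(a), _runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(a, b):
    """Negative if a < b, 0 if equal, positive if a > b, under Debian's version ordering."""
    (ea, ua, ra), (eb, ub, rb) = PARTS.match(a).groups(), PARTS.match(b).groups()
    return (int(ea or 0) - int(eb or 0)) or _fragcmp(ua, ub) or _fragcmp(ra or "", rb or "")

def parse_advisories(text):
    """Map advisory id -> package, CVE ids and every fixed version the advisory lists."""
    p = HEADER.split(text)  # [preamble, id, package, body, id, package, body, ...]
    return {p[k]: {"package": p[k + 1],
                   "cves": sorted(set(re.findall(r"CVE-\d{4}-\d+", p[k + 2]))),
                   "fixed": [m.group(1) or m.group(2) for m in FIXED.finditer(p[k + 2])]}
            for k in range(1, len(p), 3)}

def unpatched(advisories, installed):
    """Advisory ids whose package is installed below any listed fixed version. Not suite-aware:
    a host at its own suite's fix can be flagged against a newer suite's, so review hits."""
    return sorted(i for i, adv in advisories.items() if adv["package"] in installed
                  and any(compare_versions(installed[adv["package"]], f) < 0 for f in adv["fixed"]))
```

Feed it the output of "dpkg-query -W -f '${Package} ${Version}\n'" split into a dictionary to check a real host against a digest like this one.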