Debian 9858

The following updates have been released for Debian GNU/Linux:

[DLA 104-1] pdns-recursor security update
[DLA 105-1] graphviz security update
[DSA 3096-1] pdns-recursor security update
[DSA 3098-1] graphviz security update
[DSA 3099-1] dbus security update



[DLA 104-1] pdns-recursor security update

Package : pdns-recursor
Version : 3.2-4+deb6u1
CVE ID : CVE-2014-8601

Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
recursive DNS server: a remote attacker controlling
maliciously-constructed zones or a rogue server could affect the
performance of pdns-recursor, thus leading to resource exhaustion and
a potential denial-of-service.

[DLA 105-1] graphviz security update

Package : graphviz
Version : 2.26.3-5+squeeze3
CVE ID : CVE-2014-9157
Debian Bug : 772648

Joshua Rogers discovered a format string vulnerability in the yyerror
function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing
tools. An attacker could use this flaw to cause graphviz to crash or
possibly execute arbitrary code.

[DSA 3096-1] pdns-recursor security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3096-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
December 11, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pdns-recursor
CVE ID : CVE-2014-8601

Florian Maury from ANSSI discovered a flaw in pdns-recursor, a
recursive DNS server: a remote attacker controlling
maliciously-constructed zones or a rogue server could affect the
performance of pdns-recursor, thus leading to resource exhaustion and
a potential denial-of-service.

For the stable distribution (wheezy), this problem has been fixed in
version 3.3-3+deb7u1.

For the upcoming stable distribution (jessie) and unstable
distribution (sid), this problem has been fixed in version 3.6.2-1.

We recommend that you upgrade your pdns-recursor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3098-1] graphviz security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3098-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
December 11, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : graphviz
CVE ID : CVE-2014-9157
Debian Bug : 772648

Joshua Rogers discovered a format string vulnerability in the yyerror
function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing
tools. An attacker could use this flaw to cause graphviz to crash or
possibly execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 2.26.3-14+deb7u2.

For the upcoming stable distribution (jessie), this problem will be
fixed soon in version 2.38.0-7.

For the unstable distribution (sid), this problem has been fixed in
version 2.38.0-7.

We recommend that you upgrade your graphviz packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3099-1] dbus security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3099-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
December 11, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dbus
CVE ID : CVE-2014-7824

Simon McVittie discovered that the fix for CVE-2014-3636 was
incorrect, as it did not fully address the underlying
denial-of-service vector. This update starts the D-Bus daemon as root
initially, so that it can properly raise its file descriptor count.

In addition, this update reverts the auth_timeout change in the
previous security update to its old value because the new value causes
boot failures on some systems. See the README.Debian file for details
on how to harden the D-Bus daemon against malicious local users.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.8-1+deb7u5.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), these problems have been fixed in version 1.8.10-1.

We recommend that you upgrade your dbus packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
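Each advisory above names the version in which the package is fixed, and the practical check is whether the version installed on a host is at or above it. The following Python script is an added example, not part of this digest and not Debian's own tooling: it implements dpkg's version-ordering rules (epoch, then upstream version, then Debian revision, with "~" sorting before everything) and audits a table of installed versions against the fixed versions listed in the advisories. The INSTALLED table is constructed sample data; on a real host the installed version would be read with dpkg-query -W -f='${Version}' <package>.

```python
"""Audit installed Debian package versions against the fixed versions
named in the DLA/DSA advisories above.

Added example, not part of the advisory digest or of Debian's tooling.
FIXED_VERSIONS is copied from the advisories; INSTALLED is constructed
sample data standing in for `dpkg-query -W -f='${Version}' <package>`.
"""

# Fixed versions taken from the advisories on this page,
# keyed by (package, distribution).
FIXED_VERSIONS = {
    ("pdns-recursor", "squeeze"): "3.2-4+deb6u1",
    ("pdns-recursor", "wheezy"): "3.3-3+deb7u1",
    ("pdns-recursor", "sid"): "3.6.2-1",
    ("graphviz", "squeeze"): "2.26.3-5+squeeze3",
    ("graphviz", "wheezy"): "2.26.3-14+deb7u2",
    ("graphviz", "sid"): "2.38.0-7",
    ("dbus", "wheezy"): "1.6.8-1+deb7u5",
    ("dbus", "sid"): "1.8.10-1",
}


def _order(ch):
    """Sort weight of one character in dpkg's ordering: digits and
    end-of-string weigh 0, '~' sorts before everything (even the empty
    string), letters sort before non-letters."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (compared character by character via _order) and
    digit runs (compared numerically, leading zeros ignored).
    Returns a negative, zero or positive number."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: stops when both sides are at a digit or the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, compare digit by digit,
        # and let the longer run win.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    Epoch defaults to 0, revision to ''; the last hyphen is the separator."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: rpartition put everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """dpkg-style comparison: epoch first, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def audit(installed_by_host):
    """Return sorted (package, dist, installed, fixed) tuples for every
    installed package that is still below its advisory's fixed version."""
    findings = []
    for (pkg, dist), fixed in FIXED_VERSIONS.items():
        installed = installed_by_host.get((pkg, dist))
        if installed is not None and not is_fixed(installed, fixed):
            findings.append((pkg, dist, installed, fixed))
    return sorted(findings)


# Constructed sample: a wheezy host where pdns-recursor is already
# upgraded but graphviz and dbus are one revision behind.
INSTALLED = {
    ("pdns-recursor", "wheezy"): "3.3-3+deb7u1",
    ("graphviz", "wheezy"): "2.26.3-14+deb7u1",
    ("dbus", "wheezy"): "1.6.8-1+deb7u4",
}

if __name__ == "__main__":
    for pkg, dist, have, need in audit(INSTALLED):
        print(f"{pkg} ({dist}): installed {have} < fixed {need}, upgrade needed")
```

The comparison mirrors the algorithm dpkg itself uses, so a string such as 2.26.3-14+deb7u1 correctly sorts below 2.26.3-14+deb7u2 and 1.0~rc1 below 1.0, which a naive string or float comparison would get wrong. On a Debian host the same decision is available from the authoritative tool as dpkg --compare-versions "$installed" ge "$fixed"; the script is useful when checking version inventories collected from many hosts offline.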