Debian 9904

The following updates have been released for Debian GNU/Linux:

[DLA 274-1] groovy security update
[DLA 275-1] ruby1.9.1 security update
[DLA 277-1] libidn security update
[DSA 3310-1] freexl security update
[DSA 3311-1] mariadb-10.0 security update
[DLA 274-1] groovy security update

Package : groovy
Version : 1.7.0-4+deb6u1
CVE ID : CVE-2015-3253

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1.7.0-4+deb6u1.

For the oldstable distribution (wheezy) and stable distribution
(jessie), this problem will be fixed soon.

[DLA 275-1] ruby1.9.1 security update

Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u6
CVE ID : CVE-2014-6438

It was discovered that the uri package in the Ruby standard library
uses regular expressions that may result in excessive backtracking.
Ruby applications that parse untrusted URIs using this library were
susceptible to denial-of-service attacks by passing crafted URIs.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1.9.2.0-2+deb6u6.

The oldstable distribution (wheezy) and stable distribution (jessie)
were not affected by this problem as it was fixed before release.

[DLA 277-1] libidn security update

Package : libidn
Version : 1.15-2+deb6u1
CVE ID : CVE-2015-2059

Thijs Alkemade discovered that the Jabber server may pass an invalid
UTF-8 string to libidn, the GNU library for Internationalized Domain
Names (IDNs). In the case of the Jabber server, this results in
information disclosure, and it is likely that some other applications
using libidn have similar vulnerabilities. This update changes libidn
to check for invalid strings rather than assuming that the application
has done so.
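The check the update describes (reject malformed UTF-8 before it reaches the IDN code instead of trusting the caller) is easy to get subtly wrong, so here is an added, stand-alone validator. It is illustration written for this digest, not libidn's own code; the function names utf8_is_valid, utf8_str_is_valid and idn_input_check and the sample inputs are all constructed here. It enforces the RFC 3629 rules: no overlong forms, no surrogate code points, nothing above U+10FFFF, and no truncated sequences.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (not libidn's code): true only if buf[0..len) is
 * well-formed UTF-8 per RFC 3629. */
bool utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        if (b < 0x80) { i++; continue; }          /* plain ASCII byte */
        size_t n;                                  /* continuation bytes expected */
        uint32_t cp;                               /* decoded code point */
        if ((b & 0xE0) == 0xC0)      { n = 1; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { n = 2; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { n = 3; cp = b & 0x07; }
        else return false;                         /* stray continuation or 0xF8..0xFF */
        if (len - i < n + 1) return false;         /* truncated sequence at end of input */
        for (size_t k = 1; k <= n; k++) {
            unsigned char c = buf[i + k];
            if ((c & 0xC0) != 0x80) return false;  /* continuation byte must be 10xxxxxx */
            cp = (cp << 6) | (c & 0x3F);
        }
        /* Overlong encodings: each sequence length has a minimum code point. */
        if ((n == 1 && cp < 0x80) || (n == 2 && cp < 0x800) || (n == 3 && cp < 0x10000))
            return false;
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;  /* UTF-16 surrogates are not scalar values */
        if (cp > 0x10FFFF) return false;                  /* beyond the Unicode range */
        i += n + 1;
    }
    return true;
}

/* Convenience wrapper for NUL-terminated strings. */
bool utf8_str_is_valid(const char *s)
{
    return utf8_is_valid((const unsigned char *)s, strlen(s));
}

/* Gatekeeper placed in front of any IDN processing (hypothetical name):
 * 0 = accept, -1 = reject without ever handing the bytes to the IDN code. */
int idn_input_check(const char *s)
{
    return utf8_str_is_valid(s) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs; the hex escapes are split from following
     * letters so the compiler does not swallow them into the escape. */
    const char *ok        = "b\xC3\xBC" "cher.example";  /* "bücher.example" */
    const char *overlong  = "\xC0\xAF";                   /* overlong encoding of '/' */
    const char *truncated = "\xE2\x82";                   /* first two bytes of U+20AC */
    const char *surrogate = "\xED\xA0\x80";               /* U+D800 */
    printf("ok=%d overlong=%d truncated=%d surrogate=%d\n",
           idn_input_check(ok), idn_input_check(overlong),
           idn_input_check(truncated), idn_input_check(surrogate));
    return 0;
}
```

The overlong and surrogate cases are the ones that naive "is every continuation byte 10xxxxxx" checks miss; both decode to a numeric value, but neither is a legal encoding, and a library that later assumes canonical UTF-8 can read past buffer ends or misinterpret the string.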

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1.15-2+deb6u1.

For the oldstable distribution (wheezy) and stable distribution
(jessie), this problem will be fixed soon.

[DSA 3310-1] freexl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3310-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
July 19, 2015                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : freexl
CVE ID : not yet available

It was discovered that an integer overflow in freexl, a library to parse
Microsoft Excel spreadsheets, may result in denial of service if a
malformed Excel file is opened.
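The advisory does not say which computation overflows, so the following is a generic illustration of the bug class rather than freexl's code: a parser multiplies file-supplied dimensions to size a buffer, the product wraps, and the undersized buffer is later indexed with the original large values. The struct cell_table_hdr, its fields and all function names are hypothetical; the constructed sample headers are built inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record header as a parser would read it from a file.
 * Every field is attacker-controlled. Not freexl's real format. */
struct cell_table_hdr {
    uint32_t rows;
    uint32_t cols;
    uint32_t cell_size;   /* bytes per cell */
};

/* Unsafe pattern, shown for contrast: 32-bit arithmetic wraps silently, so
 * a header claiming 65536 x 65536 cells yields a size of 0 bytes. */
size_t table_bytes_unchecked(const struct cell_table_hdr *h)
{
    uint32_t cells = h->rows * h->cols;            /* may wrap modulo 2^32 */
    return (size_t)(uint32_t)(cells * h->cell_size);
}

/* Safe pattern: test each multiplication for overflow before performing it,
 * then cap the result against a policy limit so absurd-but-unwrapped sizes
 * are also rejected. Returns false on any rejection. */
bool table_bytes_checked(const struct cell_table_hdr *h, size_t limit, size_t *out)
{
    if (h->rows == 0 || h->cols == 0 || h->cell_size == 0) return false;
    /* rows * cols overflows size_t exactly when rows > SIZE_MAX / cols */
    if ((size_t)h->rows > SIZE_MAX / h->cols) return false;
    size_t cells = (size_t)h->rows * h->cols;
    if (cells > SIZE_MAX / h->cell_size) return false;
    size_t bytes = cells * h->cell_size;
    if (bytes > limit) return false;
    *out = bytes;
    return true;
}

/* Allocation step a hardened parser would use: NULL means "refuse this file". */
void *alloc_table(const struct cell_table_hdr *h, size_t limit)
{
    size_t bytes;
    if (!table_bytes_checked(h, limit, &bytes)) return NULL;
    return calloc(1, bytes);
}

/* Constructed sample headers wrapped in functions so they can be checked. */
static const struct cell_table_hdr SAMPLE_WRAP = { 0x10000u, 0x10000u, 8u };
static const struct cell_table_hdr SAMPLE_OK   = { 100u, 20u, 8u };
#define SAMPLE_LIMIT ((size_t)64u << 20)         /* 64 MiB policy cap */

size_t sample_wrap_unchecked(void) { return table_bytes_unchecked(&SAMPLE_WRAP); }
bool   sample_wrap_accepted(void)  { size_t n; return table_bytes_checked(&SAMPLE_WRAP, SAMPLE_LIMIT, &n); }
size_t sample_ok_bytes(void)       { size_t n; return table_bytes_checked(&SAMPLE_OK, SAMPLE_LIMIT, &n) ? n : 0; }

int main(void)
{
    printf("unchecked size for wrapping header: %zu bytes\n", sample_wrap_unchecked());
    printf("checked path accepts wrapping header: %s\n", sample_wrap_accepted() ? "yes" : "no");
    printf("checked size for sane header: %zu bytes\n", sample_ok_bytes());
    void *t = alloc_table(&SAMPLE_OK, SAMPLE_LIMIT);
    free(t);
    return 0;
}
```

The policy cap matters as much as the overflow test: a 64-bit build may not wrap at all for these values, but it will still happily try to allocate tens of gigabytes for a few bytes of malformed header, which is the denial-of-service outcome the advisory describes.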

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.0.0b-1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.0g-1+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 1.0.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.2-1.

We recommend that you upgrade your freexl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3311-1] mariadb-10.0 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3311-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
July 20, 2015                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mariadb-10.0
CVE ID : CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501
CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573
CVE-2015-3152

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.20. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10017-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10018-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10019-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10020-release-notes/

For the stable distribution (jessie), these problems have been fixed in
version 10.0.20-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.20-1 or earlier versions.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/