Debian 9858 Published by

6 updates has been released for Debian 6 LTS and 3 for Debian 7:

[DLA 146-1] krb5 security update
[DLA 147-1] wpasupplicant security update
[DLA 148-1] sympa security update
[DLA 149-1] ntp security update
[DLA 150-1] unzip security update
[DLA 151-1] libxml2 security update
[DSA 2978-2] libxml2 security update
[DSA 3154-2] ntp security update
[DSA 3156-1] liblivemedia security update



[DLA 146-1] krb5 security update

Package : krb5
Version : 1.8.3+dfsg-4squeeze9
CVE ID : CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423

Multiples vulnerabilities have been found in krb5, the MIT
implementation of Kerberos:

CVE-2014-5352

Incorrect memory management in the libgssapi_krb5 library might
result in denial of service or the execution of arbitrary code.

CVE-2014-9421

Incorrect memory management in kadmind's processing of XDR data
might result in denial of service or the execution of arbitrary code.

CVE-2014-9422

Incorrect processing of two-component server principals might result
in impersonation attacks.

CVE-2014-9423

An information leak in the libgssrpc library.

[DLA 147-1] wpasupplicant security update

Package : wpasupplicant
Version : 0.6.10-2.1+deb6u1
CVE ID : CVE-2014-3686

It was discovered that wpasupplicant could be tricked into executing
arbitrary commands when calling action scripts.


[DLA 148-1] sympa security update

Package : sympa
Version : 6.0.1+dfsg-4+squeeze3
CVE ID : CVE-2015-1306

A vulnerability has been discovered in the web interface of sympa, a
mailing list manager. An attacker could take advantage of this flaw in
the newsletter posting area, which allows sending to a list, or to
oneself, any file located on the server filesystem and readable by the
sympa user.


[DLA 149-1] ntp security update

Package : ntp
Version : 1:4.2.6.p2+dfsg-1+deb6u2
CVE ID : CVE-2014-9297 CVE-2014-9298

Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2014-9297

Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (ntpd crash).

CVE-2014-9298

Stephen Roettger of the Google Security Team reported that ACLs
based on IPv6 ::1 addresses can be bypassed.



[DLA 150-1] unzip security update

Package : unzip
Version : 6.0-4+deb6u2
CVE ID : CVE-2014-8139 CVE-2014-9636
Debian Bug : 775640 776589

A flaw was found in the test_compr_eb() function allowing out-of-bounds
read and write access to memory locations. By carefully crafting a
corrupt ZIP archive an attacker can trigger a heap overflow, resulting
in application crash or possibly having other unspecified impact.

Additionally this update corrects a defective patch applied to address
CVE-2014-8139, which caused a regression with executable jar files.


[DLA 151-1] libxml2 security update

Package : libxml2
Version : 2.7.8.dfsg-2+squeeze11
CVE ID : CVE-2014-0191 CVE-2014-3660
Debian Bug : 768089

It was discovered that the update released for libxml2 in DSA 2978 fixing
CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external
entities regardless of whether entity substitution or validation is
enabled.

In addition, this update addresses a regression introduced in DSA 3057 by
the patch fixing CVE-2014-3660. This caused libxml2 to not parse an
entity when it's used first in another entity referenced from an
attribute value.

[DSA 2978-2] libxml2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2978-2 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
February 06, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2014-0191 CVE-2014-3660
Debian Bug : 768089

It was discovered that the update released for libxml2 in DSA 2978 fixing
CVE-2014-0191 was incomplete. This caused libxml2 to still fetch external
entities regardless of whether entity substitution or validation is
enabled.

In addition, this update addresses a regression introduced in DSA 3057 by
the patch fixing CVE-2014-3660. This caused libxml2 to not parse an
entity when it's used first in another entity referenced from an
attribute value.

For the stable distribution (wheezy), these problems have been fixed in
version 2.8.0+dfsg1-7+wheezy3.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 2.9.1+dfsg1-4.

For the unstable distribution (sid), these problems have been fixed in
version 2.9.1+dfsg1-4.

We recommend that you upgrade your libxml2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3154-2] ntp security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3154-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
February 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntp
CVE ID : CVE-2014-9297

Marc Deslauriers reported that the patch applied to ntp for CVE-2014-9297
in DSA 3154-1 was incomplete. This update corrects that problem. For
reference, the relevant part of the original advisory text follows.

Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2014-9297

Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (ntpd crash).

For the stable distribution (wheezy), this problem has been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:4.2.6.p5+dfsg-5.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3156-1] liblivemedia security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3156-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
February 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : liblivemedia
CVE ID : CVE-2013-6933

A vulnerability was found in liveMedia, a set of C++ libraries for
multimedia streaming. RTSP messages starting with whitespace were assumed
to have a zero length, triggering an integer underflow, infinite loop,
and then a buffer overflow. This could allow remote attackers to cause a
denial of service (crash) or arbitrary code execution via crafted RTSP
messages.

The packages vlc and mplayer have also been updated to reflect this
improvement.

For the stable distribution (wheezy), this problem has been fixed in
liblivemedia version 2012.05.17-1+wheezy1, vlc version 2.0.3-5+deb7u2+b1,
and mplayer version 2:1.0~rc4.dfsg1+svn34540-1+deb7u1.

For the upcoming stable distribution (jessie), this problem has been
fixed in liblivemedia version 2014.01.13-1.

For the unstable distribution (sid), this problem has been fixed in
liblivemedia version 2014.01.13-1.

We recommend that you upgrade your liblivemedia, vlc, and mplayer
packages.

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/