Debian 9858 Published by

The following 3 security updates has been released for Debian GNU/Linux:

[DSA 2950-2] openssl update
[DSA 2960-1] icedove security update
[DSA 2961-1] php5 security update



[DSA 2950-2] openssl update

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2950-2 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 16, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

This update updates the upstream fix for CVE-2014-0224 to address
problems with CCS which could result in problems with the Postgres
database.

In addition this update disables ZLIB compress by default. If you need
to re-enable it for some reason, you can set the environment variable
OPENSSL_NO_DEFAULT_ZLIB.

This update also fixes a header declaration which could result in
build failures in applications using OpenSSL.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u11.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2960-1] icedove security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2960-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 16, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2014-1533 CVE-2014-1538 CVE-2014-1541 CVE-2014-1545

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and buffer overflows may lead to the execution of arbitrary code
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 24.6.0-1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2961-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2961-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
June 16, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2014-4049
Debian Bug : 751364

It was discovered that PHP, a general-purpose scripting language
commonly used for web application development, is vulnerable to a
heap-based buffer overflow in the DNS TXT record parsing. A malicious
server or man-in-the-middle attacker could possibly use this flaw to
execute arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query.

For the stable distribution (wheezy), this problem has been fixed in
version 5.4.4-14+deb7u11.

For the testing distribution (jessie), this problem has been fixed in
version 5.6.0~beta4+dfsg-3.

For the unstable distribution (sid), this problem has been fixed in
version 5.6.0~beta4+dfsg-3.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/