Debian 10165 Published by

The following two updates has been released for Debian 7 LTS:

[DLA 474-1] dosfstools security update
[DLA 475-1] python-tornado security update



[DLA 474-1] dosfstools security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package : dosfstools
Version : 3.0.13-1+deb7u1
CVE IDs : CVE-2015-8872 CVE-2016-4804

It was discovered that there was an invalid memory and heap overflow
vulnerability in dosfstools, a collection of utilities for making and
checking MS-DOS FAT filesystems.

For Debian 7 "Wheezy", this issue has been fixed in dosfstools version
3.0.13-1+deb7u1.

We recommend that you upgrade your dosfstools packages.

[DLA 475-1] python-tornado security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package : python-tornado
Version : 2.3-2+deb7u1
CVE ID : CVE-2014-9720

It was discovered that python-tornado, a Python web framework and
asynchronous networking library, was susceptible for the BREACH attack.
The XSRF token is now encoded with a random mask on each request. This
makes it safe to include in compressed pages without being vulnerable.

For Debian 7 "Wheezy", these problems have been fixed in version
2.3-2+deb7u1.

We recommend that you upgrade your python-tornado packages.