Debian 10165 Published by

The following updates has been released for Debian:

[DLA 398-1] privoxy security update
[DLA 399-1] foomatic-filters security update
[DLA 400-1] pound security update
[DSA 3452-1] claws-mail security update



[DLA 398-1] privoxy security update

Package : privoxy
Version : 3.0.16-1+deb6u1
CVE ID : CVE-2016-1982 CVE-2016-1983


CVE-2016-1982
Prevent invalid reads in case of corrupt chunk-encoded content

CVE-2016-1983
Remove empty Host headers in client requests; resulting in
invalid reads.

[DLA 399-1] foomatic-filters security update

Package : foomatic-filters
Version : 4.0.5-6+squeeze2+deb6u13
CVE ID : not yet assigned

cups-filters contains multiple buffer overflows caused by lack of size
checks when copying from environment variables to local buffers (strcpy)
as well on string concatenation operations (strcat).

[DLA 400-1] pound security update

Package : pound
Version : 2.6-1+deb6u1
CVE ID : CVE-2009-3555 CVE-2011-3389 CVE-2012-4929 CVE-2014-3566

This update fixes certain known vulnerabilities in pound in squeeze-lts by
backporting the version in wheezy.

CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
3.12.4 and earlier, multiple Cisco products, and other products,
does not properly associate renegotiation handshakes with an
existing connection, which allows man-in-the-middle attackers to
insert data into HTTPS sessions, and possibly other types of
sessions protected by TLS or SSL, by sending an unauthenticated
request that is processed retroactively by a server in a
post-renegotiation context, related to a "plaintext injection"
attack, aka the "Project Mogul" issue.

CVE-2011-3389
The SSL protocol, as used in certain configurations in Microsoft
Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
Chrome, Opera, and other products, encrypts data by using CBC mode
with chained initialization vectors, which allows man-in-the-middle
attackers to obtain plaintext HTTP headers via a blockwise
chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the
Java URLConnection API, or (3) the Silverlight WebClient API, aka a
"BEAST" attack.

CVE-2012-4929
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google
Chrome, Qt, and other products, can encrypt compressed data without
properly obfuscating the length of the unencrypted data, which
allows man-in-the-middle attackers to obtain plaintext HTTP headers
by observing length differences during a series of guesses in which
a string in an HTTP request potentially matches an unknown string in
an HTTP header, aka a "CRIME" attack.

CVE-2014-3566
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the "POODLE" issue.

[DSA 3452-1] claws-mail security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3452-1 security@debian.org
https://www.debian.org/security/ Ben Hutchings
January 23, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : claws-mail
CVE ID : CVE-2015-8614

"DrWhax" of the Tails project reported that Claws Mail is missing
range checks in some text conversion functions. A remote attacker
could exploit this to run arbitrary code under the account of a user
that receives a message from them using Claws Mail.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.8.1-2+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 3.11.1-3+deb8u1.

We recommend that you upgrade your claws-mail packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/