
The following updates have been released for Debian GNU/Linux:

[DLA 138-1] jasper security update
[DLA 140-1] rpm security update
[DLA 141-1] libksba security update
[DLA 142-1] privoxy security update
[DSA 3143-1] virtualbox security update

[DLA 138-1] jasper security update

Package : jasper
Version : 1.900.1-7+squeeze4
CVE ID : CVE-2014-8157 CVE-2014-8158
Debian Bug : 775970

An off-by-one flaw, leading to a heap-based buffer overflow
(CVE-2014-8157), and an unrestricted stack memory use flaw
(CVE-2014-8158) were found in JasPer, a library for manipulating
JPEG-2000 files. A specially crafted file could cause an application
using JasPer to crash or, possibly, execute arbitrary code.

[DLA 140-1] rpm security update

Package : rpm
Version : 4.8.1-6+squeeze2
CVE ID : CVE-2012-0060 CVE-2012-0061 CVE-2012-0815 CVE-2013-6435

Several vulnerabilities have been fixed in rpm:

Fix integer overflow which allowed remote attackers to execute arbitrary

Prevent remote attackers from executing arbitrary code via crafted
RPM files.

Fix denial of service and possible code execution via a negative value in
a region offset in crafted RPM files.

CVE-2012-0060 and CVE-2012-0061

Prevent denial of service (crash) and possible arbitrary code
execution via an invalid region tag in RPM files.

We recommend that you upgrade your rpm packages.

[DLA 141-1] libksba security update

Package : libksba
Version : 1.0.7-2+deb6u1
CVE ID : CVE-2014-9087

A vulnerability has been fixed in the libksba X.509 and CMS support library:

CVE-2014-9087:

Fix buffer overflow in ksba_oid_to_str reported by Hanno Böck.

We recommend that you upgrade your libksba packages.

[DLA 142-1] privoxy security update

Package : privoxy
Version : 3.0.16-1+deb6u1
CVE ID : CVE-2015-1031 CVE-2015-1381 CVE-2015-1382

Several vulnerabilities have been fixed in privoxy, a privacy enhancing
HTTP proxy:

CVE-2015-1031, CID66394:

unmap(): Prevent use-after-free if the map only consists of one item.

CVE-2015-1031, CID66376 and CID66391:

pcrs_execute(): Consistently set *result to NULL in case of errors.
Should make use-after-free in the caller less likely.
CVE-2015-1381:

Fix multiple segmentation faults and memory leaks in the pcrs code.

CVE-2015-1382:

Fix invalid read to prevent potential crashes.

We recommend that you upgrade your privoxy packages.

[DSA 3143-1] virtualbox security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3143-1 Moritz Muehlenhoff
January 28, 2015
-------------------------------------------------------------------------

Package : virtualbox
CVE ID : CVE-2015-0377 CVE-2015-0418

Two vulnerabilities have been discovered in VirtualBox, an x86
virtualisation solution, which might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.18-dfsg-2+deb7u4.

For the unstable distribution (sid), these problems have been fixed in
version 4.3.18-dfsg-2.

We recommend that you upgrade your virtualbox packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at:
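The check a practitioner wants after reading a digest like this is whether the installed packages are already at or above the fixed versions. The script below is an added example, not part of the advisories or of any Debian tool: it parses the `Package :` / `Version :` fields of DLA entries and the "For the stable distribution (wheezy) ... fixed in version X." prose of DSA entries, then compares installed versions using a port of dpkg's `verrevcmp()` ordering (epoch, then upstream, then revision; `~` sorts before everything, digit runs compare numerically). The sample advisory text and the installed-version map are constructed for the example; on a real system the map would come from `dpkg-query -W -f '${Package} ${Version}\n'`. Two assumptions are labelled in the code: DLAs of this period are treated as squeeze advisories, and the advisory names source packages (libksba), whereas dpkg reports binary packages (libksba8), so those have to be mapped before the check is meaningful.

```python
# Added example, not from the advisories or any Debian tool: parse fixed versions
# out of DLA/DSA text and flag installed packages below them, ordered as dpkg does.
import re
from typing import NamedTuple, Tuple

# Constructed sample: header lines of two of the advisories above.
ADVISORY_TEXT = """\
[DLA 138-1] jasper security update
Package : jasper
Version : 1.900.1-7+squeeze4
CVE ID : CVE-2014-8157 CVE-2014-8158
[DSA 3143-1] virtualbox security update
Package : virtualbox
CVE ID : CVE-2015-0377 CVE-2015-0418
For the stable distribution (wheezy), these problems have been fixed in
version 4.1.18-dfsg-2+deb7u4.
For the unstable distribution (sid), these problems have been fixed in
version 4.3.18-dfsg-2.
"""
# Constructed stand-in for `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_INSTALLED = {"jasper": "1.900.1-7+squeeze3",        # one revision short
                    "virtualbox": "4.1.18-dfsg-2+deb7u3"}   # wheezy, one short

HEADER_RE = re.compile(r"^\[(D[LS]A \d+-\d+)\]\s+(\S+) security update\s*$", re.M)
FIELD_RE = re.compile(r"^(Package|Version|CVE ID)\s*:\s*(.+?)\s*$", re.M)
SUITE_RE = re.compile(r"For the \w+ distribution \((\w+)\),[^.]*?version (\S+)\.")


class Advisory(NamedTuple):
    id: str
    package: str      # source package as the advisory names it (libksba, not libksba8)
    suite: str
    version: str      # first fixed version for that suite
    cves: Tuple[str, ...]


def _order(c):
    """dpkg weight of one char: '~' < end-of-string/digit < letters < other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1      # only reached when both chars are non-digits
        while a[i:i + 1] == "0": i += 1   # leading zeros are not significant
        while b[j:j + 1] == "0": j += 1
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit() != b[j:j + 1].isdigit():   # longer digit run is larger
            return 1 if a[i:i + 1].isdigit() else -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is <, == or > b ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_advisories(text):
    """One Advisory per (advisory, suite) pair that states a fixed version."""
    heads = list(HEADER_RE.finditer(text))
    found = []
    for n, h in enumerate(heads):
        body = text[h.end():heads[n + 1].start() if n + 1 < len(heads) else len(text)]
        fields = dict(FIELD_RE.findall(body))
        cves = tuple(fields.get("CVE ID", "").split())
        pkg = fields.get("Package", h.group(2))
        if "Version" in fields:   # DLA layout; assumes DLAs of this period target squeeze
            found.append(Advisory(h.group(1), pkg, "squeeze", fields["Version"], cves))
        for suite, version in SUITE_RE.findall(body):   # DSA prose, one entry per suite
            found.append(Advisory(h.group(1), pkg, suite, version, cves))
    return found


def outstanding(advisories, installed, suites=None):
    """(advisory, package, suite, installed, fixed) for every package still below its fix."""
    return [(a.id, a.package, a.suite, installed[a.package], a.version)
            for a in advisories
            if (suites is None or a.suite in suites) and a.package in installed
            and compare_versions(installed[a.package], a.version) < 0]
```

Calling `outstanding(parse_advisories(ADVISORY_TEXT), SAMPLE_INSTALLED, {"squeeze", "wheezy"})` reports jasper and the wheezy virtualbox build as still vulnerable; the sid entry is skipped by the suite filter, which matters because a version that is simply lower than another suite's fix says nothing about whether the running suite is patched. The ordering function is the part worth reusing: a naive string or tuple comparison gets `1.0~rc1 < 1.0`, `1.02 == 1.2` and `1:1.0 > 2.0` wrong, and all three shapes occur in real Debian version strings.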