
The following updates have been released for Debian:

[DLA 392-1] roundcube security update
[DSA 3447-1] tomcat7 security update



[DLA 392-1] roundcube security update

Package : roundcube
Version : 0.3.1-6+deb6u1
CVE ID : CVE-2015-8770

High-Tech Bridge Security Research Lab discovered a path traversal
vulnerability in Roundcube, a popular webmail client. The vulnerability can
be exploited to gain access to sensitive information and, under certain
circumstances, to execute arbitrary code and fully compromise the
vulnerable server.

The vulnerability exists due to insufficient sanitization of the "_skin" HTTP
POST parameter in the "/index.php" script when switching between skins of the
web application. A remote authenticated attacker can use path traversal
sequences (e.g. "../../") to load a skin from an arbitrary location on the
system that is readable by the webserver, instead of from the skins directory.
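The following is an added illustration, not Roundcube's own code (Roundcube is written in PHP; Python is used here as a stand-in). It shows why an unvalidated skin name is a path traversal primitive and one way to constrain it: restrict the name to an identifier-like pattern, then confirm that the resolved directory is still inside the skins root and exists. The directory layout, the file name "db.inc.php" and the traversal payload are constructed for the demo.

```python
"""Added illustration (not Roundcube's code): an unvalidated "_skin" value
resolved against the skins directory versus a validated one.

Assumed layout: a skins/ directory containing one subdirectory per skin,
created in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile

# Skin names are short identifiers; anything else is rejected.
# (Assumption: real skin names such as "default" fit this pattern.)
SKIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_skin_vulnerable(skins_root, skin):
    """Naive join of the user-supplied skin value, as an unchecked
    implementation would do. "../" sequences escape skins_root."""
    return os.path.normpath(os.path.join(skins_root, skin))


def resolve_skin_hardened(skins_root, skin):
    """Accept only identifier-like names, then confirm the resolved
    directory is inside skins_root and actually exists. Returns the
    resolved path or None when the request is rejected."""
    if not SKIN_NAME_RE.match(skin):
        return None
    root = os.path.realpath(skins_root)
    candidate = os.path.realpath(os.path.join(root, skin))
    # realpath follows symlinks, so a skin directory symlinked to a
    # location outside the root is also caught by the containment check.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isdir(candidate):
        return None
    return candidate


def demo():
    """Build a throwaway skins/ tree and run both resolvers on a legitimate
    name and on a traversal payload. Returns the results for checking."""
    base = tempfile.mkdtemp()
    skins_root = os.path.join(base, "skins")
    os.makedirs(os.path.join(skins_root, "default"))

    # A constructed file outside skins/, standing in for any file the
    # web server user can read.
    secret = os.path.join(base, "config", "db.inc.php")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as fh:
        fh.write("<?php $rcmail_config['db_dsnw'] = 'constructed-secret';\n")

    payload = "../config/db.inc.php"  # constructed traversal value
    results = {
        "skins_root": skins_root,
        "vuln_default": resolve_skin_vulnerable(skins_root, "default"),
        "vuln_payload": resolve_skin_vulnerable(skins_root, payload),
        "hard_default": resolve_skin_hardened(skins_root, "default"),
        "hard_payload": resolve_skin_hardened(skins_root, payload),
        "hard_missing": resolve_skin_hardened(skins_root, "nosuchskin"),
    }
    # The vulnerable resolver lands exactly on the file outside skins/.
    results["vuln_escaped"] = results["vuln_payload"] == os.path.normpath(secret)
    return results


if __name__ == "__main__":
    r = demo()
    print("vulnerable, payload ->", r["vuln_payload"],
          "(escaped skins root:", r["vuln_escaped"], ")")
    print("hardened,   payload ->", r["hard_payload"])
    print("hardened,   default ->", r["hard_default"])
```

The allowlist regex does the real work; the realpath containment check is a second line of defence against symlinks and against a later change that relaxes the pattern. Rejecting names that do not resolve to an existing directory also avoids leaking, through error messages, whether arbitrary paths exist.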

[DSA 3447-1] tomcat7 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3447-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 17, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat7
CVE ID : CVE-2014-7810

It was discovered that malicious web applications could use the
Expression Language to bypass the protections of a Security Manager, as
expressions were evaluated within a privileged code section.

For the oldstable distribution (wheezy), this problem has been fixed
in version 7.0.28-4+deb7u3. This update also provides fixes for
CVE-2013-4444, CVE-2014-0075, CVE-2014-0099, CVE-2014-0227 and
CVE-2014-0230, which were all fixed for the stable distribution (jessie)
already.

For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 7.0.61-1.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.61-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/