The following updates have been released for Debian 6 LTS:
[DLA 322-1] commons-httpclient security update
[DLA 323-1] fuseiso security update
[DLA 324-1] binutils security update
[DLA 322-1] commons-httpclient security update
Package : commons-httpclient
Version : 3.1-9+deb6u2
CVE ID : CVE-2015-5262
Trevin Beattie [1] discovered an issue where one could observe hanging
threads in a multi-threaded Java application. After debugging the issue,
it became evident that the hanging threads were caused by the SSL
initialization code in commons-httpclient.
This upload fixes this issue by respecting the configured SO_TIMEOUT
during SSL handshakes with the server.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1259892
[DLA 323-1] fuseiso security update
Package : fuseiso
Version : 20070708-2+deb6u1
Debian Bug : #779047
The following two issues have recently been fixed in Debian LTS (squeeze)
for the fuseiso package.
Issue 1
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way FuseISO, a FUSE module to mount ISO filesystem
images, performed reading of certain ZF blocks of particular inodes.
A remote attacker could provide a specially-crafted ISO file that,
when mounted via the fuseiso tool, would lead to a fuseiso binary crash.
This issue was discovered by Florian Weimer of Red Hat Product
Security Team.
The issue got resolved by bailing out before ZF blocks that exceed the
supported block size of 2^17 are to be read.
Issue 2
A stack-based buffer overflow flaw was found in the way FuseISO, a
FUSE module to mount ISO filesystem images, performed expanding of
directory portions for absolute path filename entries. A remote
attacker could provide a specially-crafted ISO file that, when
mounted via the fuseiso tool, would lead to a fuseiso binary crash or,
potentially, arbitrary code execution with the privileges of the user
running the fuseiso executable.
This issue was discovered by Florian Weimer of Red Hat Product
Security Team.
The issue got resolved by checking the resulting length of an
absolute path name and by bailing out if the platform's PATH_MAX
value gets exceeded.
[DLA 324-1] binutils security update
Package : binutils
Version : 2.20.1-16+deb6u2
CVE ID : CVE-2012-3509
Debian Bug : 688951
This update fixes several issues as described below.
PR ld/12613 (no CVE assigned)
Niranjan Hasabnis discovered that passing a malformed linker
script to GNU ld, part of binutils, may result in a stack buffer
overflow. If the linker is used with untrusted object files, this
would allow remote attackers to cause a denial of service (crash)
or possibly privilege escalation.
CVE-2012-3509
#688951
Sang Kil Cha discovered that a buffer size calculation in
libiberty, part of binutils, may result in integer overflow and
then a heap buffer overflow. If libiberty or the commands in
binutils are used to read untrusted binaries, this would allow
remote attackers to cause a denial of service (crash) or possibly
privilege escalation.
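An added C example of the defect class described for libiberty, not libiberty's own code: a buffer size computed from an untrusted element count, shown in its unchecked form beside the checked form, plus the header-plus-payload shape in which the addition also needs a check. Function names and the 'limit' cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libiberty's code. A size derived from untrusted
   input wraps around, malloc returns a block smaller than intended, and the
   copy that follows overruns the heap. */

/* Unchecked: count * elem_size wraps silently in size_t. */
size_t unchecked_buffer_size(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked: returns 0 and stores the product only if it did not overflow. */
int checked_buffer_size(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocation with a fixed header in front of the element array. Returns NULL
   if the multiplication or the addition would wrap, or if the total exceeds
   'limit', a sanity cap the caller chooses for its input format. */
void *alloc_header_and_array(size_t header, size_t count, size_t elem_size,
                             size_t limit, size_t *total_out)
{
    size_t payload, total;
    if (checked_buffer_size(count, elem_size, &payload) != 0)
        return NULL;
    if (payload > SIZE_MAX - header)   /* header + payload must not wrap either */
        return NULL;
    total = header + payload;
    if (total > limit)
        return NULL;
    if (total_out)
        *total_out = total;
    return calloc(1, total);
}

/* Stand-alone check: a count that wraps to 0 when multiplied by 4 is
   accepted by the unchecked form and rejected by the checked one. */
int wrap_is_detected(void)
{
    size_t size;
    size_t count = SIZE_MAX / 2 + 1;   /* 2^(bits-1); times 4 wraps to 0 */
    size_t naive = unchecked_buffer_size(count, 4);
    return naive == 0 && checked_buffer_size(count, 4, &size) == -1;
}

/* Returns the total allocated for the given parameters, or 0 if the
   allocation was refused. */
size_t alloc_demo_total(size_t header, size_t count, size_t elem_size, size_t limit)
{
    size_t total = 0;
    void *p = alloc_header_and_array(header, count, elem_size, limit, &total);
    if (p == NULL)
        return 0;
    free(p);
    return total;
}
```

The 'limit' cap is the cheap second line of defence: even when the arithmetic is correct, a format whose records can never legitimately need gigabytes should refuse sizes that large rather than let a single malformed count exhaust memory.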
PR binutils/18750 (no CVE assigned)
Joshua Rogers reported that passing a malformed ihex (Intel
hexadecimal) file to various commands in binutils may result in
a stack buffer overflow. A similar issue was found in readelf.
If these commands are used to read untrusted binaries, this would
allow remote attackers to cause a denial of service (crash) or
possibly privilege escalation.
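An added C example, not binutils' code, of reading one Intel HEX record into a fixed-size buffer with every length validated against the line and the destination before a byte is stored, the check whose absence turns a malformed record into a stack overflow. The sample records are constructed and the function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not binutils' ihex reader. Record layout:
   ':' LL AAAA TT <2*LL hex digits of data> CC, where the checksum CC makes
   the byte sum of LL, AAAA, TT, data and CC equal 0 modulo 256. */

#define IHEX_MAX_DATA 255   /* the byte-count field is a single byte */

struct ihex_record {
    uint8_t  count;
    uint16_t addr;
    uint8_t  type;
    uint8_t  data[IHEX_MAX_DATA];
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One byte from two hex digits; -1 on a bad digit. */
static int hexbyte(const char *p)
{
    int hi = hexval(p[0]), lo = hexval(p[1]);
    if (hi < 0 || lo < 0) return -1;
    return hi * 16 + lo;
}

/* Parse one record line. Returns 0 on success, -1 on malformed input.
   The declared byte count is checked against the actual line length and
   against the destination buffer before any data byte is written. */
int ihex_parse_record(const char *line, struct ihex_record *rec)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                                   /* tolerate CR/LF line endings */
    if (len < 11 || line[0] != ':')              /* ':' + 8 header digits + 2 checksum digits */
        return -1;
    int count = hexbyte(line + 1);
    int a_hi = hexbyte(line + 3), a_lo = hexbyte(line + 5);
    int type = hexbyte(line + 7);
    if (count < 0 || a_hi < 0 || a_lo < 0 || type < 0)
        return -1;
    /* A count larger than the text actually holds is exactly where a naive
       decoder reads past the line and writes past its buffer. */
    if (len != 11 + (size_t)count * 2)
        return -1;
    if (count > (int)sizeof rec->data)           /* tie the count to the destination size */
        return -1;
    uint8_t sum = (uint8_t)(count + a_hi + a_lo + type);
    for (int i = 0; i < count; i++) {
        int b = hexbyte(line + 9 + 2 * i);
        if (b < 0)
            return -1;
        rec->data[i] = (uint8_t)b;
        sum = (uint8_t)(sum + b);
    }
    int csum = hexbyte(line + 9 + 2 * count);
    if (csum < 0 || (uint8_t)(sum + csum) != 0)  /* checksum must close the sum to 0 */
        return -1;
    rec->count = (uint8_t)count;
    rec->addr = (uint16_t)((a_hi << 8) | a_lo);
    rec->type = (uint8_t)type;
    return 0;
}

/* Constructed sample records: a 16-byte data record, an end-of-file record,
   and a record whose byte count (0xFF) claims far more data than is present. */
static const char IHEX_SAMPLE_DATA[] = ":10010000214601360121470136007EFE09D2190140";
static const char IHEX_SAMPLE_EOF[]  = ":00000001FF";
static const char IHEX_SAMPLE_BAD[]  = ":FF010000214601360121470136007EFE09D2190140";

/* Convenience wrappers: byte count of a record, or -1 if it is rejected;
   data byte i of a record, or -1 if rejected or out of range. */
int ihex_record_count(const char *line)
{
    struct ihex_record rec;
    return ihex_parse_record(line, &rec) == 0 ? rec.count : -1;
}

int ihex_record_byte(const char *line, int i)
{
    struct ihex_record rec;
    if (ihex_parse_record(line, &rec) != 0 || i < 0 || i >= rec.count)
        return -1;
    return rec.data[i];
}
```

Checking the line length against the declared count before the decoding loop is what matters: the checksum alone does not protect the buffer, since it is only computed after the data bytes have already been stored.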
For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.20.1-16+deb6u2.
For the oldstable distribution (wheezy) and the stable distribution
(jessie), PR ld/12613 and CVE-2012-3509 were fixed before release, and
PR binutils/18750 will be fixed in a later update.