Debian 10225 Published by

The following updates has been released for Debian 6 LTS:

[DLA 385-2] isc-dhcp regression update
[DLA 393-1] srtp security update
[DLA 394-1] passenger security update



[DLA 385-2] isc-dhcp regression update

Package : isc-dhcp
Version : 4.1.1-P1-15+squeeze10
CVE ID : CVE-2015-8605
Debian Bug : #810875

With the previous upload of the isc-dhcp package to Debian Squeeze LTS
two issues got introduced into LTS that are resolved by this upload.

(1)

CVE-2015-8605 had only been resolved for the LDAP variant of the DHCP
server package built from the isc-dhcp source package. With upload of
version 4.1.1-P1-15+squeeze10, now all DHCP server variants (LDAP and
non-LDAP alike) include the fix for CVE-2015-8605. Thanks to Ben
Hutchings for spotting this inaccuracy.

(2)

The amd64 binary build of the previously uploaded isc-dhcp version
(4.1.1-P1-15+squeeze9) was flawed and searched for the dhcpd.conf
configuration file at the wrong location [1,2,3]. This flaw in the amd64
build had been caused by a not-100%-pure-squeeze-lts build system on the
maintainer's end. The amd64 build of version 4.1.1-P1-15+squeeze10 has
been redone in a brand-new build environment and does not show the
reported symptom(s) anymore.

I deeply apologize for the experienced inconvenience to all who
encountered this issue.

[1] https://bugs.debian.org/811097
[2] https://bugs.debian.org/811397
[3] https://bugs.debian.org/811402

[DLA 393-1] srtp security update

Package : srtp
Version : 1.4.4~dfsg-6+deb6u2
CVE ID : CVE-2015-6360

Prevent potential DoS attack due to lack of bounds checking on RTP header
CSRC count and extension header length. Credit goes to Randell Jesup and
the Firefox team for reporting this issue.

(As there is no aead mode available in the Squeeze version,
only srtp_unprotect() needed to be patched)

[DLA 394-1] passenger security update

Package : passenger
Version : 2.2.11debian-2+deb6u1
CVE ID : CVE-2015-7519

agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60
and 5.0.x before 5.0.22, when used in Apache integration mode or in
standalone mode without a filtering proxy, allows remote attackers to
spoof headers passed to applications by using an _ (underscore) character
instead of a - (dash) character in an HTTP header, as demonstrated by an
X_User header.