Debian 10260 Published by

The following updates has been released for Debian 7 LTS:

[DLA 488-1] xymon security update
[DLA 489-1] ruby-mail security update
[DLA 490-1] bozohttpd security update



[DLA 488-1] xymon security update

Package : xymon
Version : 4.3.0~beta2.dfsg-9.1+deb7u1
CVE ID : CVE-2016-2054 CVE-2016-2055 CVE-2016-2056 CVE-2016-2058


Markus Krell discovered that Xymon (formerly known as Hobbit), a
network- and applications-monitoring system, was vulnerable to the
following security issues:

CVE-2016-2054

The incorrect handling of user-supplied input in the "config"
command can trigger a stack-based buffer overflow, resulting in
denial of service (via application crash) or remote code execution.

CVE-2016-2055

The incorrect handling of user-supplied input in the "config"
command can lead to an information leak by serving sensitive
configuration files to a remote user.

CVE-2016-2056

The commands handling password management do not properly validate
user-supplied input, and are thus vulnerable to shell command
injection by a remote user.

CVE-2016-2058

Incorrect escaping of user-supplied input in status webpages can
be used to trigger reflected cross-site scripting attacks.


For Debian 7 "Wheezy", these problems have been fixed in version
4.3.0~beta2.dfsg-9.1+deb7u1.

We recommend that you upgrade your xymon packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 489-1] ruby-mail security update

Package : ruby-mail
Version : 2.4.4-2+deb7u1
CVE ID : N/A
Debian Bug : N/A

This security update fixes a security issue in
ruby-mail. We recommend you upgrade your ruby-mail package.

Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) released a
whitepaper entitled "SMTP Injection via recipient email addresses" (
http://www.mbsd.jp/Whitepaper/smtpi.pdf). This whitepaper has a section
discussing how one such vulnerability affected the 'mail' ruby gem (see
section 3.1).

Whitepaper has all the specific details, but basically the 'mail' ruby gem
module is prone to the recipient attack as it does not validate nor
sanitize given recipient addresses. Thus, the attacks described in chapter
2 of the whitepaper can be applied to the gem without any modification. The
'mail' ruby gem itself does not impose a length limit on email addresses,
so an attacker can send a long spam message via a recipient address unless
there is a limit on the application's side. This vulnerability affects only
the applications that lack input validation.

For Debian 7 "Wheezy", these problems have been fixed in version
2.4.4-2+deb7u1.

Further information about Debian LTS security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 490-1] bozohttpd security update

Package : bozohttpd
Version : 20111118-1+deb7u1
CVE ID : CVE-2014-5015 CVE-2015-8212
Debian Bug : 755197

Two security vulnerabilities have been discovered in bozohttpd, a small
HTTP server.

CVE-2014-5015

Bozotic HTTP server (aka bozohttpd) before 201407081 truncates
paths when checking .htpasswd restrictions, which allows remote
attackers to bypass the HTTP authentication scheme and access
restrictions via a long path.

CVE-2015-8212

A flaw in CGI suffix handler support was found, if the -C option
has been used to setup a CGI handler, that could result in remote
code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
20111118-1+deb7u1.

We recommend that you upgrade your bozohttpd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS