Debian 10260 Published by

The following updates has been released for Debian 7 LTS:

[DLA 504-1] libxstream-java security update
[DLA 505-1] libpdfbox-java security update
[DLA 508-1] expat security update



[DLA 504-1] libxstream-java security update

Package : libxstream-java
Version : 1.4.2-1+deb7u1
CVE ID : CVE-2016-3674
Debian Bug : 819455

It was discovered that XStream, a Java library to serialize objects to
XML and back again, was susceptible to XML External Entity attacks.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.2-1+deb7u1.

We recommend that you upgrade your libxstream-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 505-1] libpdfbox-java security update

Package : libpdfbox-java
Version : 1:1.7.0+dfsg-4+deb7u1
CVE ID : CVE-2016-2175


Apache PDFBox did not properly initialize the XML parsers, which
allows context-dependent attackers to conduct XML External Entity
(XXE) attacks via a crafted PDF. This may lead to the disclosure of
confidential data, denial of service, server side request forgery,
port scanning from the perspective of the machine where the parser is
located, and other system impacts.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.7.0+dfsg-4+deb7u1.

We recommend that you upgrade your libpdfbox-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 508-1] expat security update

Package : expat
Version : 2.1.0-1+deb7u4
CVE ID : CVE-2012-6702 CVE-2016-5300


Two related issues have been discovered in Expat, a C library for
parsing XML.

CVE-2012-6702

This issue was introduced when CVE-2012-0876 was addressed. Stefan
Sørensen discovered that the use of the function XML_Parse() seeds
the random number generator generating repeated outputs for rand()
calls.

CVE-2016-5300

This is the product of an incomplete solution for CVE-2012-0876. The
parser poorly seeds the random number generator allowing an
attacker to cause a denial of service (CPU consumption) via an XML
file with crafted identifiers.

You might need to manually restart programs and services using expat
libraries.

For Debian 7 "Wheezy", these problems have been fixed in version
2.1.0-1+deb7u4.

We recommend that you upgrade your expat packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS