Debian 10225 Published by

The following updates has been released for Debian 7 LTS:

[DLA 581-1] libreoffice security update
[DLA 582-1] libidn security update
[DLA 583-1] lighttpd security update



[DLA 581-1] libreoffice security update

Package : libreoffice
Version : 1:3.5.4+dfsg2-0+deb7u7
CVE ID : CVE-2016-4324

Aleksandar Nikolic discovered that missing input sanitising in
the RTF parser in Libreoffice may result in the execution of
arbitrary code if a malformed documented is opened.

For Debian 7 "Wheezy", these problems have been fixed in version
1:3.5.4+dfsg2-0+deb7u7.

We recommend that you upgrade your libreoffice packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 582-1] libidn security update

Package : libidn
Version : 1.25-2+deb7u2
CVE ID : CVE-2015-8948 CVE-2016-6261 CVE-2016-6263

Multiple vulnerabilities have been discovered in libidn. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-8948

When idn is reading one zero byte as input an out-of-bounds-read occurred.

CVE-2016-6261

An out-of-bounds stack read is exploitable in idna_to_ascii_4i.

CVE-2016-6263

stringprep_utf8_nfkc_normalize reject invalid UTF-8, causes a crash.

For Debian 7 "Wheezy", these problems have been fixed in version
1.25-2+deb7u2.

We recommend that you upgrade your libidn packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 583-1] lighttpd security update

Package : lighttpd
Version : 1.4.31-4+deb7u5
CVE ID : CVE-2016-1000212
Debian Bug : 832571

Dominic Scheirlinck and Scott Geary of Vend reported an insecure
behaviour in the lighttpd web server. Lighttpd assigned Proxy header
values from client requests to internal HTTP_PROXY environment
variables. This could be used to carry out Man in the Middle Attacks
(MIDM) or create connections to arbitrary hosts.

For Debian 7 "Wheezy", this issue has been fixed in version
1.4.31-4+deb7u5.

We recommend that you upgrade your lighttpd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS