Debian 10225 Published by

The following Debian updates has been released:

[DSA 3068-1] konversation security update
[DSA 3069-1] curl security update
[DSA 3070-1] kfreebsd-9 security update



[DSA 3068-1] konversation security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3068-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
November 07, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : konversation
CVE ID : CVE-2014-8483

It was discovered that Konversation, an IRC client for KDE, could by
crashed when receiving malformed messages using FiSH encryption.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4-1+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.5-1.

We recommend that you upgrade your konversation packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3069-1] curl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3069-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
November 07, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2014-3707

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL, an URL transfer library, has a bug that can lead to libcurl
eventually sending off sensitive data that was not intended for sending,
while performing a HTTP POST operation.

This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be
used in that order, and then the duplicate handle must be used to
perform the HTTP POST. The curl command line tool is not affected by
this problem as it does not use this sequence.

For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy11.

For the upcoming stable distribution (jessie), this problem will be
fixed in version 7.38.0-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.38.0-3.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3070-1] kfreebsd-9 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3070-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
November 07, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : kfreebsd-9
CVE ID : CVE-2014-3711 CVE-2014-3952 CVE-2014-3953 CVE-2014-8476

Several vulnerabilities have been discovered in the FreeBSD kernel that
may lead to a denial of service or information disclosure.

CVE-2014-3711

Denial of service through memory leak in sandboxed namei lookups.

CVE-2014-3952

Kernel memory disclosure in sockbuf control messages.

CVE-2014-3953

Kernel memory disclosure in SCTP. This update disables SCTP, since the
userspace tools shipped in Wheezy didn't support SCTP anyway.

CVE-2014-8476

Kernel stack disclosure in setlogin() and getlogin().

For the stable distribution (wheezy), these problems have been fixed in
version 9.0-10+deb70.8.

We recommend that you upgrade your kfreebsd-9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/