Debian 10225 Published by

The following security updates are available for Debian GNU/Linux:

[DLA 131-1] file security update
[DSA 3123-1] binutils security update
[DSA 3124-1] otrs2 security update



[DLA 131-1] file security update

Package : file
Version : 5.04-5+squeeze9
CVE ID : CVE-2014-8116 CVE-2014-8117
Debian Bug : 773148

Multiple security issues have been found in file, a tool/library to
determine a file type. Processing a malformed file could result in
denial of service. Most of the changes are related to parsing ELF
files.

As part of the fixes, several limits on aspects of the detection were
added or tightened, sometimes resulting in messages like "recursion
limit exceeded" or "too many program header sections".

To mitigate such shortcomings, these limits are controllable by a new
"-R"/"--recursion" parameter in the file program. Note: A future
upgrade for file in squeeze-lts might replace this with the "-P"
parameter to keep usage consistent across all distributions.


CVE-2014-8116

The ELF parser (readelf.c) allows remote attackers to cause a
denial of service (CPU consumption or crash).

CVE-2014-8117

softmagic.c does not properly limit recursion, which allows remote
attackers to cause a denial of service (CPU consumption or crash).

(no identifier has been assigned so far)

out-of-bounds memory access



[DSA 3123-1] binutils security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3123-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
January 09, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : binutils
CVE ID : CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502
CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738

Multiple security issues have been found in binutils, a toolbox for
binary file manipulation. These vulnerabilities include multiple memory
safety errors, buffer overflows, use-after-frees and other implementation
errors
may lead to the execution of arbitrary code, the bypass of security
restrictions, path traversal attack or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 2.22-8+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.25-3.

We recommend that you upgrade your binutils packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3124-1] otrs2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3124-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
January 10, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : otrs2
CVE ID : CVE-2014-9324

Thorsten Eckel of Znuny GMBH and Remo Staeuble of InfoGuard discovered
a privilege escalation vulnerability in otrs2, the Open Ticket Request
System. An attacker with valid OTRS credentials could access and
manipulate ticket data of other users via the GenericInterface, if a
ticket webservice is configured and not additionally secured.

For the stable distribution (wheezy), this problem has been fixed in
version 3.1.7+dfsg1-8+deb7u5.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 3.3.9-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.9-3.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/