The following Debian updates have been released:

[DSA 3164-1] typo3-src security update
[DSA 3165-1] xdg-utils security update
[DSA 3166-1] e2fsprogs security update

[DSA 3164-1] typo3-src security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3164-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 21, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : typo3-src
CVE ID : not yet available

Pierrick Caillon discovered that the authentication could be bypassed in
the TYPO3 content management system. Please refer to the upstream
advisory for additional information:
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/

For the stable distribution (wheezy), this problem has been fixed in
version 4.5.19+dfsg1-5+wheezy4.

The upcoming stable distribution (jessie) no longer includes TYPO3.

For the unstable distribution (sid), this problem has been fixed in
version 4.5.40+dfsg1-1.

We recommend that you upgrade your typo3-src packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3165-1] xdg-utils security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3165-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
February 21, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xdg-utils
CVE ID : CVE-2015-1877
Debian Bug : 777722

Jiri Horner discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user's preferred application, to execute arbitrary
commands remotely.

This problem only affects /bin/sh implementations that don't sanitize
local variables. Dash, which is the default /bin/sh in Debian, is
affected. Bash as /bin/sh is known to be unaffected.

For the stable distribution (wheezy), this problem has been fixed in
version 1.1.0~rc1+git20111210-6+deb7u3.

For the upcoming stable (jessie) and unstable (sid) distributions,
this problem will be fixed soon.

We recommend that you upgrade your xdg-utils packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3166-1] e2fsprogs security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3166-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
February 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : e2fsprogs
CVE ID : CVE-2015-0247 CVE-2015-1572
Debian Bug : 778948

Jose Duart of the Google Security Team discovered a buffer overflow in
e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file
systems. This issue can possibly lead to arbitrary code execution if
a malicious device is plugged in, the system is configured to
automatically mount it, and the mounting process chooses to run fsck
on the device's malicious filesystem.

CVE-2015-0247

Buffer overflow in the ext2/ext3/ext4 file system open/close routines.

CVE-2015-1572

Incomplete fix for CVE-2015-0247.

For the stable distribution (wheezy), these problems have been fixed in
version 1.42.5-1.1+deb7u1.

For the upcoming stable (jessie) and unstable (sid) distributions,
these problems will be fixed soon.

We recommend that you upgrade your e2fsprogs packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/