Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 238-1] fuse security update
[DSA 3279-1] redis security update
[DSA 3280-1] php5 security update



[DLA 238-1] fuse security update

Package : fuse
Version : 2.8.4-1.1+deb6u1
CVE ID : CVE-2015-3202
Debian Bug : #786439

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

For the old-oldstable distribution (squeeze-lts), this problem has been
fixed in version 2.8.4-1.1+deb6u1.

We recommend that you upgrade your fuse packages.


[DSA 3279-1] redis security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3279-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
June 06, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : redis
CVE ID : CVE-2015-4335

It was discovered that redis, a persistent key-value database, could
execute insecure Lua bytecode by way of the EVAL command. This could
allow remote attackers to break out of the Lua sandbox and execute
arbitrary code.

For the stable distribution (jessie), this problem has been fixed in
version 2:2.8.17-1+deb8u1.

For the testing distribution (stretch), this problem will be fixed
in version 2:3.0.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:3.0.2-1.

We recommend that you upgrade your redis packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3280-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3280-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2015-2783 CVE-2015-3329 CVE-2015-4021 CVE-2015-4022
CVE-2015-4024 CVE-2015-4025 CVE-2015-4026

Multiple vulnerabilities have been discovered in PHP:

CVE-2015-4025 / CVE-2015-4026

Multiple function didn't check for NULL bytes in path names.

CVE-2015-4024

Denial of service when processing multipart/form-data requests.

CVE-2015-4022

Integer overflow in the ftp_genlist() function may result in
denial of service or potentially the execution of arbitrary code.

CVE-2015-4021 CVE-2015-3329 CVE-2015-2783

Multiple vulnerabilities in the phar extension may result in
denial of service or potentially the execution of arbitrary code
when processing malformed archives.

For the oldstable distribution (wheezy), these problems have been fixed
in version 5.4.41-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 5.6.9+dfsg-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 5.6.9+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 5.6.9+dfsg-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/