Debian 10260 Published by

The following updates has been released for Debian:

[DLA 470-1] libksba security update
[DLA 471-1] jansson security update
[DSA 3576-1] icedove security update



[DLA 470-1] libksba security update

Package : libksba
Version : 1.2.0-2+deb7u2
CVE ID : CVE-2016-4579

It was discovered that there was a possible read access beyond a buffer
vulnerability in libksba, a X.509 and CMS certificate support library.

The returned length of the object from _ksba_ber_parse_tl (ti.length)
was not always checked against the actual buffer length, thus leading
to a read access after the end of the buffer and thus a SEGV.

For Debian 7 "Wheezy", this issue has been fixed in libksba version
1.2.0-2+deb7u2.

We recommend that you upgrade your libksba packages.

[DLA 471-1] jansson security update

Package : jansson
Version : 2.3.1-2+deb7u1
CVE ID : CVE-2016-4425
Debian Bug : 823238


Applications that depend on Jansson, a C library for encoding,
decoding and manipulating JSON data, could crash due to stack
exhaustion while parsing a JSON file. This was caused due to an
unlimited parsing depth when parsing JSON arrays and is now fixed by
limiting the depth to 2048.

For Debian 7 "Wheezy", this problem has been fixed in version
2.3.1-2+deb7u1.

We recommend that you upgrade your jansson packages.

[DSA 3576-1] icedove security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3576-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2016-1979 CVE-2016-2805 CVE-2016-2807

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 38.8.0-1~deb8u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/