Debian 10225 Published by

1 update for Debian 7 LTS and 2 for Debian 8:

[DLA 478-1] squid3 security update
[DSA 3579-1] xerces-c security update
[DSA 3580-1] imagemagick security update



[DLA 478-1] squid3 security update

Package : squid3
Version : 3.1.20-2.2+deb7u5
CVE ID : CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054
CVE-2016-4554 CVE-2016-4555 CVE-2016-4556
Debian Bug : 823968

Several security issues have been discovered in the Squid caching proxy.

CVE-2016-4051

CESG and Yuriy M. Kaminskiy discovered that Squid cachemgr.cgi
was vulnerable to a buffer overflow when processing remotely supplied
inputs relayed through Squid.

CVE-2016-4052

CESG discovered that a buffer overflow made Squid vulnerable to a
Denial of Service (DoS) attack when processing ESI responses.

CVE-2016-4053

CESG found that Squid was vulnerable to public information disclosure
of the server stack layout when processing ESI responses.

CVE-2016-4054

CESG discovered that Squid was vulnerable to remote code execution
when processing ESI responses.

CVE-2016-4554

Jianjun Chen found that Squid was vulnerable to a header smuggling
attack that could lead to cache poisoning and to bypass of same-origin
security policy in Squid and some client browsers.

CVE-2016-4555 and CVE-2016-4556

"bfek-18" and "@vftable" found that Squid was vulnerable to a Denial
of Service (DoS) attack when processing ESI responses, due to
incorrect pointer handling and reference counting.

For Debian 7 "Wheezy", these issues have been fixed in squid3 version
3.1.20-2.2+deb7u5. We recommend you to upgrade your squid3 packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[DSA 3579-1] xerces-c security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3579-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 16, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xerces-c
CVE ID : CVE-2016-2099
Debian Bug : 823863

Gustavo Grieco discovered an use-after-free vulnerability in xerces-c, a
validating XML parser library for C++, due to not properly handling
invalid characters in XML input documents in the DTDScanner.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-5.1+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 3.1.3+debian-2.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.3+debian-2.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3580-1] imagemagick security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3580-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
May 16, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717
CVE-2016-3718
Debian Bug : 823542

Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of lack of sanitization of untrusted input. An
attacker with control on the image input could, with the privileges of
the user running the application, execute code (CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718), or delete (CVE-2016-3715), move
(CVE-2016-3716), or read (CVE-2016-3717) local files.

These vulnerabilities are particularly critical if Imagemagick processes
images coming from remote parties, such as part of a web service.

The update disables the vulnerable coders (EPHEMERAL, URL, MVG, MSL, and
PLT) and indirect reads via /etc/ImageMagick-6/policy.xml file. In
addition, we introduce extra preventions, including some sanitization for
input filenames in http/https delegates, the full remotion of PLT/Gnuplot
decoder, and the need of explicit reference in the filename for the
insecure coders.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u2.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/