Debian 10225 Published by

The following updates has been released for Debian:

[DLA 482-1] libgd2 security update
[DLA 483-1] expat security update
[DSA 3584-1] librsvg security update



[DLA 482-1] libgd2 security update

---

Package : libgd2
Version : 2.0.36~rc1~dfsg-6.1+deb7u3
CVE ID : CVE-2015-8874
Debian Bug : 824627

It was discovered that there was a stack consumption vulnerability
in the libgd2 graphics library which allowed remote attackers to
cause a denial of service via a crafted imagefilltoborder call.

For Debian 7 "Wheezy", this issue has been fixed in libgd2 version
2.0.36~rc1~dfsg-6.1+deb7u3.

We recommend that you upgrade your libgd2 packages.

[DLA 483-1] expat security update

Package : expat
Version : 2.1.0-1+deb7u3
CVE ID : CVE-2016-0718

Gustavo Grieco discovered that Expat, a XML parsing C library, does not
properly handle certain kinds of malformed input documents, resulting in
buffer overflows during processing and error reporting. A remote
attacker can take advantage of this flaw to cause an application using
the Expat library to crash, or potentially, to execute arbitrary code
with the privileges of the user running the application.


For Debian 7 "Wheezy", these problems have been fixed in version
2.1.0-1+deb7u3.

We recommend that you upgrade your expat packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3584-1] librsvg security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3584-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 19, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : librsvg
CVE ID : CVE-2015-7558 CVE-2016-4347 CVE-2016-4348

Gustavo Grieco discovered several flaws in the way librsvg, a SAX-based
renderer library for SVG files, parses SVG files with circular
definitions. A remote attacker can take advantage of these flaws to
cause an application using the librsvg library to crash.

For the stable distribution (jessie), these problems have been fixed in
version 2.40.5-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 2.40.12-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.40.12-1.

We recommend that you upgrade your librsvg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/