Debian 10225 Published by

The following updates has been released for Debian:

[DLA 177-1] openssl security update
[DSA 3198-1] php5 security update
[DSA 3199-1] xerces-c security update
[DSA 3200-1] drupal7 security update



[DLA 177-1] openssl security update

Package : openssl
Version : 0.9.8o-4squeeze20
CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288
CVE-2015-0289 CVE-2015-0292 CVE-2015-0293

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-0209

It was discovered that a malformed EC private key might result in
memory corruption.

CVE-2015-0286

Stephen Henson discovered that the ASN1_TYPE_cmp() function
can be crashed, resulting in denial of service.

CVE-2015-0287

Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

CVE-2015-0288

It was discovered that missing input sanitising in the
X509_to_X509_REQ() function might result in denial of service.

CVE-2015-0289

Michal Zalewski discovered a NULL pointer dereference in the
PKCS#7 parsing code, resulting in denial of service.

CVE-2015-0292

It was discovered that missing input sanitising in base64 decoding
might result in memory corruption.

CVE-2015-0293

A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.



[DSA 3198-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3198-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 20, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2015-2301 CVE-2015-2331

Multiple vulnerabilities have been discovered in the PHP language:

CVE-2015-2301

Use-after-free in the phar extension.

CVE-2015-2331

Emmanuel Law discovered an integer overflow in the processing
of ZIP archives, resulting in denial of service or potentially
the execution of arbitrary code.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.39-0+deb7u1. This update also fixes a regression in the
curl support introduced in DSA 3195.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3199-1] xerces-c security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3199-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
March 20, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xerces-c
CVE ID : CVE-2015-0252
Debian Bug : 780827

Anton Rager and Jonathan Brossard from the Salesforce.com Product
Security Team and Ben Laurie of Google discovered a denial of service
vulnerability in xerces-c, a validating XML parser library for C++. The
parser mishandles certain kinds of malformed input documents, resulting
in a segmentation fault during a parse operation. An unauthenticated
attacker could use this flaw to cause an application using the
xerces-c library to crash.

For the stable distribution (wheezy), this problem has been fixed in
version 3.1.1-3+deb7u1.

We recommend that you upgrade your xerces-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3200-1] drupal7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3200-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 20, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2015-2559

Multiple vulnerabilities have been found the Drupal content management
framework. More information can be found at
https://www.drupal.org/SA-CORE-2015-001

For the stable distribution (wheezy), this problem has been fixed in
version 7.14-2+deb7u9.

For the unstable distribution (sid), this problem has been fixed in
version 7.32-1+deb8u2.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/