Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 207-1] subversion security update
[DSA 3233-1] wpa security update
[DSA 3234-1] openjdk-6 security update
[DSA 3235-1] openjdk-7 security update



[DLA 207-1] subversion security update

Package : subversion
Version : 1.6.12dfsg-7+deb6u2
CVE ID : CVE-2013-1845 CVE-2013-1846 CVE-2013-1847 CVE-2013-1849
CVE-2014-0032 CVE-2015-0248 CVE-2015-0251
Debian Bug : 704940 737815

Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-0248

Subversion mod_dav_svn and svnserve were vulnerable to a remotely
triggerable assertion DoS vulnerability for certain requests with
dynamically evaluated revision numbers.

CVE-2015-0251

Subversion HTTP servers allow spoofing svn:author property values for
new revisions via specially crafted v1 HTTP protocol request
sequences.

CVE-2013-1845

Subversion mod_dav_svn was vulnerable to a denial of service attack
through a remotely triggered memory exhaustion.

CVE-2013-1846 / CVE-2013-1847 / CVE-2013-1849 / CVE-2014-0032

Subversion mod_dav_svn was vulnerable to multiple remotely triggered
crashes.

This update has been prepared by James McCoy.

[DSA 3233-1] wpa security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3233-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wpa
CVE ID : CVE-2015-1863
Debian Bug : 783148

The Google security team and the smart hardware research group of
Alibaba security team discovered a flaw in how wpa_supplicant used SSID
information when creating or updating P2P peer entries. A remote
attacker can use this flaw to cause wpa_supplicant to crash, expose
memory contents, and potentially execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 1.0-3+deb7u2. Note that this issue does not affect the binary
packages distributed in Debian as the CONFIG_P2P is not enabled for
the build.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 2.3-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.3-2.

We recommend that you upgrade your wpa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3234-1] openjdk-6 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3234-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-6
CVE ID : CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477
CVE-2015-0478 CVE-2015-0480 CVE-2015-0488

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 6b35-1.13.7-1~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3235-1] openjdk-7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3235-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477
CVE-2015-0478 CVE-2015-0480 CVE-2015-0488

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 7u79-2.5.5-1~deb7u1.

For the upcoming stable distribution (jessie), these problems will be
fixed soon in version 7u79-2.5.5-1~deb8u1 (the update will be available
shortly after the final jessie release).

For the unstable distribution (sid), these problems have been fixed in
version 7u79-2.5.5-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/