Debian 10226 Published by

The following 4 updates has been released for Debian GNU/Linux:

[DLA 217-1] xdg-utils security update
[DLA 218-1] xorg-server security update
[DSA 3242-1] chromium-browser security update
[DSA 3243-1] libxml-libxml-perl security update



[DLA 217-1] xdg-utils security update

The two below CVE issues have recently been fixed in Debian squeeze-lts:

CVE-2014-9622

John Houwer discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user's preferred application, to execute arbitrary
commands remotely.

CVE-2015-1877

Jiri Horner discovered a way to cause xdg-open, a tool that automatically
opens URLs in a user's preferred application, to execute arbitrary
commands remotely.

This problem only affects /bin/sh implementations that don't sanitize
local variables. Dash, which is the default /bin/sh in Debian is
affected. Bash as /bin/sh is known to be unaffected.

[DLA 218-1] xorg-server security update

Package : xorg-server
Version : 2:1.7.7-18+deb6u2
CVE ID : CVE-2015-0255

Olivier Fourdan discovered that missing input validation in the Xserver's
handling of XkbSetGeometry requests may result in an information leak or
denial of service.

This upload to Debian squeeze-lts fixes the issue by not swapping
XkbSetGeometry data in the input buffer any more and checking strings'
length against request size.

[DSA 3242-1] chromium-browser security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3242-1 security@debian.org
http://www.debian.org/security/ Michael Gilbert
April 30, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2015-1243 CVE-2015-1250

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-1243

Saif El-Sherei discovered a use-after-free issue.

CVE-2015-1250

The chrome 42 team found and fixed multiple issues during internal
auditing.

For the stable distribution (jessie), these problems have been fixed in
version 42.0.2311.135-1~deb8u1.

For the testing distribution (stretch), this problem will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 42.0.2311.135-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3243-1] libxml-libxml-perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3243-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxml-libxml-perl
CVE ID : CVE-2015-3451
Debian Bug : 783443

Tilmann Haak from xing.com discovered that XML::LibXML, a Perl interface
to the libxml2 library, did not respect the expand_entities parameter to
disable processing of external entities in some circumstances. This may
allow attackers to gain read access to otherwise protected ressources,
depending on how the library is used.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.0001+dfsg-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.0116+dfsg-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.0116+dfsg-2.

We recommend that you upgrade your libxml-libxml-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/