Debian 10228 Published by

Three new updates has been released for Debian 6 LTS and one new update for Debian 7:

[DLA 248-1] qemu security update
[DLA 249-1] qemu-kvm security update
[DLA 250-1] libclamunrar security update
[DSA 3292-1] cinder security update



[DLA 248-1] qemu security update

Package : qemu
Version : 0.12.5+dfsg-3squeeze4
CVE ID : CVE-2015-3456

A vulnerability was discovered in the qemu virtualisation solution:

CVE-2015-3456

Jason Geffner discovered a buffer overflow in the emulated floppy
disk drive, resulting in the potential execution of arbitrary code.

Despite the end-of-life of qemu support in the old-oldstable
distribution (squeeze-lts), this problem has been fixed in version
0.12.5+dfsg-3squeeze4 of the qemu source package due to its severity
(the so-called VENOM vulnerability).

Further problems may still be present in the qemu package in the
old-oldstable distribution (squeeze-lts) and users who need to rely on
qemu are encouraged to upgrade to a newer version of Debian.

We recommend that you upgrade your qemu packages.


[DLA 249-1] qemu-kvm security update

Package : qemu-kvm
Version : 0.12.5+dfsg-5+squeeze11
CVE ID : CVE-2015-3456

A vulnerability was discovered in the qemu virtualisation solution:

CVE-2015-3456

Jason Geffner discovered a buffer overflow in the emulated floppy
disk drive, resulting in the potential execution of arbitrary code.

Despite the end-of-life of qemu-kvm support in the old-oldstable
distribution (squeeze-lts), this problem has been fixed in version
0.12.5+dfsg-5+squeeze11 of the qemu-kvm source package due to its
severity (the so-called VENOM vulnerability).

Further problems may still be present in the qemu-kvm package in the
old-oldstable distribution (squeeze-lts) and users who need to rely on
qemu-kvm are encouraged to upgrade to a newer version of Debian.

We recommend that you upgrade your qemu-kvm packages.


[DLA 250-1] libclamunrar security update

Package : libclamunrar
Version : 0.98.5-0+deb6u1
Debian Bug : 770647

Upstream published version 0.98.5. This update updates sqeeze-lts to the
latest upstream release in line with the approach used for other Debian
releases.

This update corrects a double-free error that existed within the
"unrar_extract_next_prepare()" function (libclamunrar_iface/unrar_iface.c)
when parsing a RAR file. While no CVE was assigned, this issue does have
potential security implications.

If you use libclamunrar, we strongly recommend that you upgrade to this
version.

[DSA 3292-1] cinder security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3292-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 19, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : cinder
CVE ID : CVE-2015-1851
Debian Bug : 788996

Bastian Blank from credativ discovered that cinder, a
storage-as-a-service system for the OpenStack cloud computing suite,
contained a bug that would allow an authenticated user to read any
file from the cinder server.

For the stable distribution (jessie), this problem has been fixed in
version 2014.1.3-11+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2015.1.0+2015.06.16.git26.9634b76ba5-1.

We recommend that you upgrade your cinder packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/