
The following updates have been released for Debian:

[DLA 273-1] tidy security update
[DLA 276-1] inspircd security update
[DSA 3308-1] mysql-5.5 security update
[DSA 3309-1] tidy security update



[DLA 273-1] tidy security update

Package : tidy
Version : 20091223cvs-1+deb6u1
CVE ID : CVE-2015-5522 CVE-2015-5523
Debian Bug : 792571

[DLA 276-1] inspircd security update

Package : inspircd
Version : 1.1.22+dfsg-4+squeeze2
Debian Bug : 780880

Adam , upstream author of inspircd found the Debian
patch that fixed CVE-2012-1836 was incomplete. Furthermore, it
introduced an issue, since invalid DNS packets caused an infinite loop.
This upload corrects these problems.

As of today, no CVEs have been assigned to these Debian-specific flaws.

For the Squeeze distribution, these issues have been fixed in version
1.1.22+dfsg-4+squeeze2 of inspircd.


[DSA 3308-1] mysql-5.5 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3308-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 18, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648
CVE-2015-4737 CVE-2015-4752
Debian Bug : 792445

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.44. Please see the MySQL 5.5 Release Notes and Oracle's
Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-44.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

For the oldstable distribution (wheezy), these problems have been fixed
in version 5.5.44-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 5.5.44-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3309-1] tidy security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3309-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
July 18, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tidy
CVE ID : CVE-2015-5522 CVE-2015-5523
Debian Bug : 792571

Fernando Muñoz discovered that invalid HTML input passed to tidy, an
HTML syntax checker and reformatter, could trigger a buffer overflow.
This could allow remote attackers to cause a denial of service (crash)
or potentially execute arbitrary code.

Geoff McLane also discovered that a similar issue could trigger an
integer overflow, leading to a memory allocation of 4GB. This could
allow remote attackers to cause a denial of service by saturating the
target's memory.

For the oldstable distribution (wheezy), these problems have been fixed
in version 20091223cvs-1.2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 20091223cvs-1.4+deb8u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your tidy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
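
To check an installed version against the fixed versions listed in these advisories, the comparison has to follow Debian's version ordering (epoch, upstream version, revision, with `~` sorting first) rather than plain string comparison. The following is an added example, not code from Debian or from the advisories; the function names are illustrative and the installed version in the last lines is constructed.

```python
import re

# Added example; function names are illustrative, not Debian tooling.
# Fixed versions copied from the advisories above, keyed by (package, release).
FIXED = {
    ("inspircd", "squeeze"): "1.1.22+dfsg-4+squeeze2",
    ("mysql-5.5", "wheezy"): "5.5.44-0+deb7u1",
    ("mysql-5.5", "jessie"): "5.5.44-0+deb8u1",
    ("tidy", "wheezy"): "20091223cvs-1.2+deb7u1",
    ("tidy", "jessie"): "20091223cvs-1.4+deb8u1",
}

def _order(c):  # sort weight of one character inside a non-digit run
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_part(a, b):  # compare two upstream or revision strings: -1, 0 or 1
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: '~' sorts before end of string, letters before symbols.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run: compared numerically, an empty run counts as 0.
        m, n = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(m or 0) != int(n or 0):
            return -1 if int(m or 0) < int(n or 0) else 1
        i, j = i + len(m), j + len(n)
    return 0

def _split(v):  # -> (epoch, upstream version, Debian revision)
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def deb_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(package, release, installed):
    return deb_compare(installed, FIXED[(package, release)]) >= 0

if __name__ == "__main__":  # constructed installed version, not from the page
    print(is_patched("tidy", "jessie", "20091223cvs-1.4"))  # False: needs upgrade
```

On a live system, `dpkg-query -W -f='${Version}' <package>` supplies the installed version, and `dpkg --compare-versions` performs the same ordering natively.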