Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 283-1] icu security update
[DLA 284-1] apache2 security update
[DLA 285-1] bind9 security update
[DSA 3319-1] bind9 security update



[DLA 283-1] icu security update

Package : icu
Version : 4.4.1-8+squeeze4
CVE ID : CVE-2015-4760

A vulnerability has been found in the International Components
for Unicode (ICU) library:

CVE-2015-4760

It was discovered that ICU Layout Engine was missing multiple
boundary checks. These could lead to buffer overflows and memory
corruption. A specially crafted file could cause an application
using ICU to parse untrusted font files to crash and, possibly,
execute arbitrary code.

For the squeeze distribution, these issues have been fixed in version
4.4.1-8+squeeze4 of icu.

We recommend to upgrade your icu packages.


[DLA 284-1] apache2 security update

Package : apache2
Version : 2.2.16-6+squeeze15
CVE ID : CVE-2015-3183

A vulnerability has been found in the Apache HTTP Server.

CVE-2015-3183

Apache HTTP Server did not properly parse chunk headers, which
allowed remote attackers to conduct HTTP request smuggling via a
crafted request. This flaw relates to mishandling of large
chunk-size values and invalid chunk-extension characters in
modules/http/http_filters.c.

For the squeeze distribution, these issues have been fixed in version
2.2.16-6+squeeze15 of apache2.

We recommend you to upgrade your apache2 packages.


[DLA 285-1] bind9 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package : bind9
Version : 1:9.7.3.dfsg-1~squeeze16
CVE ID : CVE-2015-5477

Jonathan Foote discovered that the BIND DNS server does not properly
handle TKEY queries. A remote attacker can take advantage of this flaw
to mount a denial of service via a specially crafted query triggering an
assertion failure and causing BIND to exit.

[DSA 3319-1] bind9 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3319-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 28, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2015-5477

Jonathan Foote discovered that the BIND DNS server does not properly
handle TKEY queries. A remote attacker can take advantage of this flaw
to mount a denial of service via a specially crafted query triggering an
assertion failure and causing BIND to exit.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u6.

For the stable distribution (jessie), this problem has been fixed in
version 1:9.9.5.dfsg-9+deb8u2.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/