Debian 10260 Published by

The following 4 Debian updates have been released:

[DLA 294-1] wordpress security update
[DLA 295-1] conntrack security update
[DSA 3339-1] openjdk-6 security update
[DSA 3340-1] zendframework security update



[DLA 294-1] wordpress security update

Package : wordpress
Version : 3.6.1+dfsg-1~deb6u7
CVE ID : CVE-2015-2213 CVE-2015-5622 CVE-2015-5731 CVE-2015-5732
CVE-2015-5734

Several vulnerabilities have been fixed in Wordpress, the popular
blogging engine.

CVE-2015-2213

SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

The robustness of the shortcodes HTML tags filter has been
improved. The parsing is a bit more strict, which may affect
your installation. This is the corrected version of the patch
that needed to be reverted in DSA 3328-2.

CVE-2015-5731

An attacker could lock a post that was being edited.

CVE-2015-5732

Cross site scripting in a widget title allows an attacker to
steal sensitive information.

CVE-2015-5734

Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen
Hou-Sand

[DLA 295-1] conntrack security update

Package : conntrack
Version : 1:0.9.14-2+deb6u1
CVE ID : CVE-2015-6496
Debian Bug : #796103

"jann" discovered that in certain configurations, if the relevant
conntrack kernel module is not loaded, conntrackd will crash when
handling DCCP, SCTP or ICMPv6 packets. In the version found in Debian
6.0 "squeeze", this vulnerability only applies to ICMPv6.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1:0.9.14-2+deb6u1.

For the oldstable distribution (wheezy) and stable distribution
(jessie), this problem will be fixed soon.

[DSA 3339-1] openjdk-6 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3339-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 19, 2015                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-6
CVE ID : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.

For the oldstable distribution (wheezy), these problems have been fixed
in version 6b36-1.13.8-1~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3340-1] zendframework security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3340-1                   security@debian.org
https://www.debian.org/security/                      Alessandro Ghedini
August 19, 2015                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : zendframework
CVE ID : CVE-2015-5161

Dawid Golunski discovered that when running under PHP-FPM in a threaded
environment, Zend Framework, a PHP framework, did not properly handle
XML data in multibyte encoding. This could be used by remote attackers
to perform an XML External Entity attack via crafted XML data.
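
As an added illustration of the defensive point behind this advisory (this is not Debian's or Zend Framework's code), the Python sketch below contrasts a guard that scans the raw bytes for DOCTYPE/ENTITY keywords with one that decodes the document first: the byte-level guard is blind to the same declaration in a multibyte encoding such as UTF-16. The naive check, the encodings handled and the sample documents are constructed assumptions, not details taken from the advisory.

```python
import codecs
import re
import xml.etree.ElementTree as ET
# Byte-order marks, longest first so a UTF-32 BOM is not mistaken for UTF-16.
_BOMS = [(codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
         (codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
         (codecs.BOM_UTF16_BE, "utf-16-be")]
_DECL = re.compile(rb'<\?xml[^>]*encoding=["\']([A-Za-z0-9._-]+)["\']')
_MARKUP_DECL = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def naive_byte_check(raw: bytes) -> bool:
    # Hypothetical ASCII-only guard (an assumption, not Zend's code): scans raw bytes.
    # Returns True when the input "looks safe"; a UTF-16 document slips straight through.
    return b"<!DOCTYPE" not in raw and b"<!ENTITY" not in raw

def decode_xml(raw: bytes) -> str:
    # Decode using the BOM, then the byte pattern of "<?", then the declaration.
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc)
    if raw.startswith(b"\x00<\x00?"):       # BOM-less UTF-16BE
        return raw.decode("utf-16-be")
    if raw.startswith(b"<\x00?\x00"):       # BOM-less UTF-16LE
        return raw.decode("utf-16-le")
    m = _DECL.match(raw)                    # ASCII-compatible input: use the declaration
    return raw.decode(m.group(1).decode("ascii") if m else "utf-8")

def is_doctype_free(raw: bytes) -> bool:
    # Hardened guard: decode first, then look for DOCTYPE/ENTITY in the text.
    try:
        return _MARKUP_DECL.search(decode_xml(raw)) is None
    except (UnicodeDecodeError, LookupError):
        return False                        # undecodable or unknown encoding: reject

def parse_untrusted(raw: bytes) -> ET.Element:
    if not is_doctype_free(raw):
        raise ValueError("DOCTYPE/ENTITY declaration rejected")
    # The declaration described the original bytes and no longer applies to decoded text.
    return ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", decode_xml(raw)))

# Constructed samples: a benign UTF-16 document and two carrying an internal entity declaration.
BENIGN_UTF16 = '<?xml version="1.0" encoding="UTF-16"?><order id="7"><item>x</item></order>'.encode("utf-16")
ENTITY_UTF8 = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'
ENTITY_UTF16 = ENTITY_UTF8.decode("ascii").encode("utf-16")
```

Rejecting any DOCTYPE outright is the simplest policy for untrusted input; a parser-level setting that disables entity loading should still be used alongside it.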

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.11.13-1.1+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 1.12.9+dfsg-2+deb8u3.

For the testing distribution (stretch), this problem has been fixed
in version 1.12.14+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.12.14+dfsg-1.

We recommend that you upgrade your zendframework packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/