Debian 10225 Published by

The following updates has been released for Debian:

[DLA 384-1] inspircd security and regression update
[DSA 3443-1] libpng security update
[DSA 3444-1] wordpress security update
[DSA 3445-1] pygments security update



[DLA 384-1] inspircd security and regression update

Package        : inspircd
Version        : 1.1.22+dfsg-4+squeeze3
CVE ID         : CVE-2015-8702
Debian Bug     : 668253

It was discovered that InspIRCd did not validate the names in DNS
responses before using them in inter-server communication.  A remote
attacker controlling the reverse DNS server for an IRC client could
use this for denial of service or possibly for privilege escalation on
the IRC network.

InspIRCd appears to have been completely unusable since version
1.1.22+dfsg-4+squeeze1 due to a bug in its build system triggered by
(e)glibc versions newer than 2.9.  This has also been fixed.

[DSA 3443-1] libpng security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3443-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libpng
CVE ID : CVE-2015-8472 CVE-2015-8540
Debian Bug : 807112 807694

Several vulnerabilities have been discovered in the libpng PNG library.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-8472

It was discovered that the original fix for CVE-2015-8126 was
incomplete and did not detect a potential overrun by applications
using png_set_PLTE directly. A remote attacker can take advantage of
this flaw to cause a denial of service (application crash).

CVE-2015-8540

Xiao Qixue and Chen Yu discovered a flaw in the png_check_keyword
function. A remote attacker can potentially take advantage of this
flaw to cause a denial of service (application crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.2.49-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 1.2.50-2+deb8u2.

We recommend that you upgrade your libpng packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3444-1] wordpress security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3444-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wordpress
CVE ID : CVE-2016-1564
Debian Bug : 810325

Crtc4L discovered a cross-site scripting vulnerability in wordpress, a
web blogging tool, allowing a remote authenticated administrator to
compromise the site.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.6.1+dfsg-1~deb7u9.

For the stable distribution (jessie), this problem has been fixed in
version 4.1+dfsg-1+deb8u7.

For the unstable distribution (sid), this problem has been fixed in
version 4.4.1+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3445-1] pygments security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3445-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pygments
CVE ID : CVE-2015-8557
Debian Bug : 802828

Javantea discovered that pygments, a generic syntax highlighter, is
prone to a shell injection vulnerability allowing a remote attacker to
execute arbitrary code via shell metacharacters in a font name.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.5+dfsg-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.0.1+dfsg-1.1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.0.1+dfsg-2.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.1+dfsg-2.

We recommend that you upgrade your pygments packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/