Debian 10225 Published by

The following updates has been released for Debian:

[DSA 3509-1] rails security update
[DSA 3510-1] iceweasel security update
[DSA 3511-1] bind9 security update
[DSA 3512-1] libotr security update



[DSA 3509-1] rails security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3509-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rails
CVE ID : CVE-2016-2097 CVE-2016-2098

Two vulnerabilities have been discovered in Rails, a web application
framework written in Ruby. Both vulnerabilities affect Action Pack, which
handles the web requests for Rails.

CVE-2016-2097

Crafted requests to Action View, one of the components of Action Pack,
might result in rendering files from arbitrary locations, including
files beyond the application's view directory. This vulnerability is
the result of an incomplete fix of CVE-2016-0752.
This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an
attacker might control the arguments of the render method in a
controller or a view, resulting in the possibility of executing
arbitrary ruby code.
This bug was found by Tobias Kraze from Makandra and joernchen of
Phenoelit.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.8-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 2:4.2.5.2-1.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.2.5.2-1.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3510-1] iceweasel security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3510-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceweasel
CVE ID : CVE-2016-1950 CVE-2016-1952 CVE-2016-1954 CVE-2016-1957
CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962
CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1974
CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792
CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796
CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800
CVE-2016-2801 CVE-2016-2802

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
buffer overflows, use-after-frees and other implementation errors may
lead to the execution of arbitrary code, denial of service, address bar
spoofing and overwriting local files.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.7.0esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.7.0esr-1~deb8u1.

For the unstable distribution (sid), Debian is in the process of moving
back towards using the Firefox name. These problems will soon be fixed
in the firefox-esr source package.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3511-1] bind9 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3511-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2016-1285 CVE-2016-1286

Two vulnerabilites have been discovered in ISC's BIND DNS server.

CVE-2016-1285

A maliciously crafted rdnc, a way to remotely administer a BIND server,
operation can cause named to crash, resulting in denial of service.

CVE-2016-1286

An error parsing DNAME resource records can cause named to crash,
resulting in denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 9.8.4.dfsg.P1-6+nmu2+deb7u10.

For the stable distribution (jessie), these problems have been fixed in
version 9.9.5.dfsg-9+deb8u6.

For the testing (stretch) and unstable (sid) distributions, these
problems will be fixed soon.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3512-1] libotr security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3512-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libotr
CVE ID : CVE-2016-2851

Markus Vervier of X41 D-Sec GmbH discovered an integer overflow
vulnerability in libotr, an off-the-record (OTR) messaging library, in
the way how the sizes of portions of incoming messages were stored. A
remote attacker can exploit this flaw by sending crafted messages to an
application that is using libotr to perform denial of service attacks
(application crash), or potentially, execute arbitrary code with the
privileges of the user running the application.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.2.1-1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 4.1.0-2+deb8u1.

We recommend that you upgrade your libotr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/