The following updates have been released for Debian:
[DLA 449-2] botan1.10 regression update
[DLA 464-1] libav security update
[DLA 465-1] debian-security-support update
[DSA 3574-1] libarchive security update
[DLA 449-2] botan1.10 regression update
Package : botan1.10
Version : 1.10.5-1+deb7u1
Debian Bug : 823297
The security update for botan1.10 caused a regression in monotone due
to an ABI change. In order to fix this issue all reverse-dependencies
of botan1.10 have been rebuilt.
For Debian 7 "Wheezy", these problems have been fixed in
monotone 1.0-6+deb7u2
softhsm 1.3.3-2+deb7u1
We recommend that you upgrade both packages.
[DLA 464-1] libav security update
Package : libav
Version : 6:0.8.17-2+deb7u1
CVE ID : CVE-2014-9676
It was discovered that there was a use-after-free vulnerability in
libav, a multimedia player, server, encoder and transcoder library.
The seg_write_packet function in libavformat/segment.c in ffmpeg
2.1.4 and earlier does not free the correct memory location, which
allows remote attackers to cause a denial of service ("invalid
memory handler") and possibly execute arbitrary code via a crafted
video that triggers a use after free.
For Debian 7 Wheezy, this issue has been fixed in libav version
6:0.8.17-2+deb7u1.
We recommend that you upgrade your libav packages.
[DLA 465-1] debian-security-support update
Package : debian-security-support
Version : 2016.05.09+nmu1~deb7u1
It is not feasible to fully support some Debian packages through the release's
life cycle. The debian-security-support package provides the
check-support-status tool that helps to warn the administrator about installed
packages whose security support is limited or has to prematurely end.
For Debian 7 "Wheezy", debian-security-support version 2016.05.09+nmu1~deb7u1
updates the list of packages with restricted support in Wheezy LTS. In
particular, this version also includes a new feature to notify the user about
oncoming end-of-lifes.
We recommend that you install debian-security-support and run
check-support-status to verify the status of installed packages. Please refer
to the check-support-status(1) man page for more information about how to
use it.
[DSA 3574-1] libarchive security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3574-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 10, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libarchive
CVE ID : CVE-2016-1541
Debian Bug : 823893
Rock Stevens, Andrew Ruef and Marcin 'Icewall' Noga discovered a
heap-based buffer overflow vulnerability in the zip_read_mac_metadata
function in libarchive, a multi-format archive and compression library,
which may lead to the execution of arbitrary code if a user or automated
system is tricked into processing a specially crafted ZIP file.
For the stable distribution (jessie), this problem has been fixed in
version 3.1.2-11+deb8u1.
We recommend that you upgrade your libarchive packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/