Debian 10260 Published by

3 new updates for Debian 7 LTS and 1 for Debian 8:

[DLA 467-1] xerces-c security update
[DLA 468-1] libuser security update
[DLA 469-1] libgwenhywfar security update
[DSA 3575-1] libxstream-java security update



[DLA 467-1] xerces-c security update

Package : xerces-c
Version : 3.1.1-3+deb7u3
CVE ID : CVE-2016-2099
Debian Bug : 823863

XMLReader class can raise an exception if an invalid character is
encountered, and the exception crosses stack frames in an unsafe way that
causes a higher level exception handler to access an already-freed object.

[DLA 468-1] libuser security update

Package : libuser
Version : 1:0.56.9.dfsg.1-1.2+deb7u1
CVE ID : CVE-2015-3245 CVE-2015-3246
Debian Bug : 793465

Two security vulnerabilities were discovered in libuser, a library
that implements a standardized interface for manipulating and
administering user and group accounts, that could lead to a denial of
service or privilege escalation by local users.

CVE-2015-3245
Incomplete blacklist vulnerability in the chfn function in libuser
before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper
program in the usermode package, allows local users to cause a
denial of service (/etc/passwd corruption) via a newline character
in the GECOS field.

CVE-2015-3246
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the
userhelper program in the usermode package, directly modifies
/etc/passwd, which allows local users to cause a denial of service
(inconsistent file state) by causing an error during the
modification. NOTE: this issue can be combined with CVE-2015-3245
to gain privileges.

In addition the usermode package, which depends on libuser, was
rebuilt against the updated version.

For Debian 7 "Wheezy", these problems have been fixed in

libuser 1:0.56.9.dfsg.1-1.2+deb7u1
usermode 1.109-1+deb7u2

We recommend that you upgrade your libuser and usermode packages.

[DLA 469-1] libgwenhywfar security update

Package : libgwenhywfar
Version : 4.3.3-1+deb7u1
CVE ID : CVE-2015-7542
Debian Bug : 748955

It was discovered that libgwenhywfar (an OS abstraction layer that
allows porting of software to different operating systems like Linux,
*BSD, Windows etc.) used an outdated CA certificate bundle.

For Debian 7 "Wheezy", this issue has been fixed in libgwenhywfar version
4.3.3-1+deb7u1 by utilising the ca-certificates package.

We recommend that you upgrade your libgwenhywfar packages.

[DSA 3575-1] libxstream-java security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3575-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 12, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxstream-java
CVE ID : CVE-2016-3674

It was discovered that XStream, a Java library to serialize objects to
XML and back again, was susceptible to XML External Entity attacks.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.7-2+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.4.9-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.9-1.

We recommend that you upgrade your libxstream-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/