Debian 10260 Published by

The following updates has been released for Debian:

[DLA 472-1] icedove security update
[DLA 473-1] wpa security update
[DSA 3577-1] jansson security update
[DSA 3578-1] libidn security update



[DLA 472-1] icedove security update

Package : icedove
Version : 38.8.0-1~deb7u1
CVE ID : CVE-2016-1979 CVE-2016-2805 CVE-2016-2807

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client. Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

For Debian 7 "Wheezy", this problem has been fixed in version
38.8.0-1~deb7u1.

We recommend that you upgrade your icedove packages.

[DLA 473-1] wpa security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package : wpa
Version : 1.0-3+deb7u4
CVE ID : CVE-2016-4476 CVE-2016-4477
Debian Bug : 823411

A vulnerability was found in how hostapd and wpa_supplicant writes the
configuration file update for the WPA/WPA2 passphrase parameter. If
this parameter has been updated to include control characters either
through a WPS operation (CVE-2016-4476) or through local configuration
change over the wpa_supplicant control interface (CVE-2016-4477), the
resulting configuration file may prevent the hostapd and
wpa_supplicant from starting when the updated file is used. In
addition for wpa_supplicant, it may be possible to load a local
library file and execute code from there with the same privileges
under which the wpa_supplicant process runs.

CVE-2016-4476
hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do
not reject \n and \r characters in passphrase parameters, which
allows remote attackers to cause a denial of service (daemon
outage) via a crafted WPS operation.

CVE-2016-4477
wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r
characters in passphrase parameters, which allows local users to
trigger arbitrary library loading and consequently gain privileges,
or cause a denial of service (daemon outage), via a crafted (1)
SET, (2) SET_CRED, or (3) SET_NETWORK command.


For Debian 7 "Wheezy", these problems have been fixed in version
1.0-3+deb7u4.

We recommend that you upgrade your wpa packages.

[DSA 3577-1] jansson security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3577-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jansson
CVE ID : CVE-2016-4425
Debian Bug : 823238

Gustavo Grieco discovered that jansson, a C library for encoding,
decoding and manipulating JSON data, did not limit the recursion depth
when parsing JSON arrays and objects. This could allow remote attackers
to cause a denial of service (crash) via stack exhaustion, using crafted
JSON data.

For the stable distribution (jessie), this problem has been fixed in
version 2.7-1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.7-5.

We recommend that you upgrade your jansson packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3578-1] libidn security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3578-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 14, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libidn
CVE ID : CVE-2015-2059

It was discovered that libidn, the GNU library for Internationalized
Domain Names (IDNs), did not correctly handle invalid UTF-8 input,
causing an out-of-bounds read. This could allow attackers to disclose
sensitive information from an application using the libidn library.

For the stable distribution (jessie), this problem has been fixed in
version 1.29-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 1.31-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.31-1.

We recommend that you upgrade your libidn packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/