Debian 10225 Published by

The following Debian updates are available:

[DSA 2941-1] lxml security update
[DSA 2942-1] typo3-src security update
[DSA 2943-1] php5 security update
[DSA 2944-1] gnutls26 security update



[DSA 2941-1] lxml security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2941-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
Jun 01, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lxml
CVE ID : CVE-2014-3146

It was discovered that clean_html() function of lxml (pythonic bindings
for the libxml2 and libxslt libraries) performed insufficient
sanitisation for some non-printable characters. This could lead to
cross-site scripting.

For the stable distribution (wheezy), this problem has been fixed in
version 2.3.2-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 3.3.5-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.5-1.

We recommend that you upgrade your lxml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2942-1] typo3-src security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2942-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
Jun 01, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : typo3-src
CVE ID : not available yet
Debian Bug : 749215

Multiple security issues have been discovered in the Typo3 CMS. More
information can be found in the upstream advisory:
http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2014-001/

For the stable distribution (wheezy), this problem has been fixed in
version 4.5.19+dfsg1-5+wheezy3.

For the testing distribution (jessie), this problem has been fixed in
version 4.5.34+dfsg1-1.

For the unstable distribution (sid), this problem has been fixed in
version 4.5.34+dfsg1-1.

We recommend that you upgrade your typo3-src packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2943-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2943-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2014-0185 CVE-2014-0237 CVE-2014-0238 CVE-2014-2270

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development:

CVE-2014-0185

The default PHP FPM socket permission has been changed from 0666
to 0660 to mitigate a security vulnerability (CVE-2014-0185) in PHP
FPM that allowed any local user to run a PHP code under the active
user of FPM process via crafted FastCGI client.

The default Debian setup now correctly sets the listen.owner and
listen.group to www-data:www-data in default php-fpm.conf. If you
have more FPM instances or a webserver not running under www-data
user you need to adjust the configuration of FPM pools in
/etc/php5/fpm/pool.d/ so the accessing process has rights to
access the socket.

CVE-2014-0237 / CVE-2014-0238:

Denial of service in the CDF parser of the fileinfo module.

CVE-2014-2270

Denial of service in the fileinfo module.

For the stable distribution (wheezy), these problems have been fixed in
version 5.4.4-14+deb7u10.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[DSA 2944-1] gnutls26 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2944-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gnutls26
CVE ID : CVE-2014-3466

Joonas Kuorilehto discovered that GNU TLS performed insufficient
validation of session IDs during TLS/SSL handshakes. A malicious server
could use this to execute arbitrary code or perform denial or service.

For the stable distribution (wheezy), this problem has been fixed in
version 2.12.20-8+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.12.23-16.

We recommend that you upgrade your gnutls26 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/