The following security updates have been released for Debian:
[DLA 536-1] wget security update
[DLA 537-1] roundcube security update
[DLA 538-1] wireshark security update
[DSA 3611-1] libcommons-fileupload-java security update
[DLA 536-1] wget security update
Package : wget
Version : 1.13.4-3+deb7u3
CVE ID : CVE-2016-4971
Debian Bug : 827003
On a server redirect from HTTP to an FTP resource, wget would trust
the HTTP server and use the name in the redirected URL as the
destination filename.
This behaviour was changed: a redirect from HTTP to FTP is now handled
in the same way as a redirect from HTTP to another HTTP resource, so
the original name is used as the destination file. To keep the
previous behaviour, the user must provide --trust-server-names.
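The two filename rules described above, written out as an added Python example (this is not wget's code; the legacy rule is reconstructed from the advisory text, and the URLs are constructed). The fixed rule only lets the redirect target choose the local name when the user opted in, which is what closes the gap:

```python
from urllib.parse import urlsplit
from posixpath import basename

# Name used when the URL path has no final component (as wget does for
# directory URLs). Query strings are dropped here for simplicity.
DEFAULT_NAME = "index.html"


def name_from_url(url: str) -> str:
    """Last path component of a URL, or DEFAULT_NAME for directory URLs."""
    return basename(urlsplit(url).path) or DEFAULT_NAME


def legacy_destination(original_url: str, final_url: str,
                       trust_server_names: bool = False) -> str:
    """Pre-fix behaviour as described in DLA 536-1 (reconstructed, not
    wget's code): an HTTP -> FTP redirect was trusted unconditionally."""
    orig_scheme = urlsplit(original_url).scheme.lower()
    final_scheme = urlsplit(final_url).scheme.lower()
    if trust_server_names or (orig_scheme == "http" and final_scheme == "ftp"):
        return name_from_url(final_url)
    return name_from_url(original_url)


def fixed_destination(original_url: str, final_url: str,
                      trust_server_names: bool = False) -> str:
    """Fixed behaviour: the redirect target never chooses the local file
    name unless the user passed --trust-server-names."""
    if trust_server_names:
        return name_from_url(final_url)
    return name_from_url(original_url)


def redirect_controls_name(original_url: str, final_url: str, rule) -> bool:
    """True when the server-chosen redirect target, rather than the URL the
    user asked for, decides the local file name under the given rule."""
    final_name = name_from_url(final_url)
    return (final_name != name_from_url(original_url)
            and rule(original_url, final_url) == final_name)


# Constructed sample: the user asked for one file, the server redirected
# to an FTP resource with a different name.
ORIGINAL = "http://files.example.test/report-2016.pdf"
REDIRECT = "ftp://mirror.example.test/pub/other-name.bin"

if __name__ == "__main__":
    print("legacy:", legacy_destination(ORIGINAL, REDIRECT))
    print("fixed: ", fixed_destination(ORIGINAL, REDIRECT))
    print("fixed, --trust-server-names:",
          fixed_destination(ORIGINAL, REDIRECT, trust_server_names=True))
```

Run as-is it prints the legacy name chosen by the redirect target and the fixed name taken from the original URL; the opt-in flag restores the old result explicitly rather than silently.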
For Debian 7 "Wheezy", these problems have been fixed in version
1.13.4-3+deb7u3.
We recommend that you upgrade your wget packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 537-1] roundcube security update
Package : roundcube
Version : 0.7.2-9+deb7u3
CVE ID : CVE-2015-8864
Roundcube, a webmail solution for IMAP servers, was susceptible to
cross-site scripting (XSS) vulnerabilities when handling SVG images.
When right-clicking on the download link of an attached image, it was
possible for embedded JavaScript to be executed in a separate tab.
The update disables the display of SVG images in e-mails and tabs.
Downloading attachments is still possible. This security update also
mitigates other ways to exploit this issue in SVG images
(CVE-2016-4068).
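The mitigation the advisory describes, download allowed but no inline display of SVG, as an added Python example that is not Roundcube's code. It decides the response headers for one attachment; the SVG detection looks at the declared MIME type, the extension and the content, so an SVG mislabelled as image/png is still treated as SVG. The header names are standard; the sample attachments are constructed:

```python
import re
from typing import Dict

# An XML document whose root element is <svg ...>, allowing for a leading
# XML declaration, comments and DOCTYPE (constructed signature for this example).
_SVG_ROOT = re.compile(
    rb"^\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg[\s>]",
    re.IGNORECASE | re.DOTALL,
)

SVG_TYPES = {"image/svg+xml", "image/svg"}


def looks_like_svg(filename: str, declared_type: str, data: bytes) -> bool:
    """Treat an attachment as SVG if the MIME type, the extension, or the
    content says so; a mislabelled SVG must not slip through as 'image/png'."""
    if declared_type.split(";")[0].strip().lower() in SVG_TYPES:
        return True
    if filename.lower().endswith((".svg", ".svgz")):
        return True
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):  # strip a UTF-8 BOM before matching
        head = head[3:]
    return _SVG_ROOT.search(head) is not None


def attachment_headers(filename: str, declared_type: str, data: bytes,
                       want_inline: bool) -> Dict[str, str]:
    """Headers for serving one attachment. Non-SVG images may be shown inline
    when requested; SVG is only ever offered as a download, with headers that
    stop the browser rendering it even when the link is opened in a new tab."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "attachment"
    headers = {"X-Content-Type-Options": "nosniff"}
    if looks_like_svg(filename, declared_type, data):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
        return headers
    headers["Content-Type"] = declared_type
    disposition = "inline" if want_inline else "attachment"
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


# Constructed samples: a benign SVG declared as image/png, and a PNG header.
SVG_SAMPLE = (b'<?xml version="1.0"?>\n<!-- constructed -->\n'
              b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
              b'<rect width="1" height="1"/></svg>')
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, ctype, body in (("pic.png", "image/png", SVG_SAMPLE),
                              ("photo.png", "image/png", PNG_SAMPLE)):
        print(name, attachment_headers(name, ctype, body, want_inline=True))
```

The Content-Security-Policy with sandbox and nosniff are belt-and-braces: even if a client ignores the disposition, the document has no script origin to run from and the declared type is not second-guessed.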
For Debian 7 "Wheezy", these problems have been fixed in version
0.7.2-9+deb7u3.
We recommend that you upgrade your roundcube packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 538-1] wireshark security update
Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u6~deb7u2
CVE ID : CVE-2016-5350 CVE-2016-5351 CVE-2016-5353 CVE-2016-5354 CVE-2016-5355 CVE-2016-5356 CVE-2016-5357 CVE-2016-5359
The following vulnerabilities have been discovered in Wheezy's
Wireshark version:
CVE-2016-5350
    The SPOOLS dissector could go into an infinite loop
CVE-2016-5351
    The IEEE 802.11 dissector could crash
CVE-2016-5353
    The UMTS FP dissector could crash
CVE-2016-5354
    Some USB dissectors could crash
CVE-2016-5355
    The Toshiba file parser could crash
CVE-2016-5356
    The CoSine file parser could crash
CVE-2016-5357
    The NetScreen file parser could crash
CVE-2016-5359
    The WBXML dissector could go into an infinite loop
For Debian 7 "Wheezy", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u6~deb7u2.
We recommend that you upgrade your wireshark packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 3611-1] libcommons-fileupload-java security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3611-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 30, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libcommons-fileupload-java
CVE ID : CVE-2016-3092
The TERASOLUNA Framework Development Team discovered a denial of service
vulnerability in Apache Commons FileUpload, a package to make it
easy to add robust, high-performance file upload capability to servlets
and web applications. A remote attacker can take advantage of this flaw
by sending file upload requests that cause the HTTP server using the
Apache Commons FileUpload library to become unresponsive, preventing the
server from servicing other requests.
For the stable distribution (jessie), this problem has been fixed in
version 1.3.1-1+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 1.3.2-1.
For the unstable distribution (sid), this problem has been fixed in
version 1.3.2-1.
We recommend that you upgrade your libcommons-fileupload-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/