Debian 10206 Published by

The following Debian updates has been released today:

[DLA 584-1] libsys-syslog-perl security update
[DLA 585-1] firefox-esr security update
[DLA 586-1] curl security update
[DSA 3641-1] openjdk-7 security update



[DLA 584-1] libsys-syslog-perl security update

Package : libsys-syslog-perl
Version : 0.29-1+deb7u1
CVE ID : CVE-2016-1238

John Lightsey and Todd Rinaldo reported that the opportunistic loading
of optional modules can make many programs unintentionally load code
from the current working directory (which might be changed to another
directory without the user realising) and potentially leading to
privilege escalation, as demonstrated in Debian with certain
combinations of installed packages.

The problem relates to Perl loading modules from the includes directory
array ("@INC") in which the last element is the current directory (".").
That means that, when "perl" wants to load a module (during first
compilation or during lazy loading of a module in run time), perl will
look for the module in the current directory at the end, since '.' is
the last include directory in its array of include directories to seek.
The issue is with requiring libraries that are in "." but are not
otherwise installed.

With this update the Sys::Syslog Perl module is updated to not load
modules from current directory.

For Debian 7 "Wheezy", these problems have been fixed in version
0.29-1+deb7u1.

We recommend that you upgrade your libsys-syslog-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 585-1] firefox-esr security update

Package : firefox-esr
Version : 45.3.0esr-1~deb7u1
CVE ID : CVE-2016-2830 CVE-2016-2836 CVE-2016-2837
CVE-2016-2838 CVE-2016-5252 CVE-2016-5254
CVE-2016-5258 CVE-2016-5259 CVE-2016-5262
CVE-2016-5263 CVE-2016-5264 CVE-2016-5265



Multiple security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code,
cross-site scriping, information disclosure and bypass of the
same-origin policy.


For Debian 7 "Wheezy", these problems have been fixed in version
45.3.0esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 586-1] curl security update

Package : curl
Version : 7.26.0-1+wheezy14
CVE ID : CVE-2016-5419 CVE-2016-5420


CVE-2016-5419
Bru Rom discovered that libcurl would attempt to resume a TLS
session even if the client certificate had changed.

CVE-2016-5420
It was discovered that libcurl did not consider client certificates
when reusing TLS connections.

For Debian 7 "Wheezy", these problems have been fixed in version
7.26.0-1+wheezy14.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3641-1] openjdk-7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3641-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 04, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550
CVE-2016-3606

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts of
the Java sandbox or denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 7u111-2.6.7-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/