Debian 10241 Published by

The following updates has been released for Debian:

[DLA 97-1] eglibc security update
[DSA 3079-1] ppp security update
[DSA 3080-1] openjdk-7 security update
[DSA 3081-1] libvncserver security update



[DLA 97-1] eglibc security update

Package : eglibc
Version : 2.11.3-4+deb6u2
CVE ID : CVE-2012-6656 CVE-2014-6040 CVE-2014-7817

CVE-2012-6656

Fix validation check when converting from ibm930 to utf.
When converting IBM930 code with iconv(), if IBM930 code which
includes invalid multibyte character "0xffff" is specified, then
iconv() segfaults.

CVE-2014-6040

Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.

CVE-2014-7817

The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.

[DSA 3079-1] ppp security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3079-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
November 28, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ppp
CVE ID : CVE-2014-3158
Debian Bug : 762789

A vulnerability was discovered in ppp, an implementation of the
Point-to-Point Protocol: an integer overflow in the routine
responsible for parsing user-supplied options potentially allows a
local attacker to gain root privileges.

For the stable distribution (wheezy), this problem has been fixed in
version 2.4.5-5.1+deb7u1.

For the upcoming stable distribution (jessie) and unstable
distribution (sid), this problem has been fixed in version 2.4.6-3.

We recommend that you upgrade your ppp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3080-1] openjdk-7 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3080-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
November 29, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506
CVE-2014-6511 CVE-2014-6512 CVE-2014-6517 CVE-2014-6519
CVE-2014-6531 CVE-2014-6558

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, information disclosure or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 7u71-2.5.3-2~deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 7u71-2.5.3-1.

For the unstable distribution (sid), these problems have been fixed in
version 7u71-2.5.3-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3081-1] libvncserver security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3081-1 security@debian.org
http://www.debian.org/security/ Luciano Bello
November 29, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvncserver
CVE ID : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054
CVE-2014-6055
Debian Bug : 762745

Several vulnerabilities have been discovered in libvncserver, a library to
implement VNC server functionality. These vulnerabilities might result in the
execution of arbitrary code or denial of service in both the client and the
server side.

For the stable distribution (wheezy), these problems have been fixed in
version 0.9.9+dfsg-1+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 0.9.9+dfsg-6.1.

We recommend that you upgrade your libvncserver packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/