Debian 10225 Published by

The following updates has been released for Debian 7 LTS:

[DLA 700-1] libxslt security update
[DLA 701-1] memcached security update
[DLA 702-1] tzdata new upstream version
[DLA 703-1] libdatetime-timezone-perl new upstream version
[DLA 704-1] openjdk-7 security update



[DLA 700-1] libxslt security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package : libxslt
Version : 1.1.26-14.1+deb7u2
CVE ID : CVE-2016-4738
Debian Bug : 842570

A heap overread bug was found in libxslt, which can cause arbitrary
code execution or denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.26-14.1+deb7u2.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 701-1] memcached security update

Package : memcached
Version : 1.4.13-0.2+deb7u2
CVE ID : CVE-2013-7291 CVE-2016-8704 CVE-2016-8705 CVE-2016-8706
Debian Bug : 735314 842811 842812 842814


Multiple vulnerabilites have been found in memcached, a high-performance
memory object caching system. A remote attacker could take advantage of
these flaws to cause a denial of service (daemon crash), or potentially
to execute arbitrary code.

CVE-2013-7291

It was discovered that memcached, when running in verbose mode, can
be crashed by sending carefully crafted requests that trigger an
unbounded key print, resulting in a daemon crash.

CVE-2016-8704, CVE-2016-8705, CVE-2016-8706

Aleksandar Nikolic of Cisco Talos found several vulnerabilities in
memcached. A remote attacker could cause an integer overflow by
sending carefully crafted requests to the memcached server,
resulting in a daemon crash.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.13-0.2+deb7u2.

We recommend that you upgrade your memcached packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 702-1] tzdata new upstream version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package : tzdata
Version : 2016i-0+deb7u1

This update includes the changes in tzdata 2016i. Notable
changes are:

- Pacific/Tongatapu (DST starting on 2016-11-06 at 02:00).
- Northern Cyprus is now +03 year round, the Asia/Famagusta zone has
been added.
- Antarctica/Casey (switched from +08 to +11 on 2016-10-22).

For Debian 7 "Wheezy", these problems have been fixed in version
2016i-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 703-1] libdatetime-timezone-perl new upstream version

Package : libdatetime-timezone-perl
Version : 1:1.58-1+2016i

This update includes the changes in tzdata 2016i for the
Perl bindings. For the list of changes, see DLA-702-1.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.58-1+2016i.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 704-1] openjdk-7 security update

Package : openjdk-7
Version : 7u111-2.6.7-2~deb7u1
CVE ID : CVE-2016-5542 CVE-2016-5554 CVE-2016-5573 CVE-2016-5582
CVE-2016-5597
Debian Bug : 841692

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in
information disclosure, denial of service and arbitrary code
execution.

For Debian 7 "Wheezy", these problems have been fixed in version
7u111-2.6.7-2~deb7u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS