Debian 10260 Published by

The following 5 security updates has been released for Debian GNU/Linux: [DSA 2468-1] libjakarta-poi-java security update, [DSA 2422-2] file regression fix, [DSA 2467-1] mahara security update, [DSA 2466-1] rails security update, and [DSA 2465-1] php5 security update



[SECURITY] [DSA 2468-1] libjakarta-poi-java security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2468-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
May 09, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libjakarta-poi-java
Vulnerability : unbounded memory allocation
Problem type : local
Debian-specific: no
CVE ID : CVE-2012-0213

It was discovered that Apache POI, a Java implementation of the
Microsoft Office file formats, would allocate arbitrary amounts of
memory when processing crafted documents. This could impact the
stability of the Java virtual machine.

For the stable distribution (squeeze), this problem has been fixed in
version 3.6+dfsg-1+squeeze1.

We recommend that you upgrade your libjakarta-poi-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[SECURITY] [DSA 2422-2] file regression fix
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2422-2 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 09, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : file
Vulnerability : regression fix
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-1571

A regression was discovered in the security update for file, which
lead to false positives on the CDF format. This update fixes that
regression. For reference the original advisory text follows.

The file type identification tool, file, and its associated library,
libmagic, do not properly process malformed files in the Composite
Document File (CDF) format, leading to crashes.

Note that after this update, file may return different detection
results for CDF files (well-formed or not). The new detections are
believed to be more accurate.

For the stable distribution (squeeze), this problem has been fixed in
version 5.04-5+squeeze2.

We recommend that you upgrade your file packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

[SECURITY] [DSA 2467-1] mahara security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2467-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 09, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mahara
Vulnerability : insecure defaults
Problem type : remote
Debian-specific: no

It was discovered that Mahara, the portfolio, weblog, and resume builder,
had an insecure default with regards to SAML-based authentication used
with more than one SAML identity provider. Someone with control over one
IdP could impersonate users from other IdP's.

For the stable distribution (squeeze), this problem has been fixed in
version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 1.4.2-1.

We recommend that you upgrade your mahara packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2466-1] rails security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2466-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 09, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rails
Vulnerability : cross site scripting
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-1099
Debian Bug : 668607

Sergey Nartimov discovered that in Rails, a Ruby based framework for
web development, when developers generate html options tags manually,
user input concatenated with manually built tags may not be escaped
and an attacker can inject arbitrary HTML into the document.

For the stable distribution (squeeze), this problem has been fixed in
version 2.3.5-1.2+squeeze3.

For the testing distribution (wheezy) and unstable distribution (sid),
this problem has been fixed in version 2.3.14.

We recommend that you upgrade your rails packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
[SECURITY] [DSA 2465-1] php5 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2465-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 09, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-1172 CVE-2012-1823 CVE-2012-2311

De Eindbazen discovered that PHP, when run with mod_cgi, will
interpret a query string as command line parameters, allowing to
execute arbitrary code.

Additionally, this update fixes insufficient validation of upload
name which lead to corrupted $_FILES indices.

For the stable distribution (squeeze), this problem has been fixed in
version 5.3.3-7+squeeze9.

The testing distribution (wheezy) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.4.3-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/