Debian 10225 Published by

The following updates has been released for Debian:

[DLA 404-1] nginx security update
[DSA 3455-1] curl security update
[DSA 3456-1] chromium-browser security update
[DSA 3457-1] iceweasel security update
[DSA 3458-1] openjdk-7 security update



[DLA 404-1] nginx security update

Package : nginx
Version : 0.7.67-3+squeeze4+deb6u1
CVE ID : CVE-2016-0742
Debian Bug : 812806

It was discovered that there was a invalid pointer deference in nginx, a
small, powerful, scalable web/proxy server. An invalid pointer
dereference might occur during DNS server response processing, allowing
an attacker who is able to forge UDP packets from the DNS server to cause
worker process crash

For Debian 6 Squeeze, this issue has been fixed in nginx version
0.7.67-3+squeeze4+deb6u1.


[DSA 3455-1] curl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3455-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2016-0755

Isaac Boukris discovered that cURL, an URL transfer library, reused
NTLM-authenticated proxy connections without properly making sure that
the connection was authenticated with the same credentials as set for
the new transfer. This could lead to HTTP requests being sent over the
connection authenticated as a different user.

For the stable distribution (jessie), this problem has been fixed in
version 7.38.0-4+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 7.47.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3456-1] chromium-browser security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3456-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
January 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2015-6792 CVE-2016-1612 CVE-2016-1613 CVE-2016-1614
CVE-2016-1615 CVE-2016-1616 CVE-2016-1617 CVE-2016-1618
CVE-2016-1619 CVE-2016-1620

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-6792

An issue was found in the handling of MIDI files.

CVE-2016-1612

cloudfuzzer discovered a logic error related to receiver
compatibility in the v8 javascript library.

CVE-2016-1613

A use-after-free issue was discovered in the pdfium library.

CVE-2016-1614

Christoph Diehl discovered an information leak in Webkit/Blink.

CVE-2016-1615

Ron Masas discovered a way to spoof URLs.

CVE-2016-1616

Luan Herrera discovered a way to spoof URLs.

CVE-2016-1617

jenuis discovered a way to discover whether an HSTS web site had
been visited.

CVE-2016-1618

Aaron Toponce discovered the use of weak random number generator.

CVE-2016-1619

Keve Nagy discovered an out-of-bounds-read issue in the pdfium library.

CVE-2016-1620

The chrome 48 development team found and fixed various issues
during internal auditing. Also multiple issues were fixed in
the v8 javascript library, version 4.7.271.17.

For the stable distribution (jessie), these problems have been fixed in
version 48.0.2564.82-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 48.0.2564.82-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3457-1] iceweasel security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3457-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceweasel
CVE ID : CVE-2015-7575 CVE-2016-1930 CVE-2016-1935

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors and a
buffer overflow may lead to the execution of arbitrary code. In addition
the bundled NSS crypto library addresses the SLOTH attack on TLS 1.2.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.6.0esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.6.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 44.0-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3458-1] openjdk-7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3458-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466
CVE-2016-0483 CVE-2016-0494

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts of
the Java sandbox, information disclosur, denial of service and insecure
cryptography.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7u95-2.6.4-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 7u95-2.6.4-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7u95-2.6.4-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/