Debian 10228 Published by

3 updates for Debian 6 LTS, and 2 updates for Debian 7/8:

[DLA 427-1] nss security update
[DLA 428-1] websvn security update
[DLA 429-1] pixman security update
[DSA 3490-1] websvn security update
[DSA 3491-1] icedove security update



[DLA 427-1] nss security update

Package : nss
Version : 3.12.8-1+squeeze14
CVE ID : CVE-2016-1938

The s_mp_div function in Mozilla Network Security Services (NSS) before
3.21, improperly divides numbers, which might make it easier for remote
attackers to defeat cryptographic protection mechanisms by leveraging
use of the (1) mp_div or (2) mp_exptmod function.

For the oldoldstable distribution (squeeze), these problem has been fixed
in version 3.12.8-1+squeeze14.

We recommend that you upgrade your nss packages.


[DLA 428-1] websvn security update

Package : websvn
Version : 2.3.1-1+deb6u2
CVE ID : CVE-2016-2511

It was discovered that there was a cross-site scripting vulnerability
in websvn, a web-based Subversion repository browser

For Debian 6 Squeeze, this issue has been fixed in websvn version
2.3.1-1+deb6u2.


[DLA 429-1] pixman security update

Package : pixman
Version : 0.16.4-1+deb6u2
CVE ID : CVE-2014-9766

It was discovered that there was a buffer overflow in pixman, a
pixel-manipulation library for X and cairo.

For Debian 6 Squeeze, this issue has been fixed in pixman version
0.16.4-1+deb6u2.

[DSA 3490-1] websvn security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3490-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
February 23, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : websvn
CVE ID : CVE-2016-2511

Jakub Palaczynski discovered that websvn, a web viewer for Subversion
repositories, does not correctly sanitize user-supplied input, which
allows a remote user to run reflected cross-site scripting attacks.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.3.3-1.1+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.3-1.2+deb8u1.

We recommend that you upgrade your websvn packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3491-1] icedove security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3491-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 24, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icedove
CVE ID : CVE-2015-7575 CVE-2016-1523 CVE-2016-1930 CVE-2016-1935

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors,
integer overflows, buffer overflows and other implementation errors may
lead to the execution of arbitrary code or denial of service.

For the oldstable distribution (wheezy), these problems have been fixed
in version 38.6.0-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 38.6.0-1~deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 38.6.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 38.6.0-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/