Debian 10241 Published by

The following updates has been released for Debian:

[DLA 178-1] tor security update
[DLA 179-1] tzdata new upstream version
[DSA 3201-1] iceweasel security update
[DSA 3202-1] mono security update
[DSA 3203-1] tor security update



[DLA 178-1] tor security update

Package : tor
Version : 0.2.4.26-1~deb6u1

Several issues have been discovered and fixed in Tor, a connection-based
low-latency anonymous communication system.

o Jowr discovered that very high DNS query load on a relay could
trigger an assertion error.

o A relay could crash with an assertion error if a buffer of exactly
the wrong layout was passed to buf_pullup() at exactly the wrong
time.

o When sending the address of the chosen rendezvous point to a hidden
service clients were leaking to the hidden service they were on a
little-endian or big-endian systems.

Furthermore, this update disables support for SSLv3 in Tor. All
versions of OpenSSL in use with Tor today support TLS 1.0 or later.

Additionally, this release updates the geoIP database used by Tor as
well as the list of directory authority servers, which Tor clients use
to bootstrap and trust to sign the Tor directory consensus document.

[DLA 179-1] tzdata new upstream version

Package : tzdata
Version : 2015b-0squeeze1

Upstream published version 2015b.

Changes since 2014h-0squeeze1 currently in squeeze-lts are the following:
- New leap second 2015-06-30 23:59:60 UTC.
- New DST for Mongolia.
- New DST for Palestine.
- New DST for Cancun (Mexico).
- New DST for Chile.
- New DST for Fiji.
- Timezone change for Turks & Caicos.
- New timezone for Bougainville (Papua New Guinea).
- New timezone abbreviation for Belarus.

[DSA 3201-1] iceweasel security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3201-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
March 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceweasel
CVE ID : CVE-2015-0817 CVE-2015-0818

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2015-0817

ilxu1a reported a flaw in Mozilla's implementation of typed array
bounds checking in JavaScript just-in-time compilation (JIT) and its
management of bounds checking for heap access. This flaw can be
leveraged into the reading and writing of memory allowing for
arbitary code execution on the local system.

CVE-2015-0818

Mariusz Mlynski discovered a method to run arbitrary scripts in a
privileged context. This bypassed the same-origin policy protections
by using a flaw in the processing of SVG format content navigation.

For the stable distribution (wheezy), these problems have been fixed in
version 31.5.3esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 31.5.3esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3202-1] mono security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3202-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
March 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mono
CVE ID : CVE-2015-2318 CVE-2015-2319 CVE-2015-2320
Debian Bug : 780751

Researchers at INRIA and Xamarin discovered several vulnerabilities in
mono, a platform for running and developing applications based on the
ECMA/ISO Standards. Mono's TLS stack contained several problems that
hampered its capabilities: those issues could lead to client
impersonation (via SKIP-TLS), SSLv2 fallback, and encryption weakening
(via FREAK).

For the stable distribution (wheezy), these problems have been fixed in
version 2.10.8.1-8+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 3.2.8+dfsg-10.

We recommend that you upgrade your mono packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3203-1] tor security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3203-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
March 22, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tor

Several denial-of-service issues have been discovered in Tor, a
connection-based low-latency anonymous communication system.

o Jowr discovered that very high DNS query load on a relay could
trigger an assertion error.

o A relay could crash with an assertion error if a buffer of exactly
the wrong layout was passed to buf_pullup() at exactly the wrong
time.

For the stable distribution (wheezy), these problems have been fixed
in version 0.2.4.26-1.

For the testing distribution (jessie) and unstable distribution (sid),
these problems have been fixed in version 0.2.5.11-1.

Furthermore, this update disables support for SSLv3 in Tor. All
versions of OpenSSL in use with Tor today support TLS 1.0 or later.

Additionally, this release updates the geoIP database used by Tor as
well as the list of directory authority servers, which Tor clients use
to bootstrap and who sign the Tor directory consensus document.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/