Debian 10228 Published by

The following updates has been released for Debian 6 LTS:

[DLA 288-2] openssh regression update
[DLA 313-1] virtualbox-ose security update
[DLA 317-1] vorbis-tools security update
[DLA 318-1] flightgear security update
[DLA 319-1] freetype security update
[DLA 320-1] libemail-address-perl security update



[DLA 288-2] openssh regression update

Package : openssh
Version : 1:5.5p1-6+squeeze7
CVE ID : CVE-2015-5600

In Debian LTS (squeeze), the fix for CVE-2015-5600[1] in openssh
1:5.5p1-6+squeeze7 breaks authentication mechanisms that rely on the
keyboard-interactive method. Thanks to Colin Watson for making aware of
that.

The patch fixing CVE-2015-5600 introduces the field 'devices_done' to the
KbdintAuthctxt struct, but does not initialize the field in the
kbdint_alloc() function. On Linux, this ends up filling that field with
junk data. The result of this are random login failures when
keyboard-interactive authentication is used.

This upload of openssh 1:5.5p1-6+squeeze7 to Debian LTS (squeeze) adds
that initialization of the `devices_done` field alongside the existing
initialization code.

People relying on keyboard-interactive based authentication mechanisms with
OpenSSH on Debian squeeze(-lts) systems are recommended to upgrade
OpenSSH to 1:5.5p1-6+squeeze7.

[1] https://lists.debian.org/debian-lts-announce/2015/08/msg00001.html

[DLA 313-1] virtualbox-ose security update

Package : virtualbox-ose
Version : 3.2.28-dfsg-1+squeeze1
CVE ID : CVE-2013-3792 CVE-2014-2486 CVE-2014-2488 CVE-2014-2489
CVE-2015-2594
Bugs : #715327 #754939 #792446

The latest maintenance release of the VirtualBox (OSE) 3.2.x series
(i.e., version 3.2.28) has been uploaded to Debian LTS (squeeze). Thanks
to Gianfranco Costamagna for preparing packages for review and upload by
the Debian LTS Team.

Unfortunately, Oracle no longer provides information on specific security
vulnerabilities in VirtualBox, thus we provide their latest 3.2.28
maintenance release in Debian LTS (squeeze) directly.

CVE-2013-3792

Oracle reported an unspecified vulnerability in the Oracle VM
VirtualBox component in Oracle Virtualization VirtualBox prior to
3.2.18, 4.0.20, 4.1.28, and 4.2.18 allows local users to affect
availability via unknown vectors related to Core.

The fix for CVE-2013-3792 prevents a virtio-net host DoS
vulnerability by adding large frame support to IntNet, VirtioNet and
NetFilter plus dropping oversized frames.

CVE-2014-2486

Unspecified vulnerability in the Oracle VM VirtualBox component
in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26,
4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity
and availability via unknown vectors related to Core.

No further details have been provided, the attack range has been
given as local, severity low.

CVE-2014-2488

Unspecified vulnerability in the Oracle VM VirtualBox component in
Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34,
4.2.26, and 4.3.12 allows local users to affect confidentiality via
unknown vectors related to Core.

No further details can been provided, the attack range has been
given as local, severity low.

CVE-2014-2489

Unspecified vulnerability in the Oracle VM VirtualBox component in
Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34,
4.2.26, and 4.3.12 allows local users to affect confidentiality,
integrity, and availability via unknown vectors related to Core.

No further details can been provided, the attack range has been
given as local, severity medium.

CVE-2015-2594

Unspecified vulnerability in the Oracle VM VirtualBox component
in Oracle Virtualization VirtualBox prior to 4.0.32, 4.1.40,
4.2.32, and 4.3.30 allows local users to affect confidentiality,
integrity, and availability via unknown vectors related to Core.

This update fixes an issue related to guests using bridged networking
via WiFi.

[DLA 317-1] vorbis-tools security update

Package : vorbis-tools
Version : 1.4.0-1+deb6u1
CVE ID : CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 CVE-2015-6749
Debian Bug : #771363 #797461 #776086

Various issues have been fixed in Debian LTS (squeeze) for package
vorbis-tools.

CVE-2014-9638

A crafted WAV file with number of channels set to 0 will cause oggenc
to crash due to a division by zero issue. This issue has been fixed
upstream by providing a fix for CVE-2014-9639. Reported upstream by
"zuBux".

CVE-2014-9639

An integer overflow issue was discovered in oggenc, related to the
number of channels in the input WAV file. The issue triggers an
out-of-bounds memory access which causes oggenc to crash here
(audio.c). Reported upstream by "zuBux".

The upstream fix for this has been backported to vorbis-tools in
Debian LTS (squeeze).

CVE-2014-9640

Fix for a crash on closing raw input (dd if=/dev/zero bs=1 count=1 |
oggenc -r - -o out.ogg). Reported upstream by "hanno".

The upstream fix for this has been backported to vorbis-tools in
Debian LTS (squeeze).

CVE-2015-6749

Buffer overflow in the aiff_open function in oggenc/audio.c in
vorbis-tools 1.4.0 and earlier allowed remote attackers to cause a
denial of service (crash) via a crafted AIFF file. Reported upstream
by "pengsu".

The upstream fix for this has been backported to vorbis-tools in
Debian LTS (squeeze).

[DLA 318-1] flightgear security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package : flightgear
Version : 1.9.1-1.1
Debian Bug : 780712

It was discovered that flightgear, a Flight Gear Flight Simulator
game, did not perform adequate filesystem validation checks in its
fgValidatePath routine.

[DLA 319-1] freetype security update

Package : freetype
Version : 2.4.2-2.1+squeeze6
CVE ID : CVE-2014-9745 CVE-2014-9746 CVE-2014-9747
Debian Bug : 798619 798620

Sergey Gorbaty reported issues related to the FreeType font engine.
FreeType improperly handled certain malformed font files, allowing
remote attackers to cause a Denial of Service when specially crafted
font files were used.

For Debian 6 “Squeeze”, these issues have been fixed in freetype version
2.4.2-2.1+squeeze6. We recommend you to upgrade your freetype packages.

Learn more about the Debian Long Term Support (LTS) Project and how to
apply these updates at: https://wiki.debian.org/LTS/


[DLA 320-1] libemail-address-perl security update

Package : libemail-address-perl
Version : 1.889-2+deb6u2