Debian 10261 Published by

The following updates are available for Debian:

[DLA 107-1] unbound security update
[DLA 108-1] nfs-utils security update
[DSA 3100-1] mediawiki security update
[DSA 3101-1] c-icap security update
[DSA 3102-1] libyaml security update
[DSA 3103-1] libyaml-libyaml-perl security update



[DLA 107-1] unbound security update

Package : unbound
Version : 1.4.6-1+squeeze4
CVE ID : CVE-2014-8602
Debian Bug : 772622

Florian Maury from ANSSI discovered that unbound, a validating,
recursive, and caching DNS resolver, was prone to a denial of service
vulnerability. An attacker crafting a malicious zone and able to emit
(or make emit) queries to the server can trick the resolver into
following an endless series of delegations, leading to ressource
exhaustion and huge network usage.

[DLA 108-1] nfs-utils security update

Package : nfs-utils
Version : 1:1.2.2-4squeeze3
CVE ID : CVE-2012-3541

In the past, rpc.statd posted SM_NOTIFY requests using the same socket it
used for sending downcalls to the kernel. To receive replies from remote
hosts, the socket was bound to INADDR_ANY. To prevent unwanted data
injection, bind this socket to the loopback address.

[DSA 3100-1] mediawiki security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3100-1 security@debian.org
http://www.debian.org/security/ Sebastien Delafond
December 12, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mediawiki
CVE ID : CVE-2014-9277
Debian Bug : 772764

A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy
mangling allows an article editor to inject code into API consumers
that deserialize PHP representations of the page from the API.

For the stable distribution (wheezy), this problem has been fixed in
version 1.19.20+dfsg-0+deb7u2.

We recommend that you upgrade your mediawiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3101-1] c-icap security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3101-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : c-icap
CVE ID : CVE-2013-7401 CVE-2013-7402

Several vulnerabilities were found in c-icap, an ICAP server
implementation, which could allow a remote attacker to cause c-icap to
crash, or have other, unspecified impacts.

For the stable distribution (wheezy), these problems have been fixed in
version 1:0.1.6-1.1+deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 1:0.3.1-1.

For the unstable distribution (sid), these problems have been fixed in
version 1:0.3.1-1.

We recommend that you upgrade your c-icap packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3102-1] libyaml security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3102-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libyaml
CVE ID : CVE-2014-9130
Debian Bug : 771366

Jonathan Gray and Stanislaw Pitucha found an assertion failure in the
way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and
emitter library. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash.

For the stable distribution (wheezy), this problem has been fixed in
version 0.1.4-2+deb7u5.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 0.1.6-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.1.6-3.

We recommend that you upgrade your libyaml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3103-1] libyaml-libyaml-perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3103-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libyaml-libyaml-perl
CVE ID : CVE-2014-9130
Debian Bug : 771365

Jonathan Gray and Stanislaw Pitucha found an assertion failure in the
way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and
emitter library. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash.

This update corrects this flaw in the copy that is embedded in the
libyaml-libyaml-perl package.

For the stable distribution (wheezy), this problem has been fixed in
version 0.38-3+deb7u3.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 0.41-6.

For the unstable distribution (sid), this problem has been fixed in
version 0.41-6.

We recommend that you upgrade your libyaml-libyaml-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/