Debian 10261 Published by

3 for Debian 6 LTS and 5 for Debian 7/8:

[DLA 436-1] ia32-libs security update
[DLA 437-1] clamav version update
[DLA 440-1] dansguardian package update
[DSA 3492-2] gajim regression update
[DSA 3496-1] php-horde-core security update
[DSA 3497-1] php-horde security update
[DSA 3498-1] drupal7 security advisory
[DSA 3499-1] pillow security update
[DLA 436-1] ia32-libs security update

Package : ia32-libs, ia32-libs-gtk
Version : 20160228

The ia32-libs and ia32-libs-gtk packages contain 32 bit versions of various
libraries for use on 64 bit systems. This update rolls in all security
fixes made to these libraries since the start of Squeeze LTS.

[DLA 437-1] clamav version update

Package : clamav
Version : 0.99+dfsg-0+deb6u1
Debian Bug : 813894

Upstream published version 0.99. This update updates squeeze-lts to the latest
upstream release, in line with the approach used for other Debian releases.

The changes are not strictly required for operation, but users of the previous
version in Squeeze may not be able to make use of all current virus signatures
and might get warnings.

Due to a change in soname included with this release, libclamav has been
updated to libclamav7. This requires updates to external users of libclamav.
For python-clamav, klamav, and libclamunrar, these changes are, or will be
shortly, available.

Unfortunately, for dansguardian, it was released for squeeze with latent
issues that preclude rebuilding the package. If you are using dansguardian,
do not attempt to upgrade to the new clamav.

Otherwise, if you use clamav, we strongly recommend that you upgrade to this
version.

[DLA 440-1] dansguardian package update

Package : dansguardian
Version : 2.10.1.1-3+deb6u1
Debian Bug : 813894

As described in DLA-437-1, clamav has been updated to the most recent upstream
version, 0.99. Due to a soname change in libclamav, packages depending on
libclamav needed to be recompiled to work with the new libclamav7. At the
time DLA-437-1 was sent, updated dansguardian packages were not available.

An update to dansguardian has now been uploaded and packages should be
available shortly. The recommendation in DLA-437-1 not to upgrade clamav if
using it with dansguardian is no longer applicable.

Upgrading clamav and dansguardian is recommended for the reasons described in
DLA-437-1.

[DSA 3492-2] gajim regression update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3492-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : gajim
Debian Bug : 816158

The wheezy part of the previous gajim update, DSA-3492-1, was
incorrectly built resulting in an unsatisfiable dependency. This update
corrects that problem. For reference, the original advisory text
follows.

Daniel Gultsch discovered a vulnerability in Gajim, an XMPP/jabber
client. Gajim didn't verify the origin of roster updates, allowing an
attacker to spoof them and potentially allowing her to intercept
messages.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.15.1-4.1+deb7u2.

We recommend that you upgrade your gajim packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3496-1] php-horde-core security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3496-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php-horde-core
CVE ID : CVE-2015-8807
Debian Bug : 813590

It was discovered that php-horde-core, a set of classes providing the
core functionality of the Horde Application Framework, is prone to a
cross-site scripting vulnerability.

For the stable distribution (jessie), this problem has been fixed in
version 2.15.0+debian0-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.22.4+debian0-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.22.4+debian0-1.

We recommend that you upgrade your php-horde-core packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3497-1] php-horde security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3497-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php-horde
CVE ID : CVE-2016-2228
Debian Bug : 813573

It was discovered that php-horde, a flexible, modular, general-purpose
web application framework written in PHP, is prone to a cross-site
scripting vulnerability.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.1+debian0-2+deb8u3.

For the testing distribution (stretch), this problem has been fixed
in version 5.2.9+debian0-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.9+debian0-1.

We recommend that you upgrade your php-horde packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3498-1] drupal7 security advisory

-------------------------------------------------------------------------
Debian Security Advisory DSA-3498-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 28, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : drupal7
CVE ID : not yet available

Multiple security vulnerabilities have been found in the Drupal content
management framework. For additional information, please refer to the
upstream advisory at https://www.drupal.org/SA-CORE-2016-001.

For the oldstable distribution (wheezy), this problem has been fixed
in version 7.14-2+deb7u12.

For the stable distribution (jessie), this problem has been fixed in
version 7.32-1+deb8u6.

For the unstable distribution (sid), this problem has been fixed in
version 7.43-1.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3499-1] pillow security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3499-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 28, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pillow
CVE ID : CVE-2016-0740 CVE-2016-0775 CVE-2016-2533

Multiple security vulnerabilities have been found in Pillow, a Python
imaging library, which may result in denial of service or the execution
of arbitrary code if a malformed FLI, PCD or TIFF file is processed.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.1.7-4+deb7u2 of the python-imaging source package.

For the stable distribution (jessie), this problem has been fixed in
version 2.6.1-2+deb8u2.

For the testing distribution (stretch), this problem has been fixed
in version 3.1.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.1-1.

We recommend that you upgrade your pillow packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
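Every advisory above states a fix as "this problem has been fixed in version X" per suite, and deciding whether an installed package is past that version needs dpkg's ordering rules (epochs, `~` sorting before anything, `+deb8u1` sorting after the base revision). The following is an added example, not code from Debian or from any of the advisories: it extracts the fixed versions from advisory text quoted from DSA-3496-1 and reimplements `dpkg --compare-versions` in pure Python; the installed versions it is checked against are constructed.

```python
import re
# Advisory lines quoted from DSA-3496-1 above; installed versions compared against them are constructed.
ADVISORY_TEXT = """For the stable distribution (jessie), this problem has been fixed in
version 2.15.0+debian0-1+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 2.22.4+debian0-1."""
FIXED_RE = re.compile(r"distribution \((\w+)\), this problem has been fixed"
                      r"\s+in\s+version\s+(\S+)")

def fixed_versions(text):
    # Map each suite named in the advisory to the version that fixes it (trailing '.' dropped).
    return {suite: ver.rstrip(".") for suite, ver in FIXED_RE.findall(text)}

def _order(c):
    # dpkg's character weight: '~' sorts before even the end of the string,
    # letters before other punctuation; digit runs are compared separately.
    if c.isdigit(): return 0
    if c.isalpha(): return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    # dpkg's comparison of one upstream-version or revision fragment.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")          # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit(): return 1                  # longer digit run wins
        if b[:1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def _split(version):
    # Split 'epoch:upstream-revision' into dpkg's three components.
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Negative, zero or positive, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_fixed(installed, advisory_text, suite):
    """True when the installed version is at or past the advisory's fix for that suite."""
    return compare_versions(installed, fixed_versions(advisory_text)[suite]) >= 0
```

On a real system the installed version comes from `dpkg-query -W -f='${Version}' php-horde-core`, and the same comparison applies to the DLA "Version :" lines, which have no suite prefix.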