Debian 10225 Published by

The following Debian updates has been released:

[DLA 209-1] jruby security update
[DLA 211-1] curl security update
[DLA 212-1] php5 security update
[DLA 213-1] openjdk-6 security update
[DLA 214-1] libxml-libxml-perl security update
[DLA 215-1] libjson-ruby security update
[DSA 3239-1] icecast2 security update
[DSA 3240-1] curl security update
[DSA 3241-1] elasticsearch security update



[DLA 209-1] jruby security update

Package : jruby
Version : 1.5.1-1+deb6u1
CVE ID : CVE-2011-4838
Debian Bug : 686867

JRuby before 1.6.5.1 computes hash values without restricting the ability to
trigger hash collisions predictably, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via crafted input to an
application that maintains a hash table. Note: This update includes
corrections to the original fix for later Debian releases to avoid the issues
identified in CVE-2012-5370.


[DLA 211-1] curl security update

Package : curl
Version : 7.21.0-2.1+squeeze12
CVE ID : CVE-2015-3143 CVE-2015-3148

Several vulnerabilities were discovered in cURL, an URL transfer library:

CVE-2015-3143

NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent
over the connection authenticated as a different user. This is
similar to the issue fixed in DSA-2849-1.

CVE-2015-3148

When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as
authenticated, making it possible to reuse it and send requests for
one user over the connection authenticated as a different user.

[DLA 212-1] php5 security update

Package : php5
Version : 5.3.3.1-7+squeeze26
CVE ID : CVE-2014-9705 CVE-2015-0232 CVE-2015-2301 CVE-2015-2331
CVE-2015-2783 CVE-2015-2787 CVE-2015-3329 CVE-2015-3330

CVE-2014-9705
Heap-based buffer overflow in the enchant_broker_request_dict
function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x
before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers
to execute arbitrary code via vectors that trigger creation of
multiple dictionaries.

CVE-2015-0232
The exif_process_unicode function in ext/exif/exif.c in PHP
before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5
allows remote attackers to execute arbitrary code or cause a
denial of service (uninitialized pointer free and application
crash) via crafted EXIF data in a JPEG image.

CVE-2015-2301
Use-after-free vulnerability in the phar_rename_archive function
in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6
allows remote attackers to cause a denial of service or possibly
have unspecified other impact via vectors that trigger an attempted
renaming of a Phar archive to the name of an existing file.

CVE-2015-2331
Integer overflow in the _zip_cdir_new function in zip_dirent.c
in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP
before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and
other products, allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code
via a ZIP archive that contains many entries, leading to a
heap-based buffer overflow.

CVE-2015-2783
Buffer Over-read in unserialize when parsing Phar

CVE-2015-2787
Use-after-free vulnerability in the process_nested_data function
in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x
before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to
execute arbitrary code via a crafted unserialize call that
leverages use of the unset function within an __wakeup function,
a related issue to CVE-2015-0231.

CVE-2015-3329
Buffer Overflow when parsing tar/zip/phar in phar_set_inode)

CVE-2015-3330
PHP potential remote code execution with apache 2.4 apache2handler

CVE-2015-temp-68819
denial of service when processing a crafted file with Fileinfo

[DLA 213-1] openjdk-6 security update

Package : openjdk-6
Version : 6b35-1.13.7-1~deb6u1
CVE ID : CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477
CVE-2015-0478 CVE-2015-0480 CVE-2015-0488

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information
disclosure or denial of service.

For Debian 6 “Squeeze”, these problems have been fixed in version
6b35-1.13.7-1~deb6u1.

We recommend that you upgrade your openjdk-6 packages.

[DLA 214-1] libxml-libxml-perl security update

Package : libxml-libxml-perl
Version : 1.70.ds-1+deb6u1
CVE ID : CVE-2015-3451
Debian Bug : 783443

In some cases, XML::LibXML did not respect the request to disable entities
expansion. Applications handling untrusted XML files can then be tricked
into disclosing the content of local files.

In Debian 6 “Squeeze”, this issue has been fixed in libxml-libxml-perl
version 1.70.ds-1+deb6u1.

[DLA 215-1] libjson-ruby security update

Package : libjson-ruby
Version : 1.1.9-1+deb6u1
CVE ID : CVE-2013-0269

The JSON gem for Ruby allowed remote attackers to cause a denial of
service (resource consumption) or bypass the mass assignment protection
mechanism via a crafted JSON document that triggers the creation of
arbitrary Ruby symbols or certain internal objects, as demonstrated by
conducting a SQL injection attack against Ruby on Rails, aka "Unsafe
Object Creation Vulnerability."

For Debian 6 “Squeeze”, this issue has been fixed in libjson-ruby
version 1.1.9-1+deb6u1.

[DSA 3239-1] icecast2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3239-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 29, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : icecast2
CVE ID : CVE-2015-3026
Debian Bug : 782120

Juliane Holzt discovered that Icecast2, a streaming media server, could
dereference a NULL pointer when URL authentication is configured and the
stream_auth URL is trigged by a client without setting any credentials.
This could allow remote attackers to cause a denial of service (crash).

For the stable distribution (jessie), this problem has been fixed in
version 2.4.0-1.1+deb8u1.

For the testing distribution (stretch), this problem will be fixed in
version 2.4.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.2-1.

We recommend that you upgrade your icecast2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3240-1] curl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3240-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 29, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2015-3153
Debian Bug :

It was discovered that cURL, an URL transfer library, if configured to
use a proxy server with the HTTPS protocol, by default could send to the
proxy the same HTTP headers it sends to the destination server, possibly
leaking sensitive information.

For the stable distribution (jessie), this problem has been fixed in
version 7.38.0-4+deb8u2.

For the testing distribution (stretch), this problem will be fixed in
version 7.42.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 7.42.1-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3241-1] elasticsearch security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3241-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 29, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : elasticsearch
CVE ID : CVE-2015-3337

John Heasman discovered that the site plugin handling of the
Elasticsearch search engine was susceptible to directory traversal.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.3+dfsg-5+deb8u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your elasticsearch packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/