
The following updates have been released for Debian:

[DLA 372-1] virtualbox-ose 3.2.x is no longer supported in Debian 6
[DSA 3427-1] blueman security update
[DSA 3428-1] tomcat8 security update



[DLA 372-1] virtualbox-ose 3.2.x is no longer supported in Debian 6

Package : virtualbox-ose

Oracle stopped supporting version 3.2 of VirtualBox last June. They also
do not disclose enough information about vulnerabilities discovered
and fixed in newer versions so that it is impossible for us to
verify whether the vulnerability also applies to 3.2 and to backport
the fix when needed.

We are thus no longer supporting virtualbox-ose in Debian 6 Squeeze.
If you rely on it, you should either consider using backports of newer
versions (version 4.1.42 is available in squeeze-backports) or
upgrade to Debian 7 Wheezy (or newer).

[DSA 3427-1] blueman security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3427-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 18, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : blueman
CVE ID : not yet available

It was discovered that the Mechanism plugin of Blueman, a graphical
Bluetooth manager, allows local privilege escalation.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.23-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 1.99~alpha1-1+deb8u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your blueman packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3428-1] tomcat8 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3428-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 18, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat8
CVE ID : CVE-2014-7810

It was discovered that malicious web applications could use the
Expression Language to bypass protections of a Security Manager as
expressions were evaluated within a privileged code section.

For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 8.0.21-2.

For the unstable distribution (sid), this problem has been fixed in
version 8.0.21-2.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/