
The following Debian updates have been released:

[DLA 68-1] fex security update
[DSA 3040-1] rsyslog security update
[DLA 68-1] fex security update

Package : fex
Version : 20100208+debian1-1+squeeze4
CVE ID : CVE-2014-3875 CVE-2014-3876 CVE-2014-3877

[CVE-2014-3875]

If encoded newline characters are inserted into a request to rup,
additional HTTP headers can be injected into the reply, as well
as new HTML code at the top of the page.

[CVE-2014-3876]
The parameter akey is reflected unfiltered as part of the HTML
page. Some characters are forbidden in the GET parameter due
to filtering of the URL, but this can be circumvented by using
a POST parameter.
Nevertheless, this issue is exploitable via the GET parameter
alone, with some user interaction.

[CVE-2014-3877]
The parameter addto is reflected only slightly filtered back to
the user as part of the HTML page. Some characters are forbidden
in the GET parameter due to filtering of the URL, but this can
be circumvented by using a POST parameter. Nevertheless, this
issue is exploitable via the GET parameter alone, with some user
interaction.
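As an added illustration of the two bug classes above (newline injection into response headers, and parameters reflected into HTML whether they arrive by GET or POST), here is defensive handling written for this page; it is not fex's code, and the sample parameter string, the "X-Addto" header name and the function names are constructed assumptions:

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample input (not captured fex traffic); the same string can
# arrive as a GET query string or as a POST form body.
SAMPLE_PARAMS = "akey=abc%3Cscript%3E&addto=x%0d%0aSet-Cookie%3A%20a%3Db"

# CR, LF and NUL split or terminate header lines; <>"'& change HTML context.
CTL = re.compile(r"[\r\n\x00]")
HTML_META = re.compile(r"[<>\"'&]")


def parse_params(raw):
    """Percent-decode a query string or form body into single-valued params.
    Decoding happens here, so a check run on the raw URL earlier never sees
    %0d%0a as a newline or %3C as '<'; inspect the decoded value instead."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def audit_params(raw):
    """Per parameter, list the reflection hazards in its decoded value.
    Applied identically to GET and POST data, so moving a value from the
    URL into the request body does not escape the check."""
    findings = {}
    for name, value in parse_params(raw).items():
        issues = []
        if CTL.search(value):
            issues.append("crlf")
        if HTML_META.search(value):
            issues.append("html-meta")
        if issues:
            findings[name] = issues
    return findings


def header_is_safe(value):
    """True if value may be placed in a response header unchanged."""
    return CTL.search(value) is None


def build_response(raw):
    """Return (headers, body): refuse unsafe header values, escape echoed text."""
    params = parse_params(raw)
    addto = params.get("addto", "")
    if not header_is_safe(addto):
        raise ValueError("control characters in header value")
    headers = {"X-Addto": addto}  # hypothetical header name, not fex's
    body = "<p>akey: %s</p>" % html.escape(params.get("akey", ""), quote=True)
    return headers, body
```

Running `audit_params` on the sample flags `akey` for HTML metacharacters and `addto` for CR/LF, and `build_response` rejects the request outright rather than letting the newline reach a header.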

[DSA 3040-1] rsyslog security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3040-1                   security@debian.org
http://www.debian.org/security/
September 30, 2014                  http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : rsyslog
CVE ID : CVE-2014-3634

Rainer Gerhards, the rsyslog project leader, reported a vulnerability in
Rsyslog, a system for log processing. As a consequence of this
vulnerability, an attacker can send malformed messages to a server that
accepts data from untrusted sources and trigger a denial of service.

For the stable distribution (wheezy), this problem has been fixed in
version 5.8.11-3+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 8.4.1-1.

We recommend that you upgrade your rsyslog packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/