
The following two updates have been released for Debian 6.0 LTS:

[DLA 50-1] file security update
[DLA 51-1] gnupg2 security update



[DLA 50-1] file security update

Package : file
Version : 5.04-5+squeeze7
CVE ID : CVE-2014-3538 CVE-2014-3587
Debian Bug : -

CVE-2014-3538

file does not properly restrict the amount of data read during
a regex search, which allows remote attackers to cause a
denial of service (CPU consumption).

CVE-2014-3587

Integer overflow in the cdf_read_property_info function in
cdf.c allows remote attackers to cause a denial of service
(application crash).


Note: The other seven issues for wheezy, fixed in 5.11-2+deb7u4
(DSA-3021-1), were already handled in 5.04-5+squeeze6 (DLA 27-1) in
July 2014. As an amendment to that earlier advisory: as a side effect of
the changes made then, the MIME type detection for some files improved
from "application/octet-stream" to something more specific, such as
"application/x-dosexec" or "application/x-iso9660-image".

[DLA 51-1] gnupg2 security update

Package : gnupg2
Version : 2.0.14-2+squeeze3
CVE ID : CVE-2014-4617
Debian Bug : 752498

Jean-Rene Reinhard, Olivier Levillain and Florian Maury reported that
GnuPG, the GNU Privacy Guard, did not properly parse certain garbled
compressed data packets. A remote attacker could use this flaw to mount
a denial of service against GnuPG by triggering an infinite loop.