The following security update has been released for Debian: [DSA 2859-1] pidgin security update, and [DSA 2858-1] iceweasel security update
[DSA 2859-1] pidgin security update
[DSA 2859-1] pidgin security update
- -------------------------------------------------------------------------[DSA 2858-1] iceweasel security update
Debian Security Advisory DSA-2859-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 10, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : pidgin
Vulnerability : several
CVE ID : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481
CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol
instant messaging client:
CVE-2013-6477
Jaime Breva Ribes discovered that a remote XMPP user can trigger a
crash by sending a message with a timestamp in the distant future.
CVE-2013-6478
Pidgin could be crashed through overly wide tooltip windows.
CVE-2013-6479
Jacob Appelbaum discovered that a malicious server or a "man in the
middle" could send a malformed HTTP header resulting in denial of
service.
CVE-2013-6481
Daniel Atallah discovered that Pidgin could be crashed through
malformed Yahoo! P2P messages.
CVE-2013-6482
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
could be crashed through malformed MSN messages.
CVE-2013-6483
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
could be crashed through malformed XMPP messages.
CVE-2013-6484
It was discovered that incorrect error handling when reading the
response from a STUN server could result in a crash.
CVE-2013-6485
Matt Jones discovered a buffer overflow in the parsing of malformed
HTTP responses.
CVE-2013-6487
Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
Gadu-Gadu messages.
CVE-2013-6489
Yves Younan and Pawel Janic discovered an integer overflow when parsing
MXit emoticons.
CVE-2013-6490
Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
CVE-2014-0020
Daniel Atallah discovered that Pidgin could be crashed via malformed
IRC arguments.
For the oldstable distribution (squeeze), no direct backport is provided.
A fixed packages will be provided through backports.debian.org shortly
For the stable distribution (wheezy), these problems have been fixed in
version 2.10.9-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in
version 2.10.9-1.
We recommend that you upgrade your pidgin packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2858-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
February 10, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : iceweasel
Vulnerability : several
CVE ID : CVE-2014-1477 CVE-2014-1479 CVE-2014-1481 CVE-2014-1482
CVE-2014-1486 CVE-2014-1487 CVE-2014-1490 CVE-2014-1491
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-frees, too-verbose error messages and missing permission checks
may lead to the execution of arbitrary code, the bypass of security
checks or information disclosure. This update also addresses security
issues in the bundled version of the NSS crypto library.
This update updates Iceweasel to the ESR24 series of Firefox.
For the stable distribution (wheezy), these problems have been fixed in
version 24.3.0esr-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in
version 24.3.0esr-1.
We recommend that you upgrade your iceweasel packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/