Debian 10225 Published by

The following two updates has been released for Debian:

[DSA 3197-2] openssl regression update
[DSA 3204-1] python-django security update



[DSA 3197-2] openssl regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3197-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288
CVE-2015-0289 CVE-2015-0292
Debian Bug : 781081

The openssl update issued as DSA 3197-1 caused regressions. This update
reverts the defective patch applied in that update causing these
problems. Additionally a follow-up fix for CVE-2015-0209 is applied.
For reference the original advisory text follows.

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-0286

Stephen Henson discovered that the ASN1_TYPE_cmp() function
can be crashed, resulting in denial of service.

CVE-2015-0287

Emilia Kaesper discovered a memory corruption in ASN.1 parsing.

CVE-2015-0289

Michal Zalewski discovered a NULL pointer dereference in the
PKCS#7 parsing code, resulting in denial of service.

CVE-2015-0292

It was discovered that missing input sanitising in base64 decoding
might result in memory corruption.

CVE-2015-0209

It was discovered that a malformed EC private key might result in
memory corruption.

CVE-2015-0288

It was discovered that missing input sanitising in the
X509_to_X509_REQ() function might result in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u16.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3204-1] python-django security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3204-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2015-2317
Debian Bug : 780873

Daniel Chatfield discovered that python-django, a high-level Python web
development framework, incorrectly handled user-supplied redirect URLs.
A remote attacker could use this flaw to perform a cross-site scripting
attack.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.5-1+deb7u11.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.7-1.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/