The following updates have been released for Debian 6 LTS:
[DLA 331-1] polarssl security update
[DLA 332-1] optipng security update
Package : polarssl
Version : 1.2.9-1~deb6u5
CVE ID : CVE-2015-5291
A flaw was found in PolarSSL and mbed TLS:
When the client creates its ClientHello message, due to insufficient
bounds checking it can overflow the heap-based buffer containing the
message while writing some extensions. Two extensions in particular could
be used by a remote attacker to trigger the overflow: the session ticket
extension and the server name indication (SNI) extension.
Although most of the vulnerable code is not present in the Squeeze
version, this upload contains at least a length check for incoming data.
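As an added illustration of the bounds check this bug class needs (a constructed example, not PolarSSL's, mbed TLS's or Debian's code; the function names, buffer sizes and host name are assumptions), the following writes a server_name (SNI) extension into a fixed-capacity ClientHello buffer only after verifying that it fits in the remaining space:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example. Serialises one server_name extension (RFC 6066 layout:
   ext_type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name) at offset
   `used` of a buffer with capacity `cap`. Returns bytes written, or 0 when the
   extension would not fit or the name is invalid, writing nothing in that case. */
#define TLS_EXT_SERVER_NAME 0x0000

size_t write_sni_ext(uint8_t *buf, size_t cap, size_t used,
                     const char *host, size_t host_len)
{
    if (host_len == 0 || host_len > 0xFFFF - 5)   /* must fit 16-bit length fields */
        return 0;
    size_t ext_body = 2 + 1 + 2 + host_len;       /* list_len + name_type + name_len + name */
    size_t total = 4 + ext_body;                  /* ext_type + ext_len + body */
    /* The check an unchecked writer lacks: compare against remaining capacity,
       computed so the subtraction cannot wrap. */
    if (used > cap || total > cap - used)
        return 0;
    uint8_t *p = buf + used;
    p[0] = (uint8_t)(TLS_EXT_SERVER_NAME >> 8); p[1] = (uint8_t)TLS_EXT_SERVER_NAME;
    p[2] = (uint8_t)(ext_body >> 8);            p[3] = (uint8_t)ext_body;
    p[4] = (uint8_t)((ext_body - 2) >> 8);      p[5] = (uint8_t)(ext_body - 2);
    p[6] = 0;                                   /* name_type: host_name */
    p[7] = (uint8_t)(host_len >> 8);            p[8] = (uint8_t)host_len;
    memcpy(p + 9, host, host_len);
    return total;
}

/* Self-check on a constructed 64-byte buffer: a fitting name is written with
   correct length fields; once only 14 bytes remain, the 20-byte extension is
   refused and the buffer past the write cursor stays untouched. */
int sni_ext_selftest(void)
{
    uint8_t buf[64];
    memset(buf, 0xAA, sizeof buf);
    size_t n = write_sni_ext(buf, sizeof buf, 0, "example.com", 11);
    if (n != 20 || buf[3] != 16 || buf[5] != 14 || buf[8] != 11) return 0;
    if (memcmp(buf + 9, "example.com", 11) != 0) return 0;
    if (write_sni_ext(buf, sizeof buf, 50, "example.com", 11) != 0) return 0;
    if (buf[50] != 0xAA) return 0;                /* refusal wrote nothing */
    return 1;
}
```

Without the `total > cap - used` comparison, the second call would copy 20 bytes starting at offset 50 of a 64-byte buffer, which is exactly the heap overflow the advisory describes.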
[DLA 332-1] optipng security update
Package : optipng
Version : 0.6.4-1+deb6u11
CVE ID : CVE-2015-7801
Gustavo Grieco discovered a use-after-free causing an invalid/double
free in optipng 0.6.4.
For Debian 6 Squeeze, this issue has been fixed in optipng version
0.6.4-1+deb6u11.