Debian 10228 Published by

Two new updates has been released for Debian:

[DSA 3251-2] dnsmasq regression update
[DSA 3253-1] pound security update



[DSA 3251-2] dnsmasq regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3251-2 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : dnsmasq
Debian Bug : 784571

The update for dnsmasq issued as DSA-3251-1 introduced a regression for
the armel and armhf builds causing dnsmasq failing to start under
certain configurations. Updated packages are now available to address
this regression. Additionally dnsmasq was patched to handle the case
were the libc headers defined SO_REUSEPORT, but is not supported by the
running kernel. For reference, the original advisory text follows.

Nick Sampanis discovered that dnsmasq, a small caching DNS proxy and
DHCP/TFTP server, did not properly check the return value of the
setup_reply() function called during a TCP connection, which is used
then as a size argument in a function which writes data on the client's
connection. A remote attacker could exploit this issue via a specially
crafted DNS request to cause dnsmasq to crash, or potentially to obtain
sensitive information from process memory.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.62-3+deb7u3.

We recommend that you upgrade your dnsmasq packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3253-1] pound security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3253-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
May 07, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pound
CVE ID : CVE-2009-3555 CVE-2012-4929 CVE-2014-3566
Debian Bug : 723731 727197 765539 765649

Pound, a HTTP reverse proxy and load balancer, had several issues
related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

For Debian 7 (wheezy) this update adds a missing part to make it
actually possible to disable client-initiated renegotiation and
disables it by default (CVE-2009-3555). TLS compression is disabled
(CVE-2012-4929), although this is normally already disabled by the OpenSSL
system library. Finally it adds the ability to disable the SSLv3 protocol
(CVE-2014-3566) entirely via the new "DisableSSLv3" configuration
directive, although it will not disabled by default in this update.
Additionally a non-security sensitive issue in redirect encoding is
addressed.

For Debian 8 (jessie) these issues have been fixed prior to the release,
with the exception of client-initiated renegotiation (CVE-2009-3555).
This update addresses that issue for jessie.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2.6-2+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 2.6-6+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.6-6.1.

We recommend that you upgrade your pound packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/