Debian 10225 Published by

The following two updates has been released for Debian 6 LTS:

[DLA 242-1] imagemagick security update
[DLA 244-1] strongswan security update



[DLA 242-1] imagemagick security update

Package : imagemagick
Version : 8:6.6.0.4-3+squeeze6
CVE ID : CVE-2012-3437 CVE-2014-8354 CVE-2014-8355 CVE-2014-8562
Debian Bug : #773834 #767240 #683285 #692367

This update fixes a large number of potential security problems due to
insufficient data validation when parsing different input
formats. Most of those potential security problems do not have a CVE
number assigned.

While the security implications of all of these problems are not all
fully known, it is highly recommended to update.

The update fixes the following identified vulnerabilities:

CVE-2012-3437

Incorrect validation of PNG buffer size, leading to DoS using
specially crafted PNG files.

CVE-2014-8354

Out of bounds memory access in resize

CVE-2014-8355

Buffer overflow in PCX reader

CVE-2014-8562

Buffer overflow in DCM readers

[DLA 244-1] strongswan security update

Package : strongswan
Version : 4.4.1-5.7
CVE ID : CVE-2015-4171

Alexander E. Patrakov discovered an issue in strongSwan, an IKE/IPsec
suite used to establish IPsec protected links.

When a client authenticate the server with certificates and the client
authenticates using pre-shared key or EAP, the constraints on the server
certificate are only enforced by the client after all authentication
steps are completed successfully. A rogue server which can authenticate
using a valid certificate issued by any CA trusted by the client could
trick the user into continuing the authentication, revealing the
username and password digest (for EAP) or even the cleartext password
(if EAP-GTC is accepted).