Debian 10260 Published by

The following updates are available for Debian:

[DLA 564-1] tardiff security update
[DSA 3633-1] xen security update



[DLA 564-1] tardiff security update

Package : tardiff
Version : 0.1-1+deb7u1
CVE ID : CVE-2015-0857 CVE-2015-0858

Two vulnerabilities were found in tardiff:

CVE-2015-0857

Arbitrary command execution was possible via shell metacharacters
in the name of a (1) tar file or (2) file within a tar file.

CVE-2015-0858

Local users could write to arbitrary files via a symlink attack on
a pathname in a /tmp/tardiff-$$ temporary directory.

For Debian 7 "Wheezy", these problems have been fixed in version
0.1-1+deb7u1.

We recommend that you upgrade your tardiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3633-1] xen security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3633-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 27, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2015-8338 CVE-2016-4480 CVE-2016-4962 CVE-2016-5242
CVE-2016-6258

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2015-8338

Julien Grall discovered that Xen on ARM was susceptible to denial
of service via long running memory operations.

CVE-2016-4480

Jan Beulich discovered that incorrect page table handling could
result in privilege escalation inside a Xen guest instance.

CVE-2016-4962

Wei Liu discovered multiple cases of missing input sanitising in
libxl which could result in denial of service.

CVE-2016-5242

Aaron Cornelius discovered that incorrect resource handling on
ARM systems could result in denial of service.

CVE-2016-6258

Jeremie Boutoille discovered that incorrect pagetable handling in
PV instances could result in guest to host privilege escalation.

For the stable distribution (jessie), these problems have been fixed in
version 4.4.1-9+deb8u6.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/