
This digest covers the Debian security updates (DSAs) for iceweasel, libtasn1-6, mercurial, ikiwiki, jansson, libidn, xerces-c and imagemagick.


Vulnerability Information

DSA-3559-1 iceweasel — Security Updates

Security database details:

  • Multiple security issues have been found in Iceweasel, Debian’s version of the Mozilla Firefox web browser: Multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.


DSA-3568-1 libtasn1-6 — Security Updates

Security database details:

  • CVE-2016-4008: Pascal Cuoq and Miod Vallat discovered that Libtasn1, a library to manage ASN.1 structures, does not correctly handle certain malformed DER certificates. A remote attacker can take advantage of this flaw to cause an application using the Libtasn1 library to hang, resulting in a denial of service.


DSA-3570-1 mercurial — Security Updates

Security database details:

  • CVE-2016-3105: Blake Burkhart discovered an arbitrary code execution flaw in Mercurial, a distributed version control system, when using the convert extension on Git repositories with specially crafted names. This flaw in particular affects automated code conversion services that allow arbitrary repository names.


DSA-3571-1 ikiwiki — Security Updates

Security database details:

  • CVE-2016-4561: Simon McVittie discovered a cross-site scripting vulnerability in the error reporting of Ikiwiki, a wiki compiler. This update also hardens ikiwiki’s use of imagemagick in the img plugin.


DSA-3577-1 jansson — Security Updates

Security database details:

  • CVE-2016-4425: Gustavo Grieco discovered that jansson, a C library for encoding, decoding and manipulating JSON data, did not limit the recursion depth when parsing JSON arrays and objects. This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data.


DSA-3578-1 libidn — Security Updates

Security database details:

  • CVE-2015-2059: It was discovered that libidn, the GNU library for Internationalized Domain Names (IDNs), did not correctly handle invalid UTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose sensitive information from an application using the libidn library.


DSA-3579-1 xerces-c — Security Updates

Security database details:

  • CVE-2016-2099: Gustavo Grieco discovered a use-after-free vulnerability in xerces-c, a validating XML parser library for C++.


DSA-3580-1 imagemagick — Security Updates

Security database details:

  • Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of a lack of sanitization of untrusted input. An attacker with control over the image input could, with the privileges of the user running the application, execute code, make HTTP GET or FTP requests, or delete, move, or read local files. These vulnerabilities are particularly critical if ImageMagick processes images coming from remote parties, for example as part of a web service.

Fixing Status

  • iceweasel: fixed in version 45.1.0esr-1 of firefox-esr and version 46.0-1 of firefox.
  • libtasn1-6: fixed in version 4.8-1.
  • mercurial: fixed in version 3.8.1-1.
  • ikiwiki: fixed in version 3.20160506.
  • jansson: fixed in version 2.7-5.
  • libidn: fixed in version 1.31-1.
  • xerces-c: fixed in version 3.1.3+debian-2.
  • imagemagick: fixed in version 8:6.8.9.9-10+d15u1.

We recommend that you upgrade the system to obtain the patches to fix the vulnerabilities.
