{"id":12796,"date":"2016-05-23T16:33:52","date_gmt":"2016-05-23T08:33:52","guid":{"rendered":"https:\/\/www.deepin.org\/?p=12796"},"modified":"2017-08-31T10:43:42","modified_gmt":"2017-08-31T02:43:42","slug":"security-updates%ef%bc%88dsa-3559-1-dsa-3568-1-dsa-3570-1-dsa-3571-1-dsa-3577-1-dsa-3578-1-dsa-3579-1-dsa-3580-1%ef%bc%89","status":"publish","type":"post","link":"https:\/\/www.deepin.org.cn\/en\/security-updates%ef%bc%88dsa-3559-1-dsa-3568-1-dsa-3570-1-dsa-3571-1-dsa-3577-1-dsa-3578-1-dsa-3579-1-dsa-3580-1%ef%bc%89\/","title":{"rendered":"Security Updates (DSA-3559-1, DSA-3568-1, DSA-3570-1, DSA-3571-1, DSA-3577-1, DSA-3578-1, DSA-3579-1 and DSA-3580-1\uff09"},"content":{"rendered":"<a href=\"http:\/\/blog.deepin.org\/wp-content\/uploads\/en32.jpg\" target=\"_blank\"><img loading=\"lazy\" class=\"aligncenter wp-image-9838\" src=\"http:\/\/blog.deepin.org\/wp-content\/uploads\/en32.jpg\" alt=\"en\" width=\"749\" height=\"321\" \/><\/a><\/p>\n<p>The security updates of\u00a0iceweasel, libtasn1-6, mercurial, ikiwiki, jansson, libidn, xerces-c and imagemagick.<\/p>\n<p>&nbsp;<\/p>\n<h2><b>Vulnerability Information<\/b><\/h2>\n<p><strong>DSA-3559-1 iceweasel \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li>Multiple security issues have been found in Iceweasel, Debian\u2019s version of the Mozilla Firefox web browser: Multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3568-1 libtasn1-6 \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-4008\" target=\"_blank\" rel=\"nofollow\">CVE-2016-4008<\/a>:\u00a0Pascal Cuoq and Miod Vallat discovered that Libtasn1, a library to manage ASN.1 structures, does not correctly handle certain malformed DER certificates. 
A remote attacker can take advantage of this flaw to cause an application using the Libtasn1 library to hang, resulting in a denial of service.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3570-1 mercurial \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-3105\" target=\"_blank\" rel=\"nofollow\">CVE-2016-3105<\/a>:\u00a0Blake Burkhart discovered an arbitrary code execution flaw in Mercurial, a distributed version control system, when using the convert extension on Git repositories with specially crafted names. This flaw in particular affects automated code conversion services that allow arbitrary repository names.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3571-1 ikiwiki \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-4561\" target=\"_blank\" rel=\"nofollow\">CVE-2016-4561<\/a>:\u00a0Simon McVittie discovered a cross-site scripting vulnerability in the error reporting of Ikiwiki, a wiki compiler. This update also hardens ikiwiki\u2019s use of imagemagick in the img plugin.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3577-1 jansson \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-4425\" target=\"_blank\" rel=\"nofollow\">CVE-2016-4425<\/a>:\u00a0Gustavo Grieco discovered that jansson, a C library for encoding, decoding and manipulating JSON data, did not limit the recursion depth when parsing JSON arrays and objects. 
This could allow remote attackers to cause a denial of service (crash) via stack exhaustion, using crafted JSON data.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3578-1 libidn \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2015-2059\" target=\"_blank\" rel=\"nofollow\">CVE-2015-2059<\/a>:\u00a0It was discovered that libidn, the GNU library for Internationalized Domain Names (IDNs), did not correctly handle invalid UTF-8 input, causing an out-of-bounds read. This could allow attackers to disclose sensitive information from an application using the libidn library.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3579-1 xerces-c \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2016-2099\" target=\"_blank\" rel=\"nofollow\">CVE-2016-2099<\/a>:\u00a0Gustavo Grieco discovered a use-after-free vulnerability in xerces-c, a validating XML parser library for C++.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>DSA-3580-1 imagemagick \u2014 Security Updates<\/strong><\/p>\n<p>Security database details:<\/p>\n<ul>\n<li>Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered several vulnerabilities in ImageMagick, a program suite for image manipulation. These vulnerabilities, collectively known as ImageTragick, are the consequence of lack of sanitization of untrusted input. 
An attacker with control on the image input could, with the privileges of the user running the application, execute code, make HTTP GET or FTP requests, or delete, move, or read\u00a0local files. These vulnerabilities are particularly critical if Imagemagick processes images coming from remote parties, such as part of a web service.&nbsp;<\/li>\n<\/ul>\n<h2><b>Fixing Status<\/b><\/h2>\n<p>iceweasel security vulnerabilities have been fixed in version\u00a045.1.0esr-1 of firefox-esr and version 46.0-1 of firefox; libtasn1-6 security vulnerabilities have been fixed in version\u00a04.8-1;<\/p>\n<p>mercurial security vulnerabilities have been fixed in version\u00a03.8.1-1; ikiwiki security vulnerabilities have been fixed in version\u00a03.20160506;<\/p>\n<p>jansson security vulnerabilities have been fixed in version\u00a02.7-5; libidn security vulnerabilities have been fixed in version\u00a01.31-1;<\/p>\n<p>xerces-c security vulnerabilities have been fixed in version\u00a03.1.3+debian-2; imagemagick security vulnerabilities have been fixed in version\u00a08:6.8.9.9-10+d15u1.<\/p>\n<p>We recommend that you upgrade the system to obtain the patches to fix the vulnerabilities.","protected":false},"excerpt":{"rendered":"<p>The security updates of\u00a0iceweasel, libtasn1-6, mercurial, ikiwiki, jansson, libidn, xerces-c and imagemagick. &nbsp; Vulnerability Information DSA-3559-1 iceweasel \u2014 Security Updates Security database details: Multiple security issues have been found in Iceweasel, Debian\u2019s version of the Mozilla Firefox web browser: Multiple memory safety errors and buffer overflows may lead to the execution of arbitrary code or denial of service. &nbsp; DSA-3568-1 libtasn1-6 \u2014 Security Updates Security database details: CVE-2016-4008:\u00a0Pascal Cuoq and Miod Vallat discovered that Libtasn1, a library to manage ASN.1 structures, does not correctly handle certain malformed DER certificates. 
A remote attacker can take advantage of this flaw to cause ...<a href=https:\/\/www.deepin.org.cn\/en\/security-updates%ef%bc%88dsa-3559-1-dsa-3568-1-dsa-3570-1-dsa-3571-1-dsa-3577-1-dsa-3578-1-dsa-3579-1-dsa-3580-1%ef%bc%89\/>Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":12802,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[75],"tags":[],"_links":{"self":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12796"}],"collection":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/comments?post=12796"}],"version-history":[{"count":10,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12796\/revisions"}],"predecessor-version":[{"id":25291,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/posts\/12796\/revisions\/25291"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/media?parent=12796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/categories?post=12796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.deepin.org.cn\/en\/wp-json\/wp\/v2\/tags?post=12796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}