Format: 1.8
Date: Fri, 16 Jan 2015 20:46:29 +0100
Source: ia32-libs
Binary: ia32-libs ia32-libs-dev
Architecture: source amd64
Version: 20150116
Distribution: squeeze-lts
Urgency: low
Maintainer: Debian ia32-libs Team <pkg-ia32-libs-maintainers@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 ia32-libs - ia32 shared libraries for use on amd64 and ia64 systems
 ia32-libs-dev - ia32 development files for use on amd64 and ia64 systems
Changes:
 ia32-libs (20150116) squeeze-lts; urgency=low
 .
   * Packages updated
 .
   [ curl (7.21.0-2.1+squeeze11) squeeze-lts; urgency=high ]
 .
   * Non-maintainer upload.
   * Fix URL request injection as in CVE-2014-8150
     http://curl.haxx.se/docs/adv_20150108B.html
 .
   [ curl (7.21.0-2.1+squeeze10) squeeze-lts; urgency=high ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix duphandle read out of bounds as per CVE-2014-3707
     http://curl.haxx.se/docs/adv_20141105.html
 .
   [ curl (7.21.0-2.1+squeeze9) squeeze-lts; urgency=high ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix security issue:
     - Only use full host matches for hosts used as IP address
       as per CVE-2014-3613
       * This patch is applied to Wheezy but not really needed, so it is
         omitted here (needed for version > 7.38)
     - Reject incoming cookies set for TLDs as per CVE-2014-3620
 .
   [ dbus (1.2.24-4+squeeze3) squeeze-lts; urgency=medium ]
 .
   * Security upload by the Debian LTS team.
   * CVE-2014-3477: Backport patch from upstream to fix a denial of
     service (failure to obtain bus name) in newly-activated system
     services that not all users are allowed to access.
   * CVE-2014-3638: Backport patch from upstream to reduce maximum number
     of pending replies per connection to avoid algorithmic complexity DoS.
   * CVE-2014-3639: Backport patch from upstream to not accept() new
     connections when all unauthenticated connection slots are in use, so
     that malicious processes cannot prevent new connections to the
     system bus.
     Note that the patch that reduced the authentication delay to 5s has
     not been applied due to known regressions:
     https://bugs.freedesktop.org/show_bug.cgi?id=86431
 .
   [ flac (1.2.1-2+deb6u1) squeeze-lts; urgency=high ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix CVE-2014-8962: heap-based buffer overflow in stream_decoder.c,
     allowing remote attackers to execute arbitrary code via a specially
     crafted .flac file.
   * Fix CVE-2014-9028: stack-based buffer overflow in stream_decoder.c,
     allowing remote attackers to execute arbitrary code via a specially
     crafted .flac file.
 .
   [ libgcrypt11 (1.4.5-2+squeeze2) squeeze-lts; urgency=medium ]
 .
   * Non-maintainer upload by the Debian LTS team.
   * Add 37_Replace-deliberate-division-by-zero-with-_gcry_divid.patch patch.
     Replace deliberate division by zero with _gcry_divide_by_zero.
   * Add 38_CVE-2014-5270.patch patch.
     CVE-2014-5270: side-channel attack on Elgamal encryption subkeys.
     Cryptanalysis attack as described by Genkin, Pipman and Tromer. See
     <http://www.cs.tau.ac.il/~tromer/handsoff/>
   * Both patches have been backported from the 1.5.0-5+deb7u2 wheezy
     security update.
 .
   [ libtasn1-3 (2.7-1+squeeze+2) squeeze-lts; urgency=low ]
 .
   * CVE-2014-3467 (the DECR_LEN changes were omitted, since too intrusive
     to backport for little impact)
   * CVE-2014-3468
   * CVE-2014-3469
 .
   [ libxml2 (2.7.8.dfsg-2+squeeze10) squeeze-lts; urgency=high ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix wrongly applied patch for CVE-2014-0191 (#762864)
   * Add patch for CVE-2014-3660 (#765722)
 .
   [ nss (3.12.8-1+squeeze10) squeeze-lts; urgency=low ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix CVE-2014-1544: improper removal of an NSSCertificate structure
     from a trust domain.
 .
   [ nss (3.12.8-1+squeeze9) squeeze-lts; urgency=low ]
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix CVE-2014-1568: RSA signature verification bypass.
 .
   [ openssl (0.9.8o-4squeeze19) squeeze-lts; urgency=medium ]
 .
   * Fix CVE-2014-8275
   * Fix CVE-2014-3572
   * Fix CVE-2015-0204
   * Fix CVE-2014-3570
   * Fix CVE-2014-3571
   * Fix typo related to CVE-2015-0205
 .
   [ openssl (0.9.8o-4squeeze18) squeeze-lts; urgency=medium ]
 .
   * Fix CVE-2014-3567
   * Fix CVE-2014-3568
   * Add Fallback SCSV support to mitigate CVE-2014-3566
   * Fix CVE-2014-3569