apticron report [Fri, 10 Apr 2015 16:44:06 +0000] ======================================================================== apticron has detected that some packages need upgrading on: baldrick [ 138.231.142.239 2a01:240:fe3d:4:62:61ff:fe6c:6401 138.231.142.239 ] [ 2a01:240:fe3d:4:62:61ff:fe6c:6401 ] The following packages are currently pending an upgrade: dpkg 1.16.16 ======================================================================== Package Details: Lecture des fichiers de modifications (« changelog »)... --- Modifications pour dpkg --- dpkg (1.16.16) wheezy-security; urgency=high [ Guillem Jover ] * Do not leak long tar names on bogus or truncated archives. * Do not leak the filepackages iterator when a directory is used by other packages. * Do not leak color string on «dselect --color». * Fix memory leaks when parsing alternatives. * Fix memory leaks in buffer_copy() on error conditions. * Fix possible out of bounds buffer read access in the error output on bogus ar member sizes. * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression introduced with the initial triggers implementation in dpkg 1.14.17. Closes: #751021 * Fix a descriptor leak on dselect subprocesses when --debug is used. * Do not run qsort() over the scandir() list in libcompat if it is NULL. * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX. Although this should not have security implications as the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down), and we are compiling with -fstack-protector anyway. * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe. Closes: #731530 * Fix off-by-one error in libdpkg command argv size calculation. Based on a patch by Bálint Réczey <balint(a)balintreczey.hu>hu>. Closes: #760690 * Escape package and architecture names on control file parsing warning, as those get injected into a variable that is used as a format string, and they come from the package fields, which are under user control. Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 Reported by Joshua Rogers <megamansec(a)gmail.com>om>. * Do not match partial field names in control files. Closes: #769119 Regression introduced in dpkg 1.10. * Fix out-of-bounds buffer read accesses when parsing field and trigger names or checking package ownership of conffiles and directories. Reported by Joshua Rogers <megamansec(a)gmail.com>om>. * Add powerpcel support to cputable. Thanks to Jae Junh <jaejunh(a)embian.com>om>. * Fix OpenPGP Armor Header Line parsing in Dpkg::Control::Hash. We should only accept [\r\t ] as trailing whitespace, although RFC4880 does not clarify what whitespace really maps to, we should really match the GnuPG implementation anyway, as that's what we use to verify the signatures. Reported by Jann Horn <jann(a)thejh.net>et>. Fixes CVE-2015-0840. [ Raphaël Hertzog ] * Drop myself from Uploaders. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). [ Updated man page translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). -- Guillem Jover <guillem(a)debian.org> Thu, 09 Apr 2015 08:45:47 +0200 ======================================================================== You can perform the upgrade by issuing the command: apt-get dist-upgrade as root on baldrick -- apticron