Monday, June 30, 2014

[SECURITY] [DSA 2968-1] gnupg2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2968-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
June 27, 2014                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2014-4617
Debian Bug     : 752498

Jean-Rene Reinhard, Olivier Levillain and Florian Maury reported that
GnuPG, the GNU Privacy Guard, did not properly parse certain garbled
compressed data packets. A remote attacker could use this flaw to mount
a denial of service against GnuPG by triggering an infinite loop.

For the stable distribution (wheezy), this problem has been fixed in
version 2.0.19-2+deb7u2.

For the testing distribution (jessie), this problem has been fixed in
version 2.0.24-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.24-1.

We recommend that you upgrade your gnupg2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 2969-1] libemail-address-perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2969-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
June 27, 2014                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libemail-address-perl
CVE ID         : CVE-2014-0477

Bastian Blank reported a denial of service vulnerability in
Email::Address, a Perl module for RFC 2822 address parsing and creation.
Email::Address::parse used significant time on parsing empty quoted
strings. A remote attacker able to supply specifically crafted input to
an application using Email::Address for parsing could use this flaw to
mount a denial of service attack against the application.

For the stable distribution (wheezy), this problem has been fixed in
version 1.895-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 1.905-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.905-1.

We recommend that you upgrade your libemail-address-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution

Advisory: Python CGIHTTPServer File Disclosure and Potential Code Execution

The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs. This may enable attackers to disclose a CGI
script's source code or execute arbitrary CGI scripts in the server's
document root.

Details
=======

Product: Python CGIHTTPServer
Affected Versions:
  2.7 - 2.7.7,
  3.2 - 3.2.4,
  3.3 - 3.3.2,
  3.4 - 3.4.1,
  3.5 pre-release
Fixed Versions:
  2.7 rev b4bab0788768,
  3.2 rev e47422855841,
  3.3 rev 5676797f3a3e,
  3.4 rev 847e288d6e93,
  3.5 rev f8b3bb5eb190
Vulnerability Type: File Disclosure, Directory Traversal, Code Execution
Security Risk: high
Vendor URL: https://docs.python.org/2/library/cgihttpserver.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
Advisory Status: published
CVE: CVE-2014-4650
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
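The defect class named above (percent-escapes in the path being decoded after, rather than before, the dispatcher has split the path on "/" and decided whether it names a CGI script) is easiest to see against a dispatcher that gets the order right. The following is an added example written for this page; it is not code from the advisory or from CPython. The /cgi-bin layout, the function names and the sample requests are assumptions made for the illustration. The property it checks is that an encoded request and its plain form always receive the same verdict.

```python
"""Added example: a CGI request-path classifier that takes every decision on
the percent-decoded, collapsed path, never on the raw request line.
Assumed layout (not from the advisory): scripts live under /cgi-bin, all
other paths are static files."""

from urllib.parse import unquote

CGI_DIRECTORIES = ("/cgi-bin",)  # assumed layout for this example


def collapse_path(raw_path):
    """Return (head, tail) for a request path using URL path semantics.

    Order matters: strip the query, percent-decode, and only THEN split on
    '/' and collapse '.' / '..'. Decoding after the split would let an
    encoded separator or dot-segment pass through the directory check as
    ordinary characters and be decoded later by the file layer.
    Returns None when the path tries to climb above the document root.
    """
    path, _, _query = raw_path.partition("?")
    path = unquote(path)
    segments = path.split("/")
    head = []
    for seg in segments[:-1]:
        if seg == "..":
            if not head:
                return None  # escape above root: reject outright
            head.pop()
        elif seg and seg != ".":
            head.append(seg)
    tail = segments[-1]
    if tail == "..":
        if not head:
            return None
        head.pop()
        tail = ""
    elif tail == ".":
        tail = ""
    return "/" + "/".join(head), tail


def dispatch(raw_path):
    """Classify a request as ('cgi', path), ('static', path) or ('reject', None).

    The verdict is taken on the decoded, collapsed path from collapse_path,
    so it is independent of how the client chose to encode the request.
    """
    collapsed = collapse_path(raw_path)
    if collapsed is None:
        return "reject", None
    head, tail = collapsed
    if tail == "":
        return "static", head.rstrip("/") + "/"  # directory request
    full = head.rstrip("/") + "/" + tail
    for cgi_dir in CGI_DIRECTORIES:
        # script directly in a CGI directory or in a subdirectory beneath it
        if head == cgi_dir or head.startswith(cgi_dir + "/"):
            return "cgi", full
    return "static", full


def encoding_invariant(plain, encoded):
    """True when the encoded request gets the same verdict as its plain form,
    which is the property a dispatcher must have."""
    return dispatch(plain) == dispatch(encoded)


if __name__ == "__main__":
    # Constructed sample requests: each encoded form beside its plain form.
    pairs = [
        ("/cgi-bin/hello.py", "/cgi-bin%2fhello.py"),
        ("/cgi-bin/../index.html", "/cgi-bin/%2e%2e/index.html"),
        ("/index.html", "/index%2ehtml"),
    ]
    for plain, encoded in pairs:
        print(f"{encoded:32} -> {dispatch(encoded)}  "
              f"same as plain: {encoding_invariant(plain, encoded)}")
    print("/../outside.txt ->", dispatch("/../outside.txt"))
```

Run it directly to see the verdicts; the point to take from the output is that the right-hand column is always True, and that a request which would climb above the root is rejected rather than quietly resolved.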

[security bulletin] HPSBMU03061 rev.1 - HP Release Control, Disclosure of Privileged Information and Elevation of Privilege

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04352674

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04352674
Version: 1

HPSBMU03061 rev.1 - HP Release Control, Disclosure of Privileged Information
and Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-06-26
Last Updated: 2014-06-26

[security bulletin] HPSBMU03057 rev.1 - HP Version Control Agent (HP VCA) running OpenSSL on Linux and Windows, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04349897

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04349897
Version: 1

HPSBMU03057 rev.1 - HP Version Control Agent (HP VCA) running OpenSSL on
Linux and Windows, Remote Denial of Service (DoS), Code Execution,
Unauthorized Access, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-06-27
Last Updated: 2014-06-27