-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0028
                           spice security update
                              9 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spice
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4282 CVE-2013-4130 

Reference:         ESB-2013.1542
                   ESB-2013.1541
                   ESB-2013.1204
                   ESB-2013.1157

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2839

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2839-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
January 08, 2014                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : spice
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-4130 CVE-2013-4282
Debian Bug     : 717030 728314

Multiple vulnerabilities have been found in spice, a SPICE protocol
client and server library. The Common Vulnerabilities and Exposures
project identifies the following issues:

CVE-2013-4130

  David Gibson of Red Hat discovered that SPICE incorrectly handled
  certain network errors. A remote user able to initiate a SPICE
  connection to an application acting as a SPICE server could use this
  flaw to crash the application.

CVE-2013-4282

  Tomas Jamrisko of Red Hat discovered that SPICE incorrectly handled
  long passwords in SPICE tickets. A remote user able to initiate a
  SPICE connection to an application acting as a SPICE server could use
  this flaw to crash the application.

Applications acting as a SPICE server must be restarted for this update
to take effect.

For the stable distribution (wheezy), these problems have been fixed in
version 0.11.0-1+deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 0.12.4-0nocelt2.

For the unstable distribution (sid), these problems have been fixed in
version 0.12.4-0nocelt2.

We recommend that you upgrade your spice packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----