The maintainers of Debian have released new packages to fix several vulnerabilities, including a number of bugs in PHP and an unspecified flaw in Oracle’s VirtualBox application.
Among the patches is one for the VirtualBox bug, which is difficult to describe, because Oracle no longer publishes any security information on VirtualBox.
“This update fixes an unspecified security issue in VirtualBox related to guests using bridged networking via WiFi. Oracle no longer provides information on specific security vulnerabilities in VirtualBox. To still support users of the already released Debian releases we’ve decided to update these to the respective 4.1.40 and 4.3.30 bugfix releases,” the Debian advisory says.
There also is a new package that includes the fixes for five vulnerabilities in PHP. Those vulnerabilities include a use-after-free, a NULL pointer dereference, a type-confusion flaw, and others.
The final security fix is for a bug in vzctl.
“It was discovered that vzctl, a set of control tools for the OpenVZ server virtualisation solution, determined the storage layout of containers based on the presense of an XML file inside the container. An attacker with local root privileges in a simfs-based container could gain control over ploop-based containers,” the Debian advisory says.
This story was updated on Sept. 15 to reflect that new packages, and not new versions, were released.
Image from Flickr photos of ghostcero.