Hash: SHA256

Package        : bzr
Version        : 2.6.0~bzr6526-1+deb7u1
CVE ID         : CVE-2013-2099 CVE-2017-14176
Debian Bug     : 709068 874429

CVE-2013-2099

    Bazaar bundles SSL certificate checking code from Python, which
    had a bug that could cause a denial of service via resource
    consumption through multiple wildcards in certificate hostnames.

CVE-2017-14176

    Adam Collard found that host names in 'bzr+ssh' URLs were not
    parsed correctly by Bazaar, allowing remote attackers to run
    arbitrary code by tricking a user into a maliciously crafted
    URL.

For Debian 7 "Wheezy", these problems have been fixed in version
2.6.0~bzr6526-1+deb7u1.

We recommend that you upgrade your bzr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS