NEW UPDATES Debian


#1276 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 05 June 2017 - 03:14 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3873-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 05, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2017-6512
Debian Bug     : 863870

The cPanel Security Team reported a time of check to time of use
(TOCTTOU) race condition flaw in File::Path, a core module from Perl to
create or remove directory trees. An attacker can take advantage of this
flaw to set the mode on an attacker-chosen file to an attacker-chosen
value.

For the stable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u7.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 5.24.1-3.

For the unstable distribution (sid), this problem has been fixed in
version 5.24.1-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#1277 OFFLINE   sunrat

Posted 09 June 2017 - 07:05 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3874-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ettercap
CVE ID         : CVE-2017-6430 CVE-2017-8366
Debian Bug     : 857035 861604

Agostino Sarubbo and AromalUllas discovered that ettercap, a network
security tool for traffic interception, contains vulnerabilities that
allowed an attacker able to provide maliciously crafted filters to
cause a denial-of-service via application crash.

For the stable distribution (jessie), these problems have been fixed in
version 1:0.8.1-3+deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 1:0.8.2-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3875-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmwaw
CVE ID         : CVE-2017-9433

It was discovered that a buffer overflow in libmwaw, a library to open
old Mac text documents, might result in the execution of arbitrary code
if a malformed document is opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.3.1-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.3.9-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : otrs2
CVE ID         : CVE-2017-9324

Joerg-Thomas Vogt discovered that the SecureMode was insufficiently
validated in the OTRS ticket system, which could allow agents to
escalate their privileges.

For the stable distribution (jessie), this problem has been fixed in
version 3.3.9-3+deb8u1.

For the upcoming stable distribution (stretch), this problem will be
fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.0.20-1.

#1278 OFFLINE   sunrat

Posted 10 June 2017 - 07:17 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3877-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 10, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2017-0376
Debian Bug     : 864424

It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contains a flaw in the hidden service
code when receiving a BEGIN_DIR cell on a hidden service rendezvous
circuit. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.14-1.

For the upcoming stable distribution (stretch), this problem will be
fixed in version 0.2.9.11-1~deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.9.11-1.

#1279 OFFLINE   sunrat

Posted 12 June 2017 - 07:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 12, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zziplib
CVE ID         : CVE-2017-5974 CVE-2017-5975 CVE-2017-5976 CVE-2017-5978
                 CVE-2017-5979 CVE-2017-5980 CVE-2017-5981

Agostino Sarubbo discovered multiple vulnerabilities in zziplib, a
library to access Zip archives, which could result in denial of service
and potentially the execution of arbitrary code if a malformed archive
is processed.

For the stable distribution (jessie), these problems have been fixed in
version 0.13.62-3+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 0.13.62-3.1.

For the unstable distribution (sid), these problems have been fixed in
version 0.13.62-3.1.

#1280 OFFLINE   sunrat

Posted 13 June 2017 - 06:53 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3879-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 13, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libosip2
CVE ID         : CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853

Multiple security vulnerabilities have been found in oSIP, a library
implementing the Session Initiation Protocol, which might result in
denial of service through malformed SIP messages.

For the stable distribution (jessie), these problems have been fixed in
version 4.1.0-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 4.1.0-2.1.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.0-2.1.

#1281 OFFLINE   sunrat

Posted 14 June 2017 - 11:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3880-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2017-9526

It was discovered that a side channel attack in the EdDSA session key
handling in Libgcrypt may result in information disclosure.

For the stable distribution (jessie), this problem has been fixed in
version 1.6.3-2+deb8u3.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.7.6-2.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.6-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3881-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
                 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
                 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
                 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
                 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees, buffer overflows
and other implementation errors may lead to the execution of arbitrary
code, denial of service or domain spoofing.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 45.x series has ended, so starting with this update we're now
following the 52.x releases.

For the stable distribution (jessie), these problems have been fixed in
version 52.2.0esr-1~deb8u1.

For the upcoming stable distribution (stretch), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 52.2.0esr-1.

#1282 OFFLINE   sunrat

Posted 15 June 2017 - 07:20 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3882-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 15, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker4
CVE ID         : CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2016-6127

    It was discovered that Request Tracker is vulnerable to a cross-site
    scripting (XSS) attack if an attacker uploads a malicious file with
    a certain content type. Installations which use the
    AlwaysDownloadAttachments config setting are unaffected by this
    flaw. The applied fix addresses all existent and future uploaded
    attachments.

CVE-2017-5361

    It was discovered that Request Tracker is vulnerable to timing
    side-channel attacks for user passwords.

CVE-2017-5943

    It was discovered that Request Tracker is prone to an information
    leak of cross-site request forgery (CSRF) verification tokens if a
    user is tricked into visiting a specially crafted URL by an
    attacker.


CVE-2017-5944

    It was discovered that Request Tracker is prone to a remote code
    execution vulnerability in the dashboard subscription interface. A
    privileged attacker can take advantage of this flaw through
    carefully-crafted saved search names to cause unexpected code to be
    executed. The applied fix addresses all existent and future saved
    searches.

In addition to the above-mentioned CVEs, this update works around
CVE-2015-7686 in Email::Address which could induce a denial of service
of Request Tracker itself.

For the stable distribution (jessie), these problems have been fixed in
version 4.2.8-3+deb8u2.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 4.4.1-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 4.4.1-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3883-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 15, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rt-authen-externalauth
CVE ID         : CVE-2017-5361

It was discovered that RT::Authen::ExternalAuth, an external
authentication module for Request Tracker, is vulnerable to timing
side-channel attacks for user passwords. Only ExternalAuth in DBI
(database) mode is vulnerable.

For the stable distribution (jessie), this problem has been fixed in
version 0.25-1+deb8u1.

#1283 OFFLINE   sunrat

Posted 16 June 2017 - 09:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 16, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnutls28
CVE ID         : CVE-2017-7507
Debian Bug     : 864560

Hubert Kario discovered that GnuTLS, a library implementing the TLS and
SSL protocols, does not properly decode a status response TLS extension,
allowing a remote attacker to cause an application using the GnuTLS
library to crash (denial of service).

For the stable distribution (jessie), this problem has been fixed in
version 3.3.8-6+deb8u6.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 3.5.8-5+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.8-6.

#1284 OFFLINE   sunrat

Posted 18 June 2017 - 07:37 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3885-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 18, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : irssi
CVE ID         : CVE-2017-9468 CVE-2017-9469
Debian Bug     : 864400

Multiple vulnerabilities have been discovered in Irssi, a terminal based
IRC client. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-9468

    Joseph Bisch discovered that Irssi does not properly handle DCC
    messages without source nick/host. A malicious IRC server can take
    advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

CVE-2017-9469

    Joseph Bisch discovered that Irssi does not properly handle
    receiving incorrectly quoted DCC files. A remote attacker can take
    advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 0.8.17-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-1+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.3-1.

#1285 OFFLINE   sunrat

Posted 19 June 2017 - 08:25 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glibc
CVE ID         : CVE-2017-1000366

The Qualys Research Labs discovered various problems in the dynamic
linker of the GNU C Library which allow local privilege escalation by
clashing the stack. For the full details, please refer to their advisory
published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 2.19-18+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.24-11+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2017-1000369

The Qualys Research Labs discovered a memory leak in the Exim mail
transport agent. This is not a security vulnerability in Exim by itself,
but can be used to exploit a vulnerability in stack handling. For the
full details, please refer to their advisory published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 4.84.2-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3886-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-0605 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895
                 CVE-2017-8064 CVE-2017-8890 CVE-2017-8924 CVE-2017-8925
                 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
                 CVE-2017-9242 CVE-2017-1000364

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-0605

    A buffer overflow flaw was discovered in the trace subsystem.

CVE-2017-7487

    Li Qiang reported a reference counter leak in the ipxitf_ioctl
    function which may result in a use-after-free vulnerability,
    triggerable when an IPX interface is configured.

CVE-2017-7645

    Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that
    the NFSv2 and NFSv3 server implementations are vulnerable to an
    out-of-bounds memory access issue while processing arbitrarily long
    arguments sent by NFSv2/NFSv3 RPC clients, leading to a denial of
    service.

CVE-2017-7895

    Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3
    server implementations do not properly handle payload bounds
    checking of WRITE requests. A remote attacker with write access to an
    NFS mount can take advantage of this flaw to read chunks of
    arbitrary memory from both kernel-space and user-space.

CVE-2017-8064

    Arnd Bergmann found that the DVB-USB core misused the device
    logging system, resulting in a use-after-free vulnerability, with
    unknown security impact.

CVE-2017-8890

    It was discovered that the inet_csk_clone_lock() function allows a
    remote attacker to cause a double free leading to a denial of
    service or potentially have other impact.

CVE-2017-8924

    Johan Hovold found that the io_ti USB serial driver could leak
    sensitive information if a malicious USB device was connected.

CVE-2017-8925

    Johan Hovold found a reference counter leak in the omninet USB
    serial driver, resulting in a use-after-free vulnerability.  This
    can be triggered by a local user permitted to open tty devices.

CVE-2017-9074

    Andrey Konovalov reported that the IPv6 fragmentation
    implementation could read beyond the end of a packet buffer.  A
    local user or guest VM might be able to use this to leak sensitive
    information or to cause a denial of service (crash).

CVE-2017-9075

    Andrey Konovalov reported that the SCTP/IPv6 implementation
    wrongly initialised address lists on connected sockets, resulting
    in a use-after-free vulnerability, a similar issue to
    CVE-2017-8890.  This can be triggered by any local user.

CVE-2017-9076 / CVE-2017-9077

    Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations
    wrongly initialised address lists on connected sockets, a similar
    issue to CVE-2017-9075.

CVE-2017-9242

    Andrey Konovalov reported a packet buffer overrun in the IPv6
    implementation.  A local user could use this for denial of service
    (memory corruption; crash) and possibly for privilege escalation.

CVE-2017-1000364

    The Qualys Research Labs discovered that the size of the stack guard
    page is not sufficiently large. The stack-pointer can jump over the
    guard-page and move from the stack into another memory region
    without accessing the guard-page. In this case no page-fault
    exception is raised and the stack extends into the other memory
    region. An attacker can exploit this flaw for privilege escalation.

    The default stack gap protection is set to 256 pages and can be
    configured via the stack_guard_gap kernel parameter on the kernel
    command line.

    Further details can be found at
    https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u1 or earlier versions before the stretch release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3889-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libffi
CVE ID         : CVE-2017-1000376
Debian Bug     : 751907

libffi, a library used to call code written in one language from code written
in a different language, was enforcing an executable stack on the i386
architecture. While this might not be considered a vulnerability by itself,
this could be leveraged when exploiting other vulnerabilities, like for example
the "stack clash" class of vulnerabilities discovered by Qualys Research Labs.
For the full details, please refer to their advisory published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 3.1-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 3.2.1-4.

For the testing distribution (buster), this problem has been fixed
in version 3.2.1-4.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.1-4.

#1286 OFFLINE   sunrat

Posted 21 June 2017 - 08:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3890-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 21, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-9736
Debian Bug     : 864921

Emeric Boit of ANSSI reported that SPIP, a website engine for
publishing, insufficiently sanitises the value from the X-Forwarded-Host
HTTP header field. An unauthenticated attacker can take advantage of
this flaw to cause remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-3~deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 3.1.4-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.4-3.

#1287 OFFLINE   sunrat

Posted 25 June 2017 - 09:17 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3891-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2017-5664
Debian Bug     : 864447 802312

Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.

For the oldstable distribution (jessie), this problem has been fixed
in version 8.0.14-1+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 8.5.14-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 8.5.14-2.

For the unstable distribution (sid), this problem has been fixed in
version 8.5.14-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3892-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat7
CVE ID         : CVE-2017-5664
Debian Bug     : 864447 802312

Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.0.56-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.0.72-3.

For the testing distribution (buster), this problem has been fixed
in version 7.0.72-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.72-3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3893-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jython
CVE ID         : CVE-2016-4000
Debian Bug     : 864859

Alvaro Munoz and Christian Schneider discovered that jython, an
implementation of the Python language seamlessly integrated with Java,
is prone to arbitrary code execution triggered when sending a serialized
function to the deserializer.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.5.3-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.5.3-16+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.5.3-17.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3894-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphite2
CVE ID         : CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774
                 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778

Multiple vulnerabilities have been found in the Graphite font rendering
engine which might result in denial of service or the execution of
arbitrary code if a malformed font file is processed.
      
For the oldstable distribution (jessie), these problems have been fixed
in version 1.3.10-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed
prior to the initial release.

#1288 OFFLINE   sunrat

Posted 26 June 2017 - 06:10 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3895-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2017-9780

It was discovered that Flatpak, an application deployment framework for
desktop apps, insufficiently restricted file permissions in third-party
repositories, which could result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 0.8.5-2+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 22, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
                 CVE-2017-7679

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167

    Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
    third-party modules outside of the authentication phase may lead to
    authentication requirements being bypassed.

CVE-2017-3169

    Vasileios Panopoulos of AdNovum Informatik AG discovered that
    mod_ssl may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port
    leading to a denial of service.

CVE-2017-7659

    Robert Swiecki reported that a specially crafted HTTP/2 request
    could cause mod_http2 to dereference a NULL pointer and crash the
    server process.

CVE-2017-7668

    Javier Jimenez reported that the HTTP strict parsing contains a
    flaw leading to a buffer overread in ap_find_token(). A remote
    attacker can take advantage of this flaw by carefully crafting a
    sequence of request headers to cause a segmentation fault, or to
    force ap_find_token() to return an incorrect value.

CVE-2017-7679

    ChenQin and Hanno Boeck reported that mod_mime can read one byte
    past the end of a buffer when sending a malicious Content-Type
    response header.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3897-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 24, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2015-7943 CVE-2017-6922
Debian Bug     : 865498

Two vulnerabilities were discovered in Drupal, a fully-featured content
management framework. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2015-7943

    Samuel Mortenson and Pere Orga discovered that the overlay module
    does not sufficiently validate URLs prior to displaying their
    contents, leading to an open redirect vulnerability.

    More information can be found at
    https://www.drupal.o...A-CORE-2015-004

CVE-2017-6922

    Greg Knaddison, Mori Sugimoto and iancawthorne discovered that files
    uploaded by anonymous users into a private file system can be
    accessed by other anonymous users leading to an access bypass
    vulnerability.

    More information can be found at
    https://www.drupal.o...A-CORE-2017-003

For the oldstable distribution (jessie), these problems have been fixed
in version 7.32-1+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 7.52-2+deb9u1. For the stable distribution (stretch),
CVE-2015-7943 was already fixed before the initial release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3898-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 25, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : expat
CVE ID         : CVE-2016-9063 CVE-2017-9233

Multiple vulnerabilities have been discovered in Expat, an XML parsing C
library. The Common Vulnerabilities and Exposures project identifies the
following problems:


CVE-2016-9063

    Gustavo Grieco discovered an integer overflow flaw during parsing of
    XML. An attacker can take advantage of this flaw to cause a denial
    of service against an application using the Expat library.

CVE-2017-9233

    Rhodri James discovered an infinite loop vulnerability within the
    entityValueInitProcessor() function while parsing malformed XML
    in an external entity. An attacker can take advantage of this
    flaw to cause a denial of service against an application using
    the Expat library.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0-6+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.0-2+deb9u1. For the stable distribution (stretch),
CVE-2016-9063 was already fixed before the initial release.

For the testing distribution (buster), these problems have been fixed
in version 2.2.1-1 or an earlier version.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.1-1 or an earlier version.

#1289 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 01 July 2017 - 08:13 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3899-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 27, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2017-8310 CVE-2017-8311 CVE-2017-8312 CVE-2017-8313

Several vulnerabilities have been found in VLC, the VideoLAN project's
media player. Processing malformed subtitles or movie files could lead
to denial of service and potentially the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.2.6-1~deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3886-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 27, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
Debian Bug     : 865303

The security update announced as DSA-3886-1 caused regressions for some
applications using Java - including jsvc, LibreOffice and Scilab - due
to the fix for CVE-2017-1000364. Updated packages are now available to
correct this issue. For reference, the relevant part of the original
advisory text follows.

CVE-2017-1000364

    The Qualys Research Labs discovered that the size of the stack guard
    page is not sufficiently large. The stack-pointer can jump over the
    guard-page and move from the stack into another memory region
    without accessing the guard-page. In this case no page-fault
    exception is raised and the stack extends into the other memory
    region. An attacker can exploit this flaw for privilege escalation.

    The default stack gap protection is set to 256 pages and can be
    configured via the stack_guard_gap kernel parameter on the kernel
    command line.

    Further details can be found at
    https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 3.16.43-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.30-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3900-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 27, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openvpn
CVE ID         : CVE-2017-7479 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
Debian Bug     : 865480

Several issues were discovered in openvpn, a virtual private network
application.

CVE-2017-7479

    It was discovered that openvpn did not properly handle the
    rollover of packet identifiers. This would allow an authenticated
    remote attacker to cause a denial-of-service via application
    crash.

CVE-2017-7508

    Guido Vranken discovered that openvpn did not properly handle
    specific malformed IPv6 packets. This would allow a remote
    attacker to cause a denial-of-service via application crash.

CVE-2017-7520

    Guido Vranken discovered that openvpn did not properly handle
    clients connecting to an HTTP proxy with NTLMv2
    authentication. This would allow a remote attacker to cause a
    denial-of-service via application crash, or potentially leak
    sensitive information like the user's proxy password.

CVE-2017-7521

    Guido Vranken discovered that openvpn did not properly handle
    some x509 extensions. This would allow a remote attacker to cause
    a denial-of-service via application crash.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3.4-5+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.0-6+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 2.4.3-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.3-1.

#1290 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 02 July 2017 - 07:50 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3901-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 02, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2017-7526

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
Yuval Yarom discovered that Libgcrypt is prone to a local side-channel
attack allowing full key recovery for RSA-1024.

See https://eprint.iacr.org/2017/627 for details.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.3-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1.7.6-2+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 1.7.8-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.8-1.

#1291 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 05 July 2017 - 08:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3902-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 05, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jabberd2
CVE ID         : CVE-2017-10807
Debian Bug     : 867032

It was discovered that jabberd2, a Jabber instant messenger server,
allowed anonymous SASL connections, even if disabled in the
configuration.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.0-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3903-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2016-10095 CVE-2017-9147 CVE-2017-9403 CVE-2017-9404
                 CVE-2017-9936 CVE-2017-10688

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 4.0.8-3.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.8-3.

#1292 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 08 July 2017 - 09:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3904-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 08, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2017-3142 CVE-2017-3143
Debian Bug     : 866564

Clément Berthaux from Synaktiv discovered two vulnerabilities in BIND, a DNS
server implementation. They allow an attacker to bypass TSIG authentication by
sending crafted DNS packets to a server.

CVE-2017-3142

    An attacker who is able to send and receive messages to an authoritative
    DNS server and who has knowledge of a valid TSIG key name may be able to
    circumvent TSIG authentication of AXFR requests via a carefully constructed
    request packet. A server that relies solely on TSIG keys for protection
    with no other ACL protection could be manipulated into:
    - providing an AXFR of a zone to an unauthorized recipient
    - accepting bogus NOTIFY packets

CVE-2017-3143

    An attacker who is able to send and receive messages to an authoritative
    DNS server and who has knowledge of a valid TSIG key name for the zone and
    service being targeted may be able to manipulate BIND into accepting an
    unauthorized dynamic update.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:9.9.5.dfsg-9+deb8u12.

For the stable distribution (stretch), these problems have been fixed in
version 1:9.10.3.dfsg.P4-12.4.

#1293 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 10 July 2017 - 08:12 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3905-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2017-10971 CVE-2017-10972
Debian Bug     : 867492

Two security issues have been discovered in the X.org X server, which
may lead to privilege escalation or an information leak.
  
For the oldstable distribution (jessie), these problems have been fixed
in version 2:1.16.4-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 2:1.19.2-1+deb9u1. Setups running root-less X are not affected.

For the testing distribution (buster), these problems have been fixed
in version 2:1.19.3-2.

For the unstable distribution (sid), these problems have been fixed in
version 2:1.19.3-2.

#1294 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 11 July 2017 - 08:59 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3906-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 11, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : undertow
CVE ID         : CVE-2017-2666 CVE-2017-2670

Two vulnerabilities have been discovered in Undertow, a web server
written in Java, which may lead to denial of service or HTTP request
smuggling.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.8-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 1.4.18-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.18-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3907-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 11, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2017-7506

Frediano Ziglio discovered a buffer overflow in spice, a SPICE protocol
client and server library which may result in memory disclosure, denial
of service and potentially the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.12.5-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

#1295 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 12 July 2017 - 09:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3908-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 12, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nginx
CVE ID         : CVE-2017-7529

An integer overflow has been found in the HTTP range module of Nginx, a
high-performance web and reverse proxy server, which may result in
information disclosure.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.2-5+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 1.10.3-1+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

#1296 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 15 July 2017 - 08:13 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3909-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2017-11103
Debian Bug     : 868209

Jeffrey Altman, Viktor Dukhovni and Nico Williams identified a mutual
authentication bypass vulnerability in samba, the SMB/CIFS file, print, and
login server. Also known as Orpheus' Lyre, this vulnerability is located in
Samba Kerberos Key Distribution Center (KDC-REP) component and could be used by
an attacker on the network path to impersonate a server.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/) and on the Samba project website
(https://www.samba.or...2017-11103.html)

For the oldstable distribution (jessie), this problem has been fixed
in version 2:4.2.14+dfsg-0+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.8+dfsg-2+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2:4.6.5+dfsg-4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.6.5+dfsg-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3911-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evince
CVE ID         : CVE-2017-1000083

Felix Wilhelm discovered that the Evince document viewer made insecure
use of tar when opening tar comic book archives (CBT). Opening a
malicious CBT archive could result in the execution of arbitrary code.
This update disables the CBT format entirely.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.14.1-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.1-3+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.22.1-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3910-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : knot
CVE ID         : CVE-2017-11104
Debian Bug     : 865678

Clément Berthaux from Synaktiv discovered a signature forgery vulnerability in
knot, an authoritative-only DNS server. This vulnerability allows an attacker
to bypass TSIG authentication by sending crafted DNS packets to a server.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.0-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.0-3+deb9u1.

For the testing (buster) and unstable (sid) distributions, this problem
will be fixed in a later update.

#1297 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 16 July 2017 - 08:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3912-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 16, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : heimdal
CVE ID         : CVE-2017-11103
Debian Bug     : 868208

Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams reported that
Heimdal, an implementation of Kerberos 5 that aims to be compatible with
MIT Kerberos, trusts metadata taken from the unauthenticated plaintext
(Ticket), rather than the authenticated and encrypted KDC response. A
man-in-the-middle attacker can use this flaw to impersonate services to
the client.

See https://orpheus-lyre.info/ for details.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6~rc2+dfsg-9+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 7.1.0+dfsg-13+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 7.4.0.dfsg.1-1.

#1298 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 18 July 2017 - 09:43 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3913-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 18, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-9788
Debian Bug     : 868467

Robert Swiecki reported that mod_auth_digest does not properly
initialize or reset the value placeholder in [Proxy-]Authorization
headers of type 'Digest' between successive key=value assignments,
leading to information disclosure or denial of service.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.10-10+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.25-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.27-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3914-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-9439 CVE-2017-9440 CVE-2017-9500 CVE-2017-9501
                 CVE-2017-10928 CVE-2017-11141 CVE-2017-11170  
                 CVE-2017-11360 CVE-2017-11188
Debian Bug     : 863126 867367 867778 867721 864273 864274 867806 868264
                 868184 867810 867808 867811 867812 867896 867798 867821
                 867824 867825 867826 867893 867823 867894 867897

This update fixes several vulnerabilities in imagemagick: Various
memory handling problems and cases of missing or incomplete input
sanitising may result in denial of service, memory disclosure or the
execution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT,
TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNG
files are processed.
      
For the oldstable distribution (jessie), these problems have been fixed
in version 8:6.8.9.9-5+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 8:6.9.7.4+dfsg-12.

#1299 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 22 July 2017 - 09:57 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3915-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
July 20, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-mixlib-archive
CVE ID         : CVE-2017-1000026
Debian Bug     : 868572

It was discovered that ruby-mixlib-archive, a Chef Software library
used to handle various archive formats, was vulnerable to a directory
traversal attack. This allowed attackers to overwrite arbitrary files
by using a malicious tar archive containing ".." in its entries.

For the stable distribution (stretch), this problem has been fixed in
version 0.2.0-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3916-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 21, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : atril
CVE ID         : CVE-2017-1000083
Debian Bug     : 868500

It was discovered that Atril, the MATE document viewer, made insecure
use of tar when opening tar comic book archives (CBT). Opening a
malicious CBT archive could result in the execution of arbitrary code.
This update disables the CBT format entirely.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.8.1+dfsg1-4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.16.1-2+deb9u1.

#1300 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,321 posts

Posted 24 July 2017 - 06:51 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3917-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 23, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : catdoc
CVE ID         : CVE-2017-11110
Debian Bug     : 867717

A heap-based buffer underflow flaw was discovered in catdoc, a text
extractor for MS-Office files, which may lead to denial of service
(application crash) or have unspecified other impact, if a specially
crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.94.4-1.1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 1:0.95-3.

For the unstable distribution (sid), this problem has been fixed in
version 1:0.95-3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3904-2                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 23, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
Debian Bug     : 868952

The security update announced as DSA-3904-1 in bind9 introduced a regression.
The fix for CVE-2017-3142 broke verification of TSIG signed TCP message
sequences where not all the messages contain TSIG records. This conforms to
the spec and may be used in AXFR and IXFR responses.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:9.9.5.dfsg-9+deb8u13.

For the stable distribution (stretch), this problem has been fixed in
version 1:9.10.3.dfsg.P4-12.3+deb9u2.

For the testing distribution (buster), this problem has been fixed
in version 1:9.10.3.dfsg.P4-12.5.

For the unstable distribution (sid), this problem has been fixed in
version 1:9.10.3.dfsg.P4-12.5.