Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1362 replies to this topic

#1326 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 20 September 2017 - 07:07 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3980-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 20, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-9798
Debian Bug     : 876109

Hanno Boeck discovered that incorrect parsing of Limit directives of
.htaccess files by the Apache HTTP Server could result in memory
disclosure.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.10-10+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.25-3+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 20, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
                 CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
                 CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
                 CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
                 CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
                 CVE-2017-1000380
Debian Bug     : 866511 875881

Several vulnerabilities have been discovered in the Linux kernel that
may lead to privilege escalation, denial of service or information
leaks.

CVE-2017-7518

    Andy Lutomirski discovered that KVM is prone to an incorrect debug
    exception (#DB) error occurring while emulating a syscall
    instruction. A process inside a guest can take advantage of this
    flaw for privilege escalation inside a guest.

CVE-2017-7558 (stretch only)

    Stefano Brivio of Red Hat discovered that the SCTP subsystem is
    prone to a data leak vulnerability due to an out-of-bounds read
    flaw, allowing to leak up to 100 uninitialized bytes to userspace.

CVE-2017-10661 (jessie only)

    Dmitry Vyukov of Google reported that the timerfd facility does
    not properly handle certain concurrent operations on a single file
    descriptor.  This allows a local attacker to cause a denial of
    service or potentially execute arbitrary code.

CVE-2017-11600

    Bo Zhang reported that the xfrm subsystem does not properly
    validate one of the parameters to a netlink message. Local users
    with the CAP_NET_ADMIN capability can use this to cause a denial
    of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229

    Jan H. Schoenherr of Amazon discovered that when Linux is running
    in a Xen PV domain on an x86 system, it may incorrectly merge
    block I/O requests.  A buggy or malicious guest may trigger this
    bug in dom0 or a PV driver domain, causing a denial of service or
    potentially execution of arbitrary code.

    This issue can be mitigated by disabling merges on the underlying
    back-end block devices, e.g.:
        echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12146 (stretch only)

    Adrian Salido of Google reported a race condition in access to the
    "driver_override" attribute for platform devices in sysfs. If
    unprivileged users are permitted to access this attribute, this
    might allow them to gain privileges.

CVE-2017-12153

    bo Zhang reported that the cfg80211 (wifi) subsystem does not
    properly validate the parameters to a netlink message. Local users
    with the CAP_NET_ADMIN capability (in any user namespace with a
    wifi device) can use this to cause a denial of service.

CVE-2017-12154

    Jim Mattson of Google reported that the KVM implementation for
    Intel x86 processors did not correctly handle certain nested
    hypervisor configurations. A malicious guest (or nested guest in a
    suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106

    Andrey Konovalov discovered that a user-triggerable division by
    zero in the tcp_disconnect() function could result in local denial
    of service.

CVE-2017-14140

    Otto Ebeling reported that the move_pages() system call performed
    insufficient validation of the UIDs of the calling and target
    processes, resulting in a partial ASLR bypass. This made it easier
    for local users to exploit vulnerabilities in programs installed
    with the set-UID permission bit set.

CVE-2017-14156

    "sohu0106" reported an information leak in the atyfb video driver.
    A local user with access to a framebuffer device handled by this
    driver could use this to obtain sensitive information.

CVE-2017-14340

    Richard Wareing discovered that the XFS implementation allows the
    creation of files with the "realtime" flag on a filesystem with no
    realtime device, which can result in a crash (oops). A local user
    with access to an XFS filesystem that does not have a realtime
    device can use this for denial of service.

CVE-2017-14489

    ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not
    properly validate the length of a netlink message, leading to
    memory corruption. A local user with permission to manage iSCSI
    devices can use this for denial of service or possibly to execute
    arbitrary code.

CVE-2017-14497 (stretch only)

    Benjamin Poirier of SUSE reported that vnet headers are not
    properly handled within the tpacket_rcv() function in the raw
    packet (af_packet) feature. A local user with the CAP_NET_RAW
    capability can take advantage of this flaw to cause a denial of
    service (buffer overflow, and disk and memory corruption) or have
    other impact.

CVE-2017-1000111

    Andrey Konovalov of Google reported a race condition in the raw
    packet (af_packet) feature. Local users with the CAP_NET_RAW
    capability can use this for denial of service or possibly to
    execute arbitrary code.

CVE-2017-1000112

    Andrey Konovalov of Google reported a race condition flaw in the
    UDP Fragmentation Offload (UFO) code. A local user can use this
    flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881

    Armis Labs discovered that the Bluetooth subsystem does not
    properly validate L2CAP configuration responses, leading to a
    stack buffer overflow. This is one of several vulnerabilities
    dubbed "Blueborne". A nearby attacker can use this to cause a
    denial of service or possibly to execute arbitrary code on a
    system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)

    Jan H. Schoenherr of Amazon reported that the KVM implementation
    for Intel x86 processors did not correctly validate interrupt
    injection requests. A local user with permission to use KVM could
    use this for denial of service.

CVE-2017-1000370

    The Qualys Research Labs reported that a large argument or
    environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371

    The Qualys Research Labs reported that a large argument
    orenvironment list can result in a stack/heap clash for 32-bit
    PIE binaries.

CVE-2017-1000380

    Alexander Potapenko of Google reported a race condition in the ALSA
    (sound) timer driver, leading to an information leak. A local user
    with permission to access sound devices could use this to obtain
    sensitive information.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
by any local user.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u5.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1327 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 22 September 2017 - 06:13 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3982-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 21, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2017-12837 CVE-2017-12883
Debian Bug     : 875596 875597

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-12837

    Jakub Wilk reported a heap buffer overflow flaw in the regular
    expression compiler, allowing a remote attacker to cause a denial of
    service via a specially crafted regular expression with the
    case-insensitive modifier.

CVE-2017-12883

    Jakub Wilk reported a buffer over-read flaw in the regular
    expression parser, allowing a remote attacker to cause a denial of
    service or information leak.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.20.2-3+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u2.

For the testing distribution (buster), these problems have been fixed
in version 5.26.0-8.

For the unstable distribution (sid), these problems have been fixed in
version 5.26.0-8.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3983-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 22, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2017-12150 CVE-2017-12151 CVE-2017-12163

Multiple security issues have been discoverd in Samba, a SMB/CIFS file,
print, and login server for Unix:

CVE-2017-12150

    Stefan Metzmacher discovered multiple code paths where SMB signing
    was not enforced.

CVE-2017-12151

    Stefan Metzmacher discovered that tools using libsmbclient did not
    enforce encryption when following DFS redirects, which could allow a
    man-in-the-middle attacker to read or modify connections which were
    meant to be encrypted.

CVE-2017-12163

    Yihan Lian and Zhibin Hu discovered that insufficient range checks
    in the processing of SMB1 write requests could result in disclosure
    of server memory.

For the oldstable distribution (jessie), these problems have been fixed
in version 2:4.2.14+dfsg-0+deb8u8.

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.8+dfsg-2+deb9u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1328 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 26 September 2017 - 07:31 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3984-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
September 26, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
Debian Bug     : 876854

joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator.  The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).

In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default.  Refer to the updated
documentation for instructions how to reenable in case this CVS
functionality is still needed.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.14.2-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1329 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 28 September 2017 - 08:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3985-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
September 28, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114
                 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118
                 CVE-2017-5119 CVE-2017-5120 CVE-2017-5121 CVE-2017-5122

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5111

    Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-5112

    Tobias Klein discovered a buffer overflow issue in the webgl
    library.

CVE-2017-5113

    A buffer overflow issue was discovered in the skia library.

CVE-2017-5114

    Ke Liu discovered a memory issue in the pdfium library.

CVE-2017-5115

    Marco Giovannini discovered a type confusion issue in the v8
    javascript library.

CVE-2017-5116

    Guang Gong discovered a type confusion issue in the v8 javascript
    library.

CVE-2017-5117

    Tobias Klein discovered an uninitialized value in the skia library.

CVE-2017-5118

    WenXu Wu discovered a way to bypass the Content Security Policy.

CVE-2017-5119

    Another uninitialized value was discovered in the skia library.

CVE-2017-5120

    Xiaoyin Liu discovered a way downgrade HTTPS connections during
    redirection.

CVE-2017-5121

    Jordan Rabet discovered an out-of-bounds memory access in the v8
    javascript library.

CVE-2017-5122

    Choongwoo Han discovered an out-of-bounds memory access in the v8
    javascript library.

For the stable distribution (stretch), these problems have been fixed in
version 61.0.3163.100-1~deb9u1.

For the testing distribution (buster), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 61.0.3163.100-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1330 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 30 September 2017 - 07:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3986-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 29, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2017-9611 CVE-2017-9612 CVE-2017-9726 CVE-2017-9727
                 CVE-2017-9739 CVE-2017-9835 CVE-2017-11714
Debian Bug     : 869907 869910 869913 869915 869916 869917 869977

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service if a
specially crafted Postscript file is processed.

For the oldstable distribution (jessie), these problems have been fixed
in version 9.06~dfsg-2+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 9.20~dfsg-3.2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3987-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 29, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814
                 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees, buffer
overflows and other implementation errors may lead to the execution of
arbitrary code, denial of service, cross-site scripting or bypass of
the phishing and malware protection feature.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.4.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.4.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3988-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 30, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libidn2-0
CVE ID         : CVE-2017-14062
Debian Bug     : 873902

An integer overflow vulnerability was discovered in decode_digit() in
libidn2-0, the GNU library for Internationalized Domain Names (IDNs),
allowing a remote attacker to cause a denial of service against an
application using the library (application crash).

For the oldstable distribution (jessie), this problem has been fixed
in version 0.10-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 0.16-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2.0.2-4.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.2-4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1331 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 06 October 2017 - 06:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3989-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 02, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dnsmasq
CVE ID         : CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494
                 CVE-2017-14495 CVE-2017-14496

Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron
Bowes and Gynvael Coldwind of the Google Security Team discovered
several vulnerabilities in dnsmasq, a small caching DNS proxy and
DHCP/TFTP server, which may result in denial of service, information
leak or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.72-3+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 2.76-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3990-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 03, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2017-14603

Klaus-Peter Junghann discovered that insufficient validation of RTCP
packets in Asterisk may result in an information leak. Please see the
upstream advisory at
http://downloads.ast...T-2017-008.html for
additional details.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:11.13.1~dfsg-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1:13.14.1~dfsg-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3991-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 03, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2017-9375 CVE-2017-12809 CVE-2017-13672 CVE-2017-13711
                 CVE-2017-14167

Multiple vulnerabilities were found in in qemu, a fast processor emulator:

CVE-2017-9375

    Denial of service via memory leak in USB XHCI emulation.
      
CVE-2017-12809

    Denial of service in the CDROM device drive emulation.

CVE-2017-13672

    Denial of service in VGA display emulation.

CVE-2017-13711

    Denial of service in SLIRP networking support.

CVE-2017-14167

    Incorrect validation of multiboot headers could result in the
    execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3992-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 06, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254
Debian Bug     : 871554 871555 877671

Several vulnerabilities have been discovered in cURL, an URL transfer
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2017-1000100

    Even Rouault reported that cURL does not properly handle long file
    names when doing an TFTP upload. A malicious HTTP(S) server can take
    advantage of this flaw by redirecting a client using the cURL
    library to a crafted TFTP URL and trick it to send private memory
    contents to a remote server over UDP.

CVE-2017-1000101

    Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw
    in the globbing function that parses the numerical range, leading to
    an out-of-bounds read when parsing a specially crafted URL.

CVE-2017-1000254

    Max Dymond reported that cURL contains an out-of-bounds read flaw in
    the FTP PWD response parser. A malicious server can take advantage
    of this flaw to effectively prevent a client using the cURL library
    to work with it, causing a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3993-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 06, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2017-0380

It was discovered that the Tor onion service could leak sensitive
information to log files if the "SafeLogging" option is set to "0".

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 0.2.9.12-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1332 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 08 October 2017 - 06:18 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3994-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 07, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nautilus
CVE ID         : CVE-2017-14604
Debian Bug     : 860268

Christian Boxdörfer discovered a vulnerability in the handling of
FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME
desktop environment. An attacker can craft a .desktop file intended to run
malicious commands but displayed as a innocuous document file in Nautilus. An
user would then trust it and open the file, and Nautilus would in turn execute
the malicious content. Nautilus protection of only trusting .desktop files with
executable permission can be bypassed by shipping the .desktop file inside a
tarball.

For the oldstable distribution (jessie), this problem has not been fixed yet.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.3-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 3.26.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.26.0-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1333 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 11 October 2017 - 06:43 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3995-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxfont
CVE ID         : CVE-2017-13720 CVE-2017-13722

Two vulnerabilities were found in libXfont, the X11 font rasterisation
library, which could result in denial of service or memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:1.5.1-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.0.1-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3996-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2017-14054 CVE-2017-14055 CVE-2017-14056
                 CVE-2017-14057 CVE-2017-14058 CVE-2017-14059
CVE-2017-14169 CVE-2017-14170 CVE-2017-14171
CVE-2017-14222 CVE-2017-14223 CVE-2017-14225
                 CVE-2017-14767

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed Real, MV, RL2, ASF, Apple HLS,
Phantom Cine, MXF, NSV, MOV or RTP H.264 files/streams are processed.

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.8-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3997-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 10, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2017-14718 CVE-2017-14719 CVE-2017-14720 CVE-2017-14721
                 CVE-2017-14722 CVE-2017-14723 CVE-2017-14724 CVE-2017-14725
                 CVE-2017-14726 CVE-2017-14990
Debian Bug     : 876274 877629

Several vulnerabilities were discovered in Wordpress, a web blogging tool.
They would allow remote attackers to exploit path-traversal issues, perform SQL
injections and various cross-site scripting attacks.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.1+dfsg-1+deb8u15.

For the stable distribution (stretch), these problems have been fixed in
version 4.7.5+dfsg-2+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 4.8.2+dfsg-2.

For the unstable distribution (sid), these problems have been fixed in
version 4.8.2+dfsg-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3998-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 11, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2017-7805

Martin Thomson discovered that nss, the Mozilla Network Security Service
library, is prone to a use-after-free vulnerability in the TLS 1.2
implementation when handshake hashes are generated. A remote attacker
can take advantage of this flaw to cause an application using the nss
library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 2:3.26-1+debu8u3.

For the stable distribution (stretch), this problem has been fixed in
version 2:3.26.2-1.1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2:3.33-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:3.33-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1334 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 16 October 2017 - 05:57 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3999-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 16, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
                 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
                 CVE-2017-13088

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered
multiple vulnerabilities in the WPA protocol, used for authentication in
wireless networks. Those vulnerabilities applies to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).

An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.

More information can be found in the researchers's paper, Key Reinstallation
Attacks: Forcing Nonce Reuse in WPA2.

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way
                handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key
                handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
                Request and reinstalling the pairwise key while processing it
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
                (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a
                Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
                processing a Wireless Network Management (WNM) Sleep Mode
                Response frame

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1335 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 19 October 2017 - 06:25 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4000-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 17, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179
                 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183
                 CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187
                 CVE-2017-13721 CVE-2017-13723

Several vulnerabilities have been discovered in the X.Org X server. An
attacker who's able to connect to an X server could cause a denial of
service or potentially the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 2:1.16.4-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 2:1.19.2-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4001-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 19, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : yadifa
CVE ID         : CVE-2017-14339
Debian Bug     : 876315

It was discovered that YADIFA, an authoritative DNS server, did not
sufficiently check its input. This allowed a remote attacker to cause
a denial-of-service by forcing the daemon to enter an infinite loop.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.3-1+deb9u1.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4002-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 19, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
Debian Bug     : 878402

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.58, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.co...ews-5-5-58.html
http://www.oracle.co...17-3236626.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.58-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4003-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 19, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2017-1000256
Debian Bug     : 878799

Daniel P. Berrange reported that Libvirt, a virtualisation abstraction
library, does not properly handle the default_tls_x509_verify (and
related) parameters in qemu.conf when setting up TLS clients and servers
in QEMU, resulting in TLS clients for character devices and disk devices
having verification turned off and ignoring any errors while validating
the server certificate.

More informations in https://security.lib.../2017/0002.html .

For the stable distribution (stretch), this problem has been fixed in
version 3.0.0-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.8.0-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1336 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 20 October 2017 - 05:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4004-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 20, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jackson-databind
CVE ID         : CVE-2017-7525
Debian Bug     : 870848

Liao Xinxi discovered that jackson-databind, a Java library used to
parse JSON and other data formats, did not properly validate user
input before attemtping deserialization. This allowed an attacker to
perform code execution by providing maliciously crafted input.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.2-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.8.6-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4005-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 20, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjfx
CVE ID         : CVE-2017-10086 CVE-2017-10114

Two unspecified vulnerabilities were discovered in OpenJFX, a rich client
application platform for Java.

For the stable distribution (stretch), these problems have been fixed in
version 8u141-b14-3~deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1337 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 24 October 2017 - 08:16 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4006-1                   security@debian.org
https://www.debian.org/security/                                        
October 24, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587
Debian Bug     : 877379 879055

Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which
may result in denial of service or the execution of arbitrary code.

CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687

     WangLin discovered that a crafted .xps file can crash MuPDF and
     potentially execute arbitrary code in several ways, since the
     application makes unchecked assumptions on the entry format.

CVE-2017-15587

    Terry Chia and Jeremy Heng discovered an integer overflow that can
    cause arbitrary code execution via a crafted .pdf file.

For the stable distribution (stretch), these problems have been fixed in
version 1.9a+ds1-4+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1338 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 28 October 2017 - 08:26 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4007-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
October 27, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2017-1000257

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL
transfer library, incorrectly parsed an IMAP FETCH response with size 0,
leading to an out-of-bounds read.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.38.0-4+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 7.52.1-5+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 7.56.1-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4008-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wget
CVE ID         : CVE-2017-13089 CVE-2017-13090

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen
discovered two buffer overflows in the HTTP protocol handler of the Wget
download tool, which could result in the execution of arbitrary code
when connecting to a malicious HTTP server.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.16-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.18-5+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1339 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 30 October 2017 - 07:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4009-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 29, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : shadowsocks-libev
CVE ID         : CVE-2017-15924

Niklas Abel discovered that insufficient input sanitising in the the
ss-manager component of shadowsocks-libev, a lightweight socks5 proxy,
could result in arbitrary shell command execution.

For the stable distribution (stretch), this problem has been fixed in
version 2.6.3+ds-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4010-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 30, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git-annex
CVE ID         : CVE-2017-12976
Debian Bug     : 873088

It was discovered that git-annex, a tool to manage files with git
without checking their contents in, did not correctly handle
maliciously constructed ssh:// URLs. This allowed an attacker to run
an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.20141125+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 6.20170101-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4011-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 30, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
CVE ID         : CVE-2017-16227
Debian Bug     : 879474

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.99.23.1-1+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-3+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1340 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 01 November 2017 - 07:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4013-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2016-1628 CVE-2016-5152 CVE-2016-5157 CVE-2016-9118
                 CVE-2016-10504 CVE-2017-14039 CVE-2017-14040
CVE-2017-14041 CVE-2017-14151 CVE-2017-14152

Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression /
decompression library, may result in denial of service or the execution
of arbitrary code if a malformed JPEG 2000 file is processed.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 2.1.2-1.1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4014-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 01, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814
                 CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.4.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.4.0-1~deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1341 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 03 November 2017 - 06:48 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4015-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 02, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2017-10274 CVE-2017-10281 CVE-2017-10285
                 CVE-2017-10295 CVE-2017-10345 CVE-2017-10346
CVE-2017-10347 CVE-2017-10348 CVE-2017-10349
CVE-2017-10350 CVE-2017-10355 CVE-2017-10356
                 CVE-2017-10357 CVE-2017-10388

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in impersonation
of Kerberos services, denial of service, sandbox bypass or HTTP header
injection.

For the stable distribution (stretch), these problems have been fixed in
version 8u151-b12-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4016-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 03, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : irssi
CVE ID         : CVE-2017-10965 CVE-2017-10966 CVE-2017-15227 CVE-2017-15228
                 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723
Debian Bug     : 867598 879521

Multiple vulnerabilities have been discovered in Irssi, a terminal based
IRC client. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-10965

    Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi does
    not properly handle receiving messages with invalid time stamps. A
    malicious IRC server can take advantage of this flaw to cause Irssi
    to crash, resulting in a denial of service.

CVE-2017-10966

    Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi is
    susceptible to a use-after-free flaw triggered while updating the
    internal nick list. A malicious IRC server can take advantage of
    this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15227

    Joseph Bisch discovered that while waiting for the channel
    synchronisation, Irssi may incorrectly fail to remove destroyed
    channels from the query list, resulting in use after free conditions
    when updating the state later on. A malicious IRC server can take
    advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

CVE-2017-15228

    Hanno Boeck reported that Irssi does not properly handle installing
    themes with unterminated colour formatting sequences, leading to a
    denial of service if a user is tricked into installing a specially
    crafted theme.

CVE-2017-15721

    Joseph Bisch discovered that Irssi does not properly handle
    incorrectly formatted DCC CTCP messages. A malicious IRC server can
    take advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

CVE-2017-15722

    Joseph Bisch discovered that Irssi does not properly verify Safe
    channel IDs. A malicious IRC server can take advantage of this flaw
    to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15723

    Joseph Bisch reported that Irssi does not properly handle overlong
    nicks or targets resulting in a NULL pointer dereference when
    splitting the message and leading to a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 0.8.17-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-1+deb9u3. CVE-2017-10965 and CVE-2017-10966 were already
fixed in an earlier point release.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1342 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 04 November 2017 - 06:48 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4017-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 03, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3735

    It was discovered that OpenSSL is prone to a one-byte buffer
    overread while parsing a malformed IPAddressFamily extension in an
    X.509 certificate.

    Details can be found in the upstream advisory:
    https://www.openssl....dv/20170828.txt

CVE-2017-3736

    It was discovered that OpenSSL contains a carry propagation bug in
    the x86_64 Montgomery squaring procedure.

    Details can be found in the upstream advisory:
    https://www.openssl....dv/20171102.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2l-2+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.2m-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4018-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 04, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3735

    It was discovered that OpenSSL is prone to a one-byte buffer
    overread while parsing a malformed IPAddressFamily extension in an
    X.509 certificate.

    Details can be found in the upstream advisory:
    https://www.openssl....dv/20170828.txt

CVE-2017-3736

    It was discovered that OpenSSL contains a carry propagation bug in
    the x86_64 Montgomery squaring procedure.

    Details can be found in the upstream advisory:
    https://www.openssl....dv/20171102.txt

For the oldstable distribution (jessie), CVE-2017-3735 has been fixed in
version 1.0.1t-1+deb8u7. The oldstable distribution is not affected by
CVE-2017-3736.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.0g-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1343 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 05 November 2017 - 08:47 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4019-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-9500  CVE-2017-11446 CVE-2017-11523 CVE-2017-11533
                 CVE-2017-11535 CVE-2017-11537 CVE-2017-11639 CVE-2017-11640
CVE-2017-12428 CVE-2017-12431 CVE-2017-12432 CVE-2017-12434
CVE-2017-12587 CVE-2017-12640 CVE-2017-12671 CVE-2017-13139
CVE-2017-13140 CVE-2017-13141 CVE-2017-13142 CVE-2017-13143
                 CVE-2017-13144 CVE-2017-13145
Debian Bug     : 870526 870491 870116 870111 870109 870106 870119
                 870105 870065 870014 869210 870067 870012 869834
869830 869827 868950 869728 869712 869715 869713 867778

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising may
result in denial of service, memory disclosure or the execution of
arbitrary code if malformed image files are processed.

For the stable distribution (stretch), this problem has been fixed in
version 8:6.9.7.4+dfsg-11+deb9u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1344 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 07 November 2017 - 06:10 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4020-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 05, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5124 CVE-2017-5125 CVE-2017-5126 CVE-2017-5127
                 CVE-2017-5128 CVE-2017-5129 CVE-2017-5131 CVE-2017-5132
                 CVE-2017-5133 CVE-2017-15386 CVE-2017-15387 CVE-2017-15388
                 CVE-2017-15389 CVE-2017-15390 CVE-2017-15391 CVE-2017-15392
                 CVE-2017-15393 CVE-2017-15394 CVE-2017-15395 CVE-2017-15396

Several vulnerabilities have been discovered in the chromium web browser.

In addition, this message serves as an annoucment that security support for
chromium in the oldstable release (jessie), Debian 8, is now discontinued.

Debian 8 chromium users that desire continued security updates are strongly
encouraged to upgrade now to the current stable release (stretch), Debian 9.

An alternative is to switch to the firefox browser, which will continue to
receive security updates in jessie for some time.

CVE-2017-5124

    A cross-site scripting issue was discovered in MHTML.

CVE-2017-5125

    A heap overflow issue was discovered in the skia library.

CVE-2017-5126

    Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-5127

    Luat Nguyen discovered another use-after-free issue in the pdfium
    library.

CVE-2017-5128

    Omair discovered a heap overflow issue in the WebGL implementation.

CVE-2017-5129

    Omair discovered a use-after-free issue in the WebAudio implementation.

CVE-2017-5131

    An out-of-bounds write issue was discovered in the skia library.

CVE-2017-5132

    Guarav Dewan discovered an error in the WebAssembly implementation.

CVE-2017-5133

    Aleksandar Nikolic discovered an out-of-bounds write issue in the skia
    library.

CVE-2017-15386

    WenXu Wu discovered a user interface spoofing issue.

CVE-2017-15387

    Jun Kokatsu discovered a way to bypass the content security policy.

CVE-2017-15388

    Kushal Arvind Shah discovered an out-of-bounds read issue in the skia
    library.

CVE-2017-15389

    xisigr discovered a URL spoofing issue.

CVE-2017-15390

    Haosheng Wang discovered a URL spoofing issue.

CVE-2017-15391

    Joao Lucas Melo Brasio discovered a way for an extension to bypass its
    limitations.

CVE-2017-15392

    Xiaoyin Liu discovered an error the implementation of registry keys.

CVE-2017-15393

    Svyat Mitin discovered an issue in the devtools.

CVE-2017-15394

    Sam discovered a URL spoofing issue.

CVE-2017-15395

    Johannes Bergman discovered a null pointer dereference issue.

CVE-2017-15396

    Yuan Deng discovered a stack overflow issue in the v8 javascript library.

For the oldstable distribution (jessie), security support for chromium has
been discontinued.

For the stable distribution (stretch), these problems have been fixed in
version 62.0.3202.75-1~deb9u1.

For the testing distribution (buster), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 62.0.3202.75-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4021-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 07, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : otrs2
CVE ID         : CVE-2017-14635

It was discovered that missing input validation in the Open Ticket
Request System could result in privilege escalation by an agent with
write permissions for statistics.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.3.18-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.16-1+deb9u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1345 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 08 November 2017 - 07:08 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4023-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 07, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2017-15566
Debian Bug     : 880530

Ryan Day discovered that the Simple Linux Utility for Resource
Management (SLURM), a cluster resource management and job scheduling
system, does not properly handle SPANK environment variables, allowing a
user permitted to submit jobs to execute code as root during the Prolog
or Epilog. All systems using a Prolog or Epilog script are vulnerable,
regardless of whether SPANK plugins are in use.

For the stable distribution (stretch), this problem has been fixed in
version 16.05.9-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 17.02.9-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4024-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 08, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-15398 CVE-2017-15399

Several vulnerabilities have been discovered in the chromium browser.

CVE-2017-15398

    Ned Williamson discovered a stack overflow issue.

CVE-2017-15399

    Zhao Qixun discovered a use-after-free issue in the v8 javascript
    library.

For the oldstable distribution (jessie), security support for chromium has
been discontinued.

For the stable distribution (stretch), these problems have been fixed in
version 62.0.3202.89-1~deb9u1.

For the testing distribution (buster), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 62.0.3202.89-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4022-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 07, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2017-12607 CVE-2017-12608

Marcin Noga discovered two vulnerabilities in LibreOffice, which could
result in the execution of arbitrary code if a malformed PPT or DOC
document is opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:4.3.3-2+deb8u9.

These vulnerabilities were fixed in Libreoffice 5.0.2, so the version
in the stable distribution (stretch) is not affected.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4025-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 08, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libpam4j
CVE ID         : CVE-2017-12197

It was discovered that libpam4j, a Java library wrapper for the
integration of PAM did not call pam_acct_mgmt() during authentication.
As such a user who has a valid password, but a deactivated or disabled
account could still log in.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.4-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1346 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 10 November 2017 - 06:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4026-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 09, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bchunk
CVE ID         : CVE-2017-15953 CVE-2017-15954 CVE-2017-15955
Debian Bug     : 880116

Wen Bin discovered that bchunk, an application that converts a CD
image in bin/cue format into a set of iso and cdr/wav tracks files,
did not properly check its input. This would allow malicious users to
crash the application or potentially execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.2.0-12+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.2.0-12+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4030-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 09, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2017-16651

A file disclosure vulnerability was discovered in roundcube, a skinnable
AJAX based webmail solution for IMAP servers. An authenticated attacker
can take advantage of this flaw to read roundcube's configuration files.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.3+dfsg.1-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4027-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 09, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2017-15098

A vulnerabilitiy has been found in the PostgreSQL database system:
Denial of service and potential memory disclosure in the
json_populate_recordset() and jsonb_populate_recordset() functions.

For the oldstable distribution (jessie), this problem has been fixed
in version 9.4.15-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4028-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 09, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.6
CVE ID         : CVE-2017-15098 CVE-2017-15099

Several vulnerabilities have been found in the PostgreSQL database system:

CVE-2017-15098

    Denial of service and potential memory disclosure in the
    json_populate_recordset() and jsonb_populate_recordset() functions

CVE-2017-15099

    Insufficient permissions checks in "INSERT ... ON CONFLICT DO UPDATE"
    statements.

For the stable distribution (stretch), these problems have been fixed in
version 9.6.6-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4029-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 09, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-common
CVE ID         : CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and
pg_upgradecluster commands handled symbolic links insecurely which could
result in local denial of service by overwriting arbitrary files.

For the oldstable distribution (jessie), this problem has been fixed
in version 165+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 181+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4006-2                   security@debian.org
https://www.debian.org/security/                                        
November 10, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2017-15587
Debian Bug     : 879055

It was discovered that the original patch applied for CVE-2017-15587
in DSA-4006-1 was incomplete. Updated packages are now available to
address this problem. For reference, the relevant part of the original
advisory text follows.

CVE-2017-15587

    Terry Chia and Jeremy Heng discovered an integer overflow that can
    cause arbitrary code execution via a crafted .pdf file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.5-1+deb8u3.

For the stable distribution (stretch), this problem have been fixed in
version 1.9a+ds1-4+deb9u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1347 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 12 November 2017 - 09:03 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4031-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 11, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033
Debian Bug     : 875928 875931 875936 879231

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-0898

    aerodudrizzt reported a buffer underrun vulnerability in the sprintf
    method of the Kernel module resulting in heap memory corruption or
    information disclosure from the heap.

CVE-2017-0903

    Max Justicz reported that RubyGems is prone to an unsafe object
    deserialization vulnerability. When parsed by an application which
    processes gems, a specially crafted YAML formatted gem specification
    can lead to remote code execution.

CVE-2017-10784

    Yusuke Endoh discovered an escape sequence injection vulnerability
    in the Basic authentication of WEBrick. An attacker can take
    advantage of this flaw to inject malicious escape sequences to the
    WEBrick log and potentially execute control characters on the
    victim's terminal emulator when reading logs.

CVE-2017-14033

    asac reported a buffer underrun vulnerability in the OpenSSL
    extension. A remote attacker can take advantage of this flaw to
    cause the Ruby interpreter to crash leading to a denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4032-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 12, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-12983 CVE-2017-13134 CVE-2017-13758
                 CVE-2017-13769 CVE-2017-14224 CVE-2017-14607
CVE-2017-14682 CVE-2017-14989 CVE-2017-15277
Debian Bug     : 873134 873099 878508 878507 876097 878527 876488 878562
                 878578

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution of
arbitrary code if malformed GIF, TTF, SVG, TIFF, PCX, JPG or SFW files
are processed.

For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1348 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 14 November 2017 - 08:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4033-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 13, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : konversation
CVE ID         : CVE-2017-15923
Debian Bug     : 881586

Joseph Bisch discovered that Konversation, an user friendly Internet
Relay Chat (IRC) client for KDE, could crash when parsing certain IRC
color formatting codes.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.5-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.2-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1349 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 15 November 2017 - 07:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4034-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 15, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : varnish
CVE ID         : CVE-2017-8807
Debian Bug     : 881808

'shamger' and Carlo Cannas discovered that a programming error in
Varnish, a state of the art, high-performance web accelerator, may
result in disclosure of memory contents or denial of service.

See https://varnish-cach...y/VSV00002.html for details.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.0-7+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4035-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 15, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-7826 CVE-2017-7828 CVE-2017-7830

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees and other
implementation errors may lead to the execution of arbitrary code, denial
of service or bypass of the same origin policy.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.5.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.5.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4036-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 15, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2017-8808 CVE-2017-8809 CVE-2017-8810 CVE-2017-8811
                 CVE-2017-8812 CVE-2017-8814 CVE-2017-8815

Multiple security vulnerabilities have been discovered in MediaWiki, a
website engine for collaborative work:

CVE-2017-8808

    Cross-site-scripting with non-standard URL escaping and
    $wgShowExceptionDetails disabled.

CVE-2017-8809

    Reflected file download in API.

CVE-2017-8810

    On private wikis the login form didn't distinguish between
    login failure due to bad username and bad password.

CVE-2017-8811

    It was possible to mangle HTML via raw message parameter
    expansion.

CVE-2017-8812

    id attributes in headlines allowed raw '>'.

CVE-2017-8814

    Language converter could be tricked into replacing text inside tags.

CVE-2017-8815

    Unsafe attribute injection via glossary rules in language converter.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.27.4-1~deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1350 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,370 posts

Posted 16 November 2017 - 09:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4037-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 16, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jackson-databind
CVE ID         : CVE-2017-15095

It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, improperly validated user input prior to
deserializing: following DSA-4004-1 for CVE-2017-7525, an additional
set of classes was identified as unsafe for deserialization.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.2-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.8.6-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4038-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 16, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : shibboleth-sp2
CVE ID         : CVE-2017-16852
Debian Bug     : 881857

Rod Widdowson of Steading System Software LLP discovered a coding error
in the "Dynamic" metadata plugin of the Shibboleth Service Provider,
causing the plugin to fail configuring itself with the filters provided
and omitting whatever checks they are intended to perform.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.5.3+dfsg-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.6.0+dfsg1-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4039-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 16, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : opensaml2
CVE ID         : CVE-2017-16853
Debian Bug     : 881856

Rod Widdowson of Steading System Software LLP discovered a coding error
in the OpenSAML library, causing the DynamicMetadataProvider class to
fail configuring itself with the filters provided and omitting whatever
checks they are intended to perform.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.5.3-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.6.0-4+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users