Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1285 replies to this topic

#1276 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 05 June 2017 - 03:14 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3873-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 05, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2017-6512
Debian Bug     : 863870

The cPanel Security Team reported a time of check to time of use
(TOCTTOU) race condition flaw in File::Path, a core module from Perl to
create or remove directory trees. An attacker can take advantage of this
flaw to set the mode on an attacker-chosen file to a attacker-chosen
value.

For the stable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u7.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 5.24.1-3.

For the unstable distribution (sid), this problem has been fixed in
version 5.24.1-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1277 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 09 June 2017 - 07:05 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3874-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ettercap
CVE ID         : CVE-2017-6430 CVE-2017-8366
Debian Bug     : 857035 861604

Agostino Sarubbo and AromalUllas discovered that ettercap, a network
security tool for traffic interception, contains vulnerabilities that
allowed an attacker able to provide maliciously crafted filters to
cause a denial-of-service via application crash.

For the stable distribution (jessie), these problems have been fixed in
version 1:0.8.1-3+deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 1:0.8.2-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3875-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmwaw
CVE ID         : CVE-2017-9433

It was discovered that a buffer overflow in libmwaw, a library to open
old Mac text documents might result in the execution of arbitrary code
if a malformed document is opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.3.1-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.3.9-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : otrs2
CVE ID         : CVE-2017-9324

Joerg-Thomas Vogt discovered that the SecureMode was insufficiently
validated in the OTRS ticket system, which could allow agents to
escalate their privileges.

For the stable distribution (jessie), this problem has been fixed in
version 3.3.9-3+deb8u1.

For the upcoming stable distribution (stretch), this problem will be
fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.0.20-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1278 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 10 June 2017 - 07:17 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3877-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 10, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2017-0376
Debian Bug     : 864424

It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contain a flaw in the hidden service
code when receiving a BEGIN_DIR cell on a hidden service rendezvous
circuit. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.14-1.

For the upcoming stable distribution (stretch), this problem will be
fixed in version 0.2.9.11-1~deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.9.11-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1279 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 12 June 2017 - 07:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 12, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zziplib
CVE ID         : CVE-2017-5974 CVE-2017-5975 CVE-2017-5976 CVE-2017-5978
                 CVE-2017-5979 CVE-2017-5980 CVE-2017-5981

Agostino Sarubbo discovered multiple vulnerabilities in zziplib, a
library to access Zip archives, which could result in denial of service
and potentially the execution of arbitrary code if a malformed archive
is processed.

For the stable distribution (jessie), these problems have been fixed in
version 0.13.62-3+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 0.13.62-3.1.

For the unstable distribution (sid), these problems have been fixed in
version 0.13.62-3.1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1280 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 13 June 2017 - 06:53 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3879-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 13, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libosip2
CVE ID         : CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853

Multiple security vulnerabilities have been found in oSIP, a library
implementing the Session Initiation Protocol, which might result in
denial of service through malformed SIP messages.

For the stable distribution (jessie), these problems have been fixed in
version 4.1.0-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 4.1.0-2.1.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.0-2.1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1281 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 14 June 2017 - 11:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3880-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2017-9526

It was discovered that a side channel attack in the EdDSA session key
handling in Libgcrypt may result in information disclosure.

For the stable distribution (jessie), this problem has been fixed in
version 1.6.3-2+deb8u3.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.7.6-2.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.6-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3881-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
                 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
                 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
                 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
                 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees, buffer overflows
and other implementation errors may lead to the execution of arbitrary
code, denial of service or domain spoofing.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 45.x series has ended, so starting with this update we're now
following the 52.x releases.

For the stable distribution (jessie), these problems have been fixed in
version 52.2.0esr-1~deb8u1.

For the upcoming stable distribution (stretch), these problems will be
fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 52.2.0esr-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1282 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 15 June 2017 - 07:20 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3882-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 15, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker4
CVE ID         : CVE-2016-6127 CVE-2017-5361 CVE-2017-5943 CVE-2017-5944

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2016-6127

    It was discovered that Request Tracker is vulnerable to a cross-site
    scripting (XSS) attack if an attacker uploads a malicious file with
    a certain content type. Installations which use the
    AlwaysDownloadAttachments config setting are unaffected by this
    flaw. The applied fix addresses all existant and future uploaded
    attachments.

CVE-2017-5361

    It was discovered that Request Tracker is vulnerable to timing
    side-channel attacks for user passwords.

CVE-2017-5943

    It was discovered that Request Tracker is prone to an information
    leak of cross-site request forgery (CSRF) verification tokens if a
    user is tricked into visiting a specially crafted URL by an
    attacker.


CVE-2017-5944

    It was discovered that Request Tracker is prone to a remote code
    execution vulnerability in the dashboard subscription interface. A
    privileged attacker can take advantage of this flaw through
    carefully-crafted saved search names to cause unexpected code to be
    executed. The applied fix addresses all existant and future saved
    searches.

Additionally to the above mentioned CVEs, this update workarounds
CVE-2015-7686 in Email::Address which could induce a denial of service
of Request Tracker itself.

For the stable distribution (jessie), these problems have been fixed in
version 4.2.8-3+deb8u2.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 4.4.1-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 4.4.1-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3883-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 15, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rt-authen-externalauth
CVE ID         : CVE-2017-5361

It was discovered that RT::Authen::ExternalAuth, an external
authentication module for Request Tracker, is vulnerable to timing
side-channel attacks for user passwords. Only ExternalAuth in DBI
(database) mode is vulnerable.

For the stable distribution (jessie), this problem has been fixed in
version 0.25-1+deb8u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1283 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 16 June 2017 - 09:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 16, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnutls28
CVE ID         : CVE-2017-7507
Debian Bug     : 864560

Hubert Kario discovered that GnuTLS, a library implementing the TLS and
SSL protocols, does not properly decode a status response TLS extension,
allowing a remote attacker to cause an application using the GnuTLS
library to crash (denial of service).

For the stable distribution (jessie), this problem has been fixed in
version 3.3.8-6+deb8u6.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 3.5.8-5+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.5.8-6.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1284 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 18 June 2017 - 07:37 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3885-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 18, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : irssi
CVE ID         : CVE-2017-9468 CVE-2017-9469
Debian Bug     : 864400

Multiple vulnerabilities have been discovered in Irssi, a terminal based
IRC client. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-9468

    Joseph Bisch discovered that Irssi does not properly handle DCC
    messages without source nick/host. A malicious IRC server can take
    advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

CVE-2017-9469

    Joseph Bisch discovered that Irssi does not properly handle
    receiving incorrectly quoted DCC files. A remote attacker can take
    advantage of this flaw to cause Irssi to crash, resulting in a
    denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 0.8.17-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-1+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.3-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1285 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 19 June 2017 - 08:25 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : glibc
CVE ID         : CVE-2017-1000366

The Qualys Research Labs discovered various problems in the dynamic
linker of the GNU C Library which allow local privilege escalation by
clashing the stack. For the full details, please refer to their advisory
published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 2.19-18+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.24-11+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2017-1000369

The Qualys Research Labs discovered a memory leak in the Exim mail
transport agent. This is not a security vulnerability in Exim by itself,
but can be used to exploit a vulnerability in stack handling. For the
full details, please refer to their advisory published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 4.84.2-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u1.

For the unstable distribution (sid), this problem will be fixed soon.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3886-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-0605 CVE-2017-7487 CVE-2017-7645 CVE-2017-7895
                 CVE-2017-8064 CVE-2017-8890 CVE-2017-8924 CVE-2017-8925
                 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
                 CVE-2017-9242 CVE-2017-1000364

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-0605

    A buffer overflow flaw was discovered in the trace subsystem.

CVE-2017-7487

    Li Qiang reported a reference counter leak in the ipxitf_ioctl
    function which may result into a use-after-free vulnerability,
    triggerable when a IPX interface is configured.

CVE-2017-7645

    Tuomas Haanpaa and Matti Kamunen from Synopsys Ltd discovered that
    the NFSv2 and NFSv3 server implementations are vulnerable to an
    out-of-bounds memory access issue while processing arbitrarily long
    arguments sent by NFSv2/NFSv3 PRC clients, leading to a denial of
    service.

CVE-2017-7895

    Ari Kauppi from Synopsys Ltd discovered that the NFSv2 and NFSv3
    server implementations do not properly handle payload bounds
    checking of WRITE requests. A remote attacker with write access to a
    NFS mount can take advantage of this flaw to read chunks of
    arbitrary memory from both kernel-space and user-space.

CVE-2017-8064

    Arnd Bergmann found that the DVB-USB core misused the device
    logging system, resulting in a use-after-free vulnerability, with
    unknown security impact.

CVE-2017-8890

    It was discovered that the net_csk_clone_lock() function allows a
    remote attacker to cause a double free leading to a denial of
    service or potentially have other impact.

CVE-2017-8924

    Johan Hovold found that the io_ti USB serial driver could leak
    sensitive information if a malicious USB device was connected.

CVE-2017-8925

    Johan Hovold found a reference counter leak in the omninet USB
    serial driver, resulting in a use-after-free vulnerability.  This
    can be triggered by a local user permitted to open tty devices.

CVE-2017-9074

    Andrey Konovalov reported that the IPv6 fragmentation
    implementation could read beyond the end of a packet buffer.  A
    local user or guest VM might be able to use this to leak sensitive
    information or to cause a denial of service (crash).

CVE-2017-9075

    Andrey Konovalov reported that the SCTP/IPv6 implementation
    wrongly initialised address lists on connected sockets, resulting
    in a use-after-free vulnerability, a similar issue to
    CVE-2017-8890.  This can be triggered by any local user.

CVE-2017-9076 / CVE-2017-9077

    Cong Wang found that the TCP/IPv6 and DCCP/IPv6 implementations
    wrongly initialised address lists on connected sockets, a similar
    issue to CVE-2017-9075.

CVE-2017-9242

    Andrey Konovalov reported a packet buffer overrun in the IPv6
    implementation.  A local user could use this for denial of service
    (memory corruption; crash) and possibly for privilege escalation.

CVE-2017-1000364

    The Qualys Research Labs discovered that the size of the stack guard
    page is not sufficiently large. The stack-pointer can jump over the
    guard-page and moving from the stack into another memory region
    without accessing the guard-page. In this case no page-fault
    exception is raised and the stack extends into the other memory
    region. An attacker can exploit this flaw for privilege escalation.

    The default stack gap protection is set to 256 pages and can be
    configured via the stack_guard_gap kernel parameter on the kernel
    command line.

    Further details can be found at
    https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u1 or earlier versions before the stretch release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3889-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
June 19, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libffi
CVE ID         : CVE-2017-1000376
Debian Bug     : 751907

libffi, a library used to call code written in one language from code written
in a different language, was enforcing an executable stack on the i386
architecture. While this might not be considered a vulnerability by itself,
this could be leveraged when exploiting other vulnerabilities, like for example
the "stack clash" class of vulnerabilities discovered by Qualys Research Labs.
For the full details, please refer to their advisory published at:
https://www.qualys.c...stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed
in version 3.1-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 3.2.1-4.

For the testing distribution (buster), this problem has been fixed
in version 3.2.1-4.

For the unstable distribution (sid), this problem has been fixed in
version 3.2.1-4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1286 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,201 posts

Posted 21 June 2017 - 08:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3890-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 21, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-9736
Debian Bug     : 864921

Emeric Boit of ANSSI reported that SPIP, a website engine for
publishing, insufficiently sanitises the value from the X-Forwarded-Host
HTTP header field. An unauthenticated attacker can take advantage of
this flaw to cause remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-3~deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 3.1.4-3.

For the unstable distribution (sid), this problem has been fixed in
version 3.1.4-3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users