Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1255 replies to this topic

#1226 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 22 February 2017 - 07:50 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3787-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat7

The update for tomcat7 issued as DSA-3787-1 caused that the server could
return HTTP 400 errors under certain circumstances. Updated packages are
now available to correct this issue. For reference, the original
advisory text follows.

It was discovered that a programming error in the processing of HTTPS
requests in the Apache Tomcat servlet and JSP engine may result in
denial of service via an infinite loop.

For the stable distribution (jessie), this problem has been fixed in
version 7.0.56-3+deb8u9.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3788-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat8

The update for tomcat8 issued as DSA-3788-1 caused that the server could
return HTTP 400 errors under certain circumstances. Updated packages are
now available to correct this issue. For reference, the original
advisory text follows.

It was discovered that a programming error in the processing of HTTPS
requests in the Apache Tomcat servlet and JSP engine may result in
denial of service via an infinite loop.

For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u8.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3791-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2016-6786 CVE-2016-6787 CVE-2016-8405 CVE-2016-9191
                 CVE-2017-2583 CVE-2017-2584 CVE-2017-2596 CVE-2017-2618
                 CVE-2017-5549 CVE-2017-5551 CVE-2017-5897 CVE-2017-5970
                 CVE-2017-6001 CVE-2017-6074

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

CVE-2016-6786 / CVE-2016-6787

    It was discovered that the performance events subsystem does not
    properly manage locks during certain migrations, allowing a local
    attacker to escalate privileges.  This can be mitigated by
    disabling unprivileged use of performance events:
    sysctl kernel.perf_event_paranoid=3

CVE-2016-8405

    Peter Pi of Trend Micro discovered that the frame buffer video
    subsystem does not properly check bounds while copying color maps to
    userspace, causing a heap buffer out-of-bounds read, leading to
    information disclosure.

CVE-2016-9191

    CAI Qian discovered that reference counting is not properly handled
    within proc_sys_readdir in the sysctl implementation, allowing a
    local denial of service (system hang) or possibly privilege
    escalation.

CVE-2017-2583

    Xiaohan Zhang reported that KVM for amd64 does not correctly
    emulate loading of a null stack selector.  This can be used by a
    user in a guest VM for denial of service (on an Intel CPU) or to
    escalate privileges within the VM (on an AMD CPU).

CVE-2017-2584

    Dmitry Vyukov reported that KVM for x86 does not correctly emulate
    memory access by the SGDT and SIDT instructions, which can result
    in a use-after-free and information leak.

CVE-2017-2596

    Dmitry Vyukov reported that KVM leaks page references when
    emulating a VMON for a nested hypervisor.  This can be used by a
    privileged user in a guest VM for denial of service or possibly
    to gain privileges in the host.

CVE-2017-2618

    It was discovered that an off-by-one in the handling of SELinux
    attributes in /proc/pid/attr could result in local denial of
    service.

CVE-2017-5549

    It was discovered that the KLSI KL5KUSB105 serial USB device
    driver could log the contents of uninitialised kernel memory,
    resulting in an information leak.

CVE-2017-5551

    Jan Kara found that changing the POSIX ACL of a file on tmpfs never
    cleared its set-group-ID flag, which should be done if the user
    changing it is not a member of the group-owner. In some cases, this
    would allow the user-owner of an executable to gain the privileges
    of the group-owner.

CVE-2017-5897

    Andrey Konovalov discovered an out-of-bounds read flaw in the
    ip6gre_err function in the IPv6 networking code.

CVE-2017-5970

    Andrey Konovalov discovered a denial-of-service flaw in the IPv4
    networking code.  This can be triggered by a local or remote
    attacker if a local UDP or raw socket has the IP_RETOPTS option
    enabled.

CVE-2017-6001

    Di Shen discovered a race condition between concurrent calls to
    the performance events subsystem, allowing a local attacker to
    escalate privileges. This flaw exists because of an incomplete fix
    of CVE-2016-6786.  This can be mitigated by disabling unprivileged
    use of performance events: sysctl kernel.perf_event_paranoid=3

CVE-2017-6074

    Andrey Konovalov discovered a use-after-free vulnerability in the
    DCCP networking code, which could result in denial of service or
    local privilege escalation.  On systems that do not already have
    the dccp module loaded, this can be mitigated by disabling it:
    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

For the stable distribution (jessie), these problems have been fixed in
version 3.16.39-1+deb8u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1227 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 24 February 2017 - 06:53 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3792-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 23, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2017-3157

Ben Hayak discovered that objects embedded in Writer and Calc documents
may result in information disclosure. Please see
https://www.libreoff.../cve-2017-3157/
for additional information.

For the stable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u6.

For the testing distribution (stretch), this problem has been fixed
in version 1:5.2.3-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.2.3-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3793-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 24, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : shadow
CVE ID         : CVE-2016-6252 CVE-2017-2616
Debian Bug     : 832170 855943

Several vulnerabilities were discovered in the shadow suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-6252

    An integer overflow vulnerability was discovered, potentially
    allowing a local user to escalate privileges via crafted input to
    the newuidmap utility.

CVE-2017-2616

    Tobias Stoeckmann discovered that su does not properly handle
    clearing a child PID. A local attacker can take advantage of this
    flaw to send SIGKILL to other processes with root privileges,
    resulting in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1:4.2-3+deb8u3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1228 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 26 February 2017 - 05:22 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3794-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 25, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : munin
CVE ID         : CVE-2017-6188
Debian Bug     : 855705

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET
parameters are not properly handled, allowing to inject options into
munin-cgi-graph and overwriting any file accessible accessible by the
user running the cgi-process.

For the stable distribution (jessie), this problem has been fixed in
version 2.0.25-1+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3795-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 26, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2017-3135
Debian Bug     : 855520

It was discovered that a maliciously crafted query can cause ISC's
BIND DNS server (named) to crash if both Response Policy Zones (RPZ)
and DNS64 (a bridge between IPv4 and IPv6 networks) are enabled.  It
is uncommon for both of these options to be used in combination, so
very few systems will be affected by this problem in practice.

This update also corrects an additional regression caused by the fix
for CVE-2016-8864, which was applied in a previous security update.

For the stable distribution (jessie), this problem has been fixed in
version 1:9.9.5.dfsg-9+deb8u10.

For the testing (stretch) and unstable (sid) distributions, this
problem has been fixed in version 1:9.10.3.dfsg.P4-12.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1229 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 26 February 2017 - 06:47 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3796-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 26, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2016-0736 CVE-2016-2161 CVE-2016-8743

Several vulnerabilities were discovered in the Apache2 HTTP server.

CVE-2016-0736

  RedTeam Pentesting GmbH discovered that mod_session_crypto was
  vulnerable to padding oracle attacks, which could allow an attacker
  to guess the session cookie.

CVE-2016-2161

  Maksim Malyutin discovered that malicious input to mod_auth_digest
  could cause the server to crash, causing a denial of service.

CVE-2016-8743

  David Dennerline, of IBM Security's X-Force Researchers, and Régis
  Leroy discovered problems in the way Apache handled a broad pattern
  of unusual whitespace patterns in HTTP requests. In some
  configurations, this could lead to response splitting or cache
  pollution vulnerabilities.  To fix these issues, this update makes
  Apache httpd be more strict in what HTTP requests it accepts.

  If this causes problems with non-conforming clients, some checks can
  be relaxed by adding the new directive "HttpProtocolOptions unsafe"
  to the configuration.

This update also fixes the issue where mod_reqtimeout was not enabled
by default on new installations.

For the stable distribution (jessie), these problems have been fixed in
version 2.4.10-10+deb8u8.

For the testing (stretch) and unstable (sid) distributions, these
problems have been fixed in version 2.4.25-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1230 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 02 March 2017 - 11:20 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3797-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2017                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2016-8674 CVE-2017-5896 CVE-2017-5991

Multiple vulnerabilities have been found in the PDF viewer MuPDF, which
may result in denial of service or the execution of arbitrary code if
a malformed PDF file is opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.5-1+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 1.9a+ds1-4.

For the unstable distribution (sid), these problems have been fixed in
version 1.9a+ds1-4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3798-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 01, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tnef
CVE ID         : CVE-2017-6307 CVE-2017-6308 CVE-2017-6309 CVE-2017-6310
Debian Bug     : 856117

Eric Sesterhenn, from X41 D-Sec GmbH, discovered several
vulnerabilities in tnef, a tool used to unpack MIME attachments of
type "application/ms-tnef". Multiple heap overflows, type confusions
and out of bound reads and writes could be exploited by tricking a
user into opening a malicious attachment. This would result in denial
of service via application crash, or potential arbitrary code
execution.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.9-1+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3799-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 01, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2016-8707 CVE-2016-10062 CVE-2016-10144
                 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506
CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug     : 851485 851483 851380 848139 851383 851382 851381
                 851374 851376 849439

This update fixes several vulnerabilities in imagemagick: Various
memory handling problems and cases of missing or incomplete input
sanitising may result in denial of service or the execution of arbitrary
code if malformed TIFF, WPG, IPL, MPC or PSB files are processed.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u7.

For the testing distribution (stretch), these problems have been fixed
in version 8:6.9.7.4+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 8:6.9.7.4+dfsg-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3794-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 02, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : munin
Debian Bug     : 856455

The update for munin issues as DSA-3794-1 caused a regression in the
zooming functionality in munin-cgi-graph. Updated packages are now
available to correct this issue. For reference, the original advisory
text follows.

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET
parameters are not properly handled, allowing to inject options into
munin-cgi-graph and overwriting any file accessible by the user running
the cgi-process.

For the stable distribution (jessie), this problem has been fixed in
version 2.0.25-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.32-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3800-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 02, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libquicktime
CVE ID         : CVE-2016-2399
Debian Bug     : 855099

Marco Romano discovered that libquicktime, a library for reading and
writing QuickTime files, was vulnerable to an integer overflow
attack. When opened, a specially crafted MP4 file would cause a denial
of service by crashing the application.

For the stable distribution (jessie), this problem has been fixed in
version 2:1.2.4-7+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.2.4-10.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1231 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 05 March 2017 - 06:57 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3794-3                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 03, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : munin
Debian Bug     : 856536

The update for munin issued as DSA-3794-2 caused a regression leading to
Perl warnings being appended to the munin-cgi-graph log file. Updated
packages are now available to correct this issue. For reference, the
original advisory text follows.

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET
parameters are not properly handled, allowing to inject options into
munin-cgi-graph and overwriting any file accessible by the user running
the cgi-process.

For the stable distribution (jessie), this problem has been fixed in
version 2.0.25-1+deb8u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3801-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 04, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-zip
CVE ID         : CVE-2017-5946
Debian Bug     : 856269

It was discovered that ruby-zip, a Ruby module for reading and writing
zip files, is prone to a directory traversal vulnerability. An attacker
can take advantage of this flaw to overwrite arbitrary files during
archive extraction via a .. (dot dot) in an extracted filename.

For the stable distribution (jessie), this problem has been fixed in
version 1.1.6-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.2.0-1.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.2.0-1.1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3802-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 05, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zabbix
CVE ID         : CVE-2016-10134

An SQL injection vulnerability has been discovered in the "Latest data"
page of the web frontend of the Zabbix network monitoring system

For the stable distribution (jessie), this problem has been fixed in
version 1:2.2.7+dfsg-2+deb8u2.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1:3.0.7+dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.0.7+dfsg-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1232 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 08 March 2017 - 04:57 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3803-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 08, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : texlive-base
CVE ID         : CVE-2016-10243

It was discovered that texlive-base, the TeX Live package which provides
the essential TeX programs and files, whitelists mpost as an external
program to be run from within the TeX source code (called \write18).
Since mpost allows to specify other programs to be run, an attacker can
take advantage of this flaw for arbitrary code execution when compiling
a TeX document.

For the stable distribution (jessie), this problem has been fixed in
version 2014.20141024-2+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 2016.20161130-1.

For the unstable distribution (sid), this problem has been fixed in
version 2016.20161130-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3804-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 08, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2016-9588 CVE-2017-2636 CVE-2017-5669 CVE-2017-5986
                 CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348
                 CVE-2017-6353

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or have other
impacts.

CVE-2016-9588

    Jim Mattson discovered that the KVM implementation for Intel x86
    processors does not properly handle #BP and #OF exceptions in an
    L2 (nested) virtual machine. A local attacker in an L2 guest VM
    can take advantage of this flaw to cause a denial of service for
    the L1 guest VM.

CVE-2017-2636

    Alexander Popov discovered a race condition flaw in the n_hdlc
    line discipline that can lead to a double free. A local
    unprivileged user can take advantage of this flaw for privilege
    escalation. On systems that do not already have the n_hdlc module
    loaded, this can be mitigated by disabling it:
    echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false

CVE-2017-5669

    Gareth Evans reported that privileged users can map memory at
    address 0 through the shmat() system call. This could make it
    easier to exploit other kernel security vulnerabilities via a
    set-UID program.

CVE-2017-5986

    Alexander Popov reported a race condition in the SCTP
    implementation that can be used by local users to cause a
    denial-of-service (crash). The initial fix for this was incorrect
    and introduced further security issues (CVE-2017-6353). This
    update includes a later fix that avoids those. On systems that do
    not already have the sctp module loaded, this can be mitigated by
    disabling it:
    echo >> /etc/modprobe.d/disable-sctp.conf install sctp false

CVE-2017-6214

    Dmitry Vyukov reported a bug in the TCP implementation's handling
    of urgent data in the splice() system call. This can be used by a
    remote attacker for denial-of-service (hang) against applications
    that read from TCP sockets with splice().

CVE-2017-6345

    Andrey Konovalov reported that the LLC type 2 implementation
    incorrectly assigns socket buffer ownership. This can be used
    by a local user to cause a denial-of-service (crash). On systems
    that do not already have the llc2 module loaded, this can be
    mitigated by disabling it:
    echo >> /etc/modprobe.d/disable-llc2.conf install llc2 false

CVE-2017-6346

    Dmitry Vyukov reported a race condition in the raw packet (af_packet)
    fanout feature. Local users with the CAP_NET_RAW capability (in any
    user namespace) can use this for denial-of-service and possibly for
    privilege escalation.

CVE-2017-6348

    Dmitry Vyukov reported that the general queue implementation in
    the IrDA subsystem does not properly manage multiple locks,
    possibly allowing local users to cause a denial-of-service
    (deadlock) via crafted operations on IrDA devices.

For the stable distribution (jessie), these problems have been fixed in
version 3.16.39-1+deb8u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1233 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 09 March 2017 - 10:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3805-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 08, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402
                 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408
                 CVE-2017-5410

Multiple security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees and other
implementation errors may lead to the execution of arbitrary code, ASLR
bypass, information disclosure or denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 45.8.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 45.8.0esr-1 of firefox-esr and version 52.0-1 of firefox.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1234 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 10 March 2017 - 07:08 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3806-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
March 10, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pidgin
CVE ID         : CVE-2017-2640

It was discovered a vulnerability in Pidgin, a multi-protocol instant
messaging client. A server controlled by an attacker can send an invalid
XML that can trigger an out-of-bound memory access. This might lead to a
crash or, in some extreme cases, to remote code execution in the
client-side.

For the stable distribution (jessie), this problem has been fixed in
version 2.11.0-0+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.12.0-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1235 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 13 March 2017 - 06:46 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3807-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 12, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icoutils
CVE ID         : CVE-2017-6009 CVE-2017-6010 CVE-2017-6011

Multiple vulnerabilities were discovered in the icotool and wrestool
tools of Icoutils, a set of programs that deal with MS Windows icons and
cursors, which may result in denial of service or the execution of
arbitrary code if a malformed .ico or .exe file is processed.

For the stable distribution (jessie), these problems have been fixed in
version 0.31.0-2+deb8u3.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 0.31.2-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.31.2-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3808-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 13, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-6498 CVE-2017-6499 CVE-2017-6500
Debian Bug     : 856878 856879 856880 857426 844594

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service or the execution of arbitrary code if
malformed TGA, Sun or PSD files are processed.

This update also fixes visual artefacts when running -sharpen on CMYK
images (no security impact, but piggybacked on top of the security
update with approval of the Debian stable release managers since it's
a regression in jessie compared to wheezy).

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u8.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 8:6.9.7.4+dfsg-2.

For the unstable distribution (sid), these problems have been fixed in
version 8:6.9.7.4+dfsg-2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1236 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 17 March 2017 - 11:00 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3809-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 14, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.0
CVE ID         : CVE-2017-3302 CVE-2017-3313

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.30. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/...-release-notes/

For the stable distribution (jessie), these problems have been fixed in
version 10.0.30-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3810-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 15, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5029 CVE-2017-5030 CVE-2017-5031 CVE-2017-5032
                 CVE-2017-5033 CVE-2017-5034 CVE-2017-5035 CVE-2017-5036
                 CVE-2017-5037 CVE-2017-5038 CVE-2017-5039 CVE-2017-5040
                 CVE-2017-5041 CVE-2017-5042 CVE-2017-5043 CVE-2017-5044
                 CVE-2017-5045 CVE-2017-5046

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5029

    Holger Fuhrmannek discovered an integer overflow issue in the libxslt
    library.

CVE-2017-5030

    Brendon Tiszka discovered a memory corruption issue in the v8 javascript
    library.

CVE-2017-5031

    Looben Yang discovered a use-after-free issue in the ANGLE library.

CVE-2017-5032

    Ashfaq Ansari discovered an out-of-bounds write in the pdfium library.

CVE-2017-5033

    Nicolai Grødum discovered a way to bypass the Content Security Policy.

CVE-2017-5034

    Ke Liu discovered an integer overflow issue in the pdfium library.

CVE-2017-5035

    Enzo Aguado discovered an issue with the omnibox.

CVE-2017-5036

    A use-after-free issue was discovered in the pdfium library.

CVE-2017-5037

    Yongke Wang discovered multiple out-of-bounds write issues.

CVE-2017-5038

    A use-after-free issue was discovered in the guest view.

CVE-2017-5039

    jinmo123 discovered a use-after-free issue in the pdfium library.

CVE-2017-5040

    Choongwoo Han discovered an information disclosure issue in the v8
    javascript library.

CVE-2017-5041

    Jordi Chancel discovered an address spoofing issue.

CVE-2017-5042

    Mike Ruddy discovered incorrect handling of cookies.

CVE-2017-5043

    Another use-after-free issue was discovered in the guest view.

CVE-2017-5044

    Kushal Arvind Shah discovered a heap overflow issue in the skia
    library.

CVE-2017-5045

    Dhaval Kapil discovered an information disclosure issue.

CVE-2017-5046

    Masato Kinugawa discovered an information disclosure issue.

For the stable distribution (jessie), these problems have been fixed in
version 57.0.2987.98-1~deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions, these
problems have been fixed in version 57.0.2987.98-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1237 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 18 March 2017 - 10:35 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3811-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2017-5596 CVE-2017-5597 CVE-2017-6014 CVE-2017-6467
                 CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471
                 CVE-2017-6472 CVE-2017-6473 CVE-2017-6474

It was discovered that wireshark, a network protocol analyzer, contained
several vulnerabilities in the dissectors for ASTERIX , DHCPv6,
NetScaler, LDSS, IAX2, WSP, K12 and STANAG 4607, that could lead to
various crashes, denial-of-service or execution of arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+g01b65bf-4+deb8u11.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.5+g440fd4d-2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3812-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ioquake3
CVE ID         : CVE-2017-6903

It was discovered that ioquake3, a modified version of the ioQuake3 game
engine performs insufficent restrictions on automatically downloaded
content (pk3 files or game code), which allows malicious game servers to
modify configuration settings including driver settings.

For the stable distribution (jessie), this problem has been fixed in
version 1.36+u20140802+gca9eebb-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.36+u20161101+dfsg1-2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1238 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 19 March 2017 - 05:52 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3813-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 19, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : r-base
CVE ID         : CVE-2016-8714

Cory Duplantis discovered a buffer overflow in the R programming
langauage. A malformed encoding file may lead to the execution of
arbitrary code during PDF generation.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.1-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 3.3.3-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.3.3-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1239 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 20 March 2017 - 06:54 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3796-2                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 20, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sitesummary
Debian Bug     : 852623

DSA-3796-1 for apache2 introduced a regression in sitesummary: fixing
CVE-2016-8743 meant being more stringent when dealing with whitespace
patterns in HTTP requests, and that change broke the upload tool of
sitesummary-client.

For the stable distribution (jessie), this problem has been fixed in
version 0.1.17+deb8u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1240 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 22 March 2017 - 07:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3814-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 22, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : audiofile
CVE ID         : CVE-2017-6827 CVE-2017-6828 CVE-2017-6829 CVE-2017-6830
                 CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834
                 CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838
                 CVE-2017-6839
Debian Bug     : 857651

Several vulnerabilities have been discovered in the audiofile library,
which may result in denial of service or the execution of arbitrary code
if a malformed audio file is processed.

For the stable distribution (jessie), these problems have been fixed in
version 0.3.6-2+deb8u2.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 0.3.6-4.

For the unstable distribution (sid), these problems have been fixed in
version 0.3.6-4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1241 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 23 March 2017 - 05:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3815-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 23, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2017-6814 CVE-2017-6815 CVE-2017-6816 CVE-2017-6817
Debian Bug     : 857026

Several vulnerabilities were discovered in wordpress, a web blogging
tool. They would allow remote attackers to delete unintended files,
mount Cross-Site Scripting attacks, or bypass redirect URL validation
mechanisms.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u13.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 4.7.3+dfsg-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3816-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 23, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2017-2619

Jann Horn of Google discovered a time-of-check, time-of-use race
condition in Samba, a SMB/CIFS file, print, and login server for Unix. A
malicious client can take advantage of this flaw by exploting a symlink
race to access areas of the server file system not exported under a
share definition.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.2.14+dfsg-0+deb8u4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.5.6+dfsg-2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1242 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 25 March 2017 - 01:59 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3817-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jbig2dec
CVE ID         : CVE-2016-9601

Multiple security issues have been found in the JBIG2 decoder library,
which may lead to lead to denial of service or the execution of arbitrary
code if a malformed image file (usually embedded in a PDF document) is
opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.13-4~deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 0.13-4.

For the unstable distribution (sid), this problem has been fixed in
version 0.13-4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1243 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 27 March 2017 - 06:06 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3818-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : CVE-2016-9809 CVE-2016-9812 CVE-2016-9813 CVE-2017-5843
                 CVE-2017-5848

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2.1+deb8u2.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3819-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : CVE-2016-9811 CVE-2017-5837 CVE-2017-5839 CVE-2017-5842
                 CVE-2017-5844

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3820-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2016-10198 CVE-2016-10199 CVE-2017-5840 CVE-2017-5841
                 CVE-2017-5845

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u3.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.3-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.3-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3821-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-ugly1.0
CVE ID         : CVE-2017-5846 CVE-2017-5847

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3822-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gstreamer1.0
CVE ID         : CVE-2017-5838

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.10.3-1.

For the unstable distribution (sid), this problem has been fixed in
version version 1.10.3-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1244 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 28 March 2017 - 08:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3823-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : eject
CVE ID         : CVE-2017-6964
Debian Bug     : 858872

Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
check if a given device is an encrypted device handled by devmapper, and
used in eject, does not check return values from setuid() and setgid()
when dropping privileges.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1245 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 29 March 2017 - 05:38 PM

-------------------------------------------------------------------------
Debian Security Advisory DSA-3798-2                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tnef
Debian Bug     : 857342

DSA-3798-1 for tnef introduced a regression that caused crashes on
some attachments.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.9-1+deb8u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3824-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firebird2.5
CVE ID         : CVE-2017-6369
Debian Bug     : 858641

George Noseevich discovered that firebird2.5, a relational database
system, did not properly check User-Defined Functions (UDF), thus
allowing remote authenticated users to execute arbitrary code on the
firebird server.

For the stable distribution (jessie), this problem has been fixed in
version 2.5.3.26778.ds4-5+deb8u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1246 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 01 April 2017 - 10:04 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3825-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 31, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jhead
CVE ID         : CVE-2016-3822
Debian Bug     : 858213

It was discovered that jhead, a tool to manipulate the non-image part of
EXIF compliant JPEG files, is prone to an out-of-bounds access
vulnerability, which may result in denial of service or, potentially,
the execution of arbitrary code if an image with specially crafted EXIF
data is processed.

For the stable distribution (jessie), this problem has been fixed in
version 1:2.97-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1:3.00-4.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.00-4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1247 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 02 April 2017 - 07:02 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3816-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
Debian Bug     : 858564 858590 858648 859101

Two regressions were introduced by the samba update in DSA-3816-1.
Updated packages are now available to address these problems.
Additionally a regression from DSA-3548-1 causing `net ads join` to
freeze when run a second time is fixed along with this update. For
reference, the original advisory text follows.

Jann Horn of Google discovered a time-of-check, time-of-use race
condition in Samba, a SMB/CIFS file, print, and login server for Unix. A
malicious client can take advantage of this flaw by exploiting a symlink
race to access areas of the server file system not exported under a
share definition.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.2.14+dfsg-0+deb8u5.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1248 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 04 April 2017 - 08:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3826-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 04, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tryton-server
CVE ID         : CVE-2017-0360

It was discovered that the original patch to address CVE-2016-1242 did
not cover all cases, which may result in information disclosure of file
contents.

For the stable distribution (jessie), this problem has been fixed in
version 3.4.0-3+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 4.2.1-2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1249 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 07 April 2017 - 09:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3827-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 07, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jasper
CVE ID         : CVE-2016-9591 CVE-2016-10249 CVE-2016-10251

Multiple vulnerabilities have been discovered in the JasPer library for
processing JPEG-2000 images, which may result in denial of service or
the execution of arbitrary code if a malformed image is processed.

For the stable distribution (jessie), these problems have been fixed in
version 1.900.1-debian1-2.4+deb8u3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1250 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,132 posts

Posted 10 April 2017 - 08:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3828-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 10, 2017                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2017-2669
Debian Bug     : 860049

It was discovered that the Dovecot email server is vulnerable to a
denial of service attack. When the "dict" passdb and userdb are used
for user authentication, the username sent by the IMAP/POP3 client is
sent through var_expand() to perform %variable expansion. Sending
specially crafted %variable fields could result in excessive memory
usage causing the process to crash (and restart).

For the stable distribution (jessie), this problem has been fixed in
version 1:2.2.13-12~deb8u2.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users