Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1353 replies to this topic

#1301 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 25 July 2017 - 07:14 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3918-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 25, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
CVE ID         : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
                 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
                 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
                 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
                 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

Debian follows the extended support releases (ESR) of Thunderbird.
Support for the 45.x series has ended, so starting with this update
we're now following the 52.x releases.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.2.1-4~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.2.1-4~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3919-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 25, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2017-10053 CVE-2017-10067 CVE-2017-10074
                 CVE-2017-10078 CVE-2017-10081 CVE-2017-10087
CVE-2017-10089 CVE-2017-10090 CVE-2017-10096
CVE-2017-10101 CVE-2017-10102 CVE-2017-10107
                 CVE-2017-10108 CVE-2017-10109 CVE-2017-10110
CVE-2017-10111 CVE-2017-10115 CVE-2017-10116
CVE-2017-10118 CVE-2017-10135 CVE-2017-10176
CVE-2017-10193 CVE-2017-10198

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in sandbox bypass,
use of insecure cryptography, side channel attacks, information
disclosure, the execution of arbitrary code, denial of service or
bypassing Jar verification.

For the stable distribution (stretch), these problems have been fixed in
version 8u141-b15-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 8u141-b15-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3920-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 25, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2017-9310 CVE-2017-9330 CVE-2017-9373 CVE-2017-9374
                 CVE-2017-9375 CVE-2017-9524 CVE-2017-10664 CVE-2017-10911

Multiple vulnerabilities were found in in qemu, a fast processor
emulator:

CVE-2017-9310

    Denial of service via infinite loop in e1000e NIC emulation.

CVE-2017-9330

    Denial of service via infinite loop in USB OHCI emulation.

CVE-2017-9373

    Denial of service via memory leak in IDE AHCI emulation.

CVE-2017-9374

    Denial of service via memory leak in USB EHCI emulation.

CVE-2017-9375

    Denial of service via memory leak in USB XHCI emulation.

CVE-2017-9524

    Denial of service in qemu-nbd server.

CVE-2017-10664

    Denial of service in qemu-nbd server.

CVE-2017-10911

    Information leak in Xen blkif response handling.

For the oldstable distribution (jessie), a separate DSA will be issued.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u1.

For the unstable distribution (sid), these problems will be fixed soon.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1302 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 28 July 2017 - 09:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3921-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 28, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : enigmail
Debian Bug     : 869774

In DSA 3918 Thunderbird was upgraded to the latest ESR series. This
update upgrades Enigmail, the OpenPGP extention for Thunderbird,
to version 1.9.8.1 to restore full compatibility.

For the oldstable distribution (jessie), this problem has been fixed
in version 2:1.9.8.1-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.9.8.1-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3922-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 28, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648
                 CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
Debian Bug     : 868788

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.57, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.co...ews-5-5-56.html
https://dev.mysql.co...ews-5-5-57.html
http://www.oracle.co...17-3236622.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.57-0+deb8u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1303 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 05 August 2017 - 08:11 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3923-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 01, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freerdp
CVE ID         : CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 CVE-2017-2837
                 CVE-2017-2838 CVE-2017-2839
Debian Bug     : 869880

Tyler Bohan of Talos discovered that FreeRDP, a free implementation of
the Remote Desktop Protocol (RDP), contained several vulnerabilities
that allowed a malicious remote server or a man-in-the-middle to
either cause a DoS by forcibly terminating the client, or execute
arbitrary code on the client side.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.0~git20140921.1.440916e+dfsg1-14.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3924-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 02, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : varnish
CVE ID         : not yet assigned
Debian Bug     : 870467

A denial of service vulnerability was discovered in Varnish, a state of
the art, high-performance web accelerator. Specially crafted HTTP
requests can cause the Varnish daemon to assert and restart, clearing
the cache in the process.

See https://varnish-cach...y/VSV00001.html for details.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.0.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.0-7+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3925-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 04, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2017-9524 CVE-2017-10806 CVE-2017-11334
                 CVE-2017-11443
Debian Bug     : 865755 869171 869173 867751 869945

Multiple vulnerabilities were found in qemu, a fast processor emulator:

CVE-2017-9524

    Denial of service in qemu-nbd server

CVE-2017-10806

    Buffer overflow in USB redirector

CVE-2017-11334

    Out-of-band memory access in DMA operations

CVE-2017-11443

    Out-of-band memory access in SLIRP/DHCP

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3926-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
August 04, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2017-5087 CVE-2017-5088 CVE-2017-5089 CVE-2017-5091
                 CVE-2017-5092 CVE-2017-5093 CVE-2017-5094 CVE-2017-5095
                 CVE-2017-5097 CVE-2017-5098 CVE-2017-5099 CVE-2017-5100
                 CVE-2017-5101 CVE-2017-5102 CVE-2017-5103 CVE-2017-5104
                 CVE-2017-5105 CVE-2017-5106 CVE-2017-5107 CVE-2017-5108
                 CVE-2017-5109 CVE-2017-5110 CVE-2017-7000

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-5087

    Ned Williamson discovered a way to escape the sandbox.

CVE-2017-5088

    Xiling Gong discovered an out-of-bounds read issue in the v8 javascript
    library.

CVE-2017-5089

    Michal Bentkowski discovered a spoofing issue.

CVE-2017-5091

    Ned Williamson discovered a use-after-free issue in IndexedDB.

CVE-2017-5092

    Yu Zhou discovered a use-after-free issue in PPAPI.

CVE-2017-5093

    Luan Herrera discovered a user interface spoofing issue.

CVE-2017-5094

    A type confusion issue was discovered in extensions.

CVE-2017-5095

    An out-of-bounds write issue was discovered in the pdfium library.

CVE-2017-5097

    An out-of-bounds read issue was discovered in the skia library.

CVE-2017-5098

    Jihoon Kim discover a use-after-free issue in the v8 javascript library.

CVE-2017-5099

    Yuan Deng discovered an out-of-bounds write issue in PPAPI.

CVE-2017-5100

    A use-after-free issue was discovered in Chrome Apps.

CVE-2017-5101

    Luan Herrera discovered a URL spoofing issue.

CVE-2017-5102

    An uninitialized variable was discovered in the skia library.

CVE-2017-5103

    Another uninitialized variable was discovered in the skia library.

CVE-2017-5104

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2017-5105

    Rayyan Bijoora discovered a URL spoofing issue.

CVE-2017-5106

    Jack Zac discovered a URL spoofing issue.

CVE-2017-5107

    David Kohlbrenner discovered an information leak in SVG file handling.

CVE-2017-5108

    Guang Gong discovered a type confusion issue in the pdfium library.

CVE-2017-5109

    Jose Maria Acuna Morgado discovered a user interface spoofing issue.

CVE-2017-5110

    xisigr discovered a way to spoof the payments dialog.

CVE-2017-7000

    Chaitin Security Research Lab discovered an information disclosure
    issue in the sqlite library.

For the stable distribution (stretch), these problems have been fixed in
version 60.0.3112.78-1~deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 60.0.3112.78-1 or earlier versions.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1304 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 08 August 2017 - 03:56 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3927-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 07, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541
                 CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911
                 CVE-2017-11176 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-7346

    Li Qiang discovered that the DRM driver for VMware virtual GPUs does
    not properly check user-controlled values in the
    vmw_surface_define_ioctl() functions for upper limits. A local user
    can take advantage of this flaw to cause a denial of service.

CVE-2017-7482

    Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does
    not properly verify metadata, leading to information disclosure,
    denial of service or potentially execution of arbitrary code.

CVE-2017-7533

    Fan Wu and Shixiong Zhao discovered a race condition between inotify
    events and VFS rename operations allowing an unprivileged local
    attacker to cause a denial of service or escalate privileges.

CVE-2017-7541

    A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN
    driver could allow a local user to cause kernel memory corruption,
    leading to a denial of service or potentially privilege escalation.

CVE-2017-7542

    An integer overflow vulnerability in the ip6_find_1stfragopt()
    function was found allowing a local attacker with privileges to open
    raw sockets to cause a denial of service.

CVE-2017-9605

    Murray McAllister discovered that the DRM driver for VMware virtual
    GPUs does not properly initialize memory, potentially allowing a
    local attacker to obtain sensitive information from uninitialized
    kernel memory via a crafted ioctl call.

CVE-2017-10810

    Li Qiang discovered a memory leak flaw within the VirtIO GPU driver
    resulting in denial of service (memory consumption).

CVE-2017-10911 / XSA-216

    Anthony Perard of Citrix discovered an information leak flaw in Xen
    blkif response handling, allowing a malicious unprivileged guest to
    obtain sensitive information from the host or other guests.

CVE-2017-11176

    It was discovered that the mq_notify() function does not set the
    sock pointer to NULL upon entry into the retry logic. An attacker
    can take advantage of this flaw during a user-space close of a
    Netlink socket to cause a denial of service or potentially cause
    other impact.

CVE-2017-1000365

    It was discovered that argument and environment pointers are not
    taken properly into account to the imposed size restrictions on
    arguments and environmental strings passed through
    RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of
    this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems will be fixed in
a subsequent DSA.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1305 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 10 August 2017 - 06:39 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3928-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
                 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
                 CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802
                 CVE-2017-7803 CVE-2017-7807 CVE-2017-7809

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees, buffer
overflows and other implementation errors may lead to the execution of
arbitrary code, denial of service, bypass of the same-origin policy or
incorrect enforcement of CSP.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.3.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.3.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3929-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libsoup2.4
CVE ID         : CVE-2017-2885
Debian Bug     : 871650

Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer
overflow vulnerability in libsoup2.4, a HTTP library implementation in
C. A remote attacker can take advantage of this flaw by sending a
specially crafted HTTP request to cause an application using the
libsoup2.4 library to crash (denial of service), or potentially execute
arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.48.0-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.56.0-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3930-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freeradius
CVE ID         : CVE-2017-10978 CVE-2017-10979 CVE-2017-10980 CVE-2017-10981
                 CVE-2017-10982 CVE-2017-10983 CVE-2017-10984 CVE-2017-10985
                 CVE-2017-10986 CVE-2017-10987
Debian Bug     : 868765

Guido Vranken discovered that FreeRADIUS, an open source
implementation of RADIUS, the IETF protocol for AAA (Authorisation,
Authentication, and Accounting), did not properly handle memory when
processing packets. This would allow a remote attacker to cause a
denial-of-service by application crash, or potentially execute
arbitrary code.

All those issues are covered by this single DSA, but it's worth noting
that not all issues affect all releases:

  - CVE-2017-10978 and CVE-2017-10983 affect both jessie and stretch

  - CVE-2017-10979, CVE-2017-10980, CVE-2017-10981 and CVE-2017-10982
    affect only jessie

  - CVE-2017-10984, CVE-2017-10985, CVE-2017-10986 and CVE-2017-10987
    affect only stretch.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.2.5+dfsg-0.2+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.0.12+dfsg-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3933-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pjproject
CVE ID         : CVE-2017-9359 CVE-2017-9372

Two vulnerabilities were found in the PJSIP/PJProject communication
library, which may result in denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0.0.ast20130823-1+deb8u1.

For the stable distribution (stretch), these problems had been fixed
prior to the initial release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3932-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : subversion
CVE ID         : CVE-2016-8734 CVE-2017-9800

Several problems were discovered in Subversion, a centralised version
control system.

CVE-2016-8734 (jessie only)

    Subversion's mod_dontdothat server module and Subversion clients
    using http(s):// were vulnerable to a denial-of-service attack
    caused by exponential XML entity expansion.

CVE-2017-9800

    Joern Schneeweisz discovered that Subversion did not correctly
    handle maliciously constructed svn+ssh:// URLs. This allowed an
    attacker to run an arbitrary shell command, for instance via
    svn:externals properties or when using 'svnsync sync'.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.8.10-6+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.9.5-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3934-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2017-1000117

Joern Schneeweisz discovered that git, a distributed revision control
system, did not correctly handle maliciously constructed ssh://
URLs. This allowed an attacker to run an arbitrary shell command, for
instance via git submodules.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3935-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

    In some authentication methods empty passwords were accepted.

CVE-2017-7547

    User mappings could leak data to unprivileged users.

CVE-2017-7548

    The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgres...bout/news/1772/

For the oldstable distribution (jessie), these problems have been fixed
in version 9.4.13-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3936-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.6
CVE ID         : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

    In some authentication methods empty passwords were accepted.

CVE-2017-7547

    User mappings could leak data to unprivileged users.

CVE-2017-7548

    The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgres...bout/news/1772/

For the stable distribution (stretch), these problems have been fixed in
version 9.6.4-0+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1306 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 11 August 2017 - 10:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3937-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 12, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zabbix
CVE ID         : CVE-2017-2824 CVE-2017-2825

Lilith Wyatt discovered two vulnerabilities in the Zabbix network
monitoring system which may result in execution of arbitrary code or
database writes by malicious proxies.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.7+dfsg-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed
prior to the initial release.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1307 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 14 August 2017 - 07:56 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3938-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgd2
CVE ID         : CVE-2017-7890
Debian Bug     : 869263

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used
to load images from GIF format files in libgd2, a library for
programmatic graphics creation and manipulation, does not zero stack
allocated color map buffers before their use, which may result in
information disclosure if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3939-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 12, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : botan1.10
CVE ID         : CVE-2017-2801

Aleksandar Nikolic discovered that an error in the x509 parser of the
Botan crypto library could result in an out-of-bounds memory read,
resulting in denial of service or an information leak if processing
a malformed certificate.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.10.8-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed
prior to the initial release.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3940-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 13, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cvs
CVE ID         : CVE-2017-12836
Debian Bug     : 871810

It was discovered that CVS, a centralised version control system, did
not correctly handle maliciously constructed repository URLs, which
allowed an attacker to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed
in version 2:1.12.13+real-15+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.12.13+real-22+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3940-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : iortcw
CVE ID         : CVE-2017-11721

A read buffer overflow was discovered in the idtech3 (Quake III Arena)
family of game engines. This allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted packet.

For the stable distribution (stretch), this problem has been fixed in
version 1.50a+dfsg1-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3942-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 13, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : supervisor
CVE ID         : CVE-2017-11610
Debian Bug     : 870187

Calum Hutton reported that the XML-RPC server in supervisor, a system
for controlling process state, does not perform validation on requested
XML-RPC methods, allowing an authenticated client to send a malicious
XML-RPC request to supervisord that will run arbitrary shell commands on
the server as the same user as supervisord.

The vulnerability has been fixed by disabling nested namespace lookup
entirely. supervisord will now only call methods on the object
registered to handle XML-RPC requests and not any child objects it may
contain, possibly breaking existing setups. No publicly available
plugins are currently known that use nested namespaces. Plugins that use
a single namespace will continue to work as before. Details can be found
on the upstream issue at
https://github.com/S...isor/issues/964 .

For the oldstable distribution (jessie), this problem has been fixed
in version 3.0r1-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 3.3.1-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3943-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 14, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gajim
CVE ID         : CVE-2016-10376
Debian Bug     : 863445

Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the
"XEP-0146: Remote Controlling Clients" extension, allowing a malicious
XMPP server to trigger commands to leak private conversations from
encrypted sessions. With this update XEP-0146 support has been disabled
by default and made opt-in via the 'remote_commands' option.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.16-1+deb8u2.

For the stable distribution (stretch), this problem has been fixed prior
to the initial release.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1308 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 17 August 2017 - 07:36 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3928-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 16, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
                 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
                 CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802
                 CVE-2017-7803 CVE-2017-7807 CVE-2017-7809

The update shipped in DSA 3928-1 failed to build on the mips, mipsel
and powerpc architectures for the oldstable distribution (jessie).
This has been fixed in 52.3.0esr-1~deb8u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3944-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 17, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.0
CVE ID         : CVE-2017-3308 CVE-2017-3309 CVE-2017-3453 CVE-2017-3456
                 CVE-2017-3464 CVE-2017-3636 CVE-2017-3641 CVE-2017-3653

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.32. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/...-release-notes/
https://mariadb.com/...-release-notes/

For the oldstable distribution (jessie), these problems have been fixed
in version 10.0.32-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3945-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 17, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2014-9940 CVE-2017-7346 CVE-2017-7482 CVE-2017-7533
                 CVE-2017-7541 CVE-2017-7542 CVE-2017-7889 CVE-2017-9605
                 CVE-2017-10911 CVE-2017-11176 CVE-2017-1000363
                 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2014-9940

    A use-after-free flaw in the voltage and current regulator driver
    could allow a local user to cause a denial of service or potentially
    escalate privileges.

CVE-2017-7346

    Li Qiang discovered that the DRM driver for VMware virtual GPUs does
    not properly check user-controlled values in the
    vmw_surface_define_ioctl() functions for upper limits. A local user
    can take advantage of this flaw to cause a denial of service.

CVE-2017-7482

    Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does
    not properly verify metadata, leading to information disclosure,
    denial of service or potentially execution of arbitrary code.

CVE-2017-7533

    Fan Wu and Shixiong Zhao discovered a race condition between inotify
    events and VFS rename operations allowing an unprivileged local
    attacker to cause a denial of service or escalate privileges.

CVE-2017-7541

    A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN
    driver could allow a local user to cause kernel memory corruption,
    leading to a denial of service or potentially privilege escalation.

CVE-2017-7542

    An integer overflow vulnerability in the ip6_find_1stfragopt()
    function was found allowing a local attacker with privileges to open
    raw sockets to cause a denial of service.

CVE-2017-7889

    Tommi Rantala and Brad Spengler reported that the mm subsystem does
    not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism,
    allowing a local attacker with access to /dev/mem to obtain
    sensitive information or potentially execute arbitrary code.

CVE-2017-9605

    Murray McAllister discovered that the DRM driver for VMware virtual
    GPUs does not properly initialize memory, potentially allowing a
    local attacker to obtain sensitive information from uninitialized
    kernel memory via a crafted ioctl call.

CVE-2017-10911 / XSA-216

    Anthony Perard of Citrix discovered an information leak flaw in Xen
    blkif response handling, allowing a malicious unprivileged guest to
    obtain sensitive information from the host or other guests.

CVE-2017-11176

    It was discovered that the mq_notify() function does not set the
    sock pointer to NULL upon entry into the retry logic. An attacker
    can take advantage of this flaw during a userspace close of a
    Netlink socket to cause a denial of service or potentially cause
    other impact.

CVE-2017-1000363

    Roee Hay reported that the lp driver does not properly bounds-check
    passed arguments, allowing a local attacker with write access to the
    kernel command line arguments to execute arbitrary code.

CVE-2017-1000365

    It was discovered that argument and environment pointers are not
    taken properly into account to the imposed size restrictions on
    arguments and environmental strings passed through
    RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of
    this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.43-2+deb8u3.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1309 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 19 August 2017 - 08:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3946-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 18, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmspack
CVE ID         : CVE-2017-6419 CVE-2017-11423
Debian Bug     : 868956 871263

It was discovered that libsmpack, a library used to handle Microsoft
compression formats, did not properly validate its input. A remote
attacker could craft malicious CAB or CHM files and use this flaw to
cause a denial of service via application crash, or potentially
execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 0.5-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 0.5-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3947-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 18, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : newsbeuter
CVE ID         : CVE-2017-12904

Jeriko One discovered that newsbeuter, a text-mode RSS feed reader,
did not properly escape the title and description of a news article
when bookmarking it. This allowed a remote attacker to run an
arbitrary shell command on the client machine.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.8-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.9-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3948-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 19, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ioquake3
CVE ID         : CVE-2017-11721

A read buffer overflow was discovered in the idtech3 (Quake III Arena)
family of game engines. This allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted packet.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.36+u20140802+gca9eebb-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.36+u20161101+dfsg1-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1310 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 21 August 2017 - 09:10 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3949-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 21, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : augeas
CVE ID         : CVE-2017-7555
Debian Bug     : 872400

Han Han of Red Hat discovered that augeas, a configuration editing
tool, improperly handled some escaped strings. A remote attacker could
leverage this flaw by sending maliciously crafted strings, thus
causing an augeas-enabled application to crash or potentially execute
arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.0-0.2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.8.0-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3950-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
August 21, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libraw
CVE ID         : CVE-2017-6886 CVE-2017-6887
Debian Bug     : 864183

Hossein Lotfi and Jakub Jirasek from Secunia Research have discovered
multiple vulnerabilities in LibRaw, a library for reading RAW images. An
attacker could cause a memory corruption leading to a DoS (Denial of
Service) with craft KDC or TIFF file.

For the oldstable distribution (jessie), these problems have been fixed
in version 0.16.0-9+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 0.17.2-6+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1311 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 23 August 2017 - 07:40 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3951-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 22, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : smb4k
CVE ID         : CVE-2017-8849

Sebastian Krahmer discovered that a programming error in the mount
helper binary of the Smb4k Samba network share browser may result in
local privilege escalation.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.1-2~deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3952-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 23, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
CVE ID         : CVE-2017-0663 CVE-2017-7375 CVE-2017-7376 CVE-2017-9047
                 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050
Debian Bug     : 863018 863019 863021 863022 870865 870867 870870

Several vulnerabilities were discovered in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML or HTML file that, when processed
by an application using libxml2, would cause a denial-of-service against
the application, information leaks, or potentially, the execution of
arbitrary code with the privileges of the user running the application.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.9.1+dfsg1-5+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 2.9.4+dfsg1-2.2+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.9.4+dfsg1-3.1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3953-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
August 23, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : aodh
CVE ID         : CVE-2017-12440
Debian Bug     : 872605

Zane Bitter from Red Hat discovered a vulnerability in Aodh, the alarm
engine for OpenStack. Aodh does not verify that the user creating the
alarm is the trustor or has the same rights as the trustor, nor that the
trust is for the same project as the alarm. The bug allows that an
authenticated users without a Keystone token with knowledge of trust IDs
to perform unspecified authenticated actions by adding alarm actions.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.0-4+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1312 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 25 August 2017 - 08:04 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3954-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 25, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2017-10053 CVE-2017-10067 CVE-2017-10074 CVE-2017-10081
                 CVE-2017-10087 CVE-2017-10089 CVE-2017-10090 CVE-2017-10096
                 CVE-2017-10101 CVE-2017-10102 CVE-2017-10107 CVE-2017-10108
                 CVE-2017-10109 CVE-2017-10110 CVE-2017-10115 CVE-2017-10116
                 CVE-2017-10118 CVE-2017-10135 CVE-2017-10176 CVE-2017-10193
                 CVE-2017-10198 CVE-2017-10243

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in sandbox bypass,
incorrect authentication, the execution of arbitrary code, denial of
service, information disclosure, use of insecure cryptography or
bypassing Jar verification.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u151-2.6.11-1~deb8u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1313 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 28 August 2017 - 08:07 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3955-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 26, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.1
CVE ID         : CVE-2017-3636 CVE-2017-3641 CVE-2017-3653

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.1.26. Please see the MariaDB 10.1 Release Notes for further
details:

https://mariadb.com/...-release-notes/
https://mariadb.com/...-release-notes/
https://mariadb.com/...-release-notes/

For the stable distribution (stretch), these problems have been fixed in
version 10.1.26-0+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 10.1.26-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3956-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
August 27, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : connman
CVE ID         : CVE-2017-12865
Debian Bug     : 872844

Security consultants in NRI Secure Technologies discovered a stack
overflow vulnerability in ConnMan, a network manager for embedded
devices. An attacker with control of the DNS responses to the DNS proxy
in ConnMan might crash the service and, in same cases, remotely execute
arbitrary commands in the host running the service.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.21-1.2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.33-3+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 1.33-3+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.35-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3957-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
August 28, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2017-9608 CVE-2017-9993 CVE-2017-11399 CVE-2017-11665
                 CVE-2017-11719

Several vulnerabilities have been discovered in FFmpeg, a multimedia
player, server and encoder. These issues could lead to Denial-of-Service
and, in some situation, the execution of arbitrary code.

CVE-2017-9608

    Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when
    parsing a crafted MOV file.

CVE-2017-9993

    Thierry Foucu discovered that it was possible to leak information from
    files and symlinks ending in common multimedia extensions, using the
    HTTP Live Streaming.

CVE-2017-11399

    Liu Bingchang of IIE discovered an integer overflow in the APE decoder
    that can be triggered by a crafted APE file.

CVE-2017-11665

    JunDong Xie of Ant-financial Light-Year Security Lab discovered that
    an attacker able to craft a RTMP stream can crash FFmpeg.

CVE-2017-11719

    Liu Bingchang of IIE discovered an out-of-bound access that can be
    triggered by a crafted DNxHD file.

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.7-1~deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1314 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 29 August 2017 - 08:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3958-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 29, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fontforge
CVE ID         : CVE-2017-11568 CVE-2017-11569 CVE-2017-11571 CVE-2017-11572
                 CVE-2017-11574 CVE-2017-11575 CVE-2017-11576 CVE-2017-11577
Debian Bug     : 869614

It was discovered that FontForge, a font editor, did not correctly
validate its input. An attacker could use this flaw by tricking a user
into opening a maliciously crafted OpenType font file, thus causing a
denial-of-service via application crash, or execution of arbitrary
code.

For the oldstable distribution (jessie), these problems have been fixed
in version 20120731.b-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:20161005~dfsg-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3959-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 29, 2017                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2017-0379
Debian Bug     : 873383

Daniel Genkin, Luke Valenta and Yuval Yarom discovered that Libgcrypt
is prone to a local side-channel attack against the ECDH encryption with
Curve25519, allowing recovery of the private key.

See https://eprint.iacr.org/2017/806 for details.

For the stable distribution (stretch), this problem has been fixed in
version 1.7.6-2+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.9-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1315 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 01 September 2017 - 06:47 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3960-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 01, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2017-7526

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
Yuval Yarom discovered that GnuPG is prone to a local side-channel
attack allowing full key recovery for RSA-1024.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u4.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1316 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 03 September 2017 - 07:56 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3961-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 03, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgd2
CVE ID         : CVE-2017-6362

A double-free vulnerability was discovered in the gdImagePngPtr()
function in libgd2, a library for programmatic graphics creation and
manipulation, which may result in denial of service or potentially the
execution of arbitrary code if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.5-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3962-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 03, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2017-11185
Debian Bug     : 872155

A denial of service vulnerability was identified in strongSwan, an IKE/IPsec
suite, using Google's OSS-Fuzz fuzzing project.

The gmp plugin in strongSwan had insufficient input validation when verifying
RSA signatures. This coding error could lead to a null pointer dereference,
leading to process crash.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.2.1-6+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 5.5.1-4+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 5.6.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.6.0-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1317 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 04 September 2017 - 08:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3963-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
September 04, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mercurial
CVE ID         : CVE-2017-9462 CVE-2017-1000115 CVE-2017-1000116
Debian Bug     : 861243 871709 871710

Several issues were discovered in Mercurial, a distributed revision
control system.

CVE-2017-9462 (fixed in stretch only)

  Jonathan Claudius of Mozilla discovered that repositories served
  over stdio could be tricked into granting authorized users access to
  the Python debugger.

CVE-2017-1000115

  Mercurial's symlink auditing was incomplete, and could be abused to
  write files outside the repository.

CVE-2017-1000116

  Joern Schneeweisz discovered that Mercurial did not correctly handle
  maliciously constructed ssh:// URLs. This allowed an attacker to run
  an arbitrary shell command.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.2-2+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 4.0-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3964-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 04, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2017-14099 CVE-2017-14100

Multiple vulnerabilities have been discovered in Asterisk, an open source
PBX and telephony toolkit, which may result in disclosure of RTP
connections or the execution of arbitrary shell commands.

For additional information please refer to the upstream advisories:
http://downloads.ast...T-2017-005.html
http://downloads.ast...T-2017-006.html

For the oldstable distribution (jessie), these problems have been fixed
in version 1:11.13.1~dfsg-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 1:13.14.1~dfsg-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1318 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 05 September 2017 - 06:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3965-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 05, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
CVE ID         : CVE-2017-1000249

Thomas Jarosch discovered a stack-based buffer overflow flaw in file, a
file type classification tool, which may result in denial of service if
an ELF binary with a specially crafted .notes section is processed.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.30-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.32-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3966-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 05, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900
                 CVE-2017-0901 CVE-2017-0902 CVE-2017-14064

Multiple vulnerabilities were discovered in the interpreter for the Ruby
language:

CVE-2015-9096

    SMTP command injection in Net::SMTP.

CVE-2016-7798

    Incorrect handling of initialization vector in the GCM mode in the
    OpenSSL extension.

CVE-2017-0900

    Denial of service in the RubyGems client.

CVE-2017-0901

    Potential file overwrite in the RubyGems client.

CVE-2017-0902

    DNS hijacking in the RubyGems client.

CVE-2017-14064

    Heap memory disclosure in the JSON library.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u1. This update also hardens RubyGems against
malicious termonal escape sequences (CVE-2017-0899).
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1319 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 11 September 2017 - 09:31 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3967-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 08, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mbedtls
CVE ID         : CVE-2017-14032
Debian Bug     : 873557

An authentication bypass vulnerability was discovered in mbed TLS, a
lightweight crypto and SSL/TLS library, when the authentication mode is
configured as 'optional'. A remote attacker can take advantage of this
flaw to mount a man-in-the-middle attack and impersonate an intended
peer via an X.509 certificate chain with many intermediates.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.2-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2.6.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.6.0-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3968-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 11, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
CVE ID         : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
                 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
                 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803
                 CVE-2017-7807 CVE-2017-7809

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.3.0-4~deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 52.3.0-4~deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1320 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 12 September 2017 - 08:23 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3969-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 12, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2017-10912 CVE-2017-10913 CVE-2017-10914
                 CVE-2017-10915 CVE-2017-10916 CVE-2017-10917
CVE-2017-10918 CVE-2017-10919 CVE-2017-10920
CVE-2017-10921 CVE-2017-10922 CVE-2017-12135
                 CVE-2017-12136 CVE-2017-12137 CVE-2017-12855

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2017-10912

    Jann Horn discovered that incorrectly handling of page transfers might
    result in privilege escalation.

CVE-2017-10913 / CVE-2017-10914

    Jann Horn discovered that race conditions in grant handling might
    result in information leaks or privilege escalation.

CVE-2017-10915

    Andrew Cooper discovered that incorrect reference counting with
    shadow paging might result in privilege escalation.

CVE-2017-10916

    Andrew Cooper discovered an information leak in the handling
    of the the Memory Protection Extensions (MPX) and Protection
    Key (PKU) CPU features. This only affects Debian stretch.

CVE-2017-10917

    Ankur Arora discovered a NULL pointer dereference in event
    polling, resulting in denial of service.

CVE-2017-10918

    Julien Grall discovered that incorrect error handling in
    physical-to-machine memory mappings may result in privilege
    escalation, denial of service or an information leak.

CVE-2017-10919

    Julien Grall discovered that that incorrect handling of
    virtual interrupt injection on ARM systems may result in
    denial of service.

CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922

    Jan Beulich discovered multiple places where reference
    counting on grant table operations was incorrect, resulting
    in potential privilege escalation

CVE-2017-12135

    Jan Beulich found multiple problems in the handling of
    transitive grants which could result in denial of service
    and potentially privilege escalation.

CVE-2017-12136

    Ian Jackson discovered that race conditions in the allocator
    for grant mappings may result in denial of service or privilege
    escalation. This only affects Debian stretch.

CVE-2017-12137

    Andrew Cooper discovered that incorrect validation of
    grants may result in privilege escalation.

CVE-2017-12855

    Jan Beulich discovered that incorrect grant status handling, thus
    incorrectly informing the guest that the grant is no longer in use.

XSA-235 (no CVE yet)

    Wei Liu discovered that incorrect locking of add-to-physmap
    operations on ARM may result in denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.4.1-9+deb8u10.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.1-1+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3970-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 12, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : emacs24
CVE ID         : not yet available

Charles A. Roelli discovered that Emacs is vulnerable to arbitrary code
execution when rendering text/enriched MIME data (e.g. when using
Emacs-based mail clients).

For the oldstable distribution (jessie), this problem has been fixed
in version 24.4+1-5+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 24.5+1-11+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1321 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 13 September 2017 - 07:32 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3971-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 13, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tcpdump
CVE ID         : CVE-2017-11108 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543
                 CVE-2017-12893 CVE-2017-12894 CVE-2017-12895 CVE-2017-12896
                 CVE-2017-12897 CVE-2017-12898 CVE-2017-12899 CVE-2017-12900
                 CVE-2017-12901 CVE-2017-12902 CVE-2017-12985 CVE-2017-12986
                 CVE-2017-12987 CVE-2017-12988 CVE-2017-12989 CVE-2017-12990
                 CVE-2017-12991 CVE-2017-12992 CVE-2017-12993 CVE-2017-12994
                 CVE-2017-12995 CVE-2017-12996 CVE-2017-12997 CVE-2017-12998
                 CVE-2017-12999 CVE-2017-13000 CVE-2017-13001 CVE-2017-13002
                 CVE-2017-13003 CVE-2017-13004 CVE-2017-13005 CVE-2017-13006
                 CVE-2017-13007 CVE-2017-13008 CVE-2017-13009 CVE-2017-13010
                 CVE-2017-13011 CVE-2017-13012 CVE-2017-13013 CVE-2017-13014
                 CVE-2017-13015 CVE-2017-13016 CVE-2017-13017 CVE-2017-13018
                 CVE-2017-13019 CVE-2017-13020 CVE-2017-13021 CVE-2017-13022
                 CVE-2017-13023 CVE-2017-13024 CVE-2017-13025 CVE-2017-13026
                 CVE-2017-13027 CVE-2017-13028 CVE-2017-13029 CVE-2017-13030
                 CVE-2017-13031 CVE-2017-13032 CVE-2017-13033 CVE-2017-13034
                 CVE-2017-13035 CVE-2017-13036 CVE-2017-13037 CVE-2017-13038
                 CVE-2017-13039 CVE-2017-13040 CVE-2017-13041 CVE-2017-13042
                 CVE-2017-13043 CVE-2017-13044 CVE-2017-13045 CVE-2017-13046
                 CVE-2017-13047 CVE-2017-13048 CVE-2017-13049 CVE-2017-13050
                 CVE-2017-13051 CVE-2017-13052 CVE-2017-13053 CVE-2017-13054
                 CVE-2017-13055 CVE-2017-13687 CVE-2017-13688 CVE-2017-13689
                 CVE-2017-13690 CVE-2017-13725
Debian Bug     : 867718 873804 873805 873806

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or, potentially, execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.9.2-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.2-1~deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 4.9.2-1 or earlier versions.

For the unstable distribution (sid), these problems have been fixed in
version 4.9.2-1 or earlier versions.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3972-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 13, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bluez
CVE ID         : CVE-2017-1000250
Debian Bug     : 875633

An information disclosure vulnerability was discovered in the Service
Discovery Protocol (SDP) in bluetoothd, allowing a proximate attacker to
obtain sensitive information from bluetoothd process memory, including
Bluetooth encryption keys.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.23-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 5.43-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1322 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 14 September 2017 - 07:18 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3973-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 14, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress-shibboleth
CVE ID         : CVE-2017-14313
Debian Bug     : 874416

A cross-site-scripting vulnerability has been discovered in the login
form of the Shibboleth identity provider module for Wordpress.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.4-2+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1323 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 15 September 2017 - 06:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3974-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
September 15, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2017-7674 CVE-2017-7675
Debian Bug     : 802312

Two issues were discovered in the Tomcat servlet and JSP engine.

CVE-2017-7674

    Rick Riemer discovered that the Cross-Origin Resource Sharing
    filter did not add a Vary header indicating possible different
    responses, which could lead to cache poisoning.

CVE-2017-7675 (stretch only)

    Markus Dörschmidt found that the HTTP/2 implementation bypassed
    some security checks, thus allowing an attacker to conduct
    directory traversal attacks by using specially crafted URLs.

For the oldstable distribution (jessie), these problems have been fixed
in version 8.0.14-1+deb8u11.

For the stable distribution (stretch), these problems have been fixed in
version 8.5.14-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3975-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 15, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : emacs25
CVE ID         : CVE-2017-14482

Charles A. Roelli discovered that Emacs is vulnerable to arbitrary code
execution when rendering text/enriched MIME data (e.g. when using
Emacs-based mail clients).

For the stable distribution (stretch), this problem has been fixed in
version 25.1+1-4+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1324 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 17 September 2017 - 07:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3976-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 17, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freexl
CVE ID         : CVE-2017-2923 CVE-2017-2924
Debian Bug     : 875690 875691

Marcin 'Icewall' Noga of Cisco Talos discovered two vulnerabilities in
freexl, a library to read Microsoft Excel spreadsheets, which might
result in denial of service or the execution of arbitrary code if a
malformed Excel file is opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.0g-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-2+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.4-1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.

#1325 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,349 posts

Posted 19 September 2017 - 06:08 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3977-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 18, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : newsbeuter
CVE ID         : CVE-2017-14500
Debian Bug     : 876004

It was discovered that podbeuter, the podcast fetcher in newsbeuter, a
text-mode RSS feed reader, did not properly escape the name of the media
enclosure (the podcast file), allowing a remote attacker to run an
arbitrary shell command on the client machine. This is only exploitable
if the file is also played in podbeuter.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.8-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.9-5+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.9-7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3978-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 18, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gdk-pixbuf
CVE ID         : CVE-2017-2862
Debian Bug     : 874552

Marcin Noga discovered a buffer overflow in the JPEG loader of the GDK
Pixbuf library, which may result in the execution of arbitrary code if
a malformed file is opened.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.31.1-2+deb8u6.

For the stable distribution (stretch), this problem has been fixed in
version 2.36.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3979-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 19, 2017                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pyjwt
CVE ID         : CVE-2017-11424

It was discovered that PyJWT, a Python implementation of JSON Web Token
performed insufficient validation of some public key types, which could
allow a remote attacker to craft JWTs from scratch.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.2.1-1+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.4.2-1+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted ImageKXStudio
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users