Jump to content

Bruno

Recommended Posts

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3794-3 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 03, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : munin

Debian Bug : 856536

 

The update for munin issued as DSA-3794-2 caused a regression leading to

Perl warnings being appended to the munin-cgi-graph log file. Updated

packages are now available to correct this issue. For reference, the

original advisory text follows.

 

Stevie Trujillo discovered a local file write vulnerability in munin, a

network-wide graphing framework, when CGI graphs are enabled. GET

parameters are not properly handled, allowing to inject options into

munin-cgi-graph and overwriting any file accessible by the user running

the cgi-process.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.0.25-1+deb8u3.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3801-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 04, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-zip

CVE ID : CVE-2017-5946

Debian Bug : 856269

 

It was discovered that ruby-zip, a Ruby module for reading and writing

zip files, is prone to a directory traversal vulnerability. An attacker

can take advantage of this flaw to overwrite arbitrary files during

archive extraction via a .. (dot dot) in an extracted filename.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.1.6-1+deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1.2.0-1.1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.2.0-1.1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3802-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 05, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : zabbix

CVE ID : CVE-2016-10134

 

An SQL injection vulnerability has been discovered in the "Latest data"

page of the web frontend of the Zabbix network monitoring system

 

For the stable distribution (jessie), this problem has been fixed in

version 1:2.2.7+dfsg-2+deb8u2.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1:3.0.7+dfsg-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:3.0.7+dfsg-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3803-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 08, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : texlive-base

CVE ID : CVE-2016-10243

 

It was discovered that texlive-base, the TeX Live package which provides

the essential TeX programs and files, whitelists mpost as an external

program to be run from within the TeX source code (called \write18).

Since mpost allows to specify other programs to be run, an attacker can

take advantage of this flaw for arbitrary code execution when compiling

a TeX document.

 

For the stable distribution (jessie), this problem has been fixed in

version 2014.20141024-2+deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 2016.20161130-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2016.20161130-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3804-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 08, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2016-9588 CVE-2017-2636 CVE-2017-5669 CVE-2017-5986

CVE-2017-6214 CVE-2017-6345 CVE-2017-6346 CVE-2017-6348

CVE-2017-6353

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation, denial of service or have other

impacts.

 

CVE-2016-9588

 

Jim Mattson discovered that the KVM implementation for Intel x86

processors does not properly handle #BP and #OF exceptions in an

L2 (nested) virtual machine. A local attacker in an L2 guest VM

can take advantage of this flaw to cause a denial of service for

the L1 guest VM.

 

CVE-2017-2636

 

Alexander Popov discovered a race condition flaw in the n_hdlc

line discipline that can lead to a double free. A local

unprivileged user can take advantage of this flaw for privilege

escalation. On systems that do not already have the n_hdlc module

loaded, this can be mitigated by disabling it:

echo >> /etc/modprobe.d/disable-n_hdlc.conf install n_hdlc false

 

CVE-2017-5669

 

Gareth Evans reported that privileged users can map memory at

address 0 through the shmat() system call. This could make it

easier to exploit other kernel security vulnerabilities via a

set-UID program.

 

CVE-2017-5986

 

Alexander Popov reported a race condition in the SCTP

implementation that can be used by local users to cause a

denial-of-service (crash). The initial fix for this was incorrect

and introduced further security issues (CVE-2017-6353). This

update includes a later fix that avoids those. On systems that do

not already have the sctp module loaded, this can be mitigated by

disabling it:

echo >> /etc/modprobe.d/disable-sctp.conf install sctp false

 

CVE-2017-6214

 

Dmitry Vyukov reported a bug in the TCP implementation's handling

of urgent data in the splice() system call. This can be used by a

remote attacker for denial-of-service (hang) against applications

that read from TCP sockets with splice().

 

CVE-2017-6345

 

Andrey Konovalov reported that the LLC type 2 implementation

incorrectly assigns socket buffer ownership. This can be used

by a local user to cause a denial-of-service (crash). On systems

that do not already have the llc2 module loaded, this can be

mitigated by disabling it:

echo >> /etc/modprobe.d/disable-llc2.conf install llc2 false

 

CVE-2017-6346

 

Dmitry Vyukov reported a race condition in the raw packet (af_packet)

fanout feature. Local users with the CAP_NET_RAW capability (in any

user namespace) can use this for denial-of-service and possibly for

privilege escalation.

 

CVE-2017-6348

 

Dmitry Vyukov reported that the general queue implementation in

the IrDA subsystem does not properly manage multiple locks,

possibly allowing local users to cause a denial-of-service

(deadlock) via crafted operations on IrDA devices.

 

For the stable distribution (jessie), these problems have been fixed in

version 3.16.39-1+deb8u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3805-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 08, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402

CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408

CVE-2017-5410

 

Multiple security issues have been found in the Mozilla Firefox web

browser: Multiple memory safety errors, use-after-frees and other

implementation errors may lead to the execution of arbitrary code, ASLR

bypass, information disclosure or denial of service.

 

For the stable distribution (jessie), these problems have been fixed in

version 45.8.0esr-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 45.8.0esr-1 of firefox-esr and version 52.0-1 of firefox.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3806-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

March 10, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pidgin

CVE ID : CVE-2017-2640

 

It was discovered a vulnerability in Pidgin, a multi-protocol instant

messaging client. A server controlled by an attacker can send an invalid

XML that can trigger an out-of-bound memory access. This might lead to a

crash or, in some extreme cases, to remote code execution in the

client-side.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.11.0-0+deb8u2.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.12.0-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3807-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 12, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icoutils

CVE ID : CVE-2017-6009 CVE-2017-6010 CVE-2017-6011

 

Multiple vulnerabilities were discovered in the icotool and wrestool

tools of Icoutils, a set of programs that deal with MS Windows icons and

cursors, which may result in denial of service or the execution of

arbitrary code if a malformed .ico or .exe file is processed.

 

For the stable distribution (jessie), these problems have been fixed in

version 0.31.0-2+deb8u3.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 0.31.2-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 0.31.2-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3808-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 13, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : imagemagick

CVE ID : CVE-2017-6498 CVE-2017-6499 CVE-2017-6500

Debian Bug : 856878 856879 856880 857426 844594

 

This update fixes several vulnerabilities in imagemagick: Various memory

handling problems and cases of missing or incomplete input sanitising

may result in denial of service or the execution of arbitrary code if

malformed TGA, Sun or PSD files are processed.

 

This update also fixes visual artefacts when running -sharpen on CMYK

images (no security impact, but piggybacked on top of the security

update with approval of the Debian stable release managers since it's

a regression in jessie compared to wheezy).

 

For the stable distribution (jessie), these problems have been fixed in

version 8:6.8.9.9-5+deb8u8.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 8:6.9.7.4+dfsg-2.

 

For the unstable distribution (sid), these problems have been fixed in

version 8:6.9.7.4+dfsg-2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3809-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 14, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mariadb-10.0

CVE ID : CVE-2017-3302 CVE-2017-3313

 

Several issues have been discovered in the MariaDB database server. The

vulnerabilities are addressed by upgrading MariaDB to the new upstream

version 10.0.30. Please see the MariaDB 10.0 Release Notes for further

details:

 

https://mariadb.com/kb/en/mariadb/mariadb-10030-release-notes/

 

For the stable distribution (jessie), these problems have been fixed in

version 10.0.30-0+deb8u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3810-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 15, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2017-5029 CVE-2017-5030 CVE-2017-5031 CVE-2017-5032

CVE-2017-5033 CVE-2017-5034 CVE-2017-5035 CVE-2017-5036

CVE-2017-5037 CVE-2017-5038 CVE-2017-5039 CVE-2017-5040

CVE-2017-5041 CVE-2017-5042 CVE-2017-5043 CVE-2017-5044

CVE-2017-5045 CVE-2017-5046

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2017-5029

 

Holger Fuhrmannek discovered an integer overflow issue in the libxslt

library.

 

CVE-2017-5030

 

Brendon Tiszka discovered a memory corruption issue in the v8 javascript

library.

 

CVE-2017-5031

 

Looben Yang discovered a use-after-free issue in the ANGLE library.

 

CVE-2017-5032

 

Ashfaq Ansari discovered an out-of-bounds write in the pdfium library.

 

CVE-2017-5033

 

Nicolai Grødum discovered a way to bypass the Content Security Policy.

 

CVE-2017-5034

 

Ke Liu discovered an integer overflow issue in the pdfium library.

 

CVE-2017-5035

 

Enzo Aguado discovered an issue with the omnibox.

 

CVE-2017-5036

 

A use-after-free issue was discovered in the pdfium library.

 

CVE-2017-5037

 

Yongke Wang discovered multiple out-of-bounds write issues.

 

CVE-2017-5038

 

A use-after-free issue was discovered in the guest view.

 

CVE-2017-5039

 

jinmo123 discovered a use-after-free issue in the pdfium library.

 

CVE-2017-5040

 

Choongwoo Han discovered an information disclosure issue in the v8

javascript library.

 

CVE-2017-5041

 

Jordi Chancel discovered an address spoofing issue.

 

CVE-2017-5042

 

Mike Ruddy discovered incorrect handling of cookies.

 

CVE-2017-5043

 

Another use-after-free issue was discovered in the guest view.

 

CVE-2017-5044

 

Kushal Arvind Shah discovered a heap overflow issue in the skia

library.

 

CVE-2017-5045

 

Dhaval Kapil discovered an information disclosure issue.

 

CVE-2017-5046

 

Masato Kinugawa discovered an information disclosure issue.

 

For the stable distribution (jessie), these problems have been fixed in

version 57.0.2987.98-1~deb8u1.

 

For the upcoming stable (stretch) and unstable (sid) distributions, these

problems have been fixed in version 57.0.2987.98-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3811-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 18, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wireshark

CVE ID : CVE-2017-5596 CVE-2017-5597 CVE-2017-6014 CVE-2017-6467

CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471

CVE-2017-6472 CVE-2017-6473 CVE-2017-6474

 

It was discovered that wireshark, a network protocol analyzer, contained

several vulnerabilities in the dissectors for ASTERIX , DHCPv6,

NetScaler, LDSS, IAX2, WSP, K12 and STANAG 4607, that could lead to

various crashes, denial-of-service or execution of arbitrary code.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.12.1+g01b65bf-4+deb8u11.

 

For the unstable distribution (sid), these problems have been fixed in

version 2.2.5+g440fd4d-2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3812-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 18, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ioquake3

CVE ID : CVE-2017-6903

 

It was discovered that ioquake3, a modified version of the ioQuake3 game

engine performs insufficent restrictions on automatically downloaded

content (pk3 files or game code), which allows malicious game servers to

modify configuration settings including driver settings.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.36+u20140802+gca9eebb-2+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.36+u20161101+dfsg1-2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3813-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 19, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : r-base

CVE ID : CVE-2016-8714

 

Cory Duplantis discovered a buffer overflow in the R programming

langauage. A malformed encoding file may lead to the execution of

arbitrary code during PDF generation.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.1.1-1+deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 3.3.3-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 3.3.3-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3796-2 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 20, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : sitesummary

Debian Bug : 852623

 

DSA-3796-1 for apache2 introduced a regression in sitesummary: fixing

CVE-2016-8743 meant being more stringent when dealing with whitespace

patterns in HTTP requests, and that change broke the upload tool of

sitesummary-client.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.1.17+deb8u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3814-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 22, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : audiofile

CVE ID : CVE-2017-6827 CVE-2017-6828 CVE-2017-6829 CVE-2017-6830

CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834

CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838

CVE-2017-6839

Debian Bug : 857651

 

Several vulnerabilities have been discovered in the audiofile library,

which may result in denial of service or the execution of arbitrary code

if a malformed audio file is processed.

 

For the stable distribution (jessie), these problems have been fixed in

version 0.3.6-2+deb8u2.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 0.3.6-4.

 

For the unstable distribution (sid), these problems have been fixed in

version 0.3.6-4.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3815-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 23, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2017-6814 CVE-2017-6815 CVE-2017-6816 CVE-2017-6817

Debian Bug : 857026

 

Several vulnerabilities were discovered in wordpress, a web blogging

tool. They would allow remote attackers to delete unintended files,

mount Cross-Site Scripting attacks, or bypass redirect URL validation

mechanisms.

 

For the stable distribution (jessie), these problems have been fixed in

version 4.1+dfsg-1+deb8u13.

 

For the upcoming stable (stretch) and unstable (sid) distributions,

these problems have been fixed in version 4.7.3+dfsg-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3816-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 23, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2017-2619

 

Jann Horn of Google discovered a time-of-check, time-of-use race

condition in Samba, a SMB/CIFS file, print, and login server for Unix. A

malicious client can take advantage of this flaw by exploting a symlink

race to access areas of the server file system not exported under a

share definition.

 

For the stable distribution (jessie), this problem has been fixed in

version 2:4.2.14+dfsg-0+deb8u4.

 

For the unstable distribution (sid), this problem has been fixed in

version 2:4.5.6+dfsg-2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3817-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 24, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jbig2dec

CVE ID : CVE-2016-9601

 

Multiple security issues have been found in the JBIG2 decoder library,

which may lead to lead to denial of service or the execution of arbitrary

code if a malformed image file (usually embedded in a PDF document) is

opened.

 

For the stable distribution (jessie), this problem has been fixed in

version 0.13-4~deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 0.13-4.

 

For the unstable distribution (sid), this problem has been fixed in

version 0.13-4.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3818-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gst-plugins-bad1.0

CVE ID : CVE-2016-9809 CVE-2016-9812 CVE-2016-9813 CVE-2017-5843

CVE-2017-5848

 

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media

framework and its codecs and demuxers, which may result in denial of

service or the execution of arbitrary code if a malformed media file is

opened.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.4.4-2.1+deb8u2.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 1.10.4-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.10.4-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3819-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gst-plugins-base1.0

CVE ID : CVE-2016-9811 CVE-2017-5837 CVE-2017-5839 CVE-2017-5842

CVE-2017-5844

 

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media

framework and its codecs and demuxers, which may result in denial of

service or the execution of arbitrary code if a malformed media file is

opened.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.4.4-2+deb8u1.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 1.10.4-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.10.4-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3820-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gst-plugins-good1.0

CVE ID : CVE-2016-10198 CVE-2016-10199 CVE-2017-5840 CVE-2017-5841

CVE-2017-5845

 

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media

framework and its codecs and demuxers, which may result in denial of

service or the execution of arbitrary code if a malformed media file is

opened.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.4.4-2+deb8u3.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 1.10.3-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.10.3-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3821-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gst-plugins-ugly1.0

CVE ID : CVE-2017-5846 CVE-2017-5847

 

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media

framework and its codecs and demuxers, which may result in denial of

service or the execution of arbitrary code if a malformed media file is

opened.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.4.4-2+deb8u1.

 

For the upcoming stable distribution (stretch), these problems have been

fixed in version 1.10.4-1.

 

For the unstable distribution (sid), these problems have been fixed in

version 1.10.4-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3822-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gstreamer1.0

CVE ID : CVE-2017-5838

 

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media

framework and its codecs and demuxers, which may result in denial of

service or the execution of arbitrary code if a malformed media file is

opened.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.4.4-2+deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1.10.3-1.

 

For the unstable distribution (sid), this problem has been fixed in

version version 1.10.3-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3823-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 28, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : eject

CVE ID : CVE-2017-6964

Debian Bug : 858872

 

Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to

check if a given device is an encrypted device handled by devmapper, and

used in eject, does not check return values from setuid() and setgid()

when dropping privileges.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.1+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 2.1.5+deb1+cvs20081104-13.2.

Link to comment
Share on other sites

-------------------------------------------------------------------------

Debian Security Advisory DSA-3798-2 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 29, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tnef

Debian Bug : 857342

 

DSA-3798-1 for tnef introduced a regression that caused crashes on

some attachments.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.4.9-1+deb8u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3824-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 29, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firebird2.5

CVE ID : CVE-2017-6369

Debian Bug : 858641

 

George Noseevich discovered that firebird2.5, a relational database

system, did not properly check User-Defined Functions (UDF), thus

allowing remote authenticated users to execute arbitrary code on the

firebird server.

 

For the stable distribution (jessie), this problem has been fixed in

version 2.5.3.26778.ds4-5+deb8u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3825-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 31, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jhead

CVE ID : CVE-2016-3822

Debian Bug : 858213

 

It was discovered that jhead, a tool to manipulate the non-image part of

EXIF compliant JPEG files, is prone to an out-of-bounds access

vulnerability, which may result in denial of service or, potentially,

the execution of arbitrary code if an image with specially crafted EXIF

data is processed.

 

For the stable distribution (jessie), this problem has been fixed in

version 1:2.97-1+deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1:3.00-4.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:3.00-4.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3816-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 02, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

Debian Bug : 858564 858590 858648 859101

 

Two regressions were introduced by the samba update in DSA-3816-1.

Updated packages are now available to address these problems.

Additionally a regression from DSA-3548-1 causing `net ads join` to

freeze when run a second time is fixed along with this update. For

reference, the original advisory text follows.

 

Jann Horn of Google discovered a time-of-check, time-of-use race

condition in Samba, a SMB/CIFS file, print, and login server for Unix. A

malicious client can take advantage of this flaw by exploiting a symlink

race to access areas of the server file system not exported under a

share definition.

 

For the stable distribution (jessie), these problems have been fixed in

version 2:4.2.14+dfsg-0+deb8u5.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3826-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 04, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tryton-server

CVE ID : CVE-2017-0360

 

It was discovered that the original patch to address CVE-2016-1242 did

not cover all cases, which may result in information disclosure of file

contents.

 

For the stable distribution (jessie), this problem has been fixed in

version 3.4.0-3+deb8u3.

 

For the unstable distribution (sid), this problem has been fixed in

version 4.2.1-2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3827-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 07, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jasper

CVE ID : CVE-2016-9591 CVE-2016-10249 CVE-2016-10251

 

Multiple vulnerabilities have been discovered in the JasPer library for

processing JPEG-2000 images, which may result in denial of service or

the execution of arbitrary code if a malformed image is processed.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.900.1-debian1-2.4+deb8u3.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3828-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 10, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : dovecot

CVE ID : CVE-2017-2669

Debian Bug : 860049

 

It was discovered that the Dovecot email server is vulnerable to a

denial of service attack. When the "dict" passdb and userdb are used

for user authentication, the username sent by the IMAP/POP3 client is

sent through var_expand() to perform %variable expansion. Sending

specially crafted %variable fields could result in excessive memory

usage causing the process to crash (and restart).

 

For the stable distribution (jessie), this problem has been fixed in

version 1:2.2.13-12~deb8u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3828-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 11, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : dovecot

 

The Dovecot update issued as DSA-3828-1 introduced a regression, this

update reverts the backported patch. Further analysis by the Dovecot

team has shown that only versions starting from 2.2.26 are affected. For

reference, the original advisory text follows.

 

It was discovered that the Dovecot email server is vulnerable to a

denial of service attack. When the "dict" passdb and userdb are used

for user authentication, the username sent by the IMAP/POP3 client is

sent through var_expand() to perform %variable expansion. Sending

specially crafted %variable fields could result in excessive memory

usage causing the process to crash (and restart).

 

For the stable distribution (jessie), this problem has been fixed in

version 1:2.2.13-12~deb8u3.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3829-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 11, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : bouncycastle

CVE ID : CVE-2015-6644

 

Quan Nguyen discovered that a missing boundary check in the

Galois/Counter mode implementation of Bouncy Castle (a Java

implementation of cryptographic algorithms) may result in information

disclosure.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.49+dfsg-3+deb8u2.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1.54-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.54-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3830-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

April 19, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icu

CVE ID : CVE-2017-7867 CVE-2017-7868

Debian Bug : 860314

 

It was discovered that icu, the International Components for Unicode

library, did not correctly validate its input. An attacker could use

this problem to trigger an out-of-bound write through a heap-based

buffer overflow, thus causing a denial of service via application

crash, or potential execution of arbitrary code.

 

For the stable distribution (jessie), these problems have been fixed in

version 52.1-8+deb8u5.

 

For the upcoming stable (stretch) and unstable (sid) distributions,

these problems have been fixed in version 57.1-6.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3831-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 20, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2017-5429 CVE-2017-5432 CVE-2017-5433 CVE-2017-5434

CVE-2017-5435 CVE-2017-5436 CVE-2017-5438 CVE-2017-5439

CVE-2017-5440 CVE-2017-5441 CVE-2017-5442 CVE-2017-5443

CVE-2017-5444 CVE-2017-5445 CVE-2017-5446 CVE-2017-5447

CVE-2017-5448 CVE-2017-5459 CVE-2017-5460 CVE-2017-5461

CVE-2017-5462 CVE-2017-5464 CVE-2017-5465 CVE-2017-5469

 

Multiple security issues have been found in the Mozilla Firefox web

browser: Multiple memory safety errors, use-after-frees, buffer

overflows and other implementation errors may lead to the execution of

arbitrary code, information disclosure or denial of service.

 

For the stable distribution (jessie), these problems have been fixed in

version 45.9.0esr-1~deb8u1.

 

For the unstable distribution (sid), these problems have been fixed in

version 45.9.0esr-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3832-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 20, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : icedove

CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378

CVE-2017-5380 CVE-2017-5383 CVE-2017-5390 CVE-2017-5396

CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402

CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408

CVE-2017-5410

 

Multiple security issues have been found in Thunderbird, which may may

lead to the execution of arbitrary code or information leaks.

 

With this update, the Icedove packages are de-branded back to the official

Mozilla branding. With the removing of the Debian branding the packages

are also renamed back to the official names used by Mozilla.

 

The Thunderbird package is using a different default profile folder,

the default profile folder is now '$(HOME)/.thunderbird'.

The users profile folder, that was used in Icedove, will get migrated

to the new profile folder on the first start, that can take a little bit

more time.

 

Please read README.Debian for getting more information about the

changes.

 

For the stable distribution (jessie), these problems have been fixed in

version 1:45.8.0-3~deb8u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3833-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 24, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libav

CVE ID : CVE-2016-9821 CVE-2016-9822

 

Several security issues have been corrected in multiple demuxers and

decoders of the libav multimedia library. A full list of the changes is

available at

https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.9

 

For the stable distribution (jessie), these problems have been fixed in

version 6:11.9-1~deb8u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3834-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 25, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mysql-5.5

CVE ID : CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309

CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461

CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600

Debian Bug : 854713 860544

 

Several issues have been discovered in the MySQL database server. The

vulnerabilities are addressed by upgrading MySQL to the new upstream

version 5.5.55, which includes additional changes, such as performance

improvements, bug fixes, new features, and possibly incompatible

changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical

Patch Update advisory for further details:

 

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

 

For the stable distribution (jessie), these problems have been fixed in

version 5.5.55-0+deb8u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3835-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 26, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : python-django

CVE ID : CVE-2016-9013 CVE-2016-9014 CVE-2017-7233 CVE-2017-7234

Debian Bug : 842856 859515 859516

 

Several vulnerabilities were discovered in Django, a high-level Python

web development framework. The Common Vulnerabilities and Exposures

project identifies the following problems:

 

CVE-2016-9013

 

Marti Raudsepp reported that a user with a hardcoded password is

created when running tests with an Oracle database.

 

CVE-2016-9014

 

Aymeric Augustin discovered that Django does not properly validate

the Host header against settings.ALLOWED_HOSTS when the debug

setting is enabled. A remote attacker can take advantage of this

flaw to perform DNS rebinding attacks.

 

CVE-2017-7233

 

It was discovered that is_safe_url() does not properly handle

certain numeric URLs as safe. A remote attacker can take advantage

of this flaw to perform XSS attacks or to use a Django server as an

open redirect.

 

CVE-2017-7234

 

Phithon from Chaitin Tech discovered an open redirect vulnerability

in the django.views.static.serve() view. Note that this view is not

intended for production use.

 

For the stable distribution (jessie), these problems have been fixed in

version 1.7.11-1+deb8u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3836-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : weechat

CVE ID : CVE-2017-8073

Debian Bug : 861121

 

It was discovered that weechat, a fast and light chat client, is prone

to a buffer overflow vulnerability in the IRC plugin, allowing a remote

attacker to cause a denial-of-service by sending a specially crafted

filename via DCC.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.0.1-1+deb8u1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.7-3.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3837-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 27, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libreoffice

CVE ID : CVE-2017-7870

 

It was discovered that a buffer overflow in processing Windows Metafiles

may result in denial of service or the execution of arbitrary code if

a malformed document is opened.

 

For the stable distribution (jessie), this problem has been fixed in

version 1:4.3.3-2+deb8u7.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 1:5.2.5-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 1:5.2.5-1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3838-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 28, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ghostscript

CVE ID : CVE-2016-10219 CVE-2016-10220 CVE-2017-5951 CVE-2017-7207

CVE-2017-8291

Debian Bug : 858350 859666 859694 859696 861295

 

Several vulnerabilities were discovered in Ghostscript, the GPL

PostScript/PDF interpreter, which may lead to the execution of arbitrary

code or denial of service if a specially crafted Postscript file is

processed.

 

For the stable distribution (jessie), these problems have been fixed in

version 9.06~dfsg-2+deb8u5.

 

For the unstable distribution (sid), these problems have been fixed in

version 9.20~dfsg-3.1 or earlier versions.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3839-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 28, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : freetype

CVE ID : CVE-2016-10244 CVE-2017-8105 CVE-2017-8287

Debian Bug : 856971 861220 861308

 

Several vulnerabilities were discovered in Freetype. Opening malformed

fonts may result in denial of service or the execution of arbitrary

code.

 

For the stable distribution (jessie), these problems have been fixed in

version 2.5.2-3+deb8u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3840-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

May 02, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mysql-connector-java

CVE ID : CVE-2017-3523

 

Thijs Alkemade discovered that unexpected automatic deserialisation of

Java objects in the MySQL Connector/J JDBC driver may result in the

execution of arbitary code. For additional details, please refer to the

advisory at

https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt

 

For the stable distribution (jessie), this problem has been fixed in

version 5.1.41-1~deb8u1.

 

For the upcoming stable distribution (stretch), this problem has been

fixed in version 5.1.41-1.

 

For the unstable distribution (sid), this problem has been fixed in

version 5.1.41-1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3841-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

May 02, 2017 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libxstream-java

CVE ID : CVE-2017-7957

 

It was discovered that XStream, a Java library to serialise objects to

XML and back again, was suspectible to denial of service during

unmarshalling.

 

For the stable distribution (jessie), this problem has been fixed in

version 1.4.7-2+deb8u2.

 

For the upcoming stable distribution (stretch), this problem will be

fixed soon.

 

For the unstable distribution (sid), this problem has been fixed in

version 1.4.9-2.

Link to comment
Share on other sites

×
×
  • Create New...