[SECURITY] [DLA 810-1] libarchive security update

2017-01-30 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: libarchive
Version: 3.0.4-3+wheezy5+deb7u1
CVE ID : CVE-2017-5601
Debian Bug : #853278

It was discovered that there was a heap buffer overflow in libarchive,
a multi-format archive and compression library.

For Debian 7 "Wheezy", this issue has been fixed in libarchive version
3.0.4-3+wheezy5+deb7u1.

We recommend that you upgrade your libarchive packages.


Regards,

- -- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

2017-01-30 Thread Emilio Pozuelo Monfort
On 27/01/17 22:18, Ola Lundqvist wrote:
> Hi Emilio
> 
> I saw that you have uploaded a new openjdk-7 package. Were that
> package supposed to fix the current issues reported for openjdk-7 or
> was that corrections for earlier version?

It doesn't fix the latest round of CVEs.

> I'm asking because:
> 1) I have not seen the DLA. It seems to have gone missing.

afaics it's there:

https://lists.debian.org/debian-lts-announce/2017/01/msg00037.html

> 2) I would like to know whether I should (re-)add the openjdk-7
> package to dla-needed.txt or not.

I did that. Still waiting for upstream to release the update.

Cheers,
Emilio



Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable

2017-01-30 Thread Emilio Pozuelo Monfort
On 30/01/17 22:19, Ola Lundqvist wrote:
> Hi
> 
> Will you send the DLA or do you want me to do that?

Adding Romain to Cc.

Cheers,
Emilio

> 
> // Ola
> 
> On 30 January 2017 at 19:40, Romain Francoise  wrote:
> Format: 1.8
> Date: Sun, 29 Jan 2017 22:17:21 +0100
> Source: tcpdump
> Binary: tcpdump
> Architecture: amd64 source
> Version: 4.9.0-1~deb7u1
> Distribution: wheezy-security
> Urgency: high
> Maintainer: Romain Francoise 
> Changed-By: Romain Francoise 
> Description:
>  tcpdump - command-line network traffic analyzer
> Changes:
>  tcpdump (4.9.0-1~deb7u1) wheezy-security; urgency=high
>  .
>    * Backport to wheezy.
>    * Disable the pppoes_id test, and reset B-D on libpcap-dev to what it
>      was in wheezy.
> Checksums-Sha1:
>  f9d5b9e50181e205fa1b713bf906cc9aaa311ddd 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  c241ea71d658ea46edc1bb0a0867ab7cda59973a 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  90de03d602d41e824dd5073bffb510af74a5974c 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Checksums-Sha256:
>  f8d328894bf0e23c28d153a8ea10975579bdbc7ccb25e566d42fb8d071dec076 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  cfde49ea7cc7250571a76e1451cfe85d4adc80a86dbb1251720845b81f973253 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  11ec542ca49d79755637b41413205cb7158c01e4dd4f2bab9209b7aa439378f0 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Files:
>  9e84eb9b5b63d542cd072b1c607706b8 1952 net optional tcpdump_4.9.0-1~deb7u1.dsc
>  ea4321a8ad585e590ee8f85db8c8dd9c 12776 net optional tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  1d2032e577c6aa2c9c6e375a04c4f1f5 484900 net optional tcpdump_4.9.0-1~deb7u1_amd64.deb
> 



[SECURITY] [DLA 809-1] tcpdump security update

2017-01-30 Thread Ola Lundqvist
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: tcpdump
Version: 4.9.0-1~deb7u1
CVE ID : CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 
 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 
 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 
 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 
 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 
 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 
 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 
 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 
 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 
 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 
 CVE-2017-5486


Multiple vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial of
service or the execution of arbitrary code.

CVE-2016-7922

Buffer overflow in parser.

CVE-2016-7923

Buffer overflow in parser.

CVE-2016-7924

Buffer overflow in parser.

CVE-2016-7925

Buffer overflow in parser.

CVE-2016-7926

Buffer overflow in parser.

CVE-2016-7927

Buffer overflow in parser.

CVE-2016-7928

Buffer overflow in parser.

CVE-2016-7929

Buffer overflow in parser.

CVE-2016-7930

Buffer overflow in parser.

CVE-2016-7931

Buffer overflow in parser.

CVE-2016-7932

Buffer overflow in parser.

CVE-2016-7933

Buffer overflow in parser.

CVE-2016-7934

Buffer overflow in parser.

CVE-2016-7935

Buffer overflow in parser.

CVE-2016-7936

Buffer overflow in parser.

CVE-2016-7937

Buffer overflow in parser.

CVE-2016-7938

Buffer overflow in parser.

CVE-2016-7939

Buffer overflow in parser.

CVE-2016-7940

Buffer overflow in parser.

CVE-2016-7973

Buffer overflow in parser.

CVE-2016-7974

Buffer overflow in parser.

CVE-2016-7975

Buffer overflow in parser.

CVE-2016-7983

Buffer overflow in parser.

CVE-2016-7984

Buffer overflow in parser.

CVE-2016-7985

Buffer overflow in parser.

CVE-2016-7986

Buffer overflow in parser.

CVE-2016-7992

Buffer overflow in parser.

CVE-2016-7993

Buffer overflow in parser.

CVE-2016-8574

Buffer overflow in parser.

CVE-2016-8575

Buffer overflow in parser.

CVE-2017-5202

Buffer overflow in parser.

CVE-2017-5203

Buffer overflow in parser.

CVE-2017-5204

Buffer overflow in parser.

CVE-2017-5205

Buffer overflow in parser.

CVE-2017-5341

Buffer overflow in parser.

CVE-2017-5342

Buffer overflow in parser.

CVE-2017-5482

Buffer overflow in parser.

CVE-2017-5483

Buffer overflow in parser.

CVE-2017-5484

Buffer overflow in parser.

CVE-2017-5485

Buffer overflow in parser.

CVE-2017-5486

Buffer overflow in parser.

For Debian 7 "Wheezy", these problems have been fixed in version
4.9.0-1~deb7u1.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 --- Ola Lundqvist ---
/  o...@debian.org     GPG fingerprint              \
|  o...@inguza.com     22F2 32C6 B1E0 F4BF 2B26     |
|  http://inguza.com/  0A6A 5E90 DCFA 9426 876F     /
 ---



Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable

2017-01-30 Thread Ola Lundqvist
Hi

Will you send the DLA or do you want me to do that?

// Ola

On 30 January 2017 at 19:40, Romain Francoise  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Format: 1.8
> Date: Sun, 29 Jan 2017 22:17:21 +0100
> Source: tcpdump
> Binary: tcpdump
> Architecture: amd64 source
> Version: 4.9.0-1~deb7u1
> Distribution: wheezy-security
> Urgency: high
> Maintainer: Romain Francoise 
> Changed-By: Romain Francoise 
> Description:
>  tcpdump - command-line network traffic analyzer
> Changes:
>  tcpdump (4.9.0-1~deb7u1) wheezy-security; urgency=high
>  .
>    * Backport to wheezy.
>    * Disable the pppoes_id test, and reset B-D on libpcap-dev to what it
>      was in wheezy.
> Checksums-Sha1:
>  f9d5b9e50181e205fa1b713bf906cc9aaa311ddd 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  c241ea71d658ea46edc1bb0a0867ab7cda59973a 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  90de03d602d41e824dd5073bffb510af74a5974c 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Checksums-Sha256:
>  f8d328894bf0e23c28d153a8ea10975579bdbc7ccb25e566d42fb8d071dec076 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  cfde49ea7cc7250571a76e1451cfe85d4adc80a86dbb1251720845b81f973253 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  11ec542ca49d79755637b41413205cb7158c01e4dd4f2bab9209b7aa439378f0 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Files:
>  9e84eb9b5b63d542cd072b1c607706b8 1952 net optional tcpdump_4.9.0-1~deb7u1.dsc
>  ea4321a8ad585e590ee8f85db8c8dd9c 12776 net optional tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  1d2032e577c6aa2c9c6e375a04c4f1f5 484900 net optional tcpdump_4.9.0-1~deb7u1_amd64.deb
>
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com     Folkebogatan 26                       \
|  o...@debian.org     654 68 KARLSTAD                       |
|  http://inguza.com/  Mobile: +46 (0)70-332 1551            |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---
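The quoted .changes file above carries a SHA-1, SHA-256 and MD5 digest plus the size of every file in the upload. As an added example (not code from this thread or from Debian's own tooling), here is a small Python verifier for the Checksums-Sha256 stanza in that layout; the package "demo", its file contents and its stanza are constructed inline, not the real tcpdump upload.

```python
import hashlib
import hmac

def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one Checksums-* stanza.
    Layout as in the quoted .changes mail: the field line, then lines
    indented by one space holding "<digest> <size> <filename>"."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and not line.startswith(" "):
            break  # a new field such as "Files:" ends the stanza
        elif in_field:
            parts = line.split()
            if len(parts) == 3:
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
    return entries

def verify_files(changes_text, files):
    """Map each listed filename to 'ok', 'missing', 'size mismatch' or
    'digest mismatch'; files is {filename: bytes} as downloaded."""
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            results[name] = "ok"
        else:
            results[name] = "digest mismatch"
    return results

# Constructed sample upload for a hypothetical package "demo" (not tcpdump).
FILES = {
    "demo_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: demo\n",
    "demo_1.0-1.debian.tar.xz": b"\xfd7zXZ\x00constructed-tarball",
    "demo_1.0-1_amd64.deb": b"!<arch>\nconstructed-deb-contents",
}
# Stanza in the mail's layout; the .deb digest is deliberately wrong to
# stand in for a corrupted or tampered download.
CHANGES = "Checksums-Sha256:\n" + "".join(
    f" {'0' * 64 if n.endswith('.deb') else hashlib.sha256(d).hexdigest()}"
    f" {len(d)} {n}\n" for n, d in FILES.items()) + "Files:\n"
```

A real .changes file is PGP-signed and, as the quote above shows, a mail client may wrap its long lines; check the signature and unwrap the lines before feeding the text to the parser.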



Re: possible regression in tiff4/libtiff3 update (deb7u1)

2017-01-30 Thread Raphael Hertzog
On Fri, 27 Jan 2017, Matthias Geerdsen wrote:
> > The full upload is available:
> > $ dget https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u3_amd64.changes
> 
> I took your patched libtiff4 and tested several images and compression
> schemes using ImageMagick and GraphicsMagick in a wheezy chroot without
> any problems. I have not encountered any unexpected error messages or
> any corrupted images.

Ok, thanks for the tests. I uploaded the fixed version.

> > If we are satisfied by this fix, then we should do something similar on
> > source package tiff 4.x (which provides libtiff5 4.x).

I'll take care of this later this week if no one beats me to it.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Re: Anyone having more information about the tcpdump security CVEs?

2017-01-30 Thread Guido Günther
On Mon, Jan 30, 2017 at 07:34:59PM +0100, Romain Francoise wrote:
> On Sun, Jan 29, 2017 at 05:14:33PM +0100, Romain Francoise wrote:
> > Ok, I will prepare the package and upload it next week.
> 
> Done! I didn't include the upstream tarball as I already uploaded it to
> jessie-security and IIUC it's the same archive, but I'm not absolutely
> certain this is right--if the upload gets rejected, I will reupload.

It is correct. The upstream tarball can only be uploaded to
security-master once.
Cheers,
 -- Guido



Re: Anyone having more information about the tcpdump security CVEs?

2017-01-30 Thread Romain Francoise
On Sun, Jan 29, 2017 at 05:14:33PM +0100, Romain Francoise wrote:
> Ok, I will prepare the package and upload it next week.

Done! I didn't include the upstream tarball as I already uploaded it to
jessie-security and IIUC it's the same archive, but I'm not absolutely
certain this is right--if the upload gets rejected, I will reupload.

-- 
Romain Francoise 
http://people.debian.org/~rfrancoise/



[SECURITY] [DLA 610-2] tiff3 regression update

2017-01-30 Thread Raphael Hertzog
Package: tiff3
Version: 3.9.6-11+deb7u3
Debian Bug : 852610

Version 3.9.6-11+deb7u1 and 3.9.6-11+deb7u2 introduced changes that
resulted in libtiff writing out invalid tiff files when the compression
scheme in use relies on codec-specific TIFF tags embedded in the image.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u3.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/




[SECURITY] [DLA 807-1] imagemagick security update

2017-01-30 Thread Guido Günther
Package: imagemagick
Version: 8:6.7.7.10-5+deb7u11
CVE ID : CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506 
 CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug : #851485, #851483, #851380, #851383, #851382, #851381, #851376, #851374

Numerous vulnerabilities were discovered in ImageMagick, an image
manipulation program. Issues include memory leaks, out of bound reads
and missing checks.

This update also includes an update of the fix for CVE-2016-8677 which
was incomplete in the previous version.

For Debian 7 "Wheezy", these problems have been fixed in version
8:6.7.7.10-5+deb7u11.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

