[SECURITY] [DLA 1207-1] erlang security update
Package        : erlang
Version        : 15.b.1-dfsg-4+deb7u2
CVE ID         : CVE-2017-1000385

An erlang TLS server configured with cipher suites using RSA key exchange may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself.

For Debian 7 "Wheezy", these problems have been fixed in version 15.b.1-dfsg-4+deb7u2.

We recommend that you upgrade your erlang packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
[SECURITY] [DLA 1205-1] simplesamlphp security update
Package        : simplesamlphp
Version        : 1.9.2-1+deb7u1
CVE ID         : CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872 CVE-2017-12873 CVE-2017-12874

The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading to unauthorized access and information disclosure.

CVE-2017-12867

    The SimpleSAML_Auth_TimeLimitedToken class allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

CVE-2017-12869

    The multiauth module allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

CVE-2017-12872 / CVE-2017-12868

    The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. CVE-2017-12868 was about an improper fix of CVE-2017-12872 in the initial patch released by upstream. We have used the correct patch.

CVE-2017-12873

    SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

CVE-2017-12874

    The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

For Debian 7 "Wheezy", these problems have been fixed in version 1.9.2-1+deb7u1.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
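The two properties the simplesamlphp entries above call for, a time field that the MAC covers and a constant-time comparison of the secret, shown in a small Python token scheme added here as an illustration; it is not SimpleSAMLphp's code, and the "<expiry-hex>-<hmac-hex>" layout, the LIFETIME value and the secret are assumptions.

```python
"""Time-limited token whose validity window cannot be rewritten.

Added illustration, not SimpleSAMLphp's implementation. Two rules:
  1. the time information carried in the token is part of the MAC input,
     so a token holder cannot extend its life by editing that field;
  2. the MAC check uses a constant-time comparison, so a '==' that stops
     at the first differing byte cannot leak how much of it was right.
"""
import hashlib
import hmac
import time

LIFETIME = 300  # seconds a token stays valid; assumed value


def _mac(secret, expiry):
    # The expiry is bound into the MAC; changing it invalidates the token.
    msg = ("expires:%d" % expiry).encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def generate_token(secret, now=None):
    """Return "<expiry-hex>-<hmac-hex>" for a token issued at `now`."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + LIFETIME
    return "%x-%s" % (expiry, _mac(secret, expiry))


def validate_token(secret, token, now=None):
    """True only for an untampered token that has not expired at `now`."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry_hex, mac = token.split("-", 1)
        expiry = int(expiry_hex, 16)
    except ValueError:
        return False  # malformed layout or non-hex expiry field
    if expiry - now > LIFETIME:
        # We never issue a window longer than LIFETIME; reject larger ones
        # up front, independently of the MAC.
        return False
    if now > expiry:
        return False
    # Constant-time comparison: a plain '==' on strings returns as soon as
    # one byte differs, which is the timing signal the advisory describes.
    return hmac.compare_digest(_mac(secret, expiry), mac)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed, not a real secret
    tok = generate_token(secret, now=1000000)
    print(tok, validate_token(secret, tok, now=1000100),
          validate_token(secret, tok, now=1000301))
```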
[SECURITY] [DLA 1147-1] exiv2 security update
Package        : exiv2
Version        : 0.23-1+deb7u2
CVE ID         : CVE-2017-11591 CVE-2017-11683 CVE-2017-14859 CVE-2017-14862 CVE-2017-14864
Debian Bug     : 876893

The exiv2 library is vulnerable to multiple issues that can all lead to denial of service of the applications relying on the library to parse images' metadata.

CVE-2017-11591

    Denial of service via floating point exception in the Exiv2::ValueType function.

CVE-2017-11683

    Denial of service through a failing assertion triggered by a crafted image.

CVE-2017-14859 / CVE-2017-14862 / CVE-2017-14864

    Denial of service through invalid memory access triggered by a crafted image.

For Debian 7 "Wheezy", these problems have been fixed in version 0.23-1+deb7u2.

We recommend that you upgrade your exiv2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 1145-1] zoneminder security update
Package        : zoneminder
Version        : 1.25.0-4+deb7u2
CVE ID         : CVE-2017-5595

Multiple vulnerabilities have been found in zoneminder. This update fixes only a serious file disclosure vulnerability (CVE-2017-5595).

The application has been found to suffer from many other problems, such as SQL injection vulnerabilities, cross-site scripting issues, cross-site request forgery and a session fixation vulnerability. Due to the number of issues and to the relative invasiveness of the relevant patches, those issues will not be fixed in Wheezy. We thus advise you to restrict access to zoneminder to trusted users only.

If you want to review the list of ignored issues, you can check the security tracker: https://security-tracker.debian.org/tracker/source-package/zoneminder

We recommend that you upgrade your zoneminder packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 1146-1] mosquitto security update
Package        : mosquitto
Version        : 0.15-2+deb7u2
CVE ID         : CVE-2017-9868
Debian Bug     : 865959

mosquitto's persistence file (mosquitto.db) was created in a world-readable way, thus allowing local users to obtain sensitive MQTT topic information. While the application has been fixed to set proper permissions by default, you still have to manually fix the permissions on any existing file.

For Debian 7 "Wheezy", these problems have been fixed in version 0.15-2+deb7u2.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
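A check for the manual step the advisory mentions, as an added Python example that is not part of mosquitto or of the advisory: it reports whether an existing persistence file is reachable by group or other users and tightens it to owner-only; the temporary file in demo() is constructed, and on a real broker the path is an assumption to be taken from its persistence_location setting.

```python
"""Find and fix a persistence file left world-readable by an older mosquitto.

Added example, not mosquitto's code. Run it against the broker's
mosquitto.db (under its persistence_location directory); demo() uses a
constructed temporary file instead so the code runs offline.
"""
import os
import stat
import tempfile


def persistence_file_exposure(path):
    """Return which of 'group' / 'other' have any access bit on the file.

    Uses lstat and refuses symlinks, so a link planted at the path cannot
    redirect the chmod below onto some other file.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise ValueError("%s is a symlink; refusing to touch it" % path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    exposed = set()
    if mode & stat.S_IRWXG:
        exposed.add("group")
    if mode & stat.S_IRWXO:
        exposed.add("other")
    return exposed


def fix_persistence_file_mode(path, dry_run=False):
    """Restrict the file to owner read/write (0600) if anyone else can reach it.

    Returns True when a change was needed (and made, unless dry_run), False
    when the file was already owner-only. Only the mode bits change; the
    retained messages inside the file are left untouched.
    """
    if not persistence_file_exposure(path):
        return False
    if not dry_run:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return True


def demo():
    """Run the check on a constructed file standing in for an old mosquitto.db."""
    fd, path = tempfile.mkstemp(prefix="mosquitto-", suffix=".db")
    os.close(fd)
    os.chmod(path, 0o644)  # world-readable, as the unfixed package created it
    try:
        before = persistence_file_exposure(path)
        changed = fix_persistence_file_mode(path)
        after = stat.S_IMODE(os.lstat(path).st_mode)
        changed_again = fix_persistence_file_mode(path)  # already fixed: no-op
    finally:
        os.unlink(path)
    return sorted(before), changed, after, changed_again


if __name__ == "__main__":
    print(demo())
```

The broker must be able to open the file afterwards, so run the fix as (or chown the file to) the user mosquitto runs as.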
[SECURITY] [DLA 1010-1] vorbis-tools security update
Package        : vorbis-tools
Version        : 1.4.0-1+deb7u1
CVE ID         : CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 CVE-2015-6749
Debian Bug     : 797461 776086 771363

vorbis-tools is vulnerable to multiple issues that can result in denial of service.

CVE-2014-9638

    Divide-by-zero error in oggenc with a WAV file whose number of channels is set to zero.

CVE-2014-9639

    Integer overflow in oggenc via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640

    Out-of-bounds read in oggenc via a crafted raw file.

CVE-2015-6749

    Buffer overflow in the aiff_open function in oggenc/audio.c via a crafted AIFF file.

For Debian 7 "Wheezy", these problems have been fixed in version 1.4.0-1+deb7u1.

We recommend that you upgrade your vorbis-tools packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 984-1] tiff security update
Package        : tiff
Version        : 4.0.2-6+deb7u14
CVE ID         : CVE-2016-10095 CVE-2017-9147 CVE-2017-9403 CVE-2017-9404
Debian Bug     : 863185 850316

tiff was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for the _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches with the upstream-provided patches to stay closer to upstream.

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u14.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 983-1] tiff3 security update
Package        : tiff3
Version        : 3.9.6-11+deb7u6
CVE ID         : CVE-2016-10095 CVE-2017-9147 CVE-2017-9403 CVE-2017-9404

tiff3 was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for the _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches with the upstream-provided patches to stay closer to upstream.

For Debian 7 "Wheezy", these problems have been fixed in version 3.9.6-11+deb7u6.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 946-1] nss security update
Package        : nss
Version        : 2:3.26-1+debu7u3
CVE ID         : CVE-2017-5461 CVE-2017-5462
Debian Bug     : 862958

The NSS library is vulnerable to two security issues:

CVE-2017-5461

    Out-of-bounds write in Base64 encoding. This can trigger a crash (denial of service) and might be exploitable for code execution.

CVE-2017-5462

    A flaw in DRBG number generation where the internal state V does not correctly carry bits over.

For Debian 7 "Wheezy", these problems have been fixed in version 2:3.26-1+debu7u3.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 944-1] openvpn security update
Package        : openvpn
Version        : 2.2.1-8+deb7u4
CVE ID         : CVE-2017-7479

Denial of service due to exhaustion of the packet-ID counter.

An authenticated client can cause the server's packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196GB).

For Debian 7 "Wheezy", these problems have been fixed in version 2.2.1-8+deb7u4.

We recommend that you upgrade your openvpn packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 921-1] slurm-llnl security update
Package        : slurm-llnl
Version        : 2.3.4-2+deb7u1
CVE ID         : CVE-2016-10030
Debian Bug     : 850491

With this vulnerability, arbitrary files can be overwritten on nodes running jobs, provided that the user can run a job that is able to trigger a failure of a Prolog script.

For Debian 7 "Wheezy", these problems have been fixed in version 2.3.4-2+deb7u1.

We recommend that you upgrade your slurm-llnl packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 905-1] ghostscript security update
Package        : ghostscript
Version        : 9.05~dfsg-6.3+deb7u5
CVE ID         : CVE-2016-10219 CVE-2016-10220 CVE-2017-5951

ghostscript is vulnerable to multiple issues that can lead to denial of service when processing untrusted content.

CVE-2016-10219

    Application crash with division by 0 in scan conversion code triggered through crafted content.

CVE-2016-10220

    Application crash with a segfault in gx_device_finalize() triggered through crafted content.

CVE-2017-5951

    Application crash with a segfault in ref_stack_index() triggered through crafted content.

For Debian 7 "Wheezy", these problems have been fixed in version 9.05~dfsg-6.3+deb7u5.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 877-1] tiff security update
Package        : tiff
Version        : 4.0.2-6+deb7u11
CVE ID         : CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269

libtiff is vulnerable to multiple buffer overflows and integer overflows that can lead to application crashes (denial of service) or worse.

CVE-2016-10266

    Integer overflow that can lead to divide-by-zero in TIFFReadEncodedStrip (tif_read.c).

CVE-2016-10267

    Divide-by-zero error in OJPEGDecodeRaw (tif_ojpeg.c).

CVE-2016-10268

    Heap-based buffer overflow in TIFFReverseBits (tif_swab.c).

CVE-2016-10269

    Heap-based buffer overflow in _TIFFmemcpy (tif_unix.c).

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u11.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 866-1] libxslt security update
Package        : libxslt
Version        : 1.1.26-14.1+deb7u3
CVE ID         : CVE-2017-5029
Debian Bug     : 858546

libxslt is vulnerable to an integer overflow in the xsltAddTextString function that can be exploited to trigger an out-of-bounds write on 64-bit systems.

For Debian 7 "Wheezy", this problem has been fixed in version 1.1.26-14.1+deb7u3.

We recommend that you upgrade your libxslt packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 693-2] tiff regression update
Package        : tiff
Version        : 4.0.2-6+deb7u10
Debian Bug     : 852610

Version 4.0.2-6+deb7u7 introduced changes that resulted in libtiff being unable to write out tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image. This problem manifested itself with errors like these:

    $ tiffcp -r 16 -c jpeg sample.tif out.tif
    _TIFFVGetField: out.tif: Invalid tag "Predictor" (not supported by codec).
    _TIFFVGetField: out.tif: Invalid tag "BadFaxLines" (not supported by codec).
    tiffcp: tif_dirwrite.c:687: TIFFWriteDirectorySec: Assertion `0' failed.

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u10.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 610-2] tiff3 regression update
Package        : tiff3
Version        : 3.9.6-11+deb7u3
Debian Bug     : 852610

Versions 3.9.6-11+deb7u1 and 3.9.6-11+deb7u2 introduced changes that resulted in libtiff writing out invalid tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image.

For Debian 7 "Wheezy", these problems have been fixed in version 3.9.6-11+deb7u3.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 759-1] nss security update
Package        : nss
Version        : 2:3.26-1+debu7u2
CVE ID         : CVE-2016-9074

Franziskus Kiefer reported that the existing mitigations for some timing side-channel attacks were insufficient: https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/#CVE-2016-9074

For Debian 7 "Wheezy", these problems have been fixed in version 2:3.26-1+debu7u2.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 741-1] unzip security update
Package        : unzip
Version        : 6.0-8+deb7u6
CVE ID         : CVE-2014-9913 CVE-2016-9844
Debian Bug     : 847485 847486

"unzip -l" (CVE-2014-9913) and "zipinfo" (CVE-2016-9844) were vulnerable to buffer overflows when provided malformed or maliciously-crafted ZIP files.

For Debian 7 "Wheezy", these problems have been fixed in version 6.0-8+deb7u6.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 721-1] libgc security update
Package        : libgc
Version        : 1:7.1-9.1+deb7u1
CVE ID         : CVE-2016-9427
Debian Bug     : 844771

libgc is vulnerable to integer overflows in multiple places. In some cases, when asked to allocate a huge quantity of memory, instead of failing the request it will return a pointer to a small amount of memory, possibly tricking the application into a buffer overwrite.

For Debian 7 "Wheezy", these problems have been fixed in version 1:7.1-9.1+deb7u1.

We recommend that you upgrade your libgc packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 716-1] tiff security update
Package        : tiff
Version        : 4.0.2-6+deb7u8
CVE ID         : CVE-2016-9273 CVE-2016-9297 CVE-2016-9532
Debian Bug     : 844013 844226 844057

Multiple memory corruption issues have been identified in libtiff and its associated tools.

CVE-2016-9273

    Heap buffer overflow in cpStrips().

CVE-2016-9297

    Read outside buffer in _TIFFPrintField().

CVE-2016-9532

    Heap buffer overflow via writeBufferToSeparateStrips().

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u8.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 693-1] tiff security update
Package        : tiff
Version        : 4.0.2-6+deb7u7
CVE ID         : CVE-2014-8128 CVE-2015-7554 CVE-2015-8668 CVE-2016-3186 CVE-2016-3619 CVE-2016-3620 CVE-2016-3621 CVE-2016-3631 CVE-2016-3632 CVE-2016-3633 CVE-2016-3634 CVE-2016-5102 CVE-2016-5318 CVE-2016-5319 CVE-2016-5652 CVE-2016-6223 CVE-2016-8331
Debian Bug     : 842043 842046 842361 842270

The libtiff library and associated tools provided in libtiff-tools are vulnerable to many security problems.

This update drops many tools which are no longer supported upstream and which are affected by multiple memory corruption issues:

* bmp2tiff (CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-5319, CVE-2015-8668)
* gif2tiff (CVE-2016-3186, CVE-2016-5102)
* ras2tiff
* sgi2tiff
* sgisv
* ycbcr
* rgb2ycbcr (CVE-2016-3623, CVE-2016-3624)
* thumbnail (CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634, CVE-2016-8331)

This update also fixes the following issues:

CVE-2014-8128, CVE-2015-7554, CVE-2016-5318

    Multiple buffer overflows triggered through TIFFGetField() on unknown tags. Lacking an upstream fix, the list of known tags has been extended to cover all those that are in use by the TIFF tools.

CVE-2016-5652

    Heap based buffer overflow in tiff2pdf.

CVE-2016-6223

    Information leak in libtiff/tif_read.c. Fix out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value (reported by Mathias Svensson).

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u7.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 372-1] virtualbox-ose 3.2.x is no longer supported in Debian 6
Package        : virtualbox-ose

Oracle stopped supporting version 3.2 of VirtualBox last June. They also do not disclose enough information about vulnerabilities discovered and fixed in newer versions, so it is impossible for us to verify whether a vulnerability also applies to 3.2 and to backport the fix when needed.

We are thus no longer supporting virtualbox-ose in Debian 6 Squeeze. If you rely on it, you should either consider using backports of newer versions (version 4.1.42 is available in squeeze-backports) or upgrade to Debian 7 Wheezy (or newer).

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 371-1] foomatic-filters security update
Package        : foomatic-filters
Version        : 4.0.5-6+squeeze2+deb6u12
CVE ID         : CVE-2015-8560
Debian Bug     : 807993

Adam Chester discovered that there was an injection vulnerability in foomatic-filters, which is used by printer spoolers to convert incoming PostScript data into the printer's native format. This could lead to the execution of arbitrary commands.

The patch applied in DLA 365-1 prevented usage of (unescaped) backticks, and this update complements the previous update by doing the same for semicolons.

For Debian 6 Squeeze, this issue has been fixed in foomatic-filters version 4.0.5-6+squeeze2+deb6u12.

(Thanks to Yann Soubeyrand who prepared the updated Debian package)

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 366-1] arts security update
Package        : arts
Version        : 1.5.9-3+deb6u1
CVE ID         : CVE-2015-7543

It has been reported that arts uses the insecure mktemp() function to create the temporary directory it uses to host user-specific sockets. It is thus possible for another user to hijack this temporary directory and gain IPC access it should not have.

In Debian 6 "Squeeze", this issue has been addressed in arts 1.5.9-3+deb6u1 with the use of the safer mkdtemp() function.

We recommend that you upgrade your arts packages. Other Debian releases do not have the arts package.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 367-1] kdelibs security update
Package        : kdelibs
Version        : 3.5.10.dfsg.1-5+deb6u1
CVE ID         : CVE-2015-7543

It has been reported that kdelibs uses the insecure mktemp() function to create the temporary directory it uses to host user-specific sockets. It is thus possible for another user to hijack this temporary directory and gain socket access it should not have.

In Debian 6 "Squeeze", this issue has been addressed in kdelibs 3.5.10.dfsg.1-5+deb6u1 with the use of the safer mkdtemp() function.

We recommend that you upgrade your kdelibs packages. Other Debian releases have newer versions of the libraries (kdelibs4) that are not affected by this problem.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 361-1] bouncycastle security update
Package        : bouncycastle
Version        : 1.44+dfsg-2+deb6u1
CVE ID         : CVE-2015-7940
Debian Bug     : 802671

The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, aka an "invalid curve attack."

For Debian 6 "Squeeze", this issue has been fixed in version 1.44+dfsg-2+deb6u1 of bouncycastle.

Many thanks to upstream author Peter Dettmann who reviewed the backport that we prepared.

--
Raphaël Hertzog ◈ Debian Developer
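What the missing check looks like, as an added Python example that is not Bouncy Castle's code: a toy ECDH over a constructed curve on GF(17) (not a standard curve) that rejects a peer point off the curve before any scalar multiplication; the curve parameters, base point and key values are assumptions chosen so the arithmetic is readable.

```python
"""Validate a received ECDH point before using it.

Added example, not Bouncy Castle's implementation. The toy curve is
y^2 = x^3 + 2x + 2 over GF(17), which has 19 points, so every point other
than infinity generates the whole group; the parameters are constructed
for readability, not a real curve.
"""

P, A, B = 17, 2, 2     # constructed toy curve parameters
G = (5, 1)             # base point on that curve
INFINITY = None        # point at infinity, the group identity


def is_on_curve(point):
    """True if point is infinity or satisfies y^2 = x^3 + A x + B (mod P)."""
    if point is INFINITY:
        return True
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition. B never appears in these formulas, so they compute
    equally well on any curve y^2 = x^3 + A x + B' with the same A: an
    unvalidated input point silently moves the computation onto a curve of
    the sender's choosing, which is what an invalid curve attack relies on."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add k*point; the on-curve check must happen before this."""
    result = INFINITY
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_key, peer_point):
    """Derive private_key * peer_point, refusing any point not on the curve.

    Rejecting infinity as well keeps a degenerate peer value from producing
    a trivial shared secret.
    """
    if peer_point is INFINITY or not is_on_curve(peer_point):
        raise ValueError("peer public point is not on the curve")
    return scalar_mult(private_key, peer_point)


if __name__ == "__main__":
    alice_priv, bob_priv = 7, 3  # constructed demo keys
    alice_pub, bob_pub = scalar_mult(alice_priv, G), scalar_mult(bob_priv, G)
    print(ecdh_shared_secret(alice_priv, bob_pub),
          ecdh_shared_secret(bob_priv, alice_pub))
```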
[SECURITY] [DLA 353-1] imagemagick security update
Package        : imagemagick
Version        : 8:6.6.0.4-3+squeeze7
Debian Bug     : 806441

Submitting specially crafted icons (.ico) or .pict images to ImageMagick can trigger integer overflows that can lead to buffer overflows and memory allocation issues. Depending on the case, this can lead to a denial of service or possibly worse.

For Debian 6 Squeeze, those issues have been fixed in imagemagick 8:6.6.0.4-3+squeeze7.

We recommend that you upgrade your packages.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 350-1] eglibc security update
Package        : eglibc
Version        : 2.11.3-4+deb6u8
CVE ID         : not assigned yet
Debian Bug     : 803927

The strxfrm() function is vulnerable to integer overflows when computing memory allocation sizes (similar to CVE-2012-4412). Furthermore, since it falls back to alloca() when malloc() fails, it is vulnerable to stack-based buffer overflows (similar to CVE-2012-4424).

Those issues have been fixed in Debian 6 Squeeze with eglibc 2.11.3-4+deb6u8.

We recommend that you upgrade libc6 and other packages provided by eglibc.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 339-1] libhtml-scrubber-perl security update
Package        : libhtml-scrubber-perl
Version        : 0.08-4+deb6u1
CVE ID         : CVE-2015-5667
Debian Bug     : 803943

HTML::Scrubber is vulnerable to a cross-site scripting (XSS) vulnerability when the comment feature is enabled. It allows remote attackers to inject arbitrary web script or HTML via a crafted comment.

For Debian 6 squeeze, this has been fixed in libhtml-scrubber-perl version 0.08-4+deb6u1.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 330-1] unzip security update
Package        : unzip
Version        : 6.0-4+deb6u3
CVE ID         : CVE-2015-7696 CVE-2015-7697
Debian Bug     : 802160 802162

Gustavo Grieco discovered with a fuzzer that unzip was vulnerable to a heap overflow and to a denial of service with specially crafted password-protected ZIP archives.

For Debian 6 squeeze, these issues have been fixed in unzip 6.0-4+deb6u3.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 286-1] squid3 security update
Package        : squid3
Version        : 3.1.6-1.2+squeeze5
CVE ID         : CVE-2015-5400
Debian Bug     : 793128

Alex Rousskov discovered that Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses. In some configurations, it allows remote clients to bypass security in an explicit gateway proxy.

For Debian 6 Squeeze, this problem has been fixed in squid3 version 3.1.6-1.2+squeeze5.

We recommend that you upgrade your squid3 packages.

--
Raphaël Hertzog ◈ Debian Developer
[SECURITY] [DLA 272-1] python-django security update
Package: python-django
Version: 1.2.3-3+squeeze13
CVE ID: CVE-2015-2317 CVE-2015-5143 CVE-2015-5144

Several vulnerabilities were discovered in Django, a high-level Python web development framework:

CVE-2015-2317

Daniel Chatfield discovered that python-django, a high-level Python web development framework, incorrectly handled user-supplied redirect URLs. A remote attacker could use this flaw to perform a cross-site scripting attack.

CVE-2015-5143

Eric Peterson and Lin Hua Cheng discovered that a new empty record used to be created in the session storage every time a session was accessed and an unknown session key was provided in the request cookie. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted.

CVE-2015-5144

Sjoerd Job Postmus discovered that some built-in validators did not properly reject newlines in input values. This could allow remote attackers to inject headers in emails and HTTP responses.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 1.2.3-3+squeeze13.
[SECURITY] [DLA 261-1] aptdaemon security update
Package: aptdaemon
Version: 0.31+bzr413-1.1+deb6u1
CVE ID: CVE-2015-1323
Debian Bug: 789162

Tavis Ormandy discovered that Aptdaemon incorrectly handled the simulate dbus method. A local attacker could use this issue to possibly expose sensitive information, or perform other file access as the root user.

For Debian 6 “Squeeze”, this problem has been fixed in version 0.31+bzr413-1.1+deb6u1 of aptdaemon.

We recommend that you upgrade your aptdaemon package.
[SECURITY] [DLA 240-1] libapache-mod-jk security update
Package: libapache-mod-jk
Version: 1:1.2.30-1squeeze2
CVE ID: CVE-2014-8111
Debian Bug: 783233

An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.

For the squeeze distribution, this problem has been fixed in version 1:1.2.30-1squeeze2.

We recommend that you upgrade your libapache-mod-jk packages.

This update has been prepared by Markus Koschany.
[SECURITY] [DLA 210-1] qt4-x11 security update
Package: qt4-x11
Version: 4:4.6.3-4+squeeze3
CVE ID: CVE-2013-0254 CVE-2015-0295 CVE-2015-1858 CVE-2015-1859 CVE-2015-1860
Debian Bug: 779550 783133

This update fixes multiple security issues in the Qt library.

CVE-2013-0254

The QSharedMemory class uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server.

CVE-2015-0295 / CVE-2015-1858 / CVE-2015-1859 / CVE-2015-1860

Denial of service (via segmentation faults) through crafted images (BMP, GIF, ICO).
[SECURITY] [DLA 143-1] python-django security update
Package: python-django
Version: 1.2.3-3+squeeze12
CVE ID: CVE-2015-0219 CVE-2015-0220 CVE-2015-0221

Multiple security issues have been found in Django:
https://www.djangoproject.com/weblog/2015/jan/13/security/

For Debian 6 Squeeze, they have been fixed in version 1.2.3-3+squeeze12 of python-django.

Here is what the upstream developers have to say about those issues:

CVE-2015-0219 - WSGI header spoofing via underscore/dash conflation

When HTTP headers are placed into the WSGI environ, they are normalized by converting to uppercase, converting all dashes to underscores, and prepending HTTP_. For instance, a header X-Auth-User would become HTTP_X_AUTH_USER in the WSGI environ (and thus also in Django's request.META dictionary).

Unfortunately, this means that the WSGI environ cannot distinguish between headers containing dashes and headers containing underscores: X-Auth-User and X-Auth_User both become HTTP_X_AUTH_USER. This means that if a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if the proxy carefully strips any incoming value for X-Auth-User, an attacker may be able to provide an X-Auth_User header (with underscore) and bypass this protection.

In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers containing underscores from incoming requests by default. Django's built-in development server now does the same. Django's development server is not recommended for production use, but matching the behavior of common production servers reduces the surface area for behavior changes during deployment.

CVE-2015-0220 - Possible XSS attack via user-supplied redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an on-success URL. The security checks for these redirects (namely django.util.http.is_safe_url()) didn't strip leading whitespace on the tested URL and as such considered URLs like \njavascript:... safe. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack. This bug doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.

CVE-2015-0221 - Denial-of-service attack against django.views.static.serve

In older versions of Django, the django.views.static.serve() view read the files it served one line at a time. Therefore, a big file with no newlines would result in memory usage equal to the size of that file. An attacker could exploit this and launch a denial-of-service attack by simultaneously requesting many large files. This view now reads the file in chunks to prevent large memory usage.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid. Now may be a good time to audit your project and serve your files in production using a real front-end web server if you are not doing so.

Note that the version of Django in use in Debian 6 Squeeze was not affected by CVE-2015-0222 (Database denial-of-service with ModelMultipleChoiceField) since that feature does not exist in this version.
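As an added illustration of the CVE-2015-0219 and CVE-2015-0220 mechanisms described above (example code written for this page, not Django's or the advisory's own), the block below reproduces the WSGI name normalization that makes X-Auth-User and X-Auth_User collide, the underscore filter that closes it, and a minimal redirect check that strips leading whitespace before parsing. The proxy/client header samples and the `is_safe_redirect` helper are this example's own simplifications, not Django's implementation.

```python
"""Added example (not Django's code): the WSGI dash/underscore header
conflation behind CVE-2015-0219, the filter that closes it, and a
redirect check that strips leading whitespace (CVE-2015-0220)."""
from urllib.parse import urlparse


def wsgi_header_key(name: str) -> str:
    """Normalize a header name the way WSGI does: uppercase, '-' -> '_',
    and an HTTP_ prefix. X-Auth-User and X-Auth_User collide here."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(headers, drop_underscore=True):
    """Build an environ from (name, value) pairs. With drop_underscore,
    any header whose raw name contains '_' is discarded first, as Nginx,
    Apache 2.4+ and the patched Django dev server do."""
    environ = {}
    for name, value in headers:
        if drop_underscore and "_" in name:
            continue  # rejected before it can collide with a dashed header
        environ[wsgi_header_key(name)] = value
    return environ


# Constructed sample: the proxy sets X-Auth-User after stripping the
# client's copy, but the client's underscore variant passes through.
PROXY_SET = [("X-Auth-User", "anonymous")]
CLIENT_SENT = [("X-Auth_User", "admin"), ("Host", "example.test")]


def user_seen_by_app(drop_underscore: bool):
    """Value the application reads from HTTP_X_AUTH_USER."""
    env = build_environ(PROXY_SET + CLIENT_SENT, drop_underscore)
    return env.get("HTTP_X_AUTH_USER")


def is_safe_redirect(url: str, allowed_host: str) -> bool:
    """Accept only relative URLs or http(s) URLs on allowed_host.
    Leading whitespace is stripped first so that a '\\njavascript:...'
    target is parsed as a scheme and rejected, not as a relative path."""
    url = url.strip()
    if not url:
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    return not parsed.netloc or parsed.netloc == allowed_host
```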
[SECURITY] [DLA 113-1] bsd-mailx security update
Package: bsd-mailx
Version: 8.1.2-0.20100314cvs-1+deb6u1
CVE ID: CVE-2014-7844

It was discovered that bsd-mailx, an implementation of the mail command, had an undocumented feature which treats syntactically valid email addresses as shell commands to execute. Users who need this feature can re-enable it using the expandaddr option in an appropriate mailrc file.

This update also removes the obsolete -T option.

An older security vulnerability, CVE-2004-2771, had already been addressed in Debian's bsd-mailx package.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the -- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke mail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header.

For the oldstable distribution (squeeze), this problem has been fixed in version 8.1.2-0.20100314cvs-1+deb6u1.

We recommend that you upgrade your bsd-mailx packages.
[SECURITY] [DLA 114-1] heirloom-mailx security update
Package: heirloom-mailx
Version: 12.4-2+deb6u1
CVE ID: CVE-2004-2771 CVE-2014-7844

Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the mail command:

CVE-2004-2771

mailx interprets shell meta-characters in certain email addresses.

CVE-2014-7844

An unexpected feature of mailx treats syntactically valid email addresses as shell commands to execute. Shell command execution can be re-enabled using the expandaddr option.

Note that this security update does not remove all mailx facilities for command execution, though. Scripts which send mail to addresses obtained from an untrusted source (such as a web form) should use the -- separator before the email addresses (which was fixed to work properly in this update), or they should be changed to invoke mail -t or sendmail -i -t instead, passing the recipient addresses as part of the mail header.

For the oldstable distribution (squeeze), these problems have been fixed in version 12.4-2+deb6u1.

We recommend that you upgrade your heirloom-mailx packages.
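Both mailx advisories above recommend the -- separator or the mail -t / sendmail -i -t forms for recipients taken from untrusted input. The Python block below is an added example, not code from the advisories or from either mailx package, that builds both invocations; the strict address pattern and the `send` helper are this example's own choices, and no MTA is invoked when it is imported.

```python
"""Added example, not code from the advisories or the mailx packages:
handing untrusted recipient addresses to mail/sendmail safely."""
import re
import subprocess
from email.message import EmailMessage

# Deliberately strict addr-spec (this example's own choice): no
# whitespace, quotes or shell metacharacters, so nothing resembling a
# command or a second header line reaches mailx.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_plain_address(addr: str) -> bool:
    """True for a bare user@host.tld that does not start with '-'."""
    return _ADDR_RE.fullmatch(addr) is not None and not addr.startswith("-")


def _checked(recipients):
    """Reject the whole batch if any recipient fails the pattern."""
    bad = [r for r in recipients if not is_plain_address(r)]
    if bad:
        raise ValueError(f"rejected recipient(s): {bad!r}")
    return list(recipients)


def mail_argv(subject: str, recipients) -> list:
    """mail -s SUBJECT -- ADDR...: '--' ends option parsing, so a
    recipient beginning with '-' can never be taken as an option."""
    return ["mail", "-s", subject, "--", *_checked(recipients)]


def sendmail_cmd(subject: str, sender: str, recipients, body: str):
    """sendmail -i -t: recipients are read from the To: header on stdin,
    so argv carries no untrusted data at all. Returns (argv, stdin)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(_checked(recipients))
    msg["Subject"] = subject
    msg.set_content(body)
    return ["sendmail", "-i", "-t"], msg.as_bytes()


def send(argv, stdin=None):
    """Run one of the commands built above (needs an MTA; not exercised)."""
    subprocess.run(argv, input=stdin, check=True)
```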
[SECURITY] [DLA 106-1] getmail4 security update
Package: getmail4
Version: 4.46.0-1~deb6u1
CVE ID: CVE-2014-7273 CVE-2014-7274 CVE-2014-7275
Debian Bug: 766670

Several vulnerabilities have been discovered in getmail4, a mail retriever with support for POP3, IMAP4 and SDPS, that could allow man-in-the-middle attacks.

CVE-2014-7273

The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate.

CVE-2014-7274

The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate from a recognized Certification Authority.

CVE-2014-7275

The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate.

For the squeeze distribution, those problems have been fixed by importing a new upstream version: 4.46.0-1~deb6u1.

The updated package has been prepared by Osamu Aoki.
[SECURITY] [DLA 71-1] apache2 security update
Package: apache2
Version: 2.2.16-6+squeeze14
CVE ID: CVE-2013-5704 CVE-2014-3581

This update fixes two security issues with apache2.

CVE-2013-5704

Disable the possibility to replace HTTP headers with HTTP trailers as this could be used to circumvent earlier header operations made by other modules. This can be restored with a new MergeTrailers directive.

CVE-2014-3581

Fix denial of service where Apache can segfault when mod_cache is used and when the cached request contains an empty Content-Type header.