Debian 10229 Published by

The following updates has been released for Debian:

[DLA 961-1] mosquitto security update
[DLA 965-1] qemu-kvm security update
[DLA 966-1] pngquant security update
[DLA 967-1] gajim security update
[DLA 968-1] libpodofo security update
[DLA 969-1] tiff security update
[DLA 970-1] sudo security update
[DSA 3866-1] strongswan security update
[DSA 3867-1] sudo security update
[DSA 3868-1] openldap security update



[DLA 961-1] mosquitto security update

Package : mosquitto
Version : 0.15-2+deb7u1
CVE ID : CVE-2017-7650
Debian Bug :

CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set their username/client id
This allows locally or remotely connected clients to access MQTT topics that they do have the rights to.
The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use,
or potentially where third party plugins are in use.

For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u1.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 965-1] qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u22
CVE ID : CVE-2016-9602 CVE-2017-7377 CVE-2017-7471 CVE-2017-7493
CVE-2017-8086

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution for Linux hosts on x86 hardware with x86 guests
based on the Quick Emulator(Qemu).

CVE-2016-9602

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to an improper link
following issue. It could occur while accessing symbolic link files
on a shared host directory.

A privileged user inside guest could use this flaw to access host file
system beyond the shared folder and potentially escalating their
privileges on a host.

CVE-2017-7377

Quick Emulator(Qemu) built with the virtio-9p back-end support is
vulnerable to a memory leakage issue. It could occur while doing a I/O
operation via v9fs_create/v9fs_lcreate routine.

A privileged user/process inside guest could use this flaw to leak
host memory resulting in Dos.

CVE-2017-7471

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to an improper access
control issue. It could occur while accessing files on a shared host
directory.

A privileged user inside guest could use this flaw to access host file
system beyond the shared folder and potentially escalating their
privileges on a host.

CVE-2017-7493

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to an improper access
control issue. It could occur while accessing virtfs metadata files
in mapped-file security mode.

A guest user could use this flaw to escalate their privileges inside
guest.

CVE-2017-8086

Quick Emulator(Qemu) built with the virtio-9p back-end support is
vulnerable to a memory leakage issue. It could occur while querying
file system extended attributes via 9pfs_list_xattr() routine.

A privileged user/process inside guest could use this flaw to leak
host memory resulting in Dos.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u22.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 966-1] pngquant security update

Package : pngquant
Version : 1.0-4.1+deb7u1
CVE ID : CVE-2016-5735
Debian Bug : 863469

It was found that pngquant is susceptible to a buffer overflow write
issue triggered by a maliciously crafted png image, which could lead
into denial of service or other issues.

For Debian 7 "Wheezy", these problems have been fixed in version
1.0-4.1+deb7u1.

We recommend that you upgrade your pngquant packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 967-1] gajim security update

Package : gajim
Version : 0.15.1-4.1+deb7u3
CVE ID : CVE-2016-10376
Debian Bug : 863445

Gajim implements XEP-0146, an XMPP extension to run commands remotely
from another client. However it was found that malicious servers can
trigger commands, which could lead to leaking private conversations
from encrypted sessions. To solve this, XEP-0146 support has been
disabled by default.

For Debian 7 "Wheezy", these problems have been fixed in version
0.15.1-4.1+deb7u3.

We recommend that you upgrade your gajim packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 968-1] libpodofo security update

Package : libpodofo
Version : 0.9.0-1.1+deb7u2
CVE ID : CVE-2017-6840 CVE-2017-6842 CVE-2017-6843
CVE-2017-6847 CVE-2017-6848 CVE-2017-7378
CVE-2017-7380 CVE-2017-7381 CVE-2017-7382
CVE-2017-7383
Debian Bug : 861557 861564 859330 859329

Several heap-based buffer overflows and NULL pointer
dereferences have been discovered in libpodofo, a library for
manipulating PDF files, that allow remote attackers to cause a denial
of service (application crash) or other unspecified impact via a
crafted PDF document.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9.0-1.1+deb7u2.

We recommend that you upgrade your libpodofo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 969-1] tiff security update

Package : tiff
Version : 4.0.2-6+deb7u13
CVE ID : CVE-2016-3658 CVE-2016-10371
Debian Bug : 862929

Two vulnerabilities have been discovered in libtiff, a library
providing support for the Tag Image File Format, which may result in
denial of service (out-of-bounds read or assertion failure) via a
crafted TIFF file.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u13.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 970-1] sudo security update

Package : sudo
Version : 1.8.5p2-1+nmu3+deb7u3
CVE ID : CVE-2017-1000367
Debian Bug : 863731

The Qualys Security team discovered that sudo, a program designed to
provide limited super user privileges to specific users, does not
properly parse "/proc/[pid]/stat" to read the device number of the tty
from field 7 (tty_nr). A sudoers user can take advantage of this flaw on
an SELinux-enabled system to obtain full root privileges.

For Debian 7 "Wheezy", this problem has been fixed in version
1.8.5p2-1+nmu3+deb7u3.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u4.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3866-1] strongswan security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3866-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
May 30, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2017-9022 CVE-2017-9023

Two denial of service vulnerabilities were identified in strongSwan, an
IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project.

CVE-2017-9022

RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception and crash of the process.
A certificate with an appropriately prepared public key sent by a peer
could be used for a denial-of-service attack.

CVE-2017-9023

ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This could
lead to infinite looping of the thread parsing a specifically crafted
certificate.

A fix for a build failure was additionally included in the 5.2.1-6+deb8u4
revision of the strongSwan package.

For the stable distribution (jessie), these problems have been fixed in
version 5.2.1-6+deb8u3.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 5.5.1-4

For the unstable distribution (sid), these problems have been fixed in
version 5.5.1-4.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3867-1] sudo security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3867-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 30, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : sudo
CVE ID : CVE-2017-1000367
Debian Bug : 863731

The Qualys Security team discovered that sudo, a program designed to
provide limited super user privileges to specific users, does not
properly parse "/proc/[pid]/stat" to read the device number of the tty
from field 7 (tty_nr). A sudoers user can take advantage of this flaw on
an SELinux-enabled system to obtain full root privileges.

For the stable distribution (jessie), this problem has been fixed in
version 1.8.10p3-1+deb8u4.

We recommend that you upgrade your sudo packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3868-1] openldap security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3868-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 30, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openldap
CVE ID : CVE-2017-9287
Debian Bug : 863563

Karsten Heymann discovered that the OpenLDAP directory server can be
crashed by performing a paged search with a page size of 0, resulting in
denial of service. This vulnerability is limited to the MDB storage
backend.

For the stable distribution (jessie), this problem has been fixed in
version 2.4.40+dfsg-1+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 2.4.44+dfsg-5.

We recommend that you upgrade your openldap packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/