The following updates has been released for Debian 7 LTS:
[DLA 1007-1] icedove/thunderbird security update
[DLA 1009-1] apache2 security update
[DSA 3901-1] libgcrypt20 security update
[DLA 1007-1] icedove/thunderbird security update
[DLA 1009-1] apache2 security update
[DSA 3901-1] libgcrypt20 security update
[DLA 1007-1] icedove/thunderbird security update
Package : icedove
Version : 1:52.2.1-1~deb7u1
CVE ID : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
CVE-2017-7776 CVE-2017-7777 CVE-2017-7778
Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
spoofing.
For Debian 7 "Wheezy", these problems have been fixed in version
1:52.2.1-1~deb7u1.
We recommend that you upgrade your icedove packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 1009-1] apache2 security update
Package : apache2
Version : 2.2.22-13+deb7u9
CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679
Several vulnerabilities have been found in the Apache HTTPD server.
CVE-2017-3167
Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
third-party modules outside of the authentication phase may lead to
authentication requirements being bypassed.
CVE-2017-3169
Vasileios Panopoulos of AdNovum Informatik AG discovered that
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port
leading to a denial of service.
CVE-2017-7668
Javier Jimenez reported that the HTTP strict parsing contains a flaw
leading to a buffer overread in ap_find_token(). A remote attacker
can take advantage of this flaw by carefully crafting a sequence of
request headers to cause a segmentation fault, or to force
ap_find_token() to return an incorrect value.
CVE-2017-7679
ChenQin and Hanno Boeck reported that mod_mime can read one byte
past the end of a buffer when sending a malicious Content-Type
response header.
For Debian 7 "Wheezy", these problems have been fixed in version
2.2.22-13+deb7u9.
We recommend that you upgrade your apache2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 3901-1] libgcrypt20 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3901-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 02, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libgcrypt20
CVE ID : CVE-2017-7526
Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
Yuval Yarom discovered that Libgcrypt is prone to a local side-channel
attack allowing full key recovery for RSA-1024.
See https://eprint.iacr.org/2017/627 for details.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.3-2+deb8u4.
For the stable distribution (stretch), this problem has been fixed in
version 1.7.6-2+deb9u1.
For the testing distribution (buster), this problem has been fixed
in version 1.7.8-1.
For the unstable distribution (sid), this problem has been fixed in
version 1.7.8-1.
We recommend that you upgrade your libgcrypt20 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
