Debian 10264 Published by

The following updates has been released for Debian:

[DLA 1014-1] libclamunrar security update
[DSA 3902-1] jabberd2 security update
[DSA 3903-1] tiff security update



[DLA 1014-1] libclamunrar security update

Package : libclamunrar
Version : 0.99-0+deb7u2
CVE ID : CVE-2017-7520
Debian Bug : #867223

It was discovered that there was an arbitrary code execution vulnerability in
libcamunrar, a library to add unrar support to the Clam anti-virus software.

This was caused by an integer overflow resulting in a negative value of the
``DestPos`` variable, which allows the attacker to write out of bounds when
setting ``Mem[DestPos]``.

For Debian 7 "Wheezy", this issue has been fixed in libclamunrar version
0.99-0+deb7u2.

We recommend that you upgrade your libclamunrar packages.

[DSA 3902-1] jabberd2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3902-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 05, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jabberd2
CVE ID : CVE-2017-10807
Debian Bug : 867032

It was discovered that jabberd2, a Jabber instant messenger server,
allowed anonymous SASL connections, even if disabled in the
configuration.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.0-3+deb9u1.

We recommend that you upgrade your jabberd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3903-1] tiff security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3903-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 05, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2016-10095 CVE-2017-9147 CVE-2017-9403 CVE-2017-9404
CVE-2017-9936 CVE-2017-10688

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 4.0.8-3.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.8-3.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/