Debian 10260 Published by

The following updates has been released for Debian:

[DLA 971-1] nss security update
[DSA 3869-1] tnef security update
[DSA 3870-1] wordpress security update



[DLA 971-1] nss security update

Package : nss
Version : 2:3.26-1+debu7u4
CVE ID : CVE-2017-7502
Debian Bug : 863839

CVE-2017-7502

A null pointer dereference vulnerability in NSS was found when server
receives empty SSLv2 messages. This issue was introduced with the recent
removal of SSLv2 protocol from upstream code in 3.24.0 and introduction
of dedicated parser able to handle just sslv2-style hello messages.

For Debian 7 "Wheezy", this problem has been fixed in version
2:3.26-1+debu7u4.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3869-1] tnef security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3869-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tnef
CVE ID : CVE-2017-8911
Debian Bug : 862442

It was discovered that tnef, a tool used to unpack MIME attachments of
type "application/ms-tnef", did not correctly validate its input. An
attacker could exploit this by tricking a user into opening a
malicious attachment, which would result in a denial-of-service by
application crash.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.9-1+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.12-1.2.

We recommend that you upgrade your tnef packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3870-1] wordpress security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3870-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wordpress
CVE ID : CVE-2017-8295 CVE-2017-9061 CVE-2017-9062 CVE-2017-9063
CVE-2017-9064 CVE-2017-9065
Debian Bug : 862053 862816

Several vulnerabilities were discovered in wordpress, a web blogging
tool. They would allow remote attackers to force password resets, and
perform various cross-site scripting and cross-site request forgery
attacks.

For the stable distribution (jessie), these problems have been fixed in
version 4.1+dfsg-1+deb8u13.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 4.7.5+dfsg-1.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/