The following updates has been released for Debian GNU/Linux:

[DLA 998-1] c-ares security update
[DLA 999-1] openvpn security update
[DSA 3896-1] apache2 security update

[DLA 998-1] c-ares security update

Package : c-ares
Version : 1.9.1-3+deb7u2
CVE ID : CVE-2017-1000381

CVE-2017-1000381
The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response
packet was crafted in a particular way.


For Debian 7 "Wheezy", these problems have been fixed in version
1.9.1-3+deb7u2.

We recommend that you upgrade your c-ares packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 999-1] openvpn security update

Package : openvpn
Version : 2.2.1-8+deb7u5
CVE ID : CVE-2017-7520
Debian Bug : #865480

It was discovered that there were multiple out-of-bounds memory read
vulnerabilities in openvpn, a popular virtual private network (VPN) daemon.

If clients used a HTTP proxy with NTLM authentication, a man-in-the-middle
attacker could cause the client to crash or disclose at most 96 bytes of stack
memory, likely to contain the proxy password.

For Debian 7 "Wheezy", this issue has been fixed in openvpn version
2.2.1-8+deb7u5.

We recommend that you upgrade your openvpn packages.

[DSA 3896-1] apache2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3896-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : apache2
CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
CVE-2017-7679

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167

Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by
third-party modules outside of the authentication phase may lead to
authentication requirements being bypassed.

CVE-2017-3169

Vasileios Panopoulos of AdNovum Informatik AG discovered that
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port
leading to a denial of service.

CVE-2017-7659

Robert Swiecki reported that a specially crafted HTTP/2 request
could cause mod_http2 to dereference a NULL pointer and crash the
server process.

CVE-2017-7668

Javier Jimenez reported that the HTTP strict parsing contains a
flaw leading to a buffer overread in ap_find_token(). A remote
attacker can take advantage of this flaw by carefully crafting a
sequence of request headers to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.

CVE-2017-7679

ChenQin and Hanno Boeck reported that mod_mime can read one byte
past the end of a buffer when sending a malicious Content-Type
response header.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not
affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.25-4.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/