Debian 10228 Published by

The following updates has been released for Debian:

[DLA 741-1] unzip security update
[DLA 742-1] chrony security update
[DSA 3732-1] php5 security update
[DSA 3733-1] apt security update



[DLA 741-1] unzip security update

Package : unzip
Version : 6.0-8+deb7u6
CVE ID : CVE-2014-9913 CVE-2016-9844
Debian Bug : 847485 847486

"unzip -l" (CVE-2014-9913) and "zipinfo" (CVE-2016-9844) were vulnerable
to buffer overflows when provided malformed or maliciously-crafted ZIP
files.

For Debian 7 "Wheezy", these problems have been fixed in version
6.0-8+deb7u6.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 742-1] chrony security update

Package : chrony
Version : 1.24-3.1+deb7u4
CVE ID : CVE-2016-1567
Debian Bug : 812923 568492

It was discovered that Chrony, a versatile implementation of the
Network Time Protocol, did not verify peer associations of symmetric
keys when authenticating packets, which might allow remote attackers
to conduct impersonation attacks via an arbitrary trusted key, aka a
"skeleton key."

This update also resolves Debian bug #568492.

For Debian 7 "Wheezy", these problems have been fixed in version
1.24-3.1+deb7u4.

We recommend that you upgrade your chrony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3732-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3732-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
December 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2016-9138 CVE-2016-9933 CVE-2016-9934

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.28, which includes additional bug fixes. Please refer to
the upstream changelog for more information:

https://secure.php.net/ChangeLog-5.php#5.6.28

For the stable distribution (jessie), these problems have been fixed in
version 5.6.28+dfsg-0+deb8u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3733-1] apt security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3733-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : apt
CVE ID : CVE-2016-1252

Jann Horn of Google Project Zero discovered that APT, the high level
package manager, does not properly handle errors when validating
signatures on InRelease files. An attacker able to man-in-the-middle
HTTP requests to an apt repository that uses InRelease files
(clearsigned Release files), can take advantage of this flaw to
circumvent the signature of the InRelease file, leading to arbitrary
code execution.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.9.8.4.

For the unstable distribution (sid), this problem has been fixed in
version 1.4~beta2.

We recommend that you upgrade your apt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/