Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 780-1] libav security update
[DLA 781-1] asterisk security update
[DSA 3760-1] ikiwiki security update
[DSA 3761-1] rabbitmq-server security update



[DLA 780-1] libav security update

Package : libav
Version : 6:0.8.19-0+deb7u1
CVE ID : CVE-2016-7424

Multiple vulnerabilities have been found in libav:

CVE-2016-7424

The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in
libav 11.7 and earlier allows remote attackers to cause a denial
of service (NULL pointer dereference and crash) via a crafted MP3
file.

(No CVE assigned)

The h264 codec is vulnerable to various crashes with invalid-free,
corrupted double-linked list or out-of-bounds read.

For Debian 7 "Wheezy", these problems have been fixed in version
6:0.8.19-0+deb7u1.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 781-1] asterisk security update

Package : asterisk
Version : 1:1.8.13.1~dfsg1-3+deb7u5
CVE ID : CVE-2014-2287 CVE-2016-7551
Debian Bug : 838832 741313

Two security vulnerabilities were discovered in Asterisk, an Open
Source PBX and telephony toolkit.

CVE-2014-2287

channels/chan_sip.c in Asterisk when chan_sip has a certain
configuration, allows remote authenticated users to cause a denial
of service (channel and file descriptor consumption) via an INVITE
request with a (1) Session-Expires or (2) Min-SE header with a
malformed or invalid value.

CVE-2016-7551

The overlap dialing feature in chan_sip allows chan_sip to report
to a device that the number that has been dialed is incomplete and
more digits are required. If this functionality is used with a
device that has performed username/password authentication RTP
resources are leaked. This occurs because the code fails to release
the old RTP resources before allocating new ones in this scenario.
If all resources are used then RTP port exhaustion will occur and
no RTP sessions are able to be set up.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.8.13.1~dfsg1-3+deb7u5.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3760-1] ikiwiki security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3760-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 12, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ikiwiki
CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356

Multiple vulnerabilities have been found in the Ikiwiki wiki compiler:

CVE-2016-9646

Commit metadata forgery via CGI::FormBuilder context-dependent APIs

CVE-2016-10026

Editing restriction bypass for git revert

CVE-2017-0356

Authentication bypass via repeated parameters

Additional details on these vulnerabilities can be found at
https://ikiwiki.info/security/

For the stable distribution (jessie), these problems have been fixed in
version 3.20141016.4.

For the unstable distribution (sid), these problems have been fixed in
version 3.20170111.

We recommend that you upgrade your ikiwiki packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3761-1] rabbitmq-server security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3761-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
January 13, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rabbitmq-server
CVE ID : CVE-2016-9877
Debian Bug : 849849

It was discovered that RabbitMQ, an implementation of the AMQP
protocol, didn't correctly validate MQTT (MQ Telemetry Transport)
connection authentication. This allowed anyone to login to an existing
user account without having to provide a password.

For the stable distribution (jessie), this problem has been fixed in
version 3.3.5-1.1+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this
problem has been fixed in version 3.6.6-1.

We recommend that you upgrade your rabbitmq-server packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/