The following updates have been released for Debian:
[DLA 839-2] tnef regression update
[DLA 870-1] libplist security update
[DLA 871-1] python3.2 security update
[DSA 3817-1] jbig2dec security update
[DLA 839-2] tnef regression update
Package : tnef
Version : 1.4.9-1+deb7u2
CVE ID : CVE-2017-6307 CVE-2017-6308 CVE-2017-6309 CVE-2017-6310
Debian Bug : 857342
While fixing the above mentioned CVEs, upstream introduced a regression.
The new patches added for this upload take care of that.
For Debian 7 "Wheezy", these problems have been fixed in version
1.4.9-1+deb7u2.
We recommend that you upgrade your tnef packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 870-1] libplist security update
Package : libplist
Version : 1.8-1+deb7u3
CVE ID : CVE-2017-6435 CVE-2017-6436 CVE-2017-6439
More vulnerabilities were discovered in libplist, a library for
reading and writing the Apple binary and XML property lists format.
A maliciously crafted plist file could cause a denial-of-service
(application crash) by triggering a heap-based buffer overflow or
memory allocation error in the parse_string_node function.
For Debian 7 "Wheezy", these problems have been fixed in version
1.8-1+deb7u3.
We recommend that you upgrade your libplist packages.
[DLA 871-1] python3.2 security update
Package : python3.2
Version : 3.2.3-7+deb7u1
CVE ID : CVE-2016-0772
It was discovered that there was a TLS stripping vulnerability in the smtplib
library distributed with the CPython interpreter.
The library did not return an error if StartTLS failed, which might have
allowed man-in-the-middle attackers to bypass the TLS protections by leveraging
a network position to block the StartTLS command.
For Debian 7 "Wheezy", this issue has been fixed in python3.2 version
3.2.3-7+deb7u1.
We recommend that you upgrade your python3.2 packages.
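A caller-side check for the StartTLS failure described above, as an added example that is not part of the advisory or of CPython: the helper refuses to continue unless the session was really upgraded to TLS. The names connect_tls_or_fail, TLSRequired, RefusingPeer and demo, and the example.test host names, are assumptions made for illustration; the peer is a constructed local test server that advertises STARTTLS and then refuses it.

```python
import smtplib, socketserver, ssl, threading

class RefusingPeer(socketserver.StreamRequestHandler):
    """Constructed test peer: advertises STARTTLS, then refuses it with 454."""
    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP\r\n")
        for line in self.rfile:
            verb = line.strip().upper().split(b" ")[0]
            if verb == b"EHLO":
                self.wfile.write(b"250-mx.example.test\r\n250 STARTTLS\r\n")
            elif verb == b"STARTTLS":
                self.wfile.write(b"454 TLS not available\r\n")
            else:
                self.wfile.write(b"250 ok\r\n")

class TLSRequired(Exception):
    """Raised when the session could not be upgraded to TLS."""

def connect_tls_or_fail(host, port, context=None):
    """Return an smtplib.SMTP session only if it is really encrypted."""
    smtp = smtplib.SMTP(host, port, local_hostname="client.example.test", timeout=5)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TLSRequired("server did not advertise STARTTLS")
        code, reply = smtp.starttls(context=context or ssl.create_default_context())
        # An unpatched smtplib returns the failure code here instead of raising,
        # so check the code and the socket type rather than trusting the call.
        if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
            raise TLSRequired("STARTTLS refused: %s %r" % (code, reply))
        smtp.ehlo()  # re-read capabilities over the encrypted channel
        return smtp
    except (TLSRequired, OSError) as exc:  # SMTPException and SSLError are OSErrors
        smtp.close()
        raise TLSRequired("no TLS: %s" % exc) from exc

def demo():
    """Run the check against the constructed peer; return the refusal message."""
    with socketserver.TCPServer(("127.0.0.1", 0), RefusingPeer) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            connect_tls_or_fail(*srv.server_address)
        except TLSRequired as exc:
            return str(exc)
        finally:
            srv.shutdown()
    return None

if __name__ == "__main__":
    print(demo())
```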
[DSA 3817-1] jbig2dec security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3817-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : jbig2dec
CVE ID : CVE-2016-9601
Multiple security issues have been found in the JBIG2 decoder library,
which may lead to denial of service or the execution of arbitrary
code if a malformed image file (usually embedded in a PDF document) is
opened.
For the stable distribution (jessie), this problem has been fixed in
version 0.13-4~deb8u1.
For the upcoming stable distribution (stretch), this problem has been
fixed in version 0.13-4.
For the unstable distribution (sid), this problem has been fixed in
version 0.13-4.
We recommend that you upgrade your jbig2dec packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/