Debian 10225 Published by

The following updates has been released for Debian:

[DLA 839-2] tnef regression update
[DLA 870-1] libplist security update
[DLA 871-1] python3.2 security update
[DSA 3817-1] jbig2dec security update



[DLA 839-2] tnef regression update

Package : tnef
Version : 1.4.9-1+deb7u2
CVE ID : CVE-2017-6307 CVE-2017-6308 CVE-2017-6309 CVE-2017-6310
Debian Bug : 857342


While fixing the above mentioned CVEs, upstream introduced a regression.
The new patches added for this upload take care of that.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.9-1+deb7u2.

We recommend that you upgrade your tnef packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 870-1] libplist security update

Package : libplist
Version : 1.8-1+deb7u3
CVE ID : CVE-2017-6435 CVE-2017-6436 CVE-2017-6439

More vulnerabilities were discovered in libplist, a library for
reading and writing the Apple binary and XML property lists format.
A maliciously crafted plist file could cause a denial-of-service
(application crash) by triggering a heap-based buffer overflow or
memory allocation error in the parse_string_node function.

For Debian 7 "Wheezy", these problems have been fixed in version
1.8-1+deb7u3.

We recommend that you upgrade your libplist packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 871-1] python3.2 security update

Package : python3.2
Version : 3.2.3-7+deb7u1
CVE ID : CVE-2016-0772

It was discovered that there was a TLS stripping vulnerability in the smptlib
library distributed with the CPython interpreter.

The library did not return an error if StartTLS failed, which might have
allowed man-in-the-middle attackers to bypass the TLS protections by leveraging
a network position to block the StartTLS command.

For Debian 7 "Wheezy", this issue has been fixed in python3.2 version
3.2.3-7+deb7u1.

We recommend that you upgrade your python3.2 packages.

[DSA 3817-1] jbig2dec security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3817-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jbig2dec
CVE ID : CVE-2016-9601

Multiple security issues have been found in the JBIG2 decoder library,
which may lead to lead to denial of service or the execution of arbitrary
code if a malformed image file (usually embedded in a PDF document) is
opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.13-4~deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 0.13-4.

For the unstable distribution (sid), this problem has been fixed in
version 0.13-4.

We recommend that you upgrade your jbig2dec packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/