Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 982-1] tor security update
[DSA 3875-1] libmwaw security update
[DSA 3876-1] otrs2 security update
[DSA 3877-1] tor security update



[DLA 982-1] tor security update

Package : tor
Version : 0.2.4.29-1
CVE ID : CVE-2017-0376
Debian Bug : 864424

It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contains a flaw in the hidden service
code. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).

For Debian 7 "Wheezy", this problem has been fixed in version
0.2.4.29-1.

We recommend that you upgrade your tor packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3875-1] libmwaw security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3875-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libmwaw
CVE ID : CVE-2017-9433

It was discovered that a buffer overflow in libmwaw, a library to open
old Mac text documents might result in the execution of arbitrary code
if a malformed document is opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.3.1-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.3.9-2.

We recommend that you upgrade your libmwaw packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3876-1] otrs2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3876-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : otrs2
CVE ID : CVE-2017-9324

Joerg-Thomas Vogt discovered that the SecureMode was insufficiently
validated in the OTRS ticket system, which could allow agents to
escalate their privileges.

For the stable distribution (jessie), this problem has been fixed in
version 3.3.9-3+deb8u1.

For the upcoming stable distribution (stretch), this problem will be
fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 5.0.20-1.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3877-1] tor security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3877-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tor
CVE ID : CVE-2017-0376
Debian Bug : 864424

It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contain a flaw in the hidden service
code when receiving a BEGIN_DIR cell on a hidden service rendezvous
circuit. A remote attacker can take advantage of this flaw to cause a
hidden service to crash with an assertion failure (TROVE-2017-005).

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.14-1.

For the upcoming stable distribution (stretch), this problem will be
fixed in version 0.2.9.11-1~deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.9.11-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/