Debian 10225 Published by

The following updates has been released for Debian today:

[DLA 697-1] bsdiff security update
[DLA 698-1] qemu security update
[DLA 699-1] xen security update
[DSA 3704-1] memcached security update
[DSA 3705-1] curl security update



[DLA 697-1] bsdiff security update

Package : bsdiff
Version : 4.3-14+deb7u1
CVE ID : CVE-2014-9862

It was discovered that there was an "arbitrary write" vulnerability in bsdiff,
a tool to patches between binary files.

For Debian 7 "Wheezy", this issue has been fixed in bsdiff version
4.3-14+deb7u1.

We recommend that you upgrade your bsdiff packages.

[DLA 698-1] qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u18
CVE ID : CVE-2016-7909 CVE-2016-8909 CVE-2016-8910 CVE-2016-9101 CVE-2016-9102 CVE-2016-9103 CVE-2016-9104 CVE-2016-9105 CVE-2016-9106
Debian Bug : 839834 841950 841955 842455 842463

Several vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-7909

Quick Emulator(Qemu) built with the AMD PC-Net II emulator support is
vulnerable to an infinite loop issue. It could occur while receiving
packets via pcnet_receive().

A privileged user/process inside guest could use this issue to crash
the Qemu process on the host leading to DoS.

CVE-2016-8909

Quick Emulator(Qemu) built with the Intel HDA controller emulation support
is vulnerable to an infinite loop issue. It could occur while processing the
DMA buffer stream while doing data transfer in 'intel_hda_xfer'.

A privileged user inside guest could use this flaw to consume excessive CPU
cycles on the host, resulting in DoS.

CVE-2016-8910

Quick Emulator(Qemu) built with the RTL8139 ethernet controller emulation
support is vulnerable to an infinite loop issue. It could occur while
transmitting packets in C+ mode of operation.

A privileged user inside guest could use this flaw to consume
excessive CPU cycles on the host, resulting in DoS situation.

CVE-2016-9101

Quick Emulator(Qemu) built with the i8255x (PRO100) NIC emulation
support is vulnerable to a memory leakage issue. It could occur while
unplugging the device, and doing so repeatedly would result in leaking
host memory affecting, other services on the host.

A privileged user inside guest could use this flaw to cause a DoS on the host
and/or potentially crash the Qemu process on the host.

CVE-2016-9102 CVE-2016-9105 CVE-2016-9106

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to a several memory
leakage issues.

A privileged user inside guest could use this flaws to leak the host
memory bytes resulting in DoS for other services.

CVE-2016-9104

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to an integer overflow
issue. It could occur by accessing xattributes values.

A privileged user inside guest could use this flaw to crash the Qemu
process instance resulting in DoS.

CVE-2016-9103

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via
Plan 9 File System(9pfs) support, is vulnerable to an information
leakage issue. It could occur by accessing xattribute value before
it's written to.

A privileged user inside guest could use this flaw to leak host memory
bytes.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u18.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 699-1] xen security update

Package : xen
Version : 4.1.6.lts1-3
CVE ID : CVE-2016-7777

Xen does not properly honor CR0.TS and CR0.EM, which allows local x86
HVM guest OS users to read or modify FPU, MMX, or XMM register state
information belonging to arbitrary tasks on the guest by modifying an
instruction while the hypervisor is preparing to emulate it.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-3.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3704-1] memcached security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3704-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 03, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : memcached
CVE ID : CVE-2016-8704 CVE-2016-8705 CVE-2016-8706
Debian Bug : 842811 842812 842814

Aleksandar Nikolic of Cisco Talos discovered several integer overflow
vulnerabilities in memcached, a high-performance memory object caching
system. A remote attacker can take advantage of these flaws to cause a
denial of service (daemon crash), or potentially to execute arbitrary
code.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.21-1.1+deb8u1.

We recommend that you upgrade your memcached packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 3705-1] curl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3705-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
November 03, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618
CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622
CVE-2016-8623 CVE-2016-8624

Several vulnerabilities were discovered in cURL, an URL transfer library:

CVE-2016-8615

It was discovered that a malicious HTTP server could inject new
cookies for arbitrary domains into a cookie jar.

CVE-2016-8616

It was discovered that when re-using a connection, curl was doing case
insensitive comparisons of user name and password with the existing
connections.

CVE-2016-8617

It was discovered that on systems with 32-bit addresses in userspace
(e.g. x86, ARM, x32), the output buffer size value calculated in the
base64 encode function would wrap around if input size was at least
1GB of data, causing an undersized output buffer to be allocated.

CVE-2016-8618

It was discovered that the curl_maprintf() function could be tricked
into doing a double-free due to an unsafe size_t multiplication on
systems using 32 bit size_t variables.

CVE-2016-8619

It was discovered that that the Kerberos implementation could be
tricked into doing a double-free when reading one of the length fields
from a socket.

CVE-2016-8620

It was discovered that the curl tool's "globbing" feature could write
to invalid memory areas when parsing invalid ranges.

CVE-2016-8621

It was discovered that the function curl_getdate could read out of
bounds when parsing invalid date strings.

CVE-2016-8622

It was discovered that the URL percent-encoding decode function would
return a signed 32bit integer variable as length, even though it
allocated a destination buffer larger than 2GB, which would lead to
a out-of-bounds write.

CVE-2016-8623

It was discovered that libcurl could access an already-freed memory
area due to concurrent access to shared cookies. This could lead to
a denial of service or disclosure of sensitive information.

CVE-2016-8624

It was discovered that curl wouldn't parse the authority component of
a URL correctly when the host name part ends with a '#' character,
and could be tricked into connecting to a different host.

For the stable distribution (jessie), these problems have been fixed in
version 7.38.0-4+deb8u5.

For the unstable distribution (sid), these problems have been fixed in
version 7.51.0-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/