Debian 10241 Published by

The following updates has been released for Debian GNU/Linux:

[SECURITY] [DSA 3891-1] tomcat8 security update
[SECURITY] [DSA 3892-1] tomcat7 security update
[SECURITY] [DSA 3893-1] jython security update
[SECURITY] [DSA 3894-1] graphite2 security update
[SECURITY] [DSA 3895-1] flatpak security update



[SECURITY] [DSA 3891-1] tomcat8 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3891-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tomcat8
CVE ID : CVE-2017-5664
Debian Bug : 864447 802312

Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.

For the oldstable distribution (jessie), this problem has been fixed
in version 8.0.14-1+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 8.5.14-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 8.5.14-2.

For the unstable distribution (sid), this problem has been fixed in
version 8.5.14-2.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3892-1] tomcat7 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3892-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tomcat7
CVE ID : CVE-2017-5664
Debian Bug : 864447 802312

Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and
JSP engine, static error pages used the original request's HTTP method
to serve content, instead of systematically using the GET method. This
could under certain conditions result in undesirable results,
including the replacement or removal of the custom error page.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.0.56-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.0.72-3.

For the testing distribution (buster), this problem has been fixed
in version 7.0.72-3.

For the unstable distribution (sid), this problem has been fixed in
version 7.0.72-3.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3893-1] jython security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3893-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jython
CVE ID : CVE-2016-4000
Debian Bug : 864859

Alvaro Munoz and Christian Schneider discovered that jython, an
implementation of the Python language seamlessly integrated with Java,
is prone to arbitrary code execution triggered when sending a serialized
function to the deserializer.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.5.3-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.5.3-16+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.5.3-17.

We recommend that you upgrade your jython packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3894-1] graphite2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3894-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : graphite2
CVE ID : CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774
CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778

Multiple vulnerabilities have been found in the Graphite font rendering
engine which might result in denial of service or the execution of
arbitrary code if a malformed font file is processed.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.3.10-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed
prior to the initial release.

We recommend that you upgrade your graphite2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3895-1] flatpak security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3895-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 22, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : flatpak
CVE ID : CVE-2017-9780

It was discovered that Flatpak, an application deployment framework for
desktop apps insufficiently restricted file permissinons in third-party
repositories, which could result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 0.8.5-2+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7-1.

We recommend that you upgrade your flatpak packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/