Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 799-1] ming security update
[DLA 800-1] firefox-esr security update
[DLA 801-1] libxpm security update
[DLA 802-1] openjdk-7 security update
[DLA 803-1] lcms2 security update
[DSA 3772-1] libxpm security update



[DLA 799-1] ming security update

Package : ming
Version : 1:0.4.4-1.1+deb7u1
CVE ID : CVE-2016-9264 CVE-2016-9265 CVE-2016-9266
CVE-2016-9827 CVE-2016-9828 CVE-2016-9829
CVE-2016-9831
Debian Bug : 843928


Multiple security issues have been found in Ming. They may lead
to the execution of arbitrary code or causing application crash.

CVE-2016-9264

global-buffer-overflow in printMP3Headers

CVE-2016-9265

divide-by-zero in printMP3Headers

CVE-2016-9266

left shift in listmp3.c

CVE-2016-9827

listswf: heap-based buffer overflow in _iprintf

CVE-2016-9828

listswf: heap-based buffer overflow in _iprintf

CVE-2016-9829

listswf: NULL pointer dereference in dumpBuffer

CVE-2016-9831

listswf: heap-based buffer overflow in parseSWF_RGBA

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u1.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 800-1] firefox-esr security update

Package : firefox-esr
Version : 45.7.0esr-1~deb7u1
CVE ID : CVE-2017-5373 CVE-2017-5375 CVE-2017-5376 CVE-2017-5378
CVE-2017-5380 CVE-2017-5383 CVE-2017-5386 CVE-2017-5390
CVE-2017-5396

Multiple security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees and other
implementation errors may lead to the execution of arbitrary code or
information leaks or privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
45.7.0esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 801-1] libxpm security update

Package : libxpm
Version : 1:3.5.10-1+deb7u1
CVE ID : CVE-2016-10164

Tobias Stoeckmann discovered a vulnerability in the libXpm library
that could cause a malicious attacker to execute arbitrary code
via a specially crafted XPM file.

For Debian 7 "Wheezy", these problems have been fixed in version
1:3.5.10-1+deb7u1.

We recommend that you upgrade your libxpm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 802-1] openjdk-7 security update

Package : openjdk-7
Version : 7u121-2.6.8-1~deb7u1

openjdk-7 7u111-2.6.7-2~deb7u1 backported the security fixes from
7u121. openjdk-7 has now been updated to the full 7u121 version,
which includes extra bug fixes and other improvements.

For Debian 7 "Wheezy", these problems have been fixed in version
7u121-2.6.8-1~deb7u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 803-1] lcms2 security update

Package : lcms2
Version : 2.2+git20110628-2.2+deb7u2
CVE ID : CVE-2016-10165
Debian Bug : https://bugs.debian.org/852627

An out of bounds read was found in lcms2, which can lead to heap memory
leak or denial of service via a specially-crafted ICC profile.

For Debian 7 "Wheezy", these problems have been fixed in version
2.2+git20110628-2.2+deb7u2.

We recommend that you upgrade your lcms2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3772-1] libxpm security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3772-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 26, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libxpm
CVE ID : CVE-2016-10164

Tobias Stoeckmann discovered that the libXpm library contained two
integer overflow flaws, leading to a heap out-of-bounds write, while
parsing XPM extensions in a file. An attacker can provide a specially
crafted XPM file that, when processed by an application using the libXpm
library, would cause a denial-of-service against the application, or
potentially, the execution of arbitrary code with the privileges of the
user running the application.

For the stable distribution (jessie), this problem has been fixed in
version 1:3.5.12-0+deb8u1. This update is based on a new upstream
version of libxpm including additional bug fixes.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem has been fixed in version 1:3.5.12-1.

We recommend that you upgrade your libxpm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/