Debian 10225 Published by

The following updates has been released for Debian:

[DLA 804-1] libgd2 security update
[DLA 805-1] bind9 security update
[DLA 806-1] zoneminder security update
[DLA 807-1] imagemagick security update
[DSA 3774-1] lcms2 security update
[DSA 3775-1] tcpdump security update



[DLA 804-1] libgd2 security update

Package : libgd2
Version : 2.0.36~rc1~dfsg-6.1+deb7u8
CVE ID : CVE-2016-9317 CVE-2016-10167 CVE-2016-10168

Multiple security issues have been found in the GD Graphics Library.
They may lead to the execution of arbitrary code or causing
application crash.

CVE-2016-9317

Signed integer overflow in gd_io.c

CVE-2016-10167

Improper handling of issing image data can cause crash

CVE-2016-10168

GD2 stores the number of horizontal and vertical chunks as words
(i.e. 2 byte unsigned). These values are multiplied and assigned to
an int when reading the image, what can cause integer overflows.

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.36~rc1~dfsg-6.1+deb7u8.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

bind9 security update

Package : bind9
Version : 1:9.8.4.dfsg.P1-6+nmu2+deb7u14
CVE ID : CVE-2016-9131 CVE-2016-9147 CVE-2016-9444

Several denial-of-service vulnerabilities (assertion failures) were
discovered in BIND, a DNS server implementation.

CVE-2016-9131

A crafted upstream response to an ANY query could cause an
assertion failure.

CVE-2016-9147

A crafted upstream response with self-contradicting DNSSEC data
could cause an assertion failure.

CVE-2016-9444

Specially-crafted upstream responses with a DS record could cause
an assertion failure.

These vulnerabilities predominantly affect DNS servers providing
recursive service. Client queries to authoritative-only servers
cannot trigger these assertion failures. These vulnerabilities are
present whether or not DNSSEC validation is enabled in the server
configuration.

For Debian 7 "Wheezy", these problems have been fixed in version
1:9.8.4.dfsg.P1-6+nmu2+deb7u14.

We recommend that you upgrade your bind9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 806-1] zoneminder security update

Package : zoneminder
Version : 1.25.0-4+deb7u1
CVE ID : CVE-2016-10140

Information disclosure and authentication bypass vulnerability exists in
the Apache HTTP Server configuration bundled with ZoneMinder v1.30.0,
which allows a remote unauthenticated attacker to browse all directories
in the web root, e.g., a remote unauthenticated attacker can view all
CCTV images on the server.

For new installations, the new config file will be automatically
installed. For existing installations, please follow the instructions in
NEWS, which will be viewed during upgrade.

For Debian 7 "Wheezy", these problems have been fixed in version
1.25.0-4+deb7u1.

We recommend that you upgrade your zoneminder packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 807-1] imagemagick security update

Package : imagemagick
Version : 8:6.7.7.10-5+deb7u11
CVE ID : CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506
CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug : #851485, #851483, #851380, #851383, #851382, #851381, #851376, #851374

Numerous vulnerabilities were discovered in ImageMagick, an image
manipulation program. Issues include memory leaks, out of bound reads
and missing checks.

This update also includes an update of the fix for CVE-2016-8677 which
was incomplete in the previous version.

For Debian 7 "Wheezy", these problems have been fixed in version
8:6.7.7.10-5+deb7u11.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3774-1] lcms2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3774-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 29, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lcms2
CVE ID : CVE-2016-10165
Debian Bug : 852627

Ibrahim M. El-Sayed discovered an out-of-bounds heap read vulnerability
in the function Type_MLU_Read in lcms2, the Little CMS 2 color
management library, which can be triggered by an image with a specially
crafted ICC profile and leading to a heap memory leak or
denial-of-service for applications using the lcms2 library.

For the stable distribution (jessie), this problem has been fixed in
version 2.6-3+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem has been fixed in version 2.8-4.

We recommend that you upgrade your lcms2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3775-1] tcpdump security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3775-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tcpdump
CVE ID : CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925
CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929
CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933
CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937
CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973
CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984
CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993
CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203
CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342
CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485
CVE-2017-5486

Multiple vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or the execution of arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 4.9.0-1~deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 4.9.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.9.0-1.

We recommend that you upgrade your tcpdump packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/