The following updates have been released for Debian GNU/Linux:
[DLA 924-2] tomcat7 regression update
[DLA 935-1] lxterminal security update
[DLA 936-1] libtirpc security update
[DLA 937-1] rpcbind security update
[DLA 938-1] git security update
[DSA 3848-1] git security update
[DLA 924-2] tomcat7 regression update
Package : tomcat7
Version : 7.0.28-4+deb7u13
Debian Bug : 861872
The security update announced as DLA-924-1 introduced a regression in
Tomcat's APR protocol due to the fix for CVE-2017-5647 and prevented a
successful sendfile request.
For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u13.
We recommend that you upgrade your tomcat7 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 935-1] lxterminal security update
Package : lxterminal
Version : 0.1.11-4+deb7u1
CVE ID : CVE-2016-10369
Debian Bug : 862098
It was discovered that there was a local denial of service vulnerability in
lxterminal, the terminal emulator for the LXDE desktop environment.
This was caused by an insecure use of temporary files for a socket file.
For Debian 7 "Wheezy", this issue has been fixed in lxterminal version
0.1.11-4+deb7u1.
We recommend that you upgrade your lxterminal packages.
[DLA 936-1] libtirpc security update
Package : libtirpc
Version : 0.2.2-5+deb7u1
CVE ID : CVE-2017-8779
Debian Bug : 861834
Guido Vranken discovered that incorrect memory management in libtirpc,
a transport-independent RPC library used by rpcbind and other programs,
may result in denial of service via memory exhaustion (depending on
memory management settings).
For Debian 7 "Wheezy", these problems have been fixed in version
0.2.2-5+deb7u1.
We recommend that you upgrade your libtirpc packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 937-1] rpcbind security update
Package : rpcbind
Version : 0.2.0-8+deb7u2
CVE ID : CVE-2017-8779
Debian Bug : 861835
Guido Vranken discovered that incorrect memory management in libtirpc,
a transport-independent RPC library used by rpcbind and other programs,
may result in denial of service via memory exhaustion (depending on
memory management settings).
For Debian 7 "Wheezy", these problems have been fixed in version
0.2.0-8+deb7u2.
We recommend that you upgrade your rpcbind packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 938-1] git security update
Package : git
Version : 1:1.7.10.4-1+wheezy4
CVE ID : CVE-2017-8386
Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".
For Debian 7 "Wheezy", these problems have been fixed in version
1:1.7.10.4-1+wheezy4.
We recommend that you upgrade your git packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 3848-1] git security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3848-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 10, 2017                          https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : git
CVE ID : CVE-2017-8386
Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".
For the stable distribution (jessie), this problem has been fixed in
version 1:2.1.4-2.1+deb8u3.
For the unstable distribution (sid), this problem has been fixed in
version 1:2.11.0-3.
We recommend that you upgrade your git packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/