Debian 10225 Published by

The following updates are available for Debian GNU/Linux:

[DLA 676-1] nspr security update
[DLA 677-1] nss security update
[DLA 678-1] qemu security update
[DLA 679-1] qemu-kvm security update
[DSA 3699-1] virtualbox end of life
[DSA 3700-1] asterisk security update
[DSA 3701-1] nginx security update



[DLA 676-1] nspr security update

Package : nspr
Version : 4.12-1+deb7u1

The Network Security Service (NSS) libraries uses
environment variables to configure lots of things, some of which refer to
file system locations. Others can be degrade the operation of NSS in various
ways, forcing compatibility modes and so on.

Previously, these environment variables were not ignored SUID
binaries. This version of NetScape Portable Runtime Library (NSPR)
introduce a new API, PR_GetEnVSecure, to address this.

Both NSPR and NSS need to be upgraded to address this problem.

For Debian 7 "Wheezy", these problems have been fixed in NSPR version
4.12-1+deb7u1.

We recommend that you upgrade your nspr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 677-1] nss security update

Package : nss
Version : 3.26-1+debu7u1

The Network Security Service (NSS) libraries uses
environment variables to configure lots of things, some of which refer to
file system locations. Others can be degrade the operation of NSS in various
ways, forcing compatibility modes and so on.

Previously, these environment variables were not ignored SUID
binaries. This version of NetScape Portable Runtime Library (NSPR)
introduce a new API, PR_GetEnVSecure, to address this.

Both NSPR and NSS need to be upgraded to address this problem.

For Debian 7 "Wheezy", these problems have been fixed in NSS version
3.26-1+debu7u1.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 678-1] qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u17
CVE ID : CVE-2016-8576 CVE-2016-8577 CVE-2016-8578 CVE-2016-8669

Multiple vulnerabilities have been found in QEMU:

CVE-2016-8576

Quick Emulator (Qemu) built with the USB xHCI controller emulation support
is vulnerable to an infinite loop issue. It could occur while processing USB
command ring in 'xhci_ring_fetch'.

CVE-2016-8577

Quick Emulator (Qemu) built with the virtio-9p back-end support is
vulnerable to a memory leakage issue. It could occur while doing a I/O read
operation in v9fs_read() routine.

CVE-2016-8578

Quick Emulator (Qemu) built with the virtio-9p back-end support is
vulnerable to a null pointer dereference issue. It could occur while doing
an I/O vector unmarshalling operation in v9fs_iov_vunmarshal() routine.

CVE-2016-8669

Quick Emulator (Qemu) built with the 16550A UART emulation support is
vulnerable to a divide by zero issue. It could occur while updating serial
device parameters in 'serial_update_parameters'.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u17.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 679-1] qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u17
CVE ID : CVE-2016-8576 CVE-2016-8577 CVE-2016-8578 CVE-2016-8669

Multiple vulnerabilities have been found in qemu-kvm:

CVE-2016-8576

qemu-kvm built with the USB xHCI controller emulation support is vulnerable
to an infinite loop issue. It could occur while processing USB command ring
in 'xhci_ring_fetch'.

CVE-2016-8577

qemu-kvm built with the virtio-9p back-end support is vulnerable to a memory
leakage issue. It could occur while doing a I/O read operation in
v9fs_read() routine.

CVE-2016-8578

qemu-kvm built with the virtio-9p back-end support is vulnerable to a null
pointer dereference issue. It could occur while doing an I/O vector
unmarshalling operation in v9fs_iov_vunmarshal() routine.

CVE-2016-8669

qemu-kvm built with the 16550A UART emulation support is vulnerable to a
divide by zero issue. It could occur while updating serial device parameters
in 'serial_update_parameters'.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u17.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3699-1] virtualbox end of life

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3699-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : virtualbox

Upstream support for the 4.3 release series has ended and since no
information is available which would allow backports of isolated
security fixes, security support for virtualbox in jessie needed to be
ended as well.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[DSA 3700-1] asterisk security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3700-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : asterisk
CVE ID : CVE-2015-3008 CVE-2016-2232 CVE-2016-2316 CVE-2016-7551

Multiple vulnerabilities have been discovered in Asterisk, an open source
PBX and telephony toolkit, which may result in denial of service or
incorrect certificate validation.

For the stable distribution (jessie), these problems have been fixed in
version 1:11.13.1~dfsg-2+deb8u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3701-1] nginx security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3701-1 security@debian.org
https://www.debian.org/security/ Florian Weimer
October 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nginx
CVE ID : CVE-2016-1247

Dawid Golunski reported the nginx web server packages in Debian
suffered from a privilege escalation vulnerability (www-data to root)
due to the way log files are handled. This security update changes
ownership of the /var/log/nginx directory root. In addition,
/var/log/nginx has to be made accessible to local users, and local
users may be able to read the log files themselves local until the
next logrotate invocation.

For the stable distribution (jessie), this problem has been fixed in
version 1.6.2-5+deb8u3.

We recommend that you upgrade your nginx packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/