Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 770-1] libphp-phpmailer security update
[DLA 771-1] hdf5 security update
[DLA 772-1] linux security update
[DLA 773-1] python-crypto security update
[DLA 775-1] hplip security update
[DLA-774-1] postgresql-common security update
[DSA 3751-1] libgd2 security update



[DLA 770-1] libphp-phpmailer security update

Package : libphp-phpmailer
Version : 5.1-1.2
CVE ID : CVE-2016-10033
Debian Bug : 849365

Dawid Golunski discovered that PHPMailer, a popular library to send
email from PHP applications, allowed a remote attacker to execute
code if they were able to provide a crafted Sender address.

Note that for this issue also CVE-2016-10045 was assigned, which is a
regression in the original patch proposed for CVE-2016-10033. Because
the origial patch was not applied in Debian, Debian was not vulnerable
to CVE-2016-10045.

For Debian 7 "Wheezy", these problems have been fixed in version
5.1-1.2.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 771-1] hdf5 security update

Package : hdf5
Version : 1.8.8-9+deb7u1
CVE ID : CVE-2016-4330 CVE-2016-4331 CVE-2016-4332 CVE-2016-4333
Debian Bug : 845301

Cisco Talos discovered that hdf5, a file format and library for
storing scientific data, contained several vulnerabilities that could
lead to arbitrary code execution when handling untrusted data.

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.8-9+deb7u1.

We recommend that you upgrade your hdf5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 772-1] linux security update

Package : linux
Version : 3.2.84-1
CVE ID : CVE-2012-6704 CVE-2015-1350 CVE-2015-8962 CVE-2015-8963
CVE-2015-8964 CVE-2016-7097 CVE-2016-7910 CVE-2016-7911
CVE-2016-7915 CVE-2016-8399 CVE-2016-8633 CVE-2016-8645
CVE-2016-8655 CVE-2016-9178 CVE-2016-9555 CVE-2016-9576
CVE-2016-9756 CVE-2016-9793 CVE-2016-9794 CVE-2016-10088
Debian Bug : 770492

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2012-6704, CVE-2016-9793

Eric Dumazet found that a local user with CAP_NET_ADMIN capability
could set a socket's buffer size to be negative, leading to a
denial of service or other security impact. Additionally, in
kernel versions prior to 3.5, any user could do this if sysctl
net.core.rmem_max was changed to a very large value.

CVE-2015-1350 / #770492

Ben Harris reported that local users could remove set-capability
attributes from any file visible to them, allowing a denial of
service.

CVE-2015-8962

Calvin Owens fouund that removing a SCSI device while it was being
accessed through the SCSI generic (sg) driver led to a double-
free, possibly causing a denial of service (crash or memory
corruption) or privilege escalation. This could be exploited by
local users with permision to access a SCSI device node.

CVE-2015-8963

Sasha Levin reported that hot-unplugging a CPU resulted in a
use-after-free by the performance events (perf) subsystem,
possibly causing a denial of service (crash or memory corruption)
or privilege escalation. This could by exploited by any local
user.

CVE-2015-8964

It was found that the terminal/serial (tty) subsystem did not
reliably reset the terminal buffer state when the terminal line
discipline was changed. This could allow a local user with access
to a terminal device to read sensitive information from kernel
memory.

CVE-2016-7097

Jan Kara found that changing the POSIX ACL of a file never cleared
its set-group-ID flag, which should be done if the user changing
it is not a member of the group-owner. In some cases, this would
allow the user-owner of an executable to gain the privileges of
the group-owner.

CVE-2016-7910

Vegard Nossum discovered that a memory allocation failure while
handling a read of /proc/diskstats or /proc/partitions could lead
to a use-after-free, possibly causing a denial of service (crash
or memory corruption) or privilege escalation.

CVE-2016-7911

Dmitry Vyukov reported that a race between ioprio_get() and
ioprio_set() system calls could result in a use-after-free,
possibly causing a denial of service (crash) or leaking sensitive
information.

CVE-2016-7915

Benjamin Tissoires found that HID devices could trigger an out-of-
bounds memory access in the HID core. A physically present user
could possibly use this for denial of service (crash) or to leak
sensitive information.

CVE-2016-8399

Qidan He reported that the IPv4 ping socket implementation did
not validate the length of packets to be sent. A user with
permisson to use ping sockets could cause an out-of-bounds read,
possibly resulting in a denial of service or information leak.
However, on Debian systems no users have permission to create ping
sockets by default.

CVE-2016-8633

Eyal Itkin reported that the IP-over-Firewire driver
(firewire-net) did not validate the offset or length in link-layer
fragmentation headers. This allowed a remote system connected by
Firewire to write to memory after a packet buffer, leading to a
denial of service (crash) or remote code execution.

CVE-2016-8645

Marco Grassi reported that if a socket filter (BPF program)
attached to a TCP socket truncates or removes the TCP header, this
could cause a denial of service (crash). This was exploitable by
any local user.

CVE-2016-8655

Philip Pettersson found that the implementation of packet sockets
(AF_PACKET family) had a race condition between enabling a
transmit ring buffer and changing the version of buffers used,
which could result in a use-after-free. A local user with the
CAP_NET_ADMIN capability could exploit this for privilege
escalation.

CVE-2016-9178

Al Viro found that a failure to read data from user memory might
lead to a information leak on the x86 architecture (amd64 or i386).

CVE-2016-9555

Andrey Konovalov reported that the SCTP implementation does not
validate 'out of the blue' packet chunk lengths early enough. A
remote system able could use this to cause a denial of service
(crash) or other security impact for systems using SCTP.

CVE-2016-9576, CVE-2016-10088

Dmitry Vyukov reported that using splice() with the SCSI generic
driver led to kernel memory corruption. Local users with
permision to access a SCSI device node could exploit this for
privilege escalation.

CVE-2016-9756

Dmitry Vyukov reported that KVM for the x86 architecture (amd64 or
i386) did not correctly handle the failure of certain instructions
that require software emulation on older processors. This could
be exploited by guest systems to leak sensitive information or for
denial of service (log spam).

CVE-2016-9794

Baozeng Ding reported a race condition in the ALSA (sound)
subsystem that could result in a use-after-free. Local users with
access to a PCM sound device could exploit this for denial of
service (crash or memory corruption) or other security impact.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.84-1. This version also includes bug fixes from upstream version
3.2.84 and updates the PREEMPT_RT featureset to version 3.2.84-rt122.
Finally, this version adds the option to mitigate security issues in
the performance events (perf) subsystem by disabling use by
unprivileged users. This can be done by setting sysctl
kernel.perf_event_paranoid=3.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.39-1 which will be included in the next point release (8.6).

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 773-1] python-crypto security update

Package : python-crypto
Version : 2.6-4+deb7u4
CVE ID : CVE-2013-7459
Debian Bug : 849495

It was discovered that there was a vulnerability in python-crypto, a library of
cryptographic algorithms and protocols for Python. Calling AES.new with an
invalid parameter could crash the Python interpreter:

https://github.com/dlitz/pycrypto/issues/176


For Debian 7 "Wheezy", this issue has been fixed in python-crypto version
2.6-4+deb7u4.

We recommend that you upgrade your python-crypto packages.

[DLA 775-1] hplip security update

Package : hplip
Version : 3.12.6-3.1+deb7u2
CVE ID : CVE-2015-0839
Debian Bug : #787353

CVE-2015-0839

The hplip plugin download function verifies the driver using a
short-key. This is not secure because it is trivial to
generate keys with arbitrary key IDs.

For Debian 7 "Wheezy", these problems have been fixed in version
3.12.6-3.1+deb7u2.

We recommend that you upgrade your hplip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA-774-1] postgresql-common security update

Package : postgresql-common
Version : 134wheezy5

A security vulnerability and a data loss bug have been found in
postgresql-common, Debian's PostgreSQL database cluster management
tools.

CVE-2016-1255

Dawid Golunski discovered that a symlink in /var/log/postgresql/
could be used by the "postgres" system user to write to arbitrary
files on the filesystem the next time PostgreSQL is started by
root.

#614374

Rafał Kupka discovered that pg_upgradecluster did not properly
upgrade databases that are owned by a non-login role (or group).

For Debian 7 "Wheezy", these problems have been fixed in version
134wheezy5.

We recommend that you upgrade your postgresql-common packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3751-1] libgd2 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3751-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libgd2
CVE ID : CVE-2016-9933
Debian Bug : 849038

A stack overflow vulnerability was discovered within the
gdImageFillToBorder function in libgd2, a library for programmatic
graphics creation and manipulation, triggered when invalid colors are
used with truecolor images. A remote attacker can take advantage of this
flaw to cause a denial-of-service against an application using the
libgd2 library.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.0-5+deb8u8.

For the testing distribution (stretch), this problem has been fixed
in version 2.2.2-29-g3c2b605-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.2-29-g3c2b605-1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/