Debian 10225 Published by

Eight updates are available for Debian 7 LTS and one for Debian 8:

[DLA 571-1] xen security update
[DLA 572-1] icedove security update
[DLA 573-1] qemu security update
[DLA 574-1] qemu-kvm security update
[DLA 575-1] collectd security update
[DLA 576-1] libdbd-mysql-perl security update
[DLA 577-1] redis security update
[DLA 578-1] openssh security update
[DSA 3634-1] redis security update



[DLA 571-1] xen security update

Package : xen
Version : 4.1.6.lts1-1
CVE ID : CVE-2014-3672 CVE-2016-3158 CVE-2016-3159 CVE-2016-3710
CVE-2016-3712 CVE-2016-3960 CVE-2016-4480 CVE-2016-6258
Debian Bug :

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2014-3672 (XSA-180)

Andrew Sorensen discovered that a HVM domain can exhaust the hosts
disk space by filling up the log file.

CVE-2016-3158, CVE-2016-3159 (XSA-172)

Jan Beulich from SUSE discovered that Xen does not properly handle
writes to the hardware FSW.ES bit when running on AMD64 processors.
A malicious domain can take advantage of this flaw to obtain address
space usage and timing information, about another domain, at a
fairly low rate.

CVE-2016-3710 (XSA-179)

Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
read and write flaw in the QEMU VGA module. A privileged guest user
could use this flaw to execute arbitrary code on the host with the
privileges of the hosting QEMU process.

CVE-2016-3712 (XSA-179)

Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
or out-of-bounds read access issues in the QEMU VGA module. A
privileged guest user could use this flaw to mount a denial of
service (QEMU process crash).

CVE-2016-3960 (XSA-173)

Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360
discovered an integer overflow in the x86 shadow pagetable code. A
HVM guest using shadow pagetables can cause the host to crash. A PV
guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, potentially leading to privilege
escalation.

CVE-2016-4480 (XSA-176)

Jan Beulich discovered that incorrect page table handling could
result in privilege escalation inside a Xen guest instance.

CVE-2016-6258 (XSA-182)

:copyright::copyright:mie Boutoille discovered that incorrect pagetable handling in
PV instances could result in guest to host privilege escalation.

Additionally this Xen Security Advisory without a CVE was fixed:

XSA-166

Konrad Rzeszutek Wilk and Jan Beulich discovered that ioreq handling
is possibly susceptible to a multiple read issue.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-1.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 572-1] icedove security update

Package : icedove
Version : 1:45.2.0-2~deb7u1
CVE ID : CVE-2016-2818

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version
1:45.2.0-2~deb7u1.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 573-1] qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u14
CVE ID : CVE-2015-5239 CVE-2016-2857 CVE-2016-4020 CVE-2016-4439
CVE-2016-5403 CVE-2016-6351

Multiple vulnerabilities have been discovered in QEMU, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2015-5239

Lian Yihan discovered that QEMU incorrectly handled certain payload
messages in the VNC display driver. A malicious guest could use this
issue to cause the QEMU process to hang, resulting in a denial of
service.

CVE-2016-2857

Ling Liu discovered that QEMU incorrectly handled IP checksum
routines. An attacker inside the guest could use this issue to cause
QEMU to crash, resulting in a denial of service, or possibly leak
host memory bytes.

CVE-2016-4020

Donghai Zdh discovered that QEMU incorrectly handled the Task
Priority Register(TPR). A privileged attacker inside the guest could
use this issue to possibly leak host memory bytes.

CVE-2016-4439, CVE-2016-6351

Li Qiang disovered that the emulation of the 53C9X Fast SCSI
Controller is affected by out of bound access issues.

CVE-2016-5403

Zhenhao Hong discovered that a malicious guest administrator can
cause unbounded memory allocation in QEMU (which can cause an
Out-of-Memory condition) by submitting virtio requests without
bothering to wait for completion.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u14.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 574-1] qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u14
CVE ID : CVE-2015-5239 CVE-2016-2857 CVE-2016-4020 CVE-2016-4439
CVE-2016-5403 CVE-2016-6351

Multiple vulnerabilities have been discovered in qemu-kvm, a full
virtualization solution on x86 hardware. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2015-5239

Lian Yihan discovered that QEMU incorrectly handled certain payload
messages in the VNC display driver. A malicious guest could use this
issue to cause the QEMU process to hang, resulting in a denial of
service.

CVE-2016-2857

Ling Liu discovered that QEMU incorrectly handled IP checksum
routines. An attacker inside the guest could use this issue to cause
QEMU to crash, resulting in a denial of service, or possibly leak
host memory bytes.

CVE-2016-4020

Donghai Zdh discovered that QEMU incorrectly handled the Task
Priority Register(TPR). A privileged attacker inside the guest could
use this issue to possibly leak host memory bytes.

CVE-2016-4439, CVE-2016-6351

Li Qiang disovered that the emulation of the 53C9X Fast SCSI
Controller is affected by out of bound access issues.

CVE-2016-5403

Zhenhao Hong discovered that a malicious guest administrator can
cause unbounded memory allocation in QEMU (which can cause an
Out-of-Memory condition) by submitting virtio requests without
bothering to wait for completion.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u14.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 575-1] collectd security update

Package : collectd
Version : 5.1.0-3+deb7u1
CVE ID : CVE-2016-6254
Debian Bug : 832507 832577

Emilien Gaspar discovered that collectd, a statistics collection and
monitoring daemon, incorrectly processed incoming network
packets. This resulted in a heap overflow, allowing a remote attacker
to either cause a DoS via application crash, or potentially execute
arbitrary code.

Additionally, security researchers at Columbia University and the
University of Virginia discovered that collectd failed to verify a
return value during initialization. This meant the daemon could
sometimes be started without the desired, secure settings.

For Debian 7 "Wheezy", these problems have been fixed in version
5.1.0-3+deb7u1.

We recommend that you upgrade your collectd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 576-1] libdbd-mysql-perl security update

Package : libdbd-mysql-perl
Version : 4.021-1+deb7u1
CVE ID : CVE-2014-9906 CVE-2015-8949


Two use-after-free vulnerabilities were discovered in DBD::mysql, a Perl
DBI driver for the MySQL database server. A remote attacker can take
advantage of these flaws to cause a denial-of-service against an
application using DBD::mysql (application crash), or potentially to
execute arbitrary code with the privileges of the user running the
application.

For Debian 7 "Wheezy", these problems have been fixed in version
4.021-1+deb7u1.

We recommend that you upgrade your libdbd-mysql-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 577-1] redis security update

Package : redis
Version : 2:2.4.14-1+deb7u1
CVE ID : CVE-2013-7458
Debian Bug : 832460

It was discovered that the redis-cli tool in redis (an in-memory
key-value database) created world-readable history files.

For Debian 7 "Wheezy", this issue has been fixed in redis version
2:2.4.14-1+deb7u1.

We recommend that you upgrade your redis packages.

[DLA 578-1] openssh security update

Package : openssh
Version : 6.0p1-4+deb7u5
CVE ID : CVE-2016-6210

OpenSSH secure shell client and server had a user enumeration
problem reported.

CVE-2016-6210

User enumeration via covert timing channel


For Debian 7 "Wheezy", this problem has been fixed in version
6.0p1-4+deb7u5.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3634-1] redis security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3634-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
July 30, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : redis
CVE ID : CVE-2013-7458
Debian Bug : 832460

It was discovered that redis, a persistent key-value database, did not
properly protect redis-cli history files: they were created by default
with world-readable permissions.

Users and systems administrators may want to proactively change
permissions on existing ~/rediscli_history files, instead of waiting
for the updated redis-cli to do so the next time it is run.

For the stable distribution (jessie), this problem has been fixed in
version 2:2.8.17-1+deb8u5.

For the testing (stretch) and unstable (sid) distributions, this
problem has been fixed in version 2:3.2.1-4.

We recommend that you upgrade your redis packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/