Debian 10229 Published by

The following updates has been released for Debian GNU/Linux 7 LTS:

DLA 1053-1: firefox-esr security update
DLA 1054-1: libgxps security update

and the following for both Debian GNU/Linux 8 and 9:

DSA 3937-1: zabbix security update
DSA 3938-1: libgd2 security update



DLA 1053-1: firefox-esr security update

Package : firefox-esr
Version : 52.3.0esr-1~deb7u1
CVE ID : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7802
CVE-2017-7803 CVE-2017-7807 CVE-2017-7809

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, use-after-frees, buffer
overflows and other implementation errors may lead to the execution of
arbitrary code, denial of service, bypass of the same-origin policy or
incorrect enforcement of CSP.

For Debian 7 "Wheezy", these problems have been fixed in version
52.3.0esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1054-1: libgxps security update

Package : libgxps
Version : 0.2.2-2+deb7u1
CVE ID : CVE-2017-11590
Debian Bug : #870183

It was discovered that there was a NULL pointer dereference in libgxps, a
library to handle XML Paper Specification specifications.

Specially-crafted input could lead to a remote denial of service attack.

For Debian 7 "Wheezy", this issue has been fixed in libgxps version
0.2.2-2+deb7u1.

We recommend that you upgrade your libgxps packages.


DSA 3937-1: zabbix security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3937-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 12, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : zabbix
CVE ID : CVE-2017-2824 CVE-2017-2825

Lilith Wyatt discovered two vulnerabilities in the Zabbix network
monitoring system which may result in execution of arbitrary code or
database writes by malicious proxies.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.7+dfsg-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed
prior to the initial release.

We recommend that you upgrade your zabbix packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 3938-1: libgd2 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3938-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 12, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libgd2
CVE ID : CVE-2017-7890
Debian Bug : 869263

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used
to load images from GIF format files in libgd2, a library for
programmatic graphics creation and manipulation, does not zero stack
allocated color map buffers before their use, which may result in
information disclosure if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/