Debian 10260 Published by

The following security updates has been released for Debian:

Debian GNU/Linux 7 LTS:
DLA 1068-1: git security update
DLA 1069-1: tenshi security update

Debian GNU/Linux 8 and 9:
DSA 3956-1: connman security update



DLA 1068-1: git security update




Package : git
Version : 1:1.7.10.4-1+wheezy5
CVE ID : CVE-2017-1000117

Joern Schneeweisz discovered that git, a distributed revision control
system, did not correctly handle maliciously constructed ssh://
URLs. This allowed an attacker to run an arbitrary shell command, for
instance via git submodules.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.7.10.4-1+wheezy5.

We recommend that you upgrade your git packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1069-1: tenshi security update




Package : tenshi
Version : 0.13-2+deb7u1
CVE ID : CVE-2017-11746
Debian Bug : 871321

Tenshi creates a tenshi.pid file after dropping privileges to a non-root
account, which might allow local users to kill arbitrary processes by
leveraging access to this non-root account for tenshi.pid modification before a
root script executes a "kill `cat /pathname/tenshi.pid`" command.

For Debian 7 "Wheezy", these problems have been fixed in version
0.13-2+deb7u1.

We recommend that you upgrade your tenshi packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 3956-1: connman security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3956-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
August 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : connman
CVE ID : CVE-2017-12865
Debian Bug : 872844

Security consultants in NRI Secure Technologies discovered a stack
overflow vulnerability in ConnMan, a network manager for embedded
devices. An attacker with control of the DNS responses to the DNS proxy
in ConnMan might crash the service and, in same cases, remotely execute
arbitrary commands in the host running the service.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.21-1.2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.33-3+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 1.33-3+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.35-1.

We recommend that you upgrade your connman packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/