
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1084-1: libidn security update
DLA 1085-1: libidn2-0 security update

Debian GNU/Linux 8 and 9:
DSA 3961-1: libgd2 security update
DSA 3962-1: strongswan security update

DLA 1084-1: libidn security update

Package : libidn
Version : 1.25-2+deb7u3
CVE ID : CVE-2017-14062
Debian Bug : #873903

It was discovered that there was an integer overflow vulnerability in
libidn's Punycode handling (an encoding used to convert Unicode characters
to ASCII) which would have allowed remote attackers to cause a denial of
service.

For Debian 7 "Wheezy", this issue has been fixed in libidn version
1.25-2+deb7u3.

We recommend that you upgrade your libidn packages.

DLA 1085-1: libidn2-0 security update

Package : libidn2-0
Version : 0.8-2+deb7u1
CVE ID : CVE-2017-14062
Debian Bug : #873902

It was discovered that there was an integer overflow vulnerability
in libidn2-0's Punycode handling (an encoding used to convert Unicode
characters to ASCII) which would have allowed attackers to cause a
remote denial of service.

For Debian 7 "Wheezy", this issue has been fixed in libidn2-0 version
0.8-2+deb7u1.

We recommend that you upgrade your libidn2-0 packages.
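The Punycode integer overflow named in DLA 1084-1 and DLA 1085-1 lives in the arithmetic of the RFC 3492 decoder, which accumulates attacker-supplied digits into 32-bit counters. As an added example that is not from the advisories or from libidn/libidn2, the decoder below (written here in C, the library's language) carries the overflow guards the RFC reference implementation specifies, so a crafted label is rejected with an error code instead of wrapping a counter and indexing memory with the wrapped value:

```c
#include <stdint.h>
#include <string.h>
/* RFC 3492 Punycode decoder with the overflow guards of the RFC reference code (the guard
 * class that prevents the integer-overflow bug reported above).  Input: one ASCII label
 * without "xn--"; *out_len: capacity in, decoded length out.  Returns 0 ok, -1 malformed,
 * -2 integer overflow, -3 output buffer full. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700, IBIAS = 72, INITN = 128 };
static uint32_t digit_value(char c) {    /* a-z/A-Z -> 0..25, 0-9 -> 26..35, else BASE */
    if (c >= 'a' && c <= 'z') return (uint32_t)(c - 'a');
    if (c >= 'A' && c <= 'Z') return (uint32_t)(c - 'A');
    return (c >= '0' && c <= '9') ? (uint32_t)(c - '0') + 26 : BASE;
}

static uint32_t adapt(uint32_t delta, uint32_t numpoints, int firsttime) {   /* bias adaptation */
    uint32_t k = 0;
    delta = firsttime ? delta / DAMP : delta >> 1;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE) delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

int punycode_decode(const char *in, size_t in_len, uint32_t *out, size_t *out_len) {
    uint32_t n = INITN, i = 0, bias = IBIAS, oldi, w, k, digit, t;
    size_t b = 0, j, p, max_out = *out_len, nout = 0;
    for (j = 0; j < in_len; j++) if (in[j] == '-') b = j;   /* last '-' ends the basic part */
    for (j = 0; j < b; j++) {                                /* basic code points are copied as-is */
        if ((unsigned char)in[j] >= 0x80) return -1;
        if (nout >= max_out) return -3;
        out[nout++] = (unsigned char)in[j];
    }
    for (p = b > 0 ? b + 1 : 0; p < in_len; nout++) {
        for (oldi = i, w = 1, k = BASE; ; k += BASE) {      /* read one variable-length delta */
            if (p >= in_len || (digit = digit_value(in[p++])) >= BASE) return -1;
            if (digit > (UINT32_MAX - i) / w) return -2;    /* i += digit * w would wrap */
            i += digit * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if (digit < t) break;
            if (w > UINT32_MAX / (BASE - t)) return -2;     /* w *= BASE - t would wrap */
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (uint32_t)nout + 1, oldi == 0);
        if (i / (nout + 1) > UINT32_MAX - n) return -2;     /* n += i / (nout + 1) would wrap */
        n += i / (nout + 1);
        i %= nout + 1;
        if (nout >= max_out) return -3;
        memmove(out + i + 1, out + i, (nout - i) * sizeof *out);
        out[i++] = n;                                       /* insert code point n at index i */
    }
    *out_len = nout;
    return 0;
}
```

With the guards removed, a label of a dozen '9' digits (each worth 35, so it never terminates a delta early) silently wraps `w` and `i` and the decoder proceeds with a garbage insertion index; with them, the same input is refused with -2.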

DSA 3961-1: libgd2 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3961-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 03, 2017                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libgd2
CVE ID : CVE-2017-6362

A double-free vulnerability was discovered in the gdImagePngPtr()
function in libgd2, a library for programmatic graphics creation and
manipulation, which may result in denial of service or potentially the
execution of arbitrary code if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.2.5-1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 3962-1: strongswan security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3962-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 03, 2017                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : strongswan
CVE ID : CVE-2017-11185
Debian Bug : #872155

A denial of service vulnerability was identified in strongSwan, an IKE/IPsec
suite, using Google's OSS-Fuzz fuzzing project.

The gmp plugin in strongSwan had insufficient input validation when verifying
RSA signatures. This coding error could lead to a NULL pointer dereference and
a crash of the process.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.2.1-6+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 5.5.1-4+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 5.6.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 5.6.0-1.

We recommend that you upgrade your strongswan packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/