Debian 10225 Published by

The following security updates has been released for Debian:

Debian GNU/Linux 7 LTS:
DLA 1057-1: libraw security update
DLA 1058-1: krb5 security update

Debian GNU/Linux 8 and 9:
DSA 3943-1: gajim security update



DLA 1057-1: libraw security update

Package : libraw
Version : 0.14.6-2+deb7u2
CVE ID : CVE-2017-6886 CVE-2017-6887
Debian Bug : 864183

Some memory corruption bugs were discovered in libraw, a raw image
decoder library, which could be triggered via maliciously crafted
input files to cause denial of service or other unspecified impact.

For Debian 7 "Wheezy", these problems have been fixed in version
0.14.6-2+deb7u2.

We recommend that you upgrade your libraw packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1058-1: krb5 security update

Package : krb5
Version : 1.10.1+dfsg-5+deb7u8
CVE ID : CVE-2017-11368
Debian Bug : 869260


In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker
can cause a KDC assertion failure by sending invalid S4U2Self or
S4U2Proxy requests.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10.1+dfsg-5+deb7u8.

We recommend that you upgrade your krb5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 3943-1: gajim security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3943-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 14, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gajim
CVE ID : CVE-2016-10376
Debian Bug : 863445

Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the
"XEP-0146: Remote Controlling Clients" extension, allowing a malicious
XMPP server to trigger commands to leak private conversations from
encrypted sessions. With this update XEP-0146 support has been disabled
by default and made opt-in via the 'remote_commands' option.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.16-1+deb8u2.

For the stable distribution (stretch), this problem has been fixed prior
to the initial release.

We recommend that you upgrade your gajim packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/