Debian 10264 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1164-1: mupdf security update
DLA 1165-1: libpam4j security update
DLA 1166-1: tomcat7 security update

Debian GNU/Linux 8 and 9:
DSA 4021-1: otrs2 security update
DSA 4023-1: slurm-llnl security update



DLA 1164-1: mupdf security update




Package : mupdf
Version : 0.9-2+deb7u4
CVE ID : CVE-2017-14687 CVE-2017-15587
Debian Bug : 877379 879055

Two security issues were discovered in mupdf, a lightweight PDF viewer.

CVE-2017-14687
MuPDF allows attackers to cause a denial of service or possibly have
unspecified other impact via a crafted .xps file. This occurs
because of mishandling of XML tag name comparisons.

CVE-2017-15587
An integer overflow was discovered in pdf_read_new_xref_section in
pdf/pdf-xref.c

For Debian 7 "Wheezy", these problems have been fixed in version
0.9-2+deb7u4.

We recommend that you upgrade your mupdf packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1165-1: libpam4j security update




Package : libpam4j
Version : 1.4-2+deb7u1
CVE ID : CVE-2017-12197
Debian Bug : 879001

It was discovered that libpam4j, a Java binding for libpam.so, does
not call pam_acct_mgmt(). As a consequence, the PAM account is not
properly
verified. Any user with a valid password but with deactivated or
disabled account was able to log in.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4-2+deb7u1.

We recommend that you upgrade your libpam4j packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1166-1: tomcat7 security update

Package : tomcat7
Version : 7.0.28-4+deb7u16
CVE ID : CVE-2017-12617


A remote code execution vulnerability has been discovered in tomcat7.

When HTTP PUT was enabled (e.g., via setting the readonly initialization
parameter of the Default servlet to false) it was possible to upload a JSP
file to the server via a specially crafted request. This JSP could then be
requested and any code it contained would be executed by the server.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u16.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4021-1: otrs2 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4021-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 07, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : otrs2
CVE ID : CVE-2017-14635

It was discovered that missing input validation in the Open Ticket
Request System could result in privilege escalation by an agent with
write permissions for statistics.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.3.18-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.16-1+deb9u2.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4023-1: slurm-llnl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4023-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 07, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : slurm-llnl
CVE ID : CVE-2017-15566
Debian Bug : 880530

Ryan Day discovered that the Simple Linux Utility for Resource
Management (SLURM), a cluster resource management and job scheduling
system, does not properly handle SPANK environment variables, allowing a
user permitted to submit jobs to execute code as root during the Prolog
or Epilog. All systems using a Prolog or Epilog script are vulnerable,
regardless of whether SPANK plugins are in use.

For the stable distribution (stretch), this problem has been fixed in
version 16.05.9-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 17.02.9-1.

We recommend that you upgrade your slurm-llnl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/