Debian 10262 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1141-1: mysql-5.5 security update

Debian GNU/Linux 8:
DSA 4002-1: mysql-5.5 security update

Debian GNU/Linux 8 and 9:
DSA 4003-1: libvirt security update
DSA 4004-1: jackson-databind security update



DLA 1141-1: mysql-5.5 security update




Package : mysql-5.5
Version : 5.5.58-0+deb7u1
CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
Debian Bug : 878402

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.58, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.58-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4002-1: mysql-5.5 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4002-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 19, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
Debian Bug : 878402

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.58, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.58-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4003-1: libvirt security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4003-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 19, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvirt
CVE ID : CVE-2017-1000256
Debian Bug : 878799

Daniel P. Berrange reported that Libvirt, a virtualisation abstraction
library, does not properly handle the default_tls_x509_verify (and
related) parameters in qemu.conf when setting up TLS clients and servers
in QEMU, resulting in TLS clients for character devices and disk devices
having verification turned off and ignoring any errors while validating
the server certificate.

More informations in https://security.libvirt.org/2017/0002.html .

For the stable distribution (stretch), this problem has been fixed in
version 3.0.0-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.8.0-3.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4004-1: jackson-databind security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4004-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
October 20, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jackson-databind
CVE ID : CVE-2017-7525
Debian Bug : 870848

Liao Xinxi discovered that jackson-databind, a Java library used to
parse JSON and other data formats, did not properly validate user
input before attemtping deserialization. This allowed an attacker to
perform code execution by providing maliciously crafted input.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.4.2-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.8.6-1+deb9u1.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/