Debian 10225 Published by

The following updates has been released for Debian:

Debian GNU/Linux 7 LTS:
DLA 1073-1: openjdk-7 security update

Debian GNU/Linux 9:
DSA 3957-1: ffmpeg security update



DLA 1073-1: openjdk-7 security update


Package : openjdk-7
Version : 7u151-2.6.11-1+deb7u1
CVE ID : CVE-2017-10053 CVE-2017-10067 CVE-2017-10074 CVE-2017-10081
CVE-2017-10087 CVE-2017-10089 CVE-2017-10090 CVE-2017-10096
CVE-2017-10101 CVE-2017-10102 CVE-2017-10107 CVE-2017-10108
CVE-2017-10109 CVE-2017-10110 CVE-2017-10115 CVE-2017-10116
CVE-2017-10118 CVE-2017-10135 CVE-2017-10176 CVE-2017-10193
CVE-2017-10198 CVE-2017-10243

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in sandbox bypass,
incorrect authentication, the execution of arbitrary code, denial of
service, information disclosure, use of insecure cryptography or
bypassing Jar verification.

For Debian 7 "Wheezy", these problems have been fixed in version
7u151-2.6.11-1+deb7u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 3957-1: ffmpeg security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3957-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
August 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2017-9608 CVE-2017-9993 CVE-2017-11399 CVE-2017-11665
CVE-2017-11719

Several vulnerabilities have been discovered in FFmpeg, a multimedia
player, server and encoder. These issues could lead to Denial-of-Service
and, in some situation, the execution of arbitrary code.

CVE-2017-9608

Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when
parsing a crafted MOV file.

CVE-2017-9993

Thierry Foucu discovered that it was possible to leak information from
files and symlinks ending in common multimedia extensions, using the
HTTP Live Streaming.

CVE-2017-11399

Liu Bingchang of IIE discovered an integer overflow in the APE decoder
that can be triggered by a crafted APE file.

CVE-2017-11665

JunDong Xie of Ant-financial Light-Year Security Lab discovered that
an attacker able to craft a RTMP stream can crash FFmpeg.

CVE-2017-11719

Liu Bingchang of IIE discovered an out-of-bound access that can be
triggered by a crafted DNxHD file.

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.7-1~deb9u1.

We recommend that you upgrade your ffmpeg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/