
The following updates have been released for Debian GNU/Linux 7 LTS:

DLA 1330-1: openssl security update
DLA 1331-1: mercurial security update
DLA 1332-1: libvncserver security update
DLA 1330-1: openssl security update

Package : openssl
Version : 1.0.1t-1+deb7u4
CVE ID : CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial of
service.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20180327.txt

For Debian 7 "Wheezy", these problems have been fixed in version
1.0.1t-1+deb7u4.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1331-1: mercurial security update

Package : mercurial
Version : 2.2.2-4+deb7u7
CVE ID : CVE-2018-1000132
Debian Bug : 892964

Mercurial version 4.5 and earlier contains an Incorrect Access Control
(CWE-285) vulnerability in the protocol server that can result in
unauthorized data access. This attack appears to be exploitable via
network connectivity. This vulnerability appears to have been fixed in
4.5.1.

This update also fixes a regression introduced in 2.2.2-4+deb7u5 which
makes the testsuite fail non-deterministically.

For Debian 7 "Wheezy", these problems have been fixed in version
2.2.2-4+deb7u7.

We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1332-1: libvncserver security update
Package : libvncserver
Version : 0.9.9+dfsg-1+deb7u3
CVE ID : CVE-2018-7225
Debian Bug : 894045

libvncserver versions through 0.9.11 do not sanitize msg.cct.length,
which may result in access to uninitialized and potentially sensitive
data or possibly unspecified other impact (e.g., an integer overflow)
via specially crafted VNC packets.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9.9+dfsg-1+deb7u3.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS