Debian 10260 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1231-1: graphicsmagick security update
DLA 1233-1: gifsicle security update
DLA 1234-1: gdk-pixbuf security update
DLA 1235-1: opencv security update

Debian GNU/Linux 8:
DSA 4081-1: php5 security update

Debian GNU/Linux 9:
DSA 4080-1: php7.0 security update



DLA 1231-1: graphicsmagick security update




Package : graphicsmagick
Version : 1.3.16-1.1+deb7u16
CVE ID : CVE-2017-17498 CVE-2017-17500 CVE-2017-17501
CVE-2017-17502 CVE-2017-17503 CVE-2017-17782
CVE-2017-17912 CVE-2017-17915
Debian Bug : 884905

The NSFocus Security Team discovered multiple security issues in
Graphicsmagick, a collection of image processing tools. Several
heap-based buffer over-reads may lead to a denial-of-service
(application crash) or possibly have other unspecified impact when
processing a crafted file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u16.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1233-1: gifsicle security update




Package : gifsicle
Version : 1.67-1.1~deb7u1
CVE ID : CVE-2017-1000421

It was discovered that there was a use-after-free vulnerability in
gifsicle, a command-line tool for manipulating GIF images.

For Debian 7 "Wheezy", this issue has been fixed in gifsicle version
1.67-1.1~deb7u1.

We recommend that you upgrade your gifsicle packages.

(Thanks to Herbert Parentes Fortes Neto for his help in preparing this
update.)




DLA 1234-1: gdk-pixbuf security update




Package : gdk-pixbuf
Version : 2.26.1-1+deb7u7
CVE ID : CVE-2017-1000422

It was discovered that there were several integer overflows in
gdk-pixbuf, a library to manipulate images for the GTK graphics toolkit.
This could have led to memory corruption and potential code execution.

For Debian 7 "Wheezy", this issue has been fixed in gdk-pixbuf version
2.26.1-1+deb7u7.

We recommend that you upgrade your gdk-pixbuf packages.




DLA 1235-1: opencv security update




Package : opencv
Version : 2.3.1-11+deb7u3
CVE ID : CVE-2017-17760 CVE-2017-1000450


Opencv 3.3 and earlier has problems while reading data, which might
result in either buffer overflows or integer overflows.



For Debian 7 "Wheezy", these problems have been fixed in version
2.3.1-11+deb7u3.

We recommend that you upgrade your opencv packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4080-1: php7.0 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4080-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php7.0
CVE ID : CVE-2017-11144 CVE-2017-11145 CVE-2017-11628
CVE-2017-12932 CVE-2017-12933 CVE-2017-12934
CVE-2017-16642

Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:

CVE-2017-11144

Denial of service in openssl extension due to incorrect return value
check of OpenSSL sealing function

CVE-2017-11145

Out-of-bounds read in wddx_deserialize()

CVE-2017-11628

Buffer overflow in PHP INI parsing API

CVE-2017-12932 / CVE-2017-12934

Use-after-frees during unserialisation

CVE-2017-12933

Buffer overread in finish_nested_data()

CVE-2017-16642

Out-of-bounds read in timelib_meridian()

For the stable distribution (stretch), these problems have been fixed in
version 7.0.27-0+deb9u1.

We recommend that you upgrade your php7.0 packages.

For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4081-1: php5 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4081-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2017-11142 CVE-2017-11143 CVE-2017-11144
CVE-2017-11145 CVE-2017-11628 CVE-2017-12933
CVE-2017-16642

Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:

CVE-2017-11142

Denial of service via overly long form variables

CVE-2017-11143

Invalid free() in wddx_deserialize()

CVE-2017-11144

Denial of service in openssl extension due to incorrect return value
check of OpenSSL sealing function.

CVE-2017-11145

Out-of-bounds read in wddx_deserialize()

CVE-2017-11628

Buffer overflow in PHP INI parsing API

CVE-2017-12933

Buffer overread in finish_nested_data()

CVE-2017-16642

Out-of-bounds read in timelib_meridian()

For the oldstable distribution (jessie), these problems have been fixed
in version 5.6.33+dfsg-0+deb8u1.

We recommend that you upgrade your php5 packages.

For the detailed security status of php5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/