The following security updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 LTS:
DLA 1231-1: graphicsmagick security update
DLA 1233-1: gifsicle security update
DLA 1234-1: gdk-pixbuf security update
DLA 1235-1: opencv security update
Debian GNU/Linux 8:
DSA 4081-1: php5 security update
Debian GNU/Linux 9:
DSA 4080-1: php7.0 security update
DLA 1231-1: graphicsmagick security update
Package : graphicsmagick
Version : 1.3.16-1.1+deb7u16
CVE ID : CVE-2017-17498 CVE-2017-17500 CVE-2017-17501
CVE-2017-17502 CVE-2017-17503 CVE-2017-17782
CVE-2017-17912 CVE-2017-17915
Debian Bug : 884905
The NSFocus Security Team discovered multiple security issues in
GraphicsMagick, a collection of image processing tools. Several
heap-based buffer over-reads may lead to a denial of service
(application crash) or possibly have other unspecified impact when
processing a crafted file.
For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u16.
We recommend that you upgrade your graphicsmagick packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1233-1: gifsicle security update
Package : gifsicle
Version : 1.67-1.1~deb7u1
CVE ID : CVE-2017-1000421
It was discovered that there was a use-after-free vulnerability in
gifsicle, a command-line tool for manipulating GIF images.
For Debian 7 "Wheezy", this issue has been fixed in gifsicle version
1.67-1.1~deb7u1.
We recommend that you upgrade your gifsicle packages.
(Thanks to Herbert Parentes Fortes Neto for his help in preparing this
update.)
DLA 1234-1: gdk-pixbuf security update
Package : gdk-pixbuf
Version : 2.26.1-1+deb7u7
CVE ID : CVE-2017-1000422
It was discovered that there were several integer overflows in
gdk-pixbuf, a library to manipulate images for the GTK graphics toolkit.
This could have led to memory corruption and potential code execution.
For Debian 7 "Wheezy", this issue has been fixed in gdk-pixbuf version
2.26.1-1+deb7u7.
We recommend that you upgrade your gdk-pixbuf packages.
DLA 1235-1: opencv security update
Package : opencv
Version : 2.3.1-11+deb7u3
CVE ID : CVE-2017-17760 CVE-2017-1000450
OpenCV 3.3 and earlier mishandles data while reading it, which can
result in either buffer overflows or integer overflows.
For Debian 7 "Wheezy", these problems have been fixed in version
2.3.1-11+deb7u3.
We recommend that you upgrade your opencv packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4080-1: php7.0 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4080-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2017-11144 CVE-2017-11145 CVE-2017-11628
CVE-2017-12932 CVE-2017-12933 CVE-2017-12934
CVE-2017-16642
Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:
CVE-2017-11144
Denial of service in openssl extension due to incorrect return value
check of OpenSSL sealing function
CVE-2017-11145
Out-of-bounds read in wddx_deserialize()
CVE-2017-11628
Buffer overflow in PHP INI parsing API
CVE-2017-12932 / CVE-2017-12934
Use-after-frees during unserialisation
CVE-2017-12933
Buffer overread in finish_nested_data()
CVE-2017-16642
Out-of-bounds read in timelib_meridian()
For the stable distribution (stretch), these problems have been fixed in
version 7.0.27-0+deb9u1.
We recommend that you upgrade your php7.0 packages.
For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4081-1: php5 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4081-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 08, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php5
CVE ID : CVE-2017-11142 CVE-2017-11143 CVE-2017-11144
CVE-2017-11145 CVE-2017-11628 CVE-2017-12933
CVE-2017-16642
Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:
CVE-2017-11142
Denial of service via overly long form variables
CVE-2017-11143
Invalid free() in wddx_deserialize()
CVE-2017-11144
Denial of service in openssl extension due to incorrect return value
check of OpenSSL sealing function.
CVE-2017-11145
Out-of-bounds read in wddx_deserialize()
CVE-2017-11628
Buffer overflow in PHP INI parsing API
CVE-2017-12933
Buffer overread in finish_nested_data()
CVE-2017-16642
Out-of-bounds read in timelib_meridian()
For the oldstable distribution (jessie), these problems have been fixed
in version 5.6.33+dfsg-0+deb8u1.
We recommend that you upgrade your php5 packages.
For the detailed security status of php5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php5
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/