Debian 10206 Published by

The following updates has been released for Debian:

Debian GNU/Linux 7 LTS:
DLA 1064-1: freeradius security update
DLA 1065-1: fontforge security update
DLA 1066-1: php5 security update
DLA 1067-1: augeas security update

Debian GNU/Linux 8:
DSA 3954-1: openjdk-7 security update

Debian GNU/Linux 9:
DSA 3955-1: mariadb-10.1 security update



DLA 1064-1: freeradius security update




Package : freeradius
Version : 2.1.12+dfsg-1.2+deb7u2
CVE ID : CVE-2017-10978 CVE-2017-10979 CVE-2017-10980
CVE-2017-10981 CVE-2017-10982 CVE-2017-10983
Debian Bug : 868765

Guido Vranken discovered that FreeRADIUS, an open source
implementation of RADIUS, the IETF protocol for AAA (Authorisation,
Authentication, and
Accounting), did not properly handle memory when processing packets.
This would allow a remote attacker to cause a denial-of-service by
application crash, or potentially execute arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version
2.1.12+dfsg-1.2+deb7u2.

We recommend that you upgrade your freeradius packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1065-1: fontforge security update




Package : fontforge
Version : 0.0.20120101+git-2+deb7u1
CVE ID : CVE-2017-11568 CVE-2017-11569 CVE-2017-11571 CVE-2017-11572
CVE-2017-11574 CVE-2017-11575 CVE-2017-11576 CVE-2017-11577

FontForge is vulnerable to heap-based buffer over-read in several
functions, resulting in DoS or code execution via a crafted otf file:


For Debian 7 "Wheezy", these problems have been fixed in version
0.0.20120101+git-2+deb7u1.

We recommend that you upgrade your fontforge packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1066-1: php5 security update




Package : php5
Version : 5.4.45-0+deb7u10
CVE ID : CVE-2017-11628

A stack-based buffer overflow in the zend_ini_do_op() function in
Zend/zend_ini_parser.c could cause a denial of service or potentially allow
executing code. NOTE: this is only relevant for PHP applications that accept
untrusted input (instead of the system's php.ini file) for the parse_ini_string
or parse_ini_file function, e.g., a web application for syntax validation of
php.ini directives.

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u10.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1067-1: augeas security update




Package : augeas
Version : 0.10.0-1+deb7u1
CVE ID : CVE-2017-7555
Debian Bug : 872400

Augeas is vulnerable to heap-based buffer overflow due to improper handling of
escaped strings. Attacker could send crafted strings that would cause the
application using augeas to copy past the end of a buffer, leading to a crash
or possible code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
0.10.0-1+deb7u1.

We recommend that you upgrade your augeas packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 3954-1: openjdk-7 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3954-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 25, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-7
CVE ID : CVE-2017-10053 CVE-2017-10067 CVE-2017-10074 CVE-2017-10081
CVE-2017-10087 CVE-2017-10089 CVE-2017-10090 CVE-2017-10096
CVE-2017-10101 CVE-2017-10102 CVE-2017-10107 CVE-2017-10108
CVE-2017-10109 CVE-2017-10110 CVE-2017-10115 CVE-2017-10116
CVE-2017-10118 CVE-2017-10135 CVE-2017-10176 CVE-2017-10193
CVE-2017-10198 CVE-2017-10243

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in sandbox bypass,
incorrect authentication, the execution of arbitrary code, denial of
service, information disclosure, use of insecure cryptography or
bypassing Jar verification.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u151-2.6.11-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 3955-1: mariadb-10.1 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3955-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 26, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mariadb-10.1
CVE ID : CVE-2017-3636 CVE-2017-3641 CVE-2017-3653

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.1.26. Please see the MariaDB 10.1 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10124-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10125-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10126-release-notes/

For the stable distribution (stretch), these problems have been fixed in
version 10.1.26-0+deb9u1.

For the unstable distribution (sid), these problems have been fixed in
version 10.1.26-1.

We recommend that you upgrade your mariadb-10.1 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/