
The following updates have been released for Debian:

Debian GNU/Linux 7 LTS:
[DLA 1051-1] postgresql-9.1 security update

Debian GNU/Linux 8 and 9:
[DSA 3932-1] subversion security update
[DSA 3933-1] pjproject security update
[DSA 3934-1] git security update

Debian GNU/Linux 8:
[DSA 3935-1] postgresql-9.4 security update

Debian GNU/Linux 9:
[DSA 3936-1] postgresql-9.6 security update



[DLA 1051-1] postgresql-9.1 security update

Package : postgresql-9.1
Version : 9.1.24-0+deb7u1
CVE ID : CVE-2017-7486 CVE-2017-7546 CVE-2017-7547
Debian Bug :

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7486

Andrew Wheelwright discovered that user mappings were insufficiently
restricted.

CVE-2017-7546

In some authentication methods empty passwords were accepted.

CVE-2017-7547

User mappings could leak data to unprivileged users.

For Debian 7 "Wheezy", these problems have been fixed in version
9.1.24lts2-0+deb7u1.

We recommend that you upgrade your postgresql-9.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3932-1] subversion security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3932-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 10, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : subversion
CVE ID : CVE-2016-8734 CVE-2017-9800

Several problems were discovered in Subversion, a centralised version
control system.

CVE-2016-8734 (jessie only)

Subversion's mod_dontdothat server module and Subversion clients
using http(s):// were vulnerable to a denial-of-service attack
caused by exponential XML entity expansion.

CVE-2017-9800

Joern Schneeweisz discovered that Subversion did not correctly
handle maliciously constructed svn+ssh:// URLs. This allowed an
attacker to run an arbitrary shell command, for instance via
svn:externals properties or when using 'svnsync sync'.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.8.10-6+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.9.5-1+deb9u1.

We recommend that you upgrade your subversion packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3933-1] pjproject security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3933-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 10, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pjproject
CVE ID : CVE-2017-9359 CVE-2017-9372

Two vulnerabilities were found in the PJSIP/PJProject communication
library, which may result in denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0.0.ast20130823-1+deb8u1.

For the stable distribution (stretch), these problems had been fixed
prior to the initial release.

We recommend that you upgrade your pjproject packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3934-1] git security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3934-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 10, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : git
CVE ID : CVE-2017-1000117

Joern Schneeweisz discovered that git, a distributed revision control
system, did not correctly handle maliciously constructed ssh://
URLs. This allowed an attacker to run an arbitrary shell command, for
instance via git submodules.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u1.

We recommend that you upgrade your git packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3935-1] postgresql-9.4 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3935-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 10, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

In some authentication methods empty passwords were accepted.

CVE-2017-7547

User mappings could leak data to unprivileged users.

CVE-2017-7548

The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgresql.org/about/news/1772/

For the oldstable distribution (jessie), these problems have been fixed
in version 9.4.13-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3936-1] postgresql-9.6 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3936-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 10, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : postgresql-9.6
CVE ID : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

Several vulnerabilities have been found in the PostgreSQL database
system:

CVE-2017-7546

In some authentication methods empty passwords were accepted.

CVE-2017-7547

User mappings could leak data to unprivileged users.

CVE-2017-7548

The lo_put() function ignored ACLs.

For more in-depth descriptions of the security vulnerabilities,
please see https://www.postgresql.org/about/news/1772/

For the stable distribution (stretch), these problems have been fixed in
version 9.6.4-0+deb9u1.

We recommend that you upgrade your postgresql-9.6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/