Debian 10229 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1127-1: sam2p security update
DLA 1128-1: qemu-kvm security update
DLA 1129-1: qemu security update

Debian GNU/Linux 8 and 9:
DSA 3994-1: nautilus security update



DLA 1127-1: sam2p security update




Package : sam2p
Version : 0.49.1-1+deb7u1
CVE ID : CVE-2017-14628 CVE-2017-14629 CVE-2017-14630
CVE-2017-14631 CVE-2017-14636 CVE-2017-14637


Several vulnerabilites, like heap-based buffer overflows, integer
signedness or overflow errors have been found by fpbibi and have
been fixed by upstream.


For Debian 7 "Wheezy", these problems have been fixed in version
0.49.1-1+deb7u1.

We recommend that you upgrade your sam2p packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1128-1: qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u24
CVE ID : CVE-2017-14167 CVE-2017-15038

Multiple vulnerabilities were discovered in qemu-kvm, a full
virtualization solution for Linux hosts on x86 hardware with x86 guests
based on the Quick Emulator(Qemu).

CVE-2017-14167

Incorrect validation of multiboot headers could result in the
execution of arbitrary code.

CVE-2017-15038

When using 9pfs qemu-kvm is vulnerable to an information
disclosure issue. It could occur while accessing extended attributes
of a file due to a race condition. This could be used to disclose
heap memory contents of the host.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u24.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1129-1: qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u24
CVE ID : CVE-2017-14167 CVE-2017-15038


Multiple vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-14167

Incorrect validation of multiboot headers could result in the
execution of arbitrary code.

CVE-2017-15038

When using 9pfs qemu-kvm is vulnerable to an information
disclosure issue. It could occur while accessing extended attributes
of a file due to a race condition. This could be used to disclose
heap memory contents of the host.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u24.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 3994-1: nautilus security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3994-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
October 07, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nautilus
CVE ID : CVE-2017-14604
Debian Bug : 860268

Christian Boxdörfer discovered a vulnerability in the handling of
FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME
desktop environment. An attacker can craft a .desktop file intended to run
malicious commands but displayed as a innocuous document file in Nautilus. An
user would then trust it and open the file, and Nautilus would in turn execute
the malicious content. Nautilus protection of only trusting .desktop files with
executable permission can be bypassed by shipping the .desktop file inside a
tarball.

For the oldstable distribution (jessie), this problem has not been fixed yet.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.3-1+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 3.26.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 3.26.0-1.

We recommend that you upgrade your nautilus packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/