Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 1026-1] xorg-server security update
[DLA 1027-1] heimdal security update
[DSA 3909-1] samba security update



[DLA 1026-1] xorg-server security update

Package : xorg-server
Version : 2:1.12.4-6+deb7u7
CVE ID : CVE-2017-10971 CVE-2017-10972
Debian Bug : 867492 867492

CVE-2017-10971

A user authenticated to an X Session could crash or execute code in the
context of the X Server by exploiting a stack overflow in the endianness
conversion of X Events.

CVE-2017-10972

Uninitialized data in endianness conversion in the XEvent handling of the
X.Org X Server allowed authenticated malicious users to access potentially
privileged data from the X server.

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.12.4-6+deb7u7.

We recommend that you upgrade your xorg-server packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[SECURITY][DLA 1027-1] heimdal security update

Package : heimdal
Version : 1.6~git20120403+dfsg1-2+deb7u1
CVE ID : CVE-2017-11103
Debian Bug : 868208

Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual
authentication bypass vulnerability in Heimdal Kerberos. Also known as
Orpheus' Lyre, this vulnerability could be used by an attacker to mount
a service impersonation attack on the client if he's on the network
path between the client and the service.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/).

For Debian 7 "Wheezy", these problems have been fixed in version
1.6~git20120403+dfsg1-2+deb7u1.

We recommend that you upgrade your heimdal packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3909-1] samba security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3909-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
July 14, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2017-11103
Debian Bug : 868209

Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual
authentication bypass vulnerability in samba, the SMB/CIFS file, print, and
login server. Also known as Orpheus' Lyre, this vulnerability is located in
Samba Kerberos Key Distribution Center (KDC-REP) component and could be used by
an attacker on the network path to impersonate a server.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/) and on the Samba project website
(https://www.samba.org/samba/security/CVE-2017-11103.html)

For the oldstable distribution (jessie), this problem has been fixed
in version 2:4.2.14+dfsg-0+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.8+dfsg-2+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2:4.6.5+dfsg-4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.6.5+dfsg-4.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/