Debian 10225 Published by

The following packages has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1297-1: simplesamlphp security update

Debian GNU/Linux 8 and 9:
DSA 4129-1: freexl security update
DSA 4130-1: dovecot security update

Debian GNU/Linux 9:
DSA 4128-1: trafficserver security update



DLA 1297-1: simplesamlphp security update




Package : simplesamlphp
Version : 1.9.2-1+deb7u3
CVE ID : CVE-2016-9814 CVE-2016-9955

Several vulnerabilities have been discovered in SimpleSAMLphp, a
framework for authentication, primarily via the SAML protocol.

CVE-2016-9814 & CVE-2016-9955

An incorrect check of return values in the signature validation
utilities allowed an attacker to get invalid signatures accepted
as valid in the rare case of an error occurring during validation.

SSPSA-201802-01 (no CVE yet)

Critical signature validation vulnerability.

In addition this update adds a patch to solve excessive resource
consumption in case of SimpleSAMLphp processing a large metadata file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.2-1+deb7u3.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4128-1: trafficserver security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4128-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
March 02, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : trafficserver
CVE ID : CVE-2017-5660 CVE-2017-7671

Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server. They could lead to the use of an
incorrect upstream proxy, or allow a remote attacker to cause a
denial-of-service by application crash.

For the stable distribution (stretch), these problems have been fixed in
version 7.0.0-6+deb9u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4129-1: freexl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4129-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 02, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : freexl
CVE ID : CVE-2018-7435 CVE-2018-7436 CVE-2018-7437 CVE-2018-7438
CVE-2018-7439

Multiple heap buffer over reads were discovered in freexl, a library to
read Microsoft Excel spreadsheets, which could result in denial of
service.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.0g-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2-2+deb9u2.

We recommend that you upgrade your freexl packages.

For the detailed security status of freexl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freexl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4130-1: dovecot security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4130-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 02, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : dovecot
CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
Debian Bug : 888432 891819 891820

Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
cause a crash or leak memory contents to an attacker.

CVE-2017-15130

It was discovered that TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted, resulting in a denial of service. Only
Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.

CVE-2017-15132

It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.2.27-3+deb9u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/