Debian 10206 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1087-1: icedove/thunderbird security update
DLA 1090-1: tcpdump security update

Debian GNU/Linux 9:
DSA 3965-1: file security update
DSA 3966-1: ruby2.3 security update



DLA 1087-1: icedove/thunderbird security update

Package : icedove
Version : 1:52.3.0-4~deb7u1
CVE ID : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803
CVE-2017-7804 CVE-2017-7807 CVE-2017-7809

Multiple security issues have been found in the Mozilla Thunderbird mail
client: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
spoofing.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.3.0-4~deb7u1.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1090-1: tcpdump security update

Package : tcpdump
Version : 4.9.0-1~deb7u2
CVE ID : CVE-2017-11108 CVE-2017-11541 CVE-2017-11542 CVE-2017-11543

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service (application crash).

For Debian 7 "Wheezy", these problems have been fixed in version
4.9.0-1~deb7u2.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 3965-1: file security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3965-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 05, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : file
CVE ID : CVE-2017-1000249

Thomas Jarosch discovered a stack-based buffer overflow flaw in file, a
file type classification tool, which may result in denial of service if
an ELF binary with a specially crafted .notes section is processed.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.30-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.32-1.

We recommend that you upgrade your file packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 3966-1: ruby2.3 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3966-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 05, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby2.3
CVE ID : CVE-2015-9096 CVE-2016-7798 CVE-2017-0899 CVE-2017-0900
CVE-2017-0901 CVE-2017-0902 CVE-2017-14064

Multiple vulnerabilities were discovered in the interpreter for the Ruby
language:

CVE-2015-9096

SMTP command injection in Net::SMTP.

CVE-2016-7798

Incorrect handling of initialization vector in the GCM mode in the
OpenSSL extension.

CVE-2017-0900

Denial of service in the RubyGems client.

CVE-2017-0901

Potential file overwrite in the RubyGems client.

CVE-2017-0902

DNS hijacking in the RubyGems client.

CVE-2017-14064

Heap memory disclosure in the JSON library.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u1. This update also hardens RubyGems against
malicious termonal escape sequences (CVE-2017-0899).

We recommend that you upgrade your ruby2.3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/