Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1166-2: tomcat7 regression update
DLA-1157-1: openssl security update

Debian GNU/Linux 8:
DSA 4027-1: postgresql-9.4 security update

Debian GNU/Linux 9:
DSA 4028-1: postgresql-9.6 security update

Debian GNU/Linux 8 and 9:
DSA 4026-1: bchunk security update
DSA 4029-1: postgresql-common security update
DSA 4030-1: roundcube security update



DLA 1166-2: tomcat7 regression update

Package : tomcat7
Version : 7.0.28-4+deb7u17
Debian Bug : 881162


The update for tomcat7 issued as DLA-1166-1 caused a regressions whereby every
request, including for the root document (/), returned HTTP status 404. Updated
packages are now available to address this problem. For reference, the original
advisory text follows.

When HTTP PUT was enabled (e.g., via setting the readonly initialization
parameter of the Default servlet to false) it was possible to upload a JSP
file to the server via a specially crafted request. This JSP could then be
requested and any code it contained would be executed by the server.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u17.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA-1157-1: openssl security update




Package : openssl
Version : 1.0.1t-1+deb7u3
CVE ID : CVE-2017-3735

A security vulnerability was discovered in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2017-3735

It was discovered that OpenSSL is prone to a one-byte buffer
overread while parsing a malformed IPAddressFamily extension in an
X.509 certificate.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20170828.txt


For Debian 7 "Wheezy", these problems have been fixed in version
1.0.1t-1+deb7u3.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4026-1: bchunk security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4026-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
November 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bchunk
CVE ID : CVE-2017-15953 CVE-2017-15954 CVE-2017-15955
Debian Bug : 880116

Wen Bin discovered that bchunk, an application that converts a CD
image in bin/cue format into a set of iso and cdr/wav tracks files,
did not properly check its input. This would allow malicious users to
crash the application or potentially execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.2.0-12+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.2.0-12+deb9u1.

We recommend that you upgrade your bchunk packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4027-1: postgresql-9.4 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4027-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2017-15098

A vulnerabilitiy has been found in the PostgreSQL database system:
Denial of service and potential memory disclosure in the
json_populate_recordset() and jsonb_populate_recordset() functions.

For the oldstable distribution (jessie), this problem has been fixed
in version 9.4.15-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4028-1: postgresql-9.6 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4028-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-9.6
CVE ID : CVE-2017-15098 CVE-2017-15099

Several vulnerabilities have been found in the PostgreSQL database system:

CVE-2017-15098

Denial of service and potential memory disclosure in the
json_populate_recordset() and jsonb_populate_recordset() functions

CVE-2017-15099

Insufficient permissions checks in "INSERT ... ON CONFLICT DO UPDATE"
statements.

For the stable distribution (stretch), these problems have been fixed in
version 9.6.6-0+deb9u1.

We recommend that you upgrade your postgresql-9.6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4029-1: postgresql-common security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4029-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-common
CVE ID : CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and
pg_upgradecluster commands handled symbolic links insecurely which could
result in local denial of service by overwriting arbitrary files.

For the oldstable distribution (jessie), this problem has been fixed
in version 165+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 181+deb9u1.

We recommend that you upgrade your postgresql-common packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4030-1: roundcube security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4030-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 09, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2017-16651

A file disclosure vulnerability was discovered in roundcube, a skinnable
AJAX based webmail solution for IMAP servers. An authenticated attacker
can take advantage of this flaw to read roundcube's configuration files.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.3+dfsg.1-1.

We recommend that you upgrade your roundcube packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/