Debian 10226 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1276-1: tomcat-native security update
DLA 1277-1: audacity security update

Debian GNU/Linux 9:
DSA 4111-1: libreoffice security update



DLA 1276-1: tomcat-native security update




Package : tomcat-native
Version : 1.1.24-1+deb7u1
CVE ID : CVE-2017-15698

Jonas Klempel discovered that, when parsing the AIA-Extension field of
a client certificate, Apache Tomcat Native did not correctly handle
fields longer than 127 bytes. The result of the parsing error was to
skip the
OCSP check. It was therefore possible for client certificates that
should have been rejected (if the OCSP check had been made) to be
accepted. Users not using OCSP checks are not affected by this
vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.24-1+deb7u1.

We recommend that you upgrade your tomcat-native packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1277-1: audacity security update

Package : audacity
Version : 2.0.1-1+deb7u1
CVE ID : CVE-2016-2540


Chris Navarrete from Fortinet's FortiGuard Labs discovered that Audacity,
a multi-track audio editor, contains a vulnerability such that a .wav
file with a crafted FORMATCHUNK structure (many channels) can result in
a denial of service (memory corruption and application crash).

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.1-1+deb7u1.

We recommend that you upgrade your audacity packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




DSA 4111-1: libreoffice security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4111-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 11, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2018-6871

Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that
missing restrictions in the implementation of the WEBSERVICE function
in LibreOffice could result in the disclosure of arbitrary files
readable by the user who opens a malformed document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u2.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/