Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1264-1: unbound security update

Debian GNU/Linux 8:
DSA 4094-2: smarty3 security update

Debian GNU/Linux 8 and 9:
DSA 4102-1: thunderbird security update



DLA 1264-1: unbound security update




Package : unbound
Version : 1.4.17-3+deb7u3
CVE ID : CVE-2017-15105
Debian Bug : 887733

Ralph Dolmans and Karst Koymans found a flaw in the way unbound
validated wildcard-synthesized NSEC records. An improperly validated
wildcard NSEC record could be used to prove the non-existence
(NXDOMAIN answer) of an existing wildcard record, or trick unbound
into accepting a NODATA proof.

For more information please refer to the upstream advisory at
https://unbound.net/downloads/CVE-2017-15105.txt.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.17-3+deb7u3.

We recommend that you upgrade your unbound packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4094-2: smarty3 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4094-2 security@debian.org
https://www.debian.org/security/
January 30, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : smarty3
CVE ID : CVE-2017-1000480
Debian Bug : 886460

Côme Chilliet from the FusionDirectory team detected a regression in the
previously issued fix for CVE-2017-1000480. This regression only affects
the Jessie version of the patch. For reference, the relevant part of the
original advisory text follows.

It was discovered that Smarty, a PHP template engine, was vulnerable to
code-injection attacks. An attacker was able to craft a filename in
comments that could lead to arbitrary code execution on the host running
Smarty.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.1.21-1+deb8u2.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4102-1: thunderbird security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4102-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 30, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096
CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102
CVE-2018-5103 CVE-2018-5104 CVE-2018-5117

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or URL spoofing.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.6.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.6.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/