Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1150-1: wpa security update
DLA 1151-1: wordpress security update
DLA 1152-1: quagga security update
DLA 1154-1: graphicsmagick security update
DLA 1155-1: tzdata new upstream version
DLA 1156-1: libdatetime-timezone-perl new upstream version

Debian GNU/Linux 8 and 9:
DSA 4013-1: openjpeg2 security update



DLA 1150-1: wpa security update

Package : wpa
Version : 1.0-3+deb7u5
CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088

A vulnerability was found in how WPA code can be triggered to
reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific
frame that is used to manage the keys. Such reinstallation of the
encryption key can result in two different types of vulnerabilities:
disabling replay protection and significantly reducing the security of
encryption to the point of allowing frames to be decrypted or some parts
of the keys to be determined by an attacker depending on which cipher is
used.

Those issues are commonly known under the "KRACK" appelation. According
to US-CERT, "the impact of exploiting these vulnerabilities includes
decryption, packet replay, TCP connection hijacking, HTTP content
injection, and others."

CVE-2017-13077

Reinstallation of the pairwise encryption key (PTK-TK) in the
4-way handshake.

CVE-2017-13078

Reinstallation of the group key (GTK) in the 4-way handshake.

CVE-2017-13079

Reinstallation of the integrity group key (IGTK) in the 4-way
handshake.

CVE-2017-13080

Reinstallation of the group key (GTK) in the group key handshake.

CVE-2017-13081

Reinstallation of the integrity group key (IGTK) in the group key
handshake.

CVE-2017-13082

Accepting a retransmitted Fast BSS Transition (FT) Reassociation
Request and reinstalling the pairwise encryption key (PTK-TK)
while processing it.

CVE-2017-13084

Reinstallation of the STK key in the PeerKey handshake.

CVE-2017-13086

reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
(TPK) key in the TDLS handshake.

CVE-2017-13087

reinstallation of the group key (GTK) when processing a Wireless
Network Management (WNM) Sleep Mode Response frame.

CVE-2017-13088

reinstallation of the integrity group key (IGTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame.

For Debian 7 "Wheezy", these problems have been fixed in version
1.0-3+deb7u5. Note that the latter two vulnerabilities (CVE-2017-13087
and CVE-2017-13088) were mistakenly marked as fixed in the changelog
whereas they simply did not apply to the 1.0 version of the WPA source
code, which doesn't implement WNM sleep mode responses.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1151-1: wordpress security update




Package : wordpress
Version : 3.6.1+dfsg-1~deb7u17
CVE ID : CVE-2016-9263 CVE-2017-14718 CVE-2017-14719
CVE-2017-14720 CVE-2017-14721 CVE-2017-14722
CVE-2017-14723 CVE-2017-14725 CVE-2017-14990
Debian Bug : 876274 877629

Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.

CVE-2016-9263
When domain-based flashmediaelement.swf sandboxing is not used,
allows remote attackers to conduct cross-domain Flash injection
(XSF) attacks by leveraging code contained within the
wp-includes/js/mediaelement/flashmediaelement.swf file.

This issue was resolved by completely removing
flashmediaelement.swf.

CVE-2017-14718
WordPress was susceptible to a Cross-Site Scripting attack in the
link modal via a javascript: or data: URL.

CVE-2017-14719
WordPress was vulnerable to a directory traversal attack during
unzip operations in the ZipArchive and PclZip components.

CVE-2017-14720
WordPress allowed a Cross-Site scripting attack in the template list
view via a crafted template name.

CVE-2017-14721
WordPress allowed Cross-Site scripting in the plugin editor via a
crafted plugin name.

CVE-2017-14722
WordPress allowed a Directory Traversal attack in the Customizer
component via a crafted theme filename.

CVE-2017-14723
WordPress mishandled % characters and additional placeholder values
in $wpdb->prepare, and thus did not properly address the possibility
of plugins and themes enabling SQL injection attacks.

CVE-2017-14725
WordPress was susceptible to an open redirect attack in
wp-admin/user-edit.php.

CVE-2017-14990
WordPress stores cleartext wp_signups.activation_key values (but
stores the analogous wp_users.user_activation_key values as hashes),
which might make it easier for remote attackers to hijack
unactivated user accounts by leveraging database read access
(such as access gained through an unspecified SQL injection
vulnerability).

For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u17.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1152-1: quagga security update




Package : quagga
Version : quagga_0.99.22.4-1+wheezy3+deb7u2
CVE ID : CVE-2017-16227
Debian Bug : 879474

It was discovered that the bgpd daemon in the Quagga routing suite
does not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

For Debian 7 "Wheezy", these problems have been fixed in version
quagga_0.99.22.4-1+wheezy3+deb7u2.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1154-1: graphicsmagick security update

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u12
CVE ID : CVE-2017-14103 CVE-2017-14314 CVE-2017-14504
CVE-2017-14733 CVE-2017-14994 CVE-2017-14997
CVE-2017-15930
Debian Bug : 879999

Multiple vulnerabilities were found in graphicsmagick.

CVE-2017-14103

The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in
GraphicsMagick 1.3.26 do not properly manage image pointers after
certain error conditions, which allows remote attackers to conduct
use-after-free attacks via a crafted file, related to a
ReadMNGImage out-of-order CloseBlob call. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2017-11403.

CVE-2017-14314

Off-by-one error in the DrawImage function in magick/render.c in
GraphicsMagick 1.3.26 allows remote attackers to cause a denial of
service (DrawDashPolygon heap-based buffer over-read and
application crash) via a crafted file.

CVE-2017-14504

ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not
ensure the correct number of colors for the XV 332 format, leading
to a NULL Pointer Dereference.

CVE-2017-14733

ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles
RLE headers that specify too few colors, which allows remote
attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted file.

CVE-2017-14994

ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows
remote attackers to cause a denial of service (NULL pointer
dereference) via a crafted DICOM image, related to the ability of
DCM_ReadNonNativeImages to yield an image list with zero frames.

CVE-2017-14997

GraphicsMagick 1.3.26 allows remote attackers to cause a denial of
service (excessive memory allocation) because of an integer
underflow in ReadPICTImage in coders/pict.c.

CVE-2017-15930

In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a
Null Pointer Dereference occurs while transferring JPEG scanlines,
related to a PixelPacket pointer.

For Debian 7 "Wheezy", CVE-2017-15930 has been fixed in version
1.3.16-1.1+deb7u12. The other security issues were fixed in
1.3.16-1.1+deb7u10 on 10 Oct 2017 in DLA-1130-1 but that announcement
was never sent out so this advisory also contains the notice about
those vulnerabilities.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1155-1: tzdata new upstream version




Package : tzdata
Version : 2017c-0+deb7u1

This update includes the changes in tzdata 2017b. Notable
changes are:
- Northern Cyprus resumed EU rules starting 2017-10-29.
- Namibia will switch from +01 with DST to +02 all year, affecting
UT offsets starting 2018-04-01.
- Sudan will switch from +03 to +02 on 2017-11-01.
- Tonga will not observe DST on 2017-11-05.
- Turks & Caicos will switch from -04 all year to -05 with US DST,
affecting UT offset starting 2018-11-04.

For Debian 7 "Wheezy", these problems have been fixed in version
2017c-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1156-1: libdatetime-timezone-perl new upstream version




Package : libdatetime-timezone-perl
Version : 1:1.58-1+2017c

This update includes the changes in tzdata 2017c for the
Perl bindings. For the list of changes, see DLA-1156-1.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.58-1+2017c.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4013-1: openjpeg2 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4013-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 31, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjpeg2
CVE ID : CVE-2016-1628 CVE-2016-5152 CVE-2016-5157 CVE-2016-9118
CVE-2016-10504 CVE-2017-14039 CVE-2017-14040
CVE-2017-14041 CVE-2017-14151 CVE-2017-14152

Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression /
decompression library, may result in denial of service or the execution
of arbitrary code if a malformed JPEG 2000 file is processed.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 2.1.2-1.1+deb9u2.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/