The following updates has been released for Debian 7 LTS:
DLA 1145-1: zoneminder security update
DLA 1146-1: mosquitto security update
DLA 1147-1: exiv2 security update
DLA 1145-1: zoneminder security update
DLA 1146-1: mosquitto security update
DLA 1147-1: exiv2 security update
DLA 1145-1: zoneminder security update
Package : zoneminder
Version : 1.25.0-4+deb7u2
CVE ID : CVE-2017-5595
Multiple vulnerabilities have been found in zoneminder. This update
fixes only a serious file disclosure vulnerability (CVE-2017-5595).
The application has been found to suffer from many other problems
such as SQL injection vulnerabilities, cross-site scripting issues,
cross-site request forgery, session fixation vulnerability. Due to the
amount of issues and to the relative invasiveness of the relevant patches,
those issues will not be fixed in Wheezy. We thus advise you to restrict
access to zoneminder to trusted users only. If you want to review the
list of ignored issues, you can check the security tracker:
https://security-tracker.debian.org/tracker/source-package/zoneminder
We recommend that you upgrade your zoneminder packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Raphaël Hertzog â Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
DLA 1146-1: mosquitto security update
Package : mosquitto
Version : 0.15-2+deb7u2
CVE ID : CVE-2017-9868
Debian Bug : 865959
mosquitto's persistence file (mosquitto.db) was created in a
world-readable way thus allowing local users to obtain sensitive MQTT
topic information. While the application has been fixed to set
proper permissions by default, you still have to manually fix
the permissions on any existing file.
For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u2.
We recommend that you upgrade your mosquitto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
Raphaël Hertzog â Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
DLA 1147-1: exiv2 security update
Package : exiv2
Version : 0.23-1+deb7u2
CVE ID : CVE-2017-11591 CVE-2017-11683 CVE-2017-14859 CVE-2017-14862
CVE-2017-14864
Debian Bug : 876893
The exiv2 library is vulnerable to multiple issues that can all lead
to denial of service of the applications relying on the library to parse
images' metadata.
CVE-2017-11591
Denial of service via floating point exception in
the Exiv2::ValueType function.
CVE-2017-11683
Denial of service through failing assertion triggered by
crafted image.
CVE-2017-14859 / CVE-2017-14862 / CVE-2017-14864
Denial of service through invalid memory access triggered by a crafted
image.
For Debian 7 "Wheezy", these problems have been fixed in version
0.23-1+deb7u2.
We recommend that you upgrade your exiv2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
