14348 matches found
[SECURITY] [DSA 3905-1] xorg-server security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3905-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 09, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1019-1] phpldapadmin security update
Package : phpldapadmin Version : 1.2.2-5+deb7u1 CVE ID : CVE-2017-11107 Debian Bug : 867719 It was discovered that there was a cross-site scripting (XSS) vulnerability in phpldapadmin, a web-based interface for administering LDAP servers. For Debian 7 "Wheezy", this issue has been fixed in...
[SECURITY] [DLA 1018-1] sqlite3 security update
Package : sqlite3 Version : 3.7.13-1+deb7u4 CVE ID : CVE-2017-10989 Debian Bug : 867618 It was discovered that there was a heap-based buffer over-read vulnerability in SQLite, a lightweight database engine. The getNodeSize function in ext/rtree/rtree.c mishandled undersized RTree blobs in a...
[SECURITY] [DSA 3904-1] bind9 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3904-1 [email protected] https://www.debian.org/security/ Yves-Alexis Perez July 08, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1017-1] mpg123 security update
Package : mpg123 Version : 1.14.4-1+deb7u2 CVE ID : CVE-2017-10683 Debian Bug : 866860 It was discovered that there was a remote denial of service vulnerability in the mpg123 audio library/player. This was caused by a heap-based buffer over-read in the "convert_latin1" function. For Debian 7...
[SECURITY] [DLA 1016-1] radare2 security update
Package : radare2 Version : 0.9-3+deb7u3 CVE ID : CVE-2017-10929 Debian Bug : 867369 It was discovered that there was a heap-based buffer overflow in radare2, a reverse-engineering framework. The grub_memmove function allowed attackers to cause a remote denial of service. For Debian 7 "Wheezy", th...
[SECURITY] [DLA 1015-1] libgcrypt11 security update
Package : libgcrypt11 Version : 1.5.0-5+deb7u6 CVE ID : CVE-2017-7526 It was discovered that there was a key disclosure vulnerability in libgcrypt11, a library of cryptographic routines: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows...
[SECURITY] [DLA 1014-1] libclamunrar security update
Package : libclamunrar Version : 0.99-0+deb7u2 CVE ID : CVE-2017-7520 Debian Bug : 867223 It was discovered that there was an arbitrary code execution vulnerability in libclamunrar, a library to add unrar support to the Clam anti-virus software. This was caused by an integer overflow resulting in ...
[SECURITY] [DSA 3903-1] tiff security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3903-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 05, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3902-1] jabberd2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3902-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 05, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1013-1] graphite2 security update
Package : graphite2 Version : 1.3.10-1deb7u1 CVE ID : CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778 Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the...
Security Update for salt
Al Nikolov uploaded new package for salt which fixed the following security problem: CVE-2017-8109 The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on...
[BSA-116] Security Update for openvpn
Bernhard Schmidt uploaded new packages for openvpn which fixed the following security problems: CVE-2017-7479 It was discovered that openvpn did not properly handle the rollover of packet identifiers. This would allow an authenticated remote attacker to cause a denial-of-service via application...
[SECURITY] [DLA 1011-1] sudo security update
Package : sudo Version : 1.8.5p2-1+nmu3+deb7u4 CVE ID : CVE-2017-1000368 Debian Bug : 863897 Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname function resulting in information disclosure and command execution. The...
[SECURITY] [DLA 1012-1] puppet security update
Package : puppet Version : 2.7.23-1deb7u4 CVE ID : CVE-2017-2295 Debian Bug : 863212 Versions of Puppet prior to 4.10.1 will deserialize data off the wire from the agent to the server, in this case with an attacker-specified format. This could be used to force YAML deserialization in an unsafe...
[SECURITY] [DLA 1010-1] vorbis-tools security update
Package : vorbis-tools Version : 1.4.0-1+deb7u1 CVE ID : CVE-2014-9638 CVE-2014-9639 CVE-2014-9640 CVE-2015-6749 Debian Bug : 797461 776086 771363 vorbis-tools is vulnerable to multiple issues that can result in denial of service. CVE-2014-9638 Divide by zero error in oggenc with a WAV file whose...
[SECURITY] [DLA 1007-1] icedove/thunderbird security update
Package : icedove Version : 1:52.2.1-1deb7u1 CVE ID : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776...
[SECURITY] [DSA 3901-1] libgcrypt20 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3901-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 02, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1009-1] apache2 security update
Package : apache2 Version : 2.2.22-13+deb7u9 CVE ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679 Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-3167 Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw by third-party modules outside of the...
[SECURITY] [DLA 1008-1] libxml2 security update
Package : libxml2 Version : 2.8.0+dfsg1-7+wheezy8 CVE ID : CVE-2017-7375 CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050 CVE-2017-7375 Missing validation for external entities in xmlParsePEReference CVE-2017-9047 CVE-2017-9048 A buffer overflow was discovered in libxml2...
[SECURITY] [DLA 1006-1] libarchive security update
Package : libarchive Version : 3.0.4-3+wheezy6 CVE ID : CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 Debian Bug : 859456 861609 Multiple denial of service vulnerabilities have been identified in libarchive when manipulating specially crafted archives. CVE-2016-10209 NULL pointer dereference and...
[SECURITY] [DLA 1005-1] mercurial security update
Package : mercurial Version : 2.2.2-4+deb7u4 CVE ID : CVE-2017-9462 Debian Bug : 861243 In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. For Debian 7...
[SECURITY] [DLA 1004-1] drupal7 security update
Package : drupal7 Version : 7.14-2+deb7u16 CVE ID : CVE-2017-6922 Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not...
[SECURITY] [DSA 3900-1] openvpn security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3900-1 [email protected] https://www.debian.org/security/ Sebastien Delafond June 27, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3886-2] linux regression update
------------------------------------------------------------------------- Debian Security Advisory DSA-3886-2 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 27, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 993-2] linux regression update
Package : linux Version : 3.2.89-2 Debian Bug : 865303 The security update announced as DLA-993-1 caused regressions for some applications using Java - including jsvc, LibreOffice and Scilab - due to the fix for CVE-2017-1000364. Updated packages are now available to correct this issue. For...
[SECURITY] [DSA 3899-1] vlc security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3899-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 27, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1003-1] unrar-nonfree security update
Package : unrar-nonfree Version : 1:4.1.4-1+deb7u2 CVE ID : CVE-2012-6706 Debian Bug : 865461 It was reported that unrar fixed a VMSF_DELTA memory corruption issue in their latest version unrarsrc-5.5.5.tar.gz. This problem was reported to Sophos AV in 2012 but never reached upstream rar. For Debian...
[SECURITY] [DLA 1002-1] smb4k security update
Package : smb4k Version : 1.2.1-2deb7u1 CVE ID : CVE-2017-8849 Debian Bug : 862505 Sebastian Krahmer from SUSE discovered that smb4k, a Samba SMB share advanced browser, contains a logic flaw in which the mount helper binary does not properly verify the mount command it is being asked to run. Thi...
[SECURITY] [DSA 3898-1] expat security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3898-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 25, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1001-1] exim4 security update
Package : exim4 Version : 4.80-7+deb7u5 CVE ID : CVE-2017-1000369 Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. For Debian 7 "Wheezy", these problems have...
[SECURITY] [DLA 1000-1] imagemagick security update
Package : imagemagick Version : 8:6.7.7.10-5+deb7u15 CVE ID : CVE-2017-9261 CVE-2017-9262 CVE-2017-9405 CVE-2017-9407 CVE-2017-9409 CVE-2017-9439 CVE-2017-9500 CVE-2017-9501 Debian Bug : 863833 863834 864087 864089 864090 864274 This update fixes several vulnerabilities in imagemagick: Various...
[SECURITY] [DSA 3897-1] drupal7 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3897-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 24, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DLA 999-1] openvpn security update
Package : openvpn Version : 2.2.1-8+deb7u5 CVE ID : CVE-2017-7520 Debian Bug : 865480 It was discovered that there were multiple out-of-bounds memory read vulnerabilities in openvpn, a popular virtual private network (VPN) daemon. If clients used an HTTP proxy with NTLM authentication, a...
[SECURITY] [DLA 998-1] c-ares security update
Package : c-ares Version : 1.9.1-3+deb7u2 CVE ID : CVE-2017-1000381 CVE-2017-1000381 The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a...
[SECURITY] [DSA 3896-1] apache2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3896-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3895-1] flatpak security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3895-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3894-1] graphite2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3894-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3893-1] jython security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3893-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2017 https://www.debian.org/security/faq -...
[SECURITY] [DSA 3892-1] tomcat7 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3892-1 [email protected] https://www.debian.org/security/ Sebastien Delafond June 22, 2017 https://www.debian.org/security/faq -...