Debian Security Advisory

Package: otrs2

CVE ID: CVE-2017-15864 CVE-2017-16664

Two vulnerabilities were discovered in the Open Ticket Request System

which could result in disclosure of database credentials or the

execution of arbitrary shell commands by logged-in agents.

For the oldstable distribution (jessie), these problems have been fixed

in version 3.3.18-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in

version 5.0.16-1+deb9u3.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/otrs2

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: openjdk-7

CVE ID: CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295

CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348

CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356

CVE-2017-10357 CVE-2017-10388

Several vulnerabilities have been discovered in OpenJDK, an

implementation of the Oracle Java platform, resulting in impersonation

of Kerberos services, denial of service, sandbox bypass or HTTP header

injection.

For the oldstable distribution (jessie), these problems have been fixed

in version 7u151-2.6.11-2~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

For the detailed security status of openjdk-7 please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/openjdk-7

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: ffmpeg

CVE ID: CVE-2017-15186 CVE-2017-15672 CVE-2017-16840

Several vulnerabilities have been discovered in the FFmpeg multimedia

framework, which could result in denial of service or potentially the

execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (stretch), these problems have been fixed in

version 7:3.2.9-1~deb9u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: xen

CVE ID: CVE-2017-14316 CVE-2017-14317 CVE-2017-14318 CVE-2017-14319

CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15592

CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 CVE-2017-15597

Multiple vulnerabilities have been discovered in the Xen hypervisor, which

could result in denial of service, information leaks, privilege escalation

or the execution of arbitrary code.

For the oldstable distribution (jessie) a separate update will be

released.

For the stable distribution (stretch), these problems have been fixed in

version 4.8.2+xsa245-0+deb9u1.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: curl

CVE ID: CVE-2017-8816 CVE-2017-8817

Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2017-8816

Alex Nichols discovered a buffer overrun flaw in the NTLM authentication

code which can be triggered on 32bit systems where an integer overflow

might occur when calculating the size of a memory allocation.

CVE-2017-8817

Fuzzing by the OSS-Fuzz project led to the discovery of a read out of

bounds flaw in the FTP wildcard function in libcurl. A malicious server

could redirect a libcurl-based client to an URL using a wildcard pattern,

triggering the out-of-bound read.

For the oldstable distribution (jessie), these problems have been fixed

in version 7.38.0-4+deb8u8.

For the stable distribution (stretch), these problems have been fixed in

version 7.52.1-5+deb9u3.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: bzr

CVE ID: CVE-2017-14176

Debian Bug: 874429

Adam Collard discovered that Bazaar, an easy to use distributed version

control system, did not correctly handle maliciously constructed bzr+ssh

URLs, allowing a remote attackers to run an arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed

in version 2.6.0+bzr6595-6+deb8u1.

For the stable distribution (stretch), this problem has been fixed in

version 2.7.0+bzr6619-7+deb9u1.

We recommend that you upgrade your bzr packages.

For the detailed security status of bzr please refer to its security

tracker page at:

https://security-tracker.debian.org/tracker/bzr

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: exim4

CVE ID: CVE-2017-16943 CVE-2017-16944

Debian Bug: 882648 882671

Several vulnerabilities have been discovered in Exim, a mail transport

agent. The Common Vulnerabilities and Exposures project identifies the

following issues:

CVE-2017-16943

A use-after-free vulnerability was discovered in Exim's routines

responsible for parsing mail headers. A remote attacker can take

advantage of this flaw to cause Exim to crash, resulting in a denial

of service, or potentially for remote code execution.

CVE-2017-16944

It was discovered that Exim does not properly handle BDAT data

headers allowing a remote attacker to cause Exim to crash, resulting

in a denial of service.

For the stable distribution (stretch), these problems have been fixed in

version 4.89-2+deb9u2. Default installations disable advertising the

ESMTP CHUNKING extension and are not affected by these issues.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security

tracker page at:

https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: tor

CVE ID: CVE-2017-8819 CVE-2017-8820 CVE-2017-8821 CVE-2017-8822

CVE-2017-8823

Multiple vulnerabilities have been found in Tor, a connection-based

low-latency anonymous communication system.

For the oldstable distribution (jessie), these problems have been fixed

in version 0.2.5.16-1.

For the stable distribution (stretch), these problems have been fixed in

version 0.2.9.14-1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/tor

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: heimdal

CVE ID: CVE-2017-17439

Debian Bug: 878144

Michael Eder and Thomas Kittel discovered that Heimdal, an

implementation of Kerberos 5 that aims to be compatible with MIT

Kerberos, did not correctly handle ASN.1 data. This would allow an

unauthenticated remote attacker to cause a denial of service (crash of

the KDC daemon) by sending maliciously crafted packets.

For the stable distribution (stretch), this problem has been fixed in

version 7.1.0+dfsg-13+deb9u2.

We recommend that you upgrade your heimdal packages.

For the detailed security status of heimdal please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/heimdal

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: nova

CVE ID: CVE-2017-16239

Debian Bug: 882009

George Shuklin from servers.com discovered that Nova, a cloud

computing fabric controller, did not correctly enforce its image- or

hosts-filters. This allowed an authenticated user to bypass those

filters by simply rebuilding an instance.

For the stable distribution (stretch), this problem has been fixed in

version 2:14.0.0-4+deb9u1.

We recommend that you upgrade your nova packages.

For the detailed security status of nova please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/nova

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: erlang

CVE ID: CVE-2017-1000385

It was discovered that the TLS server in Erlang is vulnerable to an

adaptive chosen ciphertext attack against RSA keys.

For the oldstable distribution (jessie), this problem has been fixed

in version 1:17.3-dfsg-4+deb8u2.

For the stable distribution (stretch), this problem has been fixed in

version 1:19.2.1+dfsg-2+deb9u1.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/erlang

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: optipng

CVE ID: CVE-2017-16938 CVE-2017-1000229

Debian Bug: 878839 882032

Two vulnerabilities were discovered in optipng, an advanced PNG

optimizer, which may result in denial of service or the execution of

arbitrary code if a malformed file is processed.

For the oldstable distribution (jessie), these problems have been fixed

in version 0.7.5-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in

version 0.7.6-1+deb9u1.

We recommend that you upgrade your optipng packages.

For the detailed security status of optipng please refer to its security

tracker page at: https://security-tracker.debian.org/tracker/optipng

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: libxcursor

CVE ID: CVE-2017-16612

Debian Bug: 883792

It was discovered that libXcursor, a X cursor management library, is

prone to several heap overflows when parsing malicious files. An

attacker can take advantage of these flaws for arbitrary code execution,

if a user is tricked into processing a specially crafted cursor file.

For the oldstable distribution (jessie), these problems have been fixed

in version 1:1.1.14-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in

version 1:1.1.14-1+deb9u1.

We recommend that you upgrade your libxcursor packages.

For the detailed security status of libxcursor please refer to its

security tracker page at:

https://security-tracker.debian.org/tracker/libxcursor

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: wireshark

CVE ID: CVE-2017-11408 CVE-2017-13766 CVE-2017-17083 CVE-2017-17084

CVE-2017-17085

It was discovered that wireshark, a network protocol analyzer, contained

several vulnerabilities in the dissectors for CIP Safety, IWARP_MPA,

NetBIOS, Profinet I/O and AMQP, which result in denial of dervice or the

execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed

in version 1.12.1+g01b65bf-4+deb8u12.

For the stable distribution (stretch), these problems have been fixed in

version 2.2.6+g32dac6a-2+deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/wireshark

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: thunderbird

CVE ID: CVE-2017-7826 CVE-2017-7828 CVE-2017-7830

Multiple security issues have been found in Thunderbird, which may lead

to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed

in version 1:52.5.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in

version 1:52.5.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: firefox-esr

CVE ID: CVE-2017-7843

It discovered that the Private Browsing mode in the Mozilla Firefox

web browser allowed to fingerprint a user across multiple sessions

via IndexedDB.

For the oldstable distribution (jessie), this problem has been fixed

in version 52.5.2esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in

version 52.5.2esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: pdns-recursor

CVE ID: CVE-2017-15120

Toshifumi Sakaguchi discovered that PowerDNS Recursor, a high-performance

resolving name server was susceptible to denial of service via a crafted

CNAME answer.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in

version 4.0.4-1+deb9u3.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: chromium-browser

CVE ID: CVE-2017-15407 CVE-2017-15408 CVE-2017-15409 CVE-2017-15410

CVE-2017-15411 CVE-2017-15413 CVE-2017-15415 CVE-2017-15416

CVE-2017-15417 CVE-2017-15418 CVE-2017-15419 CVE-2017-15420

CVE-2017-15423 CVE-2017-15424 CVE-2017-15425 CVE-2017-15426

CVE-2017-15427

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2017-15407

Ned Williamson discovered an out-of-bounds write issue.

CVE-2017-15408

Ke Liu discovered a heap overflow issue in the pdfium library.

CVE-2017-15409

An out-of-bounds write issue was discovered in the skia library.

CVE-2017-15410

Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-15411

Luat Nguyen discovered a use-after-free issue in the pdfium library.

CVE-2017-15413

Gaurav Dewan discovered a type confusion issue.

CVE-2017-15415

Viktor Brange discovered an information disclosure issue.

CVE-2017-15416

Ned Williamson discovered an out-of-bounds read issue.

CVE-2017-15417

Max May discovered an information disclosure issue in the skia

library.

CVE-2017-15418

Kushal Arvind Shah discovered an uninitialized value in the skia

library.

CVE-2017-15419

Jun Kokatsu discoved an information disclosure issue.

CVE-2017-15420

WenXu Wu discovered a URL spoofing issue.

CVE-2017-15423

Greg Hudson discovered an issue in the boringssl library.

CVE-2017-15424

Khalil Zhani discovered a URL spoofing issue.

CVE-2017-15425

xisigr discovered a URL spoofing issue.

CVE-2017-15426

WenXu Wu discovered a URL spoofing issue.

CVE-2017-15427

Junaid Farhan discovered an issue with the omnibox.

For the stable distribution (stretch), these problems have been fixed in

version 63.0.3239.84-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: openssl1.0

CVE ID: CVE-2017-3737 CVE-2017-3738

Multiple vulnerabilities have been discovered in OpenSSL, a Secure

Sockets Layer toolkit. The Common Vulnerabilities and Exposures project

identifies the following issues:

CVE-2017-3737

David Benjamin of Google reported that OpenSSL does not properly

handle SSL_read() and SSL_write() while being invoked in an error

state, causing data to be passed without being decrypted or

encrypted directly from the SSL/TLS record layer.

CVE-2017-3738

It was discovered that OpenSSL contains an overflow bug in the AVX2

Montgomery multiplication procedure used in exponentiation with

1024-bit moduli.

Details can be found in the upstream advisory:

https://www.openssl.org/news/secadv/20171207.txt

For the stable distribution (stretch), these problems have been fixed in

version 1.0.2l-2+deb9u2.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to its

security tracker page at:

https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: otrs2

CVE ID: CVE-2017-16854 CVE-2017-16921

Two vulnerabilities were discovered in the Open Ticket Request System

which could result in information disclosureor the execution of arbitrary

shell commands by logged-in agents.

For the oldstable distribution (jessie), these problems have been fixed

in version 3.3.18-1+deb8u3.

For the stable distribution (stretch), these problems have been fixed in

version 5.0.16-1+deb9u4.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/otrs2

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/