Debian Security Advisory

Package: firefox-esr

CVE ID: CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814

CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824

Several security issues have been found in the Mozilla Firefox web

browser: Multiple memory safety errors, use-after-frees, buffer

overflows and other implementation errors may lead to the execution of

arbitrary code, denial of service, cross-site scripting or bypass of

the phishing and malware protection feature.

For the oldstable distribution (jessie), these problems have been fixed

in version 52.4.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in

version 52.4.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: libidn2-0

CVE ID: CVE-2017-14062

Debian Bug: 873902

An integer overflow vulnerability was discovered in decode_digit() in

libidn2-0, the GNU library for Internationalized Domain Names (IDNs),

allowing a remote attacker to cause a denial of service against an

application using the library (application crash).

For the oldstable distribution (jessie), this problem has been fixed

in version 0.10-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in

version 0.16-1+deb9u1.

For the testing distribution (buster), this problem has been fixed

in version 2.0.2-4.

For the unstable distribution (sid), this problem has been fixed in

version 2.0.2-4.

We recommend that you upgrade your libidn2-0 packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: dnsmasq

CVE ID: CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494

CVE-2017-14495 CVE-2017-14496

Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron

Bowes and Gynvael Coldwind of the Google Security Team discovered

several vulnerabilities in dnsmasq, a small caching DNS proxy and

DHCP/TFTP server, which may result in denial of service, information

leak or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed

in version 2.72-3+deb8u2.

For the stable distribution (stretch), these problems have been fixed in

version 2.76-5+deb9u1.

We recommend that you upgrade your dnsmasq packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: asterisk

CVE ID: CVE-2017-14603

Klaus-Peter Junghann discovered that insufficient validation of RTCP

packets in Asterisk may result in an information leak. Please see the

upstream advisory at

http://downloads.asterisk.org/pub/security/AST-2017-008.html for

additional details.

For the oldstable distribution (jessie), this problem has been fixed

in version 1:11.13.1~dfsg-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in

version 1:13.14.1~dfsg-2+deb9u2.

We recommend that you upgrade your asterisk packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: qemu

CVE ID: CVE-2017-9375 CVE-2017-12809 CVE-2017-13672 CVE-2017-13711

CVE-2017-14167

Multiple vulnerabilities were found in in qemu, a fast processor emulator:

CVE-2017-9375

Denial of service via memory leak in USB XHCI emulation.

CVE-2017-12809

Denial of service in the CDROM device drive emulation.

CVE-2017-13672

Denial of service in VGA display emulation.

CVE-2017-13711

Denial of service in SLIRP networking support.

CVE-2017-14167

Incorrect validation of multiboot headers could result in the

execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in

version 1:2.8+dfsg-6+deb9u3.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: curl

CVE ID: CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254

Debian Bug: 871554 871555 877671

Several vulnerabilities have been discovered in cURL, an URL transfer

library. The Common Vulnerabilities and Exposures project identifies the

following problems:

CVE-2017-1000100

Even Rouault reported that cURL does not properly handle long file

names when doing an TFTP upload. A malicious HTTP(S) server can take

advantage of this flaw by redirecting a client using the cURL

library to a crafted TFTP URL and trick it to send private memory

contents to a remote server over UDP.

CVE-2017-1000101

Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw

in the globbing function that parses the numerical range, leading to

an out-of-bounds read when parsing a specially crafted URL.

CVE-2017-1000254

Max Dymond reported that cURL contains an out-of-bounds read flaw in

the FTP PWD response parser. A malicious server can take advantage

of this flaw to effectively prevent a client using the cURL library

to work with it, causing a denial of service.

For the oldstable distribution (jessie), these problems have been fixed

in version 7.38.0-4+deb8u6.

For the stable distribution (stretch), these problems have been fixed in

version 7.52.1-5+deb9u1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: tor

CVE ID: CVE-2017-0380

It was discovered that the Tor onion service could leak sensitive

information to log files if the "SafeLogging" option is set to "0".

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in

version 0.2.9.12-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: nautilus

CVE ID: CVE-2017-14604

Debian Bug: 860268

Christian Boxdörfer discovered a vulnerability in the handling of

FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME

desktop environment. An attacker can craft a .desktop file intended to run

malicious commands but displayed as a innocuous document file in Nautilus. An

user would then trust it and open the file, and Nautilus would in turn execute

the malicious content. Nautilus protection of only trusting .desktop files with

executable permission can be bypassed by shipping the .desktop file inside a

tarball.

For the oldstable distribution (jessie), this problem has not been fixed yet.

For the stable distribution (stretch), this problem has been fixed in

version 3.22.3-1+deb9u1.

For the testing distribution (buster), this problem has been fixed

in version 3.26.0-1.

For the unstable distribution (sid), this problem has been fixed in

version 3.26.0-1.

We recommend that you upgrade your nautilus packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: libxfont

CVE ID: CVE-2017-13720 CVE-2017-13722

Two vulnerabilities were found in libXfont, the X11 font rasterisation

library, which could result in denial of service or memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed

in version 1:1.5.1-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in

version 1:2.0.1-3+deb9u1.

We recommend that you upgrade your libxfont packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: wordpress

CVE ID: CVE-2017-14718 CVE-2017-14719 CVE-2017-14720 CVE-2017-14721

CVE-2017-14722 CVE-2017-14723 CVE-2017-14724 CVE-2017-14725

CVE-2017-14726 CVE-2017-14990

Debian Bug: 876274 877629

Several vulnerabilities were discovered in Wordpress, a web blogging tool.

They would allow remote attackers to exploit path-traversal issues, perform SQL

injections and various cross-site scripting attacks.

For the oldstable distribution (jessie), these problems have been fixed

in version 4.1+dfsg-1+deb8u15.

For the stable distribution (stretch), these problems have been fixed in

version 4.7.5+dfsg-2+deb9u1.

For the testing distribution (buster), these problems have been fixed

in version 4.8.2+dfsg-2.

For the unstable distribution (sid), these problems have been fixed in

version 4.8.2+dfsg-2.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: nss

CVE ID: CVE-2017-7805

Martin Thomson discovered that nss, the Mozilla Network Security Service

library, is prone to a use-after-free vulnerability in the TLS 1.2

implementation when handshake hashes are generated. A remote attacker

can take advantage of this flaw to cause an application using the nss

library to crash, resulting in a denial of service, or potentially to

execute arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed

in version 2:3.26-1+debu8u3.

For the stable distribution (stretch), this problem has been fixed in

version 2:3.26.2-1.1+deb9u1.

For the testing distribution (buster), this problem has been fixed

in version 2:3.33-1.

For the unstable distribution (sid), this problem has been fixed in

version 2:3.33-1.

We recommend that you upgrade your nss packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: wpa

CVE ID: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080

CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087

CVE-2017-13088

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered

multiple vulnerabilities in the WPA protocol, used for authentication in

wireless networks. Those vulnerabilities applies to both the access point

(implemented in hostapd) and the station (implemented in wpa_supplicant).

An attacker exploiting the vulnerabilities could force the vulnerable system to

reuse cryptographic session keys, enabling a range of cryptographic attacks

against the ciphers used in WPA1 and WPA2.

More information can be found in the researchers's paper, Key Reinstallation

Attacks: Forcing Nonce Reuse in WPA2.

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake

CVE-2017-13078: reinstallation of the group key in the Four-way handshake

CVE-2017-13079: reinstallation of the integrity group key in the Four-way

handshake

CVE-2017-13080: reinstallation of the group key in the Group Key handshake

CVE-2017-13081: reinstallation of the integrity group key in the Group Key

handshake

CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation

Request and reinstalling the pairwise key while processing it

CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey

(TPK) key in the TDLS handshake

CVE-2017-13087: reinstallation of the group key (GTK) when processing a

Wireless Network Management (WNM) Sleep Mode Response frame

CVE-2017-13088: reinstallation of the integrity group key (IGTK) when

processing a Wireless Network Management (WNM) Sleep Mode

Response frame

For the oldstable distribution (jessie), these problems have been fixed

in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in

version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed

in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in

version 2:2.4-1.1.

We recommend that you upgrade your wpa packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: xorg-server

CVE ID: CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179

CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183

CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187

CVE-2017-13721 CVE-2017-13723

Several vulnerabilities have been discovered in the X.Org X server. An

attacker who's able to connect to an X server could cause a denial of

service or potentially the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed

in version 2:1.16.4-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in

version 2:1.19.2-1+deb9u2.

We recommend that you upgrade your xorg-server packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: yadifa

CVE ID: CVE-2017-14339

Debian Bug: 876315

It was discovered that YADIFA, an authoritative DNS server, did not

sufficiently check its input. This allowed a remote attacker to cause

a denial-of-service by forcing the daemon to enter an infinite loop.

For the stable distribution (stretch), this problem has been fixed in

version 2.2.3-1+deb9u1.

We recommend that you upgrade your yadifa packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: mysql-5.5

CVE ID: CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384

Debian Bug: 878402

Several issues have been discovered in the MySQL database server. The

vulnerabilities are addressed by upgrading MySQL to the new upstream

version 5.5.58, which includes additional changes, such as performance

improvements, bug fixes, new features, and possibly incompatible

changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical

Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/m…ews-5-5-58.html

http://www.oracle.com/technetwork/se…17-3236626.html

For the oldstable distribution (jessie), these problems have been fixed

in version 5.5.58-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: libvirt

CVE ID: CVE-2017-1000256

Debian Bug: 878799

Daniel P. Berrange reported that Libvirt, a virtualisation abstraction

library, does not properly handle the default_tls_x509_verify (and

related) parameters in qemu.conf when setting up TLS clients and servers

in QEMU, resulting in TLS clients for character devices and disk devices

having verification turned off and ignoring any errors while validating

the server certificate.

More informations in https://security.libvirt.org/2017/0002.html .

For the stable distribution (stretch), this problem has been fixed in

version 3.0.0-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in

version 3.8.0-3.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: jackson-databind

CVE ID: CVE-2017-7525

Debian Bug: 870848

Liao Xinxi discovered that jackson-databind, a Java library used to

parse JSON and other data formats, did not properly validate user

input before attemtping deserialization. This allowed an attacker to

perform code execution by providing maliciously crafted input.

For the oldstable distribution (jessie), this problem has been fixed

in version 2.4.2-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in

version 2.8.6-1+deb9u1.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: openjfx

CVE ID: CVE-2017-10086 CVE-2017-10114

Two unspecified vulnerabilities were discovered in OpenJFX, a rich client

application platform for Java.

For the stable distribution (stretch), these problems have been fixed in

version 8u141-b14-3~deb9u1.

We recommend that you upgrade your openjfx packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: mupdf

CVE ID: CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587

Debian Bug: 877379 879055

Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which

may result in denial of service or the execution of arbitrary code.

CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687

WangLin discovered that a crafted .xps file can crash MuPDF and

potentially execute arbitrary code in several ways, since the

application makes unchecked assumptions on the entry format.

CVE-2017-15587

Terry Chia and Jeremy Heng discovered an integer overflow that can

cause arbitrary code execution via a crafted .pdf file.

For the stable distribution (stretch), these problems have been fixed in

version 1.9a+ds1-4+deb9u1.

We recommend that you upgrade your mupdf packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package: curl

CVE ID: CVE-2017-1000257

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL

transfer library, incorrectly parsed an IMAP FETCH response with size 0,

leading to an out-of-bounds read.

For the oldstable distribution (jessie), this problem has been fixed

in version 7.38.0-4+deb8u7.

For the stable distribution (stretch), this problem has been fixed in

version 7.52.1-5+deb9u2.

For the unstable distribution (sid), this problem has been fixed in

version 7.56.1-1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/