Debian Security Advisory

    • Official post

    Package: openafs

    CVE ID: CVE-2017-17432

    It was discovered that malformed jumbogram packets could result in
    denial of service against OpenAFS, an implementation of the Andrew
    distributed file system.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.6.9-2+deb8u6. This update also provides corrections for
    CVE-2016-4536 and CVE-2016-9772.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.6.20-2+deb9u1.

    We recommend that you upgrade your openafs packages.

    For the detailed security status of openafs please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/openafs

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: rsync

    CVE ID: CVE-2017-16548 CVE-2017-17433 CVE-2017-17434

    Debian Bug: 880954 883665 883667

    Several vulnerabilities were discovered in rsync, a fast, versatile,
    remote (and local) file-copying tool, allowing a remote attacker to
    bypass intended access restrictions or cause a denial of service.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 3.1.1-3+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in
    version 3.1.2-1+deb9u1.

    We recommend that you upgrade your rsync packages.

    For the detailed security status of rsync please refer to its security
    tracker page at: https://security-tracker.debian.org/tracker/rsync

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: otrs2

    CVE ID: CVE-2017-17476

    Debian Bug: 884801

    Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request
    System, which could result in session information disclosure when cookie
    support is disabled. A remote attacker can take advantage of this flaw
    to take over an agent's session if the agent is tricked into clicking a
    link in a specially crafted mail.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 3.3.18-1+deb8u4.

    For the stable distribution (stretch), this problem has been fixed in
    version 5.0.16-1+deb9u5.

    We recommend that you upgrade your otrs2 packages.

    For the detailed security status of otrs2 please refer to its security
    tracker page at: https://security-tracker.debian.org/tracker/otrs2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: sensible-utils

    CVE ID: CVE-2017-17512

    Debian Bug: 881767

    Gabriel Corona reported that sensible-browser from sensible-utils, a
    collection of small utilities used to sensibly select and spawn an
    appropriate browser, editor or pager, does not validate strings before
    launching the program specified by the BROWSER environment variable,
    potentially allowing a remote attacker to conduct argument-injection
    attacks if a user is tricked into processing a specially crafted URL.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 0.0.9+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 0.0.9+deb9u1.

    We recommend that you upgrade your sensible-utils packages.

    For the detailed security status of sensible-utils please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/sensible-utils

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: enigmail

    CVE ID: not yet available

    Multiple vulnerabilities were discovered in Enigmail, an OpenPGP
    extension for Thunderbird, which could result in a loss of
    confidentiality, faked signatures, plain text leaks and denial of
    service. Additional information can be found under
    https://enigmail.net/download/other…-%20Excerpt.pdf

    For the oldstable distribution (jessie), this problem has been fixed
    in version 2:1.9.9-1~deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 2:1.9.9-1~deb9u1.

    We recommend that you upgrade your enigmail packages.

    For the detailed security status of enigmail please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/enigmail

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: bouncycastle

    CVE ID: CVE-2017-13098

    Hanno Boeck, Juraj Somorovsky and Craig Young discovered that the
    TLS implementation in Bouncy Castle is vulnerable to an adaptive chosen
    ciphertext attack against RSA keys.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.56-1+deb9u1.

    We recommend that you upgrade your bouncycastle packages.

    For the detailed security status of bouncycastle please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/bouncycastle

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: linux

    CVE ID: CVE-2017-8824 CVE-2017-16538 CVE-2017-16644 CVE-2017-16995
    CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558
    CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
    CVE-2017-17807 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864
    CVE-2017-1000407 CVE-2017-1000410

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.

    CVE-2017-8824

    Mohamed Ghannam discovered that the DCCP implementation did not
    correctly manage resources when a socket is disconnected and
    reconnected, potentially leading to a use-after-free. A local
    user could use this for denial of service (crash or data
    corruption) or possibly for privilege escalation. On systems that
    do not already have the dccp module loaded, this can be mitigated
    by disabling it:

    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

    CVE-2017-16538

    Andrey Konovalov reported that the dvb-usb-lmedm04 media driver
    did not correctly handle some error conditions during
    initialisation. A physically present user with a specially
    designed USB device can use this to cause a denial of service
    (crash).

    CVE-2017-16644

    Andrey Konovalov reported that the hdpvr media driver did not
    correctly handle some error conditions during initialisation. A
    physically present user with a specially designed USB device can
    use this to cause a denial of service (crash).

    CVE-2017-16995

    Jann Horn discovered that the Extended BPF verifier did not
    correctly model the behaviour of 32-bit load instructions. A
    local user can use this for privilege escalation.

    CVE-2017-17448

    Kevin Cernekee discovered that the netfilter subsystem allowed
    users with the CAP_NET_ADMIN capability in any user namespace, not
    just the root namespace, to enable and disable connection tracking
    helpers. This could lead to denial of service, violation of
    network security policy, or have other impact.

    CVE-2017-17449

    Kevin Cernekee discovered that the netlink subsystem allowed
    users with the CAP_NET_ADMIN capability in any user namespace
    to monitor netlink traffic in all net namespaces, not just
    those owned by that user namespace. This could lead to
    exposure of sensitive information.

    CVE-2017-17450

    Kevin Cernekee discovered that the xt_osf module allowed users
    with the CAP_NET_ADMIN capability in any user namespace to modify
    the global OS fingerprint list.

    CVE-2017-17558

    Andrey Konovalov reported that the USB core did not correctly
    handle some error conditions during initialisation. A physically
    present user with a specially designed USB device can use this to
    cause a denial of service (crash or memory corruption), or
    possibly for privilege escalation.

    CVE-2017-17712

    Mohamed Ghannam discovered a race condition in the IPv4 raw socket
    implementation. A local user could use this to obtain sensitive
    information from the kernel.

    CVE-2017-17741

    Dmitry Vyukov reported that the KVM implementation for x86 would
    over-read data from memory when emulating an MMIO write if the
    kvm_mmio tracepoint was enabled. A guest virtual machine might be
    able to use this to cause a denial of service (crash).

    CVE-2017-17805

    It was discovered that some implementations of the Salsa20 block
    cipher did not correctly handle zero-length input. A local user
    could use this to cause a denial of service (crash) or possibly
    have other security impact.

    CVE-2017-17806

    It was discovered that the HMAC implementation could be used with
    an underlying hash algorithm that requires a key, which was not
    intended. A local user could use this to cause a denial of
    service (crash or memory corruption), or possibly for privilege
    escalation.

    CVE-2017-17807

    Eric Biggers discovered that the KEYS subsystem lacked a check for
    write permission when adding keys to a process's default keyring.
    A local user could use this to cause a denial of service or to
    obtain sensitive information.

    CVE-2017-17862

    Alexei Starovoitov discovered that the Extended BPF verifier
    ignored unreachable code, even though it would still be processed
    by JIT compilers. This could possibly be used by local users for
    denial of service. It also increases the severity of bugs in
    determining unreachable code.

    CVE-2017-17863

    Jann Horn discovered that the Extended BPF verifier did not
    correctly model pointer arithmetic on the stack frame pointer.
    A local user can use this for privilege escalation.

    CVE-2017-17864

    Jann Horn discovered that the Extended BPF verifier could fail to
    detect pointer leaks from conditional code. A local user could
    use this to obtain sensitive information in order to exploit
    other vulnerabilities.

    CVE-2017-1000407

    Andrew Honig reported that the KVM implementation for Intel
    processors allowed direct access to host I/O port 0x80, which
    is not generally safe. On some systems this allows a guest
    VM to cause a denial of service (crash) of the host.

    CVE-2017-1000410

    Ben Seri reported that the Bluetooth subsystem did not correctly
    handle short EFS information elements in L2CAP messages. An
    attacker able to communicate over Bluetooth could use this to
    obtain sensitive information from the kernel.

    The various problems in the Extended BPF verifier can be mitigated by
    disabling use of Extended BPF by unprivileged users:

    sysctl kernel.unprivileged_bpf_disabled=1

    Debian disables unprivileged user namespaces by default, but if they
    are enabled (via the kernel.unprivileged_userns_clone sysctl) then
    CVE-2017-17448 can be exploited by any local user.

    For the stable distribution (stretch), these problems have been fixed in
    version 4.9.65-3+deb9u1.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security
    tracker page at: https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: imagemagick

    CVE ID: CVE-2017-12877 CVE-2017-16546 CVE-2017-17499
    CVE-2017-17504 CVE-2017-17879

    This update fixes several vulnerabilities in imagemagick: Various memory
    handling problems and cases of missing or incomplete input sanitising may
    result in denial of service, memory disclosure or the execution of
    arbitrary code if malformed image files are processed.

    For the stable distribution (stretch), these problems have been fixed in
    version 8:6.9.7.4+dfsg-11+deb9u4.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: thunderbird

    CVE ID: CVE-2017-7826 CVE-2017-7828 CVE-2017-7829 CVE-2017-7830
    CVE-2017-7846 CVE-2017-7847 CVE-2017-7848

    Multiple security issues have been found in Thunderbird, which may lead
    to the execution of arbitrary code, denial of service, information
    disclosure or spoofing of sender's email addresses.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 1:52.5.2-2~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in
    version 1:52.5.2-2~deb9u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: asterisk

    CVE ID: CVE-2017-16671 CVE-2017-16672 CVE-2017-17090
    CVE-2017-17664

    Multiple vulnerabilities have been discovered in Asterisk, an open source
    PBX and telephony toolkit, which may result in denial of service,
    information disclosure and potentially the execution of arbitrary code.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 1:11.13.1~dfsg-2+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in
    version 1:13.14.1~dfsg-2+deb9u3.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: gimp

    CVE ID: CVE-2017-17784 CVE-2017-17785 CVE-2017-17786 CVE-2017-17787
    CVE-2017-17788 CVE-2017-17789

    Debian Bug: 884836 884837 884862 884925 884927 885347

    Several vulnerabilities were discovered in GIMP, the GNU Image
    Manipulation Program, which could result in denial of service
    (application crash) or potentially the execution of arbitrary code if
    malformed files are opened.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2.8.14-1+deb8u2.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.8.18-1+deb9u1.

    We recommend that you upgrade your gimp packages.

    For the detailed security status of gimp please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/gimp

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: linux

    CVE ID: CVE-2017-5754

    Multiple researchers have discovered a vulnerability in Intel processors,
    enabling an attacker controlling an unprivileged process to read memory from
    arbitrary addresses, including from the kernel and all other processes running
    on the system.

    This specific attack has been named Meltdown and is addressed in the Linux
    kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table
    Isolation, enforcing a near complete separation of the kernel and userspace
    address maps and preventing the attack. This solution might have a performance
    impact, and can be disabled at boot time by passing `pti=off' to the kernel
    command line.

    We also identified a regression for ancient userspaces using the vsyscall
    interface, for example chroot and containers using (e)glibc 2.13 and older,
    including those based on Debian 7 or RHEL/CentOS 6. This regression will be
    fixed in a later update.

    The other vulnerabilities (named Spectre) published at the same time are not
    addressed in this update and will be fixed in a later update.

    For the oldstable distribution (jessie), this problem will be fixed in a
    separate update.

    For the stable distribution (stretch), this problem has been fixed in
    version 4.9.65-3+deb9u2.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: poppler

    CVE ID: CVE-2017-9406 CVE-2017-9408 CVE-2017-9775
    CVE-2017-9776 CVE-2017-9865 CVE-2017-14517
    CVE-2017-14518 CVE-2017-14519 CVE-2017-14520
    CVE-2017-14975 CVE-2017-14976 CVE-2017-14977
    CVE-2017-15565

    Multiple vulnerabilities were discovered in the poppler PDF rendering
    library, which could result in denial of service or the execution of
    arbitrary code if a malformed PDF file is processed.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 0.26.5-2+deb8u2.

    For the stable distribution (stretch), these problems have been fixed in
    version 0.48.0-2+deb9u1.

    We recommend that you upgrade your poppler packages.

    For the detailed security status of poppler please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/poppler

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: php7.0

    CVE ID: CVE-2017-11144 CVE-2017-11145 CVE-2017-11628
    CVE-2017-12932 CVE-2017-12933 CVE-2017-12934
    CVE-2017-16642

    Several vulnerabilities were found in PHP, a widely-used open source
    general purpose scripting language:

    CVE-2017-11144

    Denial of service in openssl extension due to incorrect return value
    check of OpenSSL sealing function

    CVE-2017-11145

    Out-of-bounds read in wddx_deserialize()

    CVE-2017-11628

    Buffer overflow in PHP INI parsing API

    CVE-2017-12932 / CVE-2017-12934

    Use-after-frees during unserialisation

    CVE-2017-12933

    Buffer overread in finish_nested_data()

    CVE-2017-16642

    Out-of-bounds read in timelib_meridian()

    For the stable distribution (stretch), these problems have been fixed in
    version 7.0.27-0+deb9u1.

    We recommend that you upgrade your php7.0 packages.

    For the detailed security status of php7.0 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/php7.0

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: php5

    CVE ID: CVE-2017-11142 CVE-2017-11143 CVE-2017-11144
    CVE-2017-11145 CVE-2017-11628 CVE-2017-12933
    CVE-2017-16642

    Several vulnerabilities were found in PHP, a widely-used open source
    general purpose scripting language:

    CVE-2017-11142

    Denial of service via overly long form variables

    CVE-2017-11143

    Invalid free() in wddx_deserialize()

    CVE-2017-11144

    Denial of service in openssl extension due to incorrect return value
    check of OpenSSL sealing function.

    CVE-2017-11145

    Out-of-bounds read in wddx_deserialize()

    CVE-2017-11628

    Buffer overflow in PHP INI parsing API

    CVE-2017-12933

    Buffer overread in finish_nested_data()

    CVE-2017-16642

    Out-of-bounds read in timelib_meridian()

    For the oldstable distribution (jessie), these problems have been fixed
    in version 5.6.33+dfsg-0+deb8u1.

    We recommend that you upgrade your php5 packages.

    For the detailed security status of php5 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/php5

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: linux

    CVE ID: CVE-2017-5754 CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
    CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
    CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
    CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.

    CVE-2017-5754

    Multiple researchers have discovered a vulnerability in Intel
    processors, enabling an attacker controlling an unprivileged
    process to read memory from arbitrary addresses, including from
    the kernel and all other processes running on the system.

    This specific attack has been named Meltdown and is addressed in
    the Linux kernel for the Intel x86-64 architecture by a patch set
    named Kernel Page Table Isolation, enforcing a near complete
    separation of the kernel and userspace address maps and preventing
    the attack. This solution might have a performance impact, and can
    be disabled at boot time by passing `pti=off' to the kernel
    command line.

    CVE-2017-8824

    Mohamed Ghannam discovered that the DCCP implementation did not
    correctly manage resources when a socket is disconnected and
    reconnected, potentially leading to a use-after-free. A local
    user could use this for denial of service (crash or data
    corruption) or possibly for privilege escalation. On systems that
    do not already have the dccp module loaded, this can be mitigated
    by disabling it:

    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

    CVE-2017-15868

    Al Viro found that the Bluetooth Network Encapsulation Protocol
    (BNEP) implementation did not validate the type of the second
    socket passed to the BNEPCONNADD ioctl(), which could lead to
    memory corruption. A local user with the CAP_NET_ADMIN capability
    can use this for denial of service (crash or data corruption) or
    possibly for privilege escalation.

    CVE-2017-16538

    Andrey Konovalov reported that the dvb-usb-lmedm04 media driver
    did not correctly handle some error conditions during
    initialisation. A physically present user with a specially
    designed USB device can use this to cause a denial of service
    (crash).

    CVE-2017-16939

    Mohamed Ghannam reported (through Beyond Security's SecuriTeam
    Secure Disclosure program) that the IPsec (xfrm) implementation
    did not correctly handle some failure cases when dumping policy
    information through netlink. A local user with the CAP_NET_ADMIN
    capability can use this for denial of service (crash or data
    corruption) or possibly for privilege escalation.

    CVE-2017-17448

    Kevin Cernekee discovered that the netfilter subsystem allowed
    users with the CAP_NET_ADMIN capability in any user namespace, not
    just the root namespace, to enable and disable connection tracking
    helpers. This could lead to denial of service, violation of
    network security policy, or have other impact.

    CVE-2017-17449

    Kevin Cernekee discovered that the netlink subsystem allowed
    users with the CAP_NET_ADMIN capability in any user namespace
    to monitor netlink traffic in all net namespaces, not just
    those owned by that user namespace. This could lead to
    exposure of sensitive information.

    CVE-2017-17450

    Kevin Cernekee discovered that the xt_osf module allowed users
    with the CAP_NET_ADMIN capability in any user namespace to modify
    the global OS fingerprint list.

    CVE-2017-17558

    Andrey Konovalov reported that the USB core did not correctly
    handle some error conditions during initialisation. A physically
    present user with a specially designed USB device can use this to
    cause a denial of service (crash or memory corruption), or
    possibly for privilege escalation.

    CVE-2017-17741

    Dmitry Vyukov reported that the KVM implementation for x86 would
    over-read data from memory when emulating an MMIO write if the
    kvm_mmio tracepoint was enabled. A guest virtual machine might be
    able to use this to cause a denial of service (crash).

    CVE-2017-17805

    Dmitry Vyukov reported that the KVM implementation for x86 would
    over-read data from memory when emulating an MMIO write if the
    kvm_mmio tracepoint was enabled. A guest virtual machine might be
    able to use this to cause a denial of service (crash).

    CVE-2017-17806

    It was discovered that the HMAC implementation could be used with
    an underlying hash algorithm that requires a key, which was not
    intended. A local user could use this to cause a denial of
    service (crash or memory corruption), or possibly for privilege
    escalation.

    CVE-2017-17807

    Eric Biggers discovered that the KEYS subsystem lacked a check for
    write permission when adding keys to a process's default keyring.
    A local user could use this to cause a denial of service or to
    obtain sensitive information.

    CVE-2017-1000407

    Andrew Honig reported that the KVM implementation for Intel
    processors allowed direct access to host I/O port 0x80, which
    is not generally safe. On some systems this allows a guest
    VM to cause a denial of service (crash) of the host.

    CVE-2017-1000410

    Ben Seri reported that the Bluetooth subsystem did not correctly
    handle short EFS information elements in L2CAP messages. An
    attacker able to communicate over Bluetooth could use this to
    obtain sensitive information from the kernel.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 3.16.51-3+deb8u1.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
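As an added example (not part of the Debian advisories above and not Debian's own tooling), a POSIX shell audit helper for the kernel mitigations the two linux posts mention: the dccp modprobe.d block from CVE-2017-8824, the kernel.unprivileged_bpf_disabled sysctl recommended for the Extended BPF verifier issues, and the kernel.unprivileged_userns_clone sysctl that widens CVE-2017-17448 exposure. The /proc/modules and modprobe.d sample texts are constructed, and all function and variable names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the Debian advisories. Each check takes
# its input as an argument so it can be exercised on constructed text; the
# live section at the bottom feeds it the real files when they exist.

# module_loaded NAME PROC_MODULES_TEXT -> exit 0 if NAME is the first
# column of some /proc/modules line, i.e. the module is currently loaded.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# module_blocked NAME MODPROBE_CONF_TEXT -> exit 0 if a modprobe.d line
# maps NAME to "false" or "/bin/false", which is what the advisory's
# "install dccp false" line does. A dccp_ipv4 line must not count.
module_blocked() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*install[[:space:]]+$1[[:space:]]+(/bin/)?false([[:space:]]|\$)"
}

# dccp_state PROC_MODULES_TEXT MODPROBE_CONF_TEXT -> one word. The advisory
# only offers the modprobe.d line for systems where dccp is NOT already
# loaded, so a loaded module is reported as an ineffective mitigation.
dccp_state() {
    if module_loaded dccp "$1"; then
        echo "loaded-mitigation-ineffective"
    elif module_blocked dccp "$2"; then
        echo "blocked"
    else
        echo "not-loaded-not-blocked"
    fi
}

# bpf_state VALUE -> word for kernel.unprivileged_bpf_disabled; 1 is the
# value the advisory recommends.
bpf_state() {
    case "$1" in
        1) echo "unprivileged-bpf-disabled" ;;
        0) echo "unprivileged-bpf-allowed" ;;
        *) echo "unknown" ;;
    esac
}

# userns_state VALUE -> word for Debian's kernel.unprivileged_userns_clone;
# 0 is the Debian default, 1 lets any local user reach CVE-2017-17448.
userns_state() {
    case "$1" in
        0) echo "unprivileged-userns-disabled" ;;
        1) echo "unprivileged-userns-enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample inputs (not captured from a real host): a
# /proc/modules excerpt with dccp loaded, one without, and two modprobe.d
# fragments, one carrying the advisory's line and one unrelated.
SAMPLE_MODS_LOADED='dccp_ipv4 24576 0 - Live 0x0000000000000000
dccp 106496 1 dccp_ipv4, Live 0x0000000000000000'
SAMPLE_MODS_CLEAN='xt_osf 16384 0 - Live 0x0000000000000000'
SAMPLE_CONF_BLOCKED='# local hardening
install dccp false'
SAMPLE_CONF_OTHER='blacklist pcspkr'

# Live run, guarded so the script is harmless on hosts without these files.
if [ -r /proc/modules ]; then
    mods=$(cat /proc/modules)
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
    echo "dccp:   $(dccp_state "$mods" "$conf")"
fi
if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    echo "bpf:    $(bpf_state "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)")"
fi
if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    echo "userns: $(userns_state "$(cat /proc/sys/kernel/unprivileged_userns_clone)")"
fi
```

Note that a "blocked" result only prevents future autoloading; a kernel that already has dccp loaded needs the package upgrade rather than the modprobe.d line.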

    • Official post

    Package: poco

    CVE ID: CVE-2017-1000472

    Stephan Zeisberg discovered that poco, a collection of open source C++
    class libraries, did not correctly validate file paths in ZIP
    archives. An attacker could leverage this flaw to create or overwrite
    arbitrary files.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.3.6p1-5+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.7.6+dfsg1-5+deb9u1.

    We recommend that you upgrade your poco packages.

    For the detailed security status of poco please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/poco

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: gifsicle

    CVE ID: CVE-2017-1000421

    It was discovered that gifsicle, a tool for manipulating GIF image
    files, contained a flaw that could lead to arbitrary code execution.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.86-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.88-3+deb9u1.

    We recommend that you upgrade your gifsicle packages.

    For the detailed security status of gifsicle please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/gifsicle

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: xmltooling

    CVE ID: CVE-2018-0486

    Philip Huppert discovered the Shibboleth service provider is vulnerable
    to impersonation attacks and information disclosure due to mishandling
    of DTDs in the XMLTooling XML parsing library. For additional details
    please refer to the upstream advisory at
    https://shibboleth.net/community/advi…dv_20180112.txt

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.5.3-2+deb8u2.

    The stable distribution (stretch) is not affected.

    We recommend that you upgrade your xmltooling packages.

    For the detailed security status of xmltooling please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/xmltooling

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package: libxml2

    CVE ID: CVE-2017-15412

    Debian Bug: 883790

    Nick Wellnhofer discovered that certain function calls inside XPath
    predicates can lead to use-after-free and double-free errors when
    executed by libxml2's XPath engine via an XSLT transformation.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 2.9.1+dfsg1-5+deb8u6.

    For the stable distribution (stretch), this problem has been fixed in
    version 2.9.4+dfsg1-2.2+deb9u2.

    We recommend that you upgrade your libxml2 packages.

    For the detailed security status of libxml2 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/libxml2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/