Debian 9843 Published by

The following Debian updates has been released:

[DLA 832-1] bitlbee security update
[DLA 834-1] phpmyadmin security update
[DSA 3792-1] libreoffice security update



[DLA 832-1] bitlbee security update

Package : bitlbee
Version : 3.0.5-1.2+deb7u1
CVE ID : CVE-2016-10188 CVE-2016-10189 CVE-2017-5668


CVE-2017-5668
Fix for incomplete fix for "Null pointer dereference with file
transfer request from unknown contacts".
(Though this package wasn't in Wheezy with this issue, I
mention it here.
The fix was done with the second patch for CVE-2016-10189)

CVE-2016-10189
Null pointer dereference with file transfer request from unknown
contacts.

CVE-2016-10188
deactivate any incoming file transfer for bitlbee
This affects any libpurple protocol when used through BitlBee. It
does not affect other libpurple-based clients such as pidgin.

[DLA 834-1] phpmyadmin security update

Package : phpmyadmin
Version : 4:3.4.11.1-2+deb7u8
CVE ID : CVE-2016-6621

A server-side request forgery vulnerability was reported for the setup
script in phpmyadmin, a MYSQL web administration tool. This flaw may
allow an unauthenticated attacker to brute-force MYSQL passwords,
detect internal hostnames or opened ports on the internal network.
Additionally there was a race condition between writing configuration
and administrator moving it allowing unauthenticated users to read or
alter it. Debian users who configured phpmyadmin via debconf and used
the default configuration for Apache 2 or Lighttpd were never affected.

For Debian 7 "Wheezy", these problems have been fixed in version
4:3.4.11.1-2+deb7u8.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3792-1] libreoffice security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3792-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 23, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2017-3157

Ben Hayak discovered that objects embedded in Writer and Calc documents
may result in information disclosure. Please see
https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/
for additional information.

For the stable distribution (jessie), this problem has been fixed in
version 1:4.3.3-2+deb8u6.

For the testing distribution (stretch), this problem has been fixed
in version 1:5.2.3-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.2.3-1.

We recommend that you upgrade your libreoffice packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/