Debian 9844 Published by

The following Debian updates has been released:

[DLA 918-1] freetype security update
[DLA 919-1] weechat security update
[DLA 920-1] jasper security update
[DSA 3835-1] python-django security update



[DLA 918-1] freetype security update

Package : freetype
Version : 2.4.9-1.1+deb7u6
CVE ID : CVE-2017-8105
Debian Bug : 861220 860303

It was found that an out of bounds write caused by a heap-based buffer
overflow could be triggered in freetype via a crafted font.

This update also reverts the fix for CVE-2016-10328, as it was
determined that freetype 2.4.9 is not affected by that issue.

For Debian 7 "Wheezy", these problems have been fixed in version
2.4.9-1.1+deb7u6.

We recommend that you upgrade your freetype packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 919-1] weechat security update

Package : weechat
Version : 0.3.8-1+deb7u2
CVE ID : CVE-2017-8073
Debian Bug : 861121

WeeChat before allows a remote crash by sending a filename via DCC to
the IRC plugin.

For Debian 7 "Wheezy", these problems have been fixed in version
0.3.8-1+deb7u2.

We recommend that you upgrade your weechat packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 920-1] jasper security update

Package : jasper
Version : 1.900.1-13+deb7u6
CVE ID : CVE-2016-9591 CVE-2016-10251


CVE-2016-9591
Use-after-free on heap in jas_matrix_destroy
The vulnerability exists in code responsible for re-encoding the
decoded input image file to a JP2 image. The vulnerability is
caused by not setting related pointers to be null after the
pointers are freed (i.e. missing Setting-Pointer-Null operations
after free). The vulnerability can further cause double-free.

CVE-2016-10251
Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in
JasPer before 1.900.20 allows remote attackers to have unspecified
impact via a crafted file, which triggers use of an uninitialized
value.

Additional
fix for TEMP-CVE from last upload to avoid hassle with SIZE_MAX


For Debian 7 "Wheezy", these problems have been fixed in version
1.900.1-13+deb7u6.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3835-1] python-django security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3835-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 26, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2016-9013 CVE-2016-9014 CVE-2017-7233 CVE-2017-7234
Debian Bug : 842856 859515 859516

Several vulnerabilities were discovered in Django, a high-level Python
web development framework. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-9013

Marti Raudsepp reported that a user with a hardcoded password is
created when running tests with an Oracle database.

CVE-2016-9014

Aymeric Augustin discovered that Django does not properly validate
the Host header against settings.ALLOWED_HOSTS when the debug
setting is enabled. A remote attacker can take advantage of this
flaw to perform DNS rebinding attacks.

CVE-2017-7233

It was discovered that is_safe_url() does not properly handle
certain numeric URLs as safe. A remote attacker can take advantage
of this flaw to perform XSS attacks or to use a Django server as an
open redirect.

CVE-2017-7234

Phithon from Chaitin Tech discovered an open redirect vulnerability
in the django.views.static.serve() view. Note that this view is not
intended for production use.

For the stable distribution (jessie), these problems have been fixed in
version 1.7.11-1+deb8u2.

We recommend that you upgrade your python-django packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/