Debian 9844 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 782-1] icedove security update
[DLA 783-1] xen security update
[DSA 3762-1] tiff security update
[DSA 3763-1] pdns-recursor security update
[DSA 3764-1] pdns security update



[DLA 782-1] icedove security update

Package : icedove
Version : 45.6.0-2
CVE ID : CVE-2016-9893 CVE-2016-9895 CVE-2016-9897 CVE-2016-9898
CVE-2016-9899 CVE-2016-9900 CVE-2016-9904 CVE-2016-9905

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail client: Multiple vulnerabilities may lead
to the execution of arbitrary code, data leakage or bypass of the content
security policy.

For Debian 7 "Wheezy", these problems have been fixed in version
45.6.0-2.

We recommend that you upgrade your icedove packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 783-1] xen security update

Package : xen
Version : 4.1.6.lts1-5
CVE ID : CVE-2016-10013 CVE-2016-10024

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2016-10013 (xsa-204)

Xen mishandles SYSCALL singlestep during emulation which can lead to
privilege escalation. The vulnerability is only exposed to 64-bit x86
HVM guests.

CVE-2016-10024 (xsa-202)

PV guests may be able to mask interrupts causing a Denial of Service.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-5.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3762-1] tiff security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3762-1 security@debian.org
https://www.debian.org/security/ Laszlo Boszormenyi (GCS)
January 13, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2016-3622 CVE-2016-3623 CVE-2016-3624 CVE-2016-3945
CVE-2016-3990 CVE-2016-3991 CVE-2016-5314 CVE-2016-5315
CVE-2016-5316 CVE-2016-5317 CVE-2016-5320 CVE-2016-5321
CVE-2016-5322 CVE-2016-5323 CVE-2016-5652 CVE-2016-5875
CVE-2016-6223 CVE-2016-9273 CVE-2016-9297 CVE-2016-9448
CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534
CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538
CVE-2016-9540 CVE-2016-10092 CVE-2016-10093
CVE-2016-10094

Multiple vulnerabilities have been discovered in the libtiff library
and the included tools tiff2rgba, rgb2ycbcr, tiffcp, tiffcrop, tiff2pdf
and tiffsplit, which may result in denial of service, memory disclosure
or the execution of arbitrary code.

There were additional vulnerabilities in the tools bmp2tiff, gif2tiff,
thumbnail and ras2tiff, but since these were addressed by the libtiff
developers by removing the tools altogether, no patches are available
and those tools were also removed from the tiff package in Debian
stable. The change had already been made in Debian stretch before and
no applications included in Debian are known to rely on these scripts.
If you use those tools in custom setups, consider using a different
conversion/thumbnailing tool.

For the stable distribution (jessie), these problems have been fixed in
version 4.0.3-12.3+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 4.0.7-4.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.7-4.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3763-1] pdns-recursor security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3763-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pdns-recursor
CVE ID : CVE-2016-7068

Florian Heinz and Martin Kluge reported that pdns-recursor, a recursive
DNS server, parses all records present in a query regardless of whether
they are needed or even legitimate, allowing a remote, unauthenticated
attacker to cause an abnormal CPU usage load on the pdns server,
resulting in a partial denial of service if the system becomes
overloaded.

For the stable distribution (jessie), this problem has been fixed in
version 3.6.2-2+deb8u3.

We recommend that you upgrade your pdns-recursor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3764-1] pdns security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3764-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pdns
CVE ID : CVE-2016-2120 CVE-2016-7068 CVE-2016-7072 CVE-2016-7073
CVE-2016-7074

Multiple vulnerabilities have been discovered in pdns, an authoritative
DNS server. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-2120

Mathieu Lafon discovered that pdns does not properly validate
records in zones. An authorized user can take advantage of this flaw
to crash server by inserting a specially crafted record in a zone
under their control and then sending a DNS query for that record.

CVE-2016-7068

Florian Heinz and Martin Kluge reported that pdns parses all records
present in a query regardless of whether they are needed or even
legitimate, allowing a remote, unauthenticated attacker to cause an
abnormal CPU usage load on the pdns server, resulting in a partial
denial of service if the system becomes overloaded.

CVE-2016-7072

Mongo discovered that the webserver in pdns is susceptible to a
denial-of-service vulnerability. A remote, unauthenticated attacker
to cause a denial of service by opening a large number of f TCP
connections to the web server.

CVE-2016-7073 / CVE-2016-7074

Mongo discovered that pdns does not sufficiently validate TSIG
signatures, allowing an attacker in position of man-in-the-middle to
alter the content of an AXFR.

For the stable distribution (jessie), these problems have been fixed in
version 3.4.1-4+deb8u7.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.2-1.

We recommend that you upgrade your pdns packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/