Debian 9843

The following updates have been released for Debian:

[DLA 728-1] tomcat6 security update
[DLA 729-1] tomcat7 security update
[DLA 730-1] firefox-esr security update
[DLA 731-1] imagemagick security update
[DSA 3728-1] firefox-esr security update



[DLA 728-1] tomcat6 security update

Package : tomcat6
Version : 6.0.45+dfsg-1~deb7u3
CVE ID : CVE-2016-0762 CVE-2016-5018 CVE-2016-6794
CVE-2016-6796 CVE-2016-6797 CVE-2016-6816
CVE-2016-8735
Debian Bug : 841655 842662 842663 842664 842665 842666 845385


Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in timing attacks to determine
valid user names, bypass of the SecurityManager, disclosure of system
properties, unrestricted access to global resources, arbitrary file
overwrites and, potentially, escalation of privileges.

In addition, this update further hardens Tomcat's init and maintainer
scripts to prevent possible privilege escalations. Thanks to Paul
Szabo for the report.

This is probably the last security update of Tomcat 6, which will reach
its end-of-life in exactly one month. We strongly recommend switching
to another supported version such as Tomcat 7 at your earliest
convenience.

For Debian 7 "Wheezy", these problems have been fixed in version
6.0.45+dfsg-1~deb7u3.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 729-1] tomcat7 security update

Package : tomcat7
Version : 7.0.28-4+deb7u7
CVE ID : CVE-2016-0762 CVE-2016-5018 CVE-2016-6794
CVE-2016-6796 CVE-2016-6797 CVE-2016-6816
CVE-2016-8735
Debian Bug : 841655 842662 842663 842664 842665 842666 845385


Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in timing attacks to determine
valid user names, bypass of the SecurityManager, disclosure of system
properties, unrestricted access to global resources, arbitrary file
overwrites and, potentially, escalation of privileges.

In addition, this update further hardens Tomcat's init and maintainer
scripts to prevent possible privilege escalations. Thanks to Paul
Szabo for the report.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u7.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
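The first item in both Tomcat advisories above is a timing side channel that lets a remote client learn which user names exist. The usual cause of that class of bug is an authenticator that returns early for unknown users and so skips the slow password-hash computation it performs for known ones. The Python below is an added illustration of the leaky pattern next to the hardened one; it is not Tomcat's realm code, and the user store, salts, dummy credential and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000   # illustrative PBKDF2 work factor (assumption, tune per deployment)
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the cost is what makes the timing gap visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store for the example (hypothetical, not a Tomcat realm format).
_ALICE_SALT = os.urandom(SALT_LEN)
USERS = {"alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT))}

# Dummy credential used whenever the user name is unknown, so the hardened
# path always pays the hashing cost regardless of whether the name exists.
_DUMMY_SALT = os.urandom(SALT_LEN)
_DUMMY_RECORD = (_DUMMY_SALT, hash_password(os.urandom(16).hex(), _DUMMY_SALT))


def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users short-circuit before the hash runs,
    so a fast rejection tells the caller the name does not exist."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return stored == hash_password(password, salt)   # plain == is also not constant-time


def authenticate_hardened(username: str, password: str) -> bool:
    """Fixed pattern: hash on every call and compare in constant time."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else _DUMMY_RECORD
    matches = hmac.compare_digest(stored, hash_password(password, salt))
    return known and matches


def time_call(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds per call, to show the gap; not a security check."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for fn in (authenticate_leaky, authenticate_hardened):
        known = time_call(fn, "alice", "wrong password")
        unknown = time_call(fn, "nobody", "wrong password")
        print(f"{fn.__name__:22s} known={known * 1e3:.2f} ms  unknown={unknown * 1e3:.2f} ms")
```

Run stand-alone, the leaky function rejects an unknown name in microseconds while a known name with a wrong password takes the full hash time; the hardened function takes the same time on both paths. The dummy record must be a real salted hash (not an empty value) so the unknown-user path does the same work as the known-user path.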

[DLA 730-1] firefox-esr security update

Package : firefox-esr
Version : 45.5.1esr-1~deb7u1
CVE ID : CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297
CVE-2016-9064 CVE-2016-9066

Multiple security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors, buffer overflows and other
implementation errors may lead to the execution of arbitrary code or
bypass of the same-origin policy.

A man-in-the-middle attack in the addon update mechanism has been fixed.

A use-after-free vulnerability in the SVG Animation was discovered,
allowing a remote attacker to cause a denial of service (application
crash) or execute arbitrary code, if a user is tricked into opening a
specially crafted website.

For Debian 7 "Wheezy", these problems have been fixed in version
45.5.1esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 731-1] imagemagick security update

Package : imagemagick
Version : 8:6.7.7.10-5+deb7u8
CVE ID : CVE-2014-9805 CVE-2014-9806 CVE-2014-9807 CVE-2014-9808
CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9812
CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9816
CVE-2014-9817 CVE-2014-9818 CVE-2014-9819 CVE-2014-9821
CVE-2014-9822 CVE-2014-9823 CVE-2014-9824 CVE-2014-9826
CVE-2014-9828 CVE-2014-9829 CVE-2014-9830 CVE-2014-9831
CVE-2014-9832 CVE-2014-9833 CVE-2014-9834 CVE-2014-9835
CVE-2014-9836 CVE-2014-9837 CVE-2014-9838 CVE-2014-9839
CVE-2014-9840 CVE-2014-9843 CVE-2014-9844 CVE-2014-9845
CVE-2014-9846 CVE-2014-9847 CVE-2014-9848 CVE-2014-9849
CVE-2014-9851 CVE-2014-9853 CVE-2014-9854 CVE-2014-9907
CVE-2015-8957 CVE-2015-8958 CVE-2015-8959 CVE-2016-4562
CVE-2016-4564 CVE-2016-5010 CVE-2016-5687 CVE-2016-5688
CVE-2016-5689 CVE-2016-5690 CVE-2016-5691 CVE-2016-5841
CVE-2016-5842 CVE-2016-6491 CVE-2016-6823 CVE-2016-7101
CVE-2016-7514 CVE-2016-7515 CVE-2016-7516 CVE-2016-7517
CVE-2016-7518 CVE-2016-7519 CVE-2016-7520 CVE-2016-7521
CVE-2016-7522 CVE-2016-7523 CVE-2016-7524 CVE-2016-7526
CVE-2016-7527 CVE-2016-7528 CVE-2016-7529 CVE-2016-7530
CVE-2016-7531 CVE-2016-7532 CVE-2016-7533 CVE-2016-7534
CVE-2016-7535 CVE-2016-7536 CVE-2016-7537 CVE-2016-7538
CVE-2016-7539
Debian Bug : 773980 836172 834501 834183 833744 833730 833735


Several issues have been discovered in ImageMagick, a popular set of
programs and libraries for image manipulation. These issues include
several problems in memory handling that can result in a denial of
service or in execution of arbitrary code by an attacker with control
over the image input.

For Debian 7 "Wheezy", these problems have been fixed in version
8:6.7.7.10-5+deb7u8.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 3728-1] firefox-esr security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3728-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 01, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2016-9079

A use-after-free vulnerability in the SVG Animation was discovered in
the Mozilla Firefox web browser, allowing a remote attacker to cause a
denial of service (application crash) or execute arbitrary code, if a
user is tricked into opening a specially crafted website.

For the stable distribution (jessie), this problem has been fixed in
version 45.5.1esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org