Debian 9843 Published by

The following updates has been released for Debian:

[DLA 663-1] tor security update
[DLA 665-1] libgd2 security update
[DLA 666-1] guile-2.0 security update
[DSA 3694-1] tor security update
[DSA 3695-1] quagga security update



[DLA 663-1] tor security update

Package : tor
Version : 0.2.4.27-2

It has been discovered that Tor treats the contents of some buffer
chunks as if they were a NUL-terminated string. This issue could
enable a remote attacker to crash a Tor client, hidden service, relay,
or authority. This update aims to defend against this general
class of security bugs.

For Debian 7 "Wheezy", this problem has been fixed in version 0.2.4.27-2.

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.12-3., for unstable (sid) with version 0.2.8.9-1, and for
experimental with 0.2.9.4-alpha-1.

Additionally, for wheezy this updates the set of authority directory servers
to the one from Tor 0.2.8.7, released in August 2016.

We recommend that you upgrade your tor packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 665-1] libgd2 security update

Package : libgd2
Version : 2.0.36~rc1~dfsg-6.1+deb7u6
CVE ID : CVE-2016-6911 CVE-2016-8670

CVE-2016-6911
invalid read in gdImageCreateFromTiffPtr()
(most of the code is not present in the Wheezy version)

CVE-2016-8670:
Stack Buffer Overflow in GD dynamicGetbuf

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.36~rc1~dfsg-6.1+deb7u6.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 666-1] guile-2.0 security update

Package : guile-2.0
Version : 2.0.5+1-3+deb7u1
CVE ID : CVE-2016-8605 CVE-2016-8606
Debian Bug : 840555 840556


Several vulnerabilities were discovered in GNU Guile, an
implementation of the Scheme programming language. The Common
Vulnerabilities and Exposures project identifies the following issues.

CVE-2016-8605:
The mkdir procedure of GNU Guile temporarily changed the process'
umask to zero. During that time window, in a multithreaded
application, other threads could end up creating files with
insecure permissions.

CVE-2016-8606:
GNU Guile provides a "REPL server" which is a command prompt that
developers can connect to for live coding and debugging purposes.
The REPL server is started by the '--listen' command-line option
or equivalent API.

It was reported that the REPL server is vulnerable to the HTTP
inter-protocol attack.

This constitutes a remote code execution vulnerability for
developers running a REPL server that listens on a loopback device
or private network. Applications that do not run a REPL server, as
is usually the case, are unaffected.


For Debian 7 "Wheezy", these problems have been fixed in version
2.0.5+1-3+deb7u1.

We recommend that you upgrade your guile-2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3694-1] tor security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3694-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 18, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tor
CVE ID : not yet available

It has been discovered that Tor treats the contents of some buffer
chunks as if they were a NUL-terminated string. This issue could
enable a remote attacker to crash a Tor client, hidden service, relay,
or authority.

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.12-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.2.8.9-1.

For the experimental distribution, this problem has been fixed in
version 0.2.9.4-alpha-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3695-1] quagga security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3695-1 security@debian.org
https://www.debian.org/security/ Florian Weimer
October 18, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : quagga
CVE ID : CVE-2016-1245
Debian Bug : 841162

It was discovered that the zebra daemon in the Quagga routing suite
suffered from a stack-based buffer overflow when processing IPv6
Neighbor Discovery messages.

For the stable distribution (jessie), this problem has been fixed in
version 0.99.23.1-1+deb8u3.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/