Debian 9903

The following updates have been released for Debian:

[DLA 891-1] libnl security update
[DLA 892-1] libnl3 security update
[DLA 893-1] bouncycastle security update
[DSA 3828-1] dovecot security update
[DSA 3828-2] dovecot regression update



[DLA 891-1] libnl security update

Package : libnl
Version : 1.1-7+deb7u1
CVE ID : CVE-2017-0553
Debian Bug :

It was discovered that there was an integer overflow in libnl, a library for
dealing with netlink sockets. A missing check in nlmsg_reserve() could have
allowed a malicious application to execute arbitrary code in the context of
a process using the library. This is the same issue as CVE-2017-0553 in
libnl3, described in DLA 892-1 below.

For Debian 7 "Wheezy", this issue has been fixed in libnl version
1.1-7+deb7u1.

We recommend that you upgrade your libnl packages.

[DLA 892-1] libnl3 security update

Package : libnl3
Version : 3.2.7-4+deb7u1
CVE ID : CVE-2017-0553
Debian Bug : #859948

It was discovered that there was an integer overflow in libnl3, a library for
dealing with netlink sockets.

A missing check in nlmsg_reserve() could have allowed a malicious application
to execute arbitrary code within the context of the WiFi service. That wording
comes from the Android security bulletin in which CVE-2017-0553 was first
reported; on Debian the exposed context is any process that links libnl3 and
reaches nlmsg_reserve() with an attacker-influenced length.

For Debian 7 "Wheezy", this issue has been fixed in libnl3 version
3.2.7-4+deb7u1.

We recommend that you upgrade your libnl3 packages.
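The nlmsg_reserve() bug in DLA 891-1 and DLA 892-1 is a length-alignment overflow: the requested length is rounded up to the netlink alignment before the bounds check, and for a large enough length the rounding wraps to a small value, so the check passes and the caller then copies far more than the buffer holds. The following is an added example written for this page, not libnl's own code: a toy message buffer with the unchecked pattern beside a hardened reserve that rejects a wrapped alignment. The struct, the function names and the 4-byte alignment constant are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define NLMSG_ALIGNTO 4u
/* Round len up to a multiple of NLMSG_ALIGNTO. For len close to SIZE_MAX the
 * addition wraps, so the "aligned" value is smaller than len (assumed toy macro). */
#define NLMSG_ALIGN_UP(len) (((len) + (NLMSG_ALIGNTO - 1)) & ~(size_t)(NLMSG_ALIGNTO - 1))

/* Toy stand-in for a netlink message object: a fixed buffer and the bytes in use. */
struct toy_msg {
    unsigned char *buf;
    size_t size;  /* capacity of buf */
    size_t used;  /* bytes already reserved; invariant: used <= size */
};

/* Vulnerable pattern: trusts that the aligned length is at least len and adds
 * before comparing, so a wrapped tlen of 0 sails through the bounds check. */
void *reserve_vulnerable(struct toy_msg *m, size_t len)
{
    size_t tlen = NLMSG_ALIGN_UP(len);
    if (m->used + tlen > m->size)
        return NULL;
    void *p = m->buf + m->used;
    m->used += tlen;             /* caller then copies len bytes into p: overflow */
    return p;
}

/* Hardened: refuse a wrapped alignment and compare against the remaining space
 * without any addition that could overflow. */
void *reserve_fixed(struct toy_msg *m, size_t len)
{
    size_t tlen = NLMSG_ALIGN_UP(len);
    if (tlen < len)              /* alignment wrapped around */
        return NULL;
    if (tlen > m->size - m->used) /* no underflow because used <= size */
        return NULL;
    void *p = m->buf + m->used;
    m->used += tlen;
    return p;
}

/* Returns 1 when the vulnerable reserve hands out a pointer for a length that
 * cannot possibly fit while the hardened reserve refuses it. */
int demo_huge_request(void)
{
    unsigned char storage[64];
    struct toy_msg v = { storage, sizeof storage, 0 };
    struct toy_msg f = { storage, sizeof storage, 0 };
    size_t attacker_len = SIZE_MAX - 1;  /* constructed input; aligns (wraps) to 0 */
    void *pv = reserve_vulnerable(&v, attacker_len);
    void *pf = reserve_fixed(&f, attacker_len);
    return pv != NULL && pf == NULL;
}

/* Returns the bytes in use after two ordinary reservations with the hardened
 * function, after checking that a request larger than the remaining space is
 * refused. 10 and 20 bytes align to 12 and 20, so 32 is expected. */
int demo_normal_requests(void)
{
    unsigned char storage[64];
    struct toy_msg f = { storage, sizeof storage, 0 };
    if (reserve_fixed(&f, 10) == NULL) return -1;  /* used becomes 12 */
    if (reserve_fixed(&f, 20) == NULL) return -1;  /* used becomes 32 */
    if (reserve_fixed(&f, 40) != NULL) return -1;  /* 40 > 32 remaining */
    return (int)f.used;
}
```

The `tlen < len` test is the single check the vulnerable variant lacks; comparing against `size - used` instead of `used + tlen > size` removes the second place where an addition could wrap.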

[DLA 893-1] bouncycastle security update

Package : bouncycastle
Version : 1.44+dfsg-3.1+deb7u2
CVE ID : CVE-2015-6644

An information disclosure vulnerability was discovered in Bouncy
Castle, a Java library which implements various cryptographic
algorithms. The Galois/Counter Mode (GCM) implementation was missing a
boundary check that could enable a local application to gain access to
a user's private information.

For Debian 7 "Wheezy", this problem has been fixed in bouncycastle version
1.44+dfsg-3.1+deb7u2.

We recommend that you upgrade your bouncycastle packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3828-1] dovecot security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3828-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 10, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dovecot
CVE ID : CVE-2017-2669
Debian Bug : 860049

It was discovered that the Dovecot email server is vulnerable to a
denial of service attack. When the "dict" passdb and userdb are used
for user authentication, the username sent by the IMAP/POP3 client is
sent through var_expand() to perform %variable expansion. Sending
specially crafted %variable fields could result in excessive memory
usage causing the process to crash (and restart).

For the stable distribution (jessie), this problem has been fixed in
version 1:2.2.13-12~deb8u2.

We recommend that you upgrade your dovecot packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3828-2] dovecot regression update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3828-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 11, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : dovecot

The Dovecot update issued as DSA-3828-1 introduced a regression; this
update reverts the backported patch. Further analysis by the Dovecot
team has shown that only versions starting from 2.2.26 are affected, so
the 2.2.13 version shipped in jessie was never vulnerable. For
reference, the original advisory text follows.

It was discovered that the Dovecot email server is vulnerable to a
denial of service attack. When the "dict" passdb and userdb are used
for user authentication, the username sent by the IMAP/POP3 client is
sent through var_expand() to perform %variable expansion. Sending
specially crafted %variable fields could result in excessive memory
usage causing the process to crash (and restart).

For the stable distribution (jessie), the regression has been fixed in
version 1:2.2.13-12~deb8u3.

We recommend that you upgrade your dovecot packages.
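The advisory text in DSA-3828-1 and DSA-3828-2 does not say which %variable fields drive the memory use; a padding width is one field a client can set in a %-template, and the point of the bug is that the client-supplied username itself became the template. The following is an added example for this page, not Dovecot's var_expand(): a toy expander that honours a %<width>u field. With no cap (width_cap == 0) the username decides the size of the server's allocation; the capped variant refuses oversized widths. TOY_WIDTH_CAP, the function names and the sample username are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Cap on one %variable padding width in the hardened variant. The number is an
 * assumption for this example, not Dovecot's own limit. */
#define TOY_WIDTH_CAP 1024u
#define TOY_ERR ((size_t)-1)

/* Parse one "<width>u" field starting just after a '%'. Stores the width and
 * returns the characters consumed, or 0 if this is not a %u field (the toy only
 * knows %u; anything else is copied literally). */
static size_t parse_field(const char *p, size_t *width)
{
    size_t i = 0, w = 0;
    while (isdigit((unsigned char)p[i])) {
        if (w > (SIZE_MAX - 9) / 10) return 0;   /* width digits would overflow */
        w = w * 10 + (size_t)(p[i] - '0');
        i++;
    }
    if (p[i] != 'u') return 0;
    *width = w;
    return i + 1;
}

/* Size of the expanded string without the NUL. width_cap == 0 honours every
 * width (the vulnerable behaviour); otherwise widths above the cap give TOY_ERR. */
size_t toy_expand_size(const char *fmt, const char *user, size_t width_cap)
{
    size_t total = 0, ulen = strlen(user);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { total++; continue; }
        size_t width = 0, n = parse_field(p + 1, &width);
        if (n == 0) { total++; continue; }       /* stray '%' copied literally */
        if (width_cap && width > width_cap) return TOY_ERR;
        total += width > ulen ? width : ulen;    /* left-padded to width */
        p += n;
    }
    return total;
}

/* Expand into a freshly malloc'd string, or NULL on error. The allocation is
 * exactly what toy_expand_size() reports, so with width_cap == 0 a username of
 * "%2000000000u" makes the server request about 2 GB. */
char *toy_expand(const char *fmt, const char *user, size_t width_cap)
{
    size_t need = toy_expand_size(fmt, user, width_cap);
    if (need == TOY_ERR) return NULL;
    char *out = malloc(need + 1);
    if (!out) return NULL;
    size_t o = 0, ulen = strlen(user);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') { out[o++] = *p; continue; }
        size_t width = 0, n = parse_field(p + 1, &width);
        if (n == 0) { out[o++] = '%'; continue; }
        for (size_t pad = ulen; pad < width; pad++) out[o++] = ' ';
        memcpy(out + o, user, ulen);
        o += ulen;
        p += n;
    }
    out[o] = '\0';
    return out;
}

/* Returns 1 when a client-supplied username carrying a huge width sets the
 * allocation size in the unbounded variant but is rejected by the capped one.
 * The username is the template, as in the advisory. */
int demo_width_abuse(void)
{
    const char *username = "%2000000000u";   /* constructed attacker input */
    size_t unbounded = toy_expand_size(username, username, 0);
    size_t capped = toy_expand_size(username, username, TOY_WIDTH_CAP);
    return unbounded == 2000000000u && capped == TOY_ERR;
}

/* Returns 1 when ordinary padding still works under the cap. */
int demo_normal_padding(void)
{
    char *s = toy_expand("passdb/%8u@mail", "alice", TOY_WIDTH_CAP);
    int ok = s != NULL && strcmp(s, "passdb/   alice@mail") == 0;
    free(s);
    return ok;
}
```

The size pass is where the cap belongs: once a template can come from the network, every numeric field in it is an allocation size chosen by the peer, and bounding it there is cheaper than recovering from the process crash and restart the advisory describes.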
