Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 924-2] tomcat7 regression update
[DLA 935-1] lxterminal security update
[DLA 936-1] libtirpc security update
[DLA 937-1] rpcbind security update
[DLA 938-1] git security update
[DSA 3848-1] git security update



[DLA 924-2] tomcat7 regression update

Package : tomcat7
Version : 7.0.28-4+deb7u13
Debian Bug : 861872

The security update announced as DLA-924-1 introduced a regression in
Tomcat's APR protocol due to the fix for CVE-2017-5647 and prevented a
successful sendfile request.

For Debian 7 "Wheezy", these problems have been fixed in version
7.0.28-4+deb7u13.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 935-1] lxterminal security update

Package : lxterminal
Version : 0.1.11-4+deb7u1
CVE ID : CVE-2016-10369
Debian Bug : #862098

It was discovered that there was a local denial of service vulnerability in
lxterminal, the terminal emulator for the LXDE desktop environment.

This was caused by an insecure use of temporary files for a socket file.

For Debian 7 "Wheezy", this issue has been fixed in lxterminal version
0.1.11-4+deb7u1.

We recommend that you upgrade your lxterminal packages.

[DLA 936-1] libtirpc security update

Package : libtirpc
Version : 0.2.2-5+deb7u1
CVE ID : CVE-2017-8779
Debian Bug : 861834

Guido Vranken discovered that incorrect memory management in libtirpc,
a transport-independent RPC library used by rpcbind and other programs
may result in denial of service via memory exhaustion (depending on
memory management settings).

For Debian 7 "Wheezy", these problems have been fixed in version
0.2.2-5+deb7u1.

We recommend that you upgrade your libtirpc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 937-1] rpcbind security update

Package : rpcbind
Version : 0.2.0-8+deb7u2
CVE ID : CVE-2017-8779
Debian Bug : 861835

Guido Vranken discovered that incorrect memory management in libtirpc,
a transport-independent RPC library used by rpcbind and other programs
may result in denial of service via memory exhaustion (depending on
memory management settings).

For Debian 7 "Wheezy", these problems have been fixed in version
0.2.0-8+deb7u2.

We recommend that you upgrade your rpcbind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 938-1] git security update

Package : git
Version : 1:1.7.10.4-1+wheezy4
CVE ID : CVE-2017-8386

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.7.10.4-1+wheezy4.

We recommend that you upgrade your git packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3848-1] git security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3848-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : git
CVE ID : CVE-2017-8386

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".

For the stable distribution (jessie), this problem has been fixed in
version 1:2.1.4-2.1+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.11.0-3.

We recommend that you upgrade your git packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/