Debian 9843 Published by

4 new updates are available for Debian 7 LTS and 2 for Debian 8:

[DLA 557-1] dietlibc security update
[DLA 558-1] squid security update
[DLA 559-1] ntp security update
[DLA 560-1] cacti security update
[DSA 3628-1] perl security update
[DSA 3629-1] ntp security update



[DLA 557-1] dietlibc security update

Package : dietlibc
Version : 0.33~cvs20120325-4+deb7u1
Debian Bug : #832169

It was discovered that there was an insecure default PATH in
dietlibc, a libc optimized for small size.

Thorsten Glaser discovered that the default PATH in dietlibc
(if the environment variable is unset) contained the current
working directory.

For Debian 7 "Wheezy", this issue has been fixed in:

* dietlibc version 0.33~cvs20120325-4+deb7u1
* minit version 0.10-5+deb7u1

We recommend that you upgrade your dietlibc and minit packages.

[DLA 558-1] squid security update

Package : squid
Version : 2.7.STABLE9-4.1+deb7u2
CVE ID : CVE-2016-4554

A security issue has been discovered in the Squid chaching proxy, on its
2.7.STABLE9 version branch.

CVE-2016-4554

Jianjun Chen found that Squid was vulnerable to a header smuggling
attack that could lead to cache poisoning and to bypass of same-origin
security policy in Squid and some client browsers.

For Debian 7 "Wheezy", this issue has been fixed in version
2.7.STABLE9-4.1+deb7u2.

We recommend that you upgrade your squid packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 559-1] ntp security update

Package : ntp
Version : 1:4.2.6.p5+dfsg-2+deb7u7
CVE ID : CVE-2015-7974 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979
CVE-2015-8138 CVE-2015-8158 CVE-2016-1547 CVE-2016-1548
CVE-2016-1550 CVE-2016-2516 CVE-2016-2518

Several vulnerabilities were discovered in the Network Time Protocol
daemon and utility programs:

CVE-2015-7974

Matt Street discovered that insufficient key validation allows
impersonation attacks between authenticated peers.

CVE-2015-7977 / CVE-2015-7978

Stephen Gray discovered that a NULL pointer dereference and a
buffer overflow in the handling of "ntpdc reslist" commands may
result in denial of service.

CVE-2015-7979

Aanchal Malhotra discovered that if NTP is configured for broadcast
mode, an attacker can send malformed authentication packets which
break associations with the server for other broadcast clients.

CVE-2015-8138

Matthew van Gundy and Jonathan Gardner discovered that missing
validation of origin timestamps in ntpd clients may result in denial
of service.

CVE-2015-8158

Jonathan Gardner discovered that missing input sanitising in ntpq
may result in denial of service.

CVE-2016-1547

Stephen Gray and Matthew van Gundy discovered that incorrect handling
of crypto NAK packets my result in denial of service.

CVE-2016-1548

Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients
could be forced to change from basic client/server mode to interleaved
symmetric mode, preventing time synchronisation.

CVE-2016-1550

Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered
that timing leaks in the the packet authentication code could result
in recovery of a message digest.

CVE-2016-2516

Yihan Lian discovered that duplicate IPs on "unconfig" directives will
trigger an assert.

CVE-2016-2518

Yihan Lian discovered that an OOB memory access could potentially
crash ntpd.

For Debian 7 "Wheezy", these problems have been fixed in version
1:4.2.6.p5+dfsg-2+deb7u7.

We recommend that you upgrade your ntp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 560-1] cacti security update

Package : cacti
Version : 0.8.8a+dfsg-5+deb7u9
CVE ID : CVE-2016-2313 CVE-2016-3172 CVE-2016-3659


Three security issues have been found in cacti:

CVE-2016-2313

auth_login.php allows remote authenticated users who use web
authentication to bypass intended access restrictions by logging in
as a user not in the cacti database.

CVE-2016-3172

An SQL injection vulnerability in tree.php allows remote authenticated
users to execute arbitrary SQL commands via the parent_id parameter in
an item_edit action.

CVE-2016-3659

An SQL injection vulnerability in graph_view.php allows remote
authenticated users to execute arbitrary SQL commands via the
host_group_data parameter.


For Debian 7 "Wheezy", these problems have been fixed in version
0.8.8a+dfsg-5+deb7u9.

We recommend that you upgrade your cacti packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3628-1] perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3628-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : perl
CVE ID : CVE-2016-1238 CVE-2016-6185
Debian Bug : 829578

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-1238

John Lightsey and Todd Rinaldo reported that the opportunistic
loading of optional modules can make many programs unintentionally
load code from the current working directory (which might be changed
to another directory without the user realising) and potentially
leading to privilege escalation, as demonstrated in Debian with
certain combinations of installed packages.

The problem relates to Perl loading modules from the includes
directory array ("@INC") in which the last element is the current
directory ("."). That means that, when "perl" wants to load a module
(during first compilation or during lazy loading of a module in run-
time), perl will look for the module in the current directory at the
end, since '.' is the last include directory in its array of include
directories to seek. The issue is with requiring libraries that are
in "." but are not otherwise installed.

With this update several modules which are known to be vulnerable
are updated to not load modules from current directory.

Additionally the update allows configurable removal of "." from @INC
in /etc/perl/sitecustomize.pl for a transitional period. It is
recommended to enable this setting if the possible breakage for a
specific site has been evaluated. Problems in packages provided in
Debian resulting from the switch to the removal of '.' from @INC
should be reported to the Perl maintainers at
perl@packages.debian.org .

It is planned to switch to the default removal of '.' in @INC in a
subsequent update to perl via a point release if possible, and in
any case for the upcoming stable release Debian 9 (stretch).

CVE-2016-6185

It was discovered that XSLoader, a core module from Perl to
dynamically load C libraries into Perl code, could load shared
library from incorrect location. XSLoader uses caller() information
to locate the .so file to load. This can be incorrect if
XSLoader::load() is called in a string eval. An attacker can take
advantage of this flaw to execute arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 5.20.2-3+deb8u6. Additionally this update includes the
following updated packages to address optional module loading
vulnerabilities related to CVE-2016-1238, or to address build failures
which occur when '.' is removed from @INC:

- cdbs 0.4.130+deb8u1
- debhelper 9.20150101+deb8u2
- devscripts 2.15.3+deb8u1
- exim4 4.84.2-2+deb8u1
- libintl-perl 1.23-1+deb8u1
- libmime-charset-perl 1.011.1-1+deb8u2
- libmime-encwords-perl 1.014.3-1+deb8u1
- libmodule-build-perl 0.421000-2+deb8u1
- libnet-dns-perl 0.81-2+deb8u1
- libsys-syslog-perl 0.33-1+deb8u1
- libunicode-linebreak-perl 0.0.20140601-2+deb8u2

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3629-1] ntp security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3629-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 25, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ntp
CVE ID : CVE-2015-7974 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979
CVE-2015-8138 CVE-2015-8158 CVE-2016-1547 CVE-2016-1548
CVE-2016-1550 CVE-2016-2516 CVE-2016-2518

Several vulnerabilities were discovered in the Network Time Protocol
daemon and utility programs:

CVE-2015-7974

Matt Street discovered that insufficient key validation allows
impersonation attacks between authenticated peers.

CVE-2015-7977 / CVE-2015-7978

Stephen Gray discovered that a NULL pointer dereference and a
buffer overflow in the handling of "ntpdc reslist" commands may
result in denial of service.

CVE-2015-7979

Aanchal Malhotra discovered that if NTP is configured for broadcast
mode, an attacker can send malformed authentication packets which
break associations with the server for other broadcast clients.

CVE-2015-8138

Matthew van Gundy and Jonathan Gardner discovered that missing
validation of origin timestamps in ntpd clients may result in denial
of service.

CVE-2015-8158

Jonathan Gardner discovered that missing input sanitising in ntpq
may result in denial of service.

CVE-2016-1547

Stephen Gray and Matthew van Gundy discovered that incorrect handling
of crypto NAK packets my result in denial of service.

CVE-2016-1548

Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients
could be forced to change from basic client/server mode to interleaved
symmetric mode, preventing time synchronisation.

CVE-2016-1550

Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered
that timing leaks in the the packet authentication code could result
in recovery of a message digest.

CVE-2016-2516

Yihan Lian discovered that duplicate IPs on "unconfig" directives will
trigger an assert.

CVE-2016-2518

Yihan Lian discovered that an OOB memory access could potentially
crash ntpd.

For the stable distribution (jessie), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 1:4.2.8p7+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.8p7+dfsg-1.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/