Debian 9858 Published by

The following updates has been released for Debian:

[DLA 964-1] xen security update
[DLA 972-1] openldap security update
[DLA 973-1] strongswan security update
[DLA 974-1] picocom security update
[DSA 3871-1] zookeeper security update
[DSA 3872-1] nss security update



[DLA 964-1] xen security update

Package : xen
Version : 4.1.6.lts1-8
CVE ID : CVE-2016-9932 CVE-2017-7995 CVE-2017-8903 CVE-2017-8904
CVE-2017-8905


Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2016-9932 (XSA-200)

CMPXCHG8B emulation allows local HVM guest OS users to obtain sensitive
information from host stack memory.

CVE-2017-7995

Description
Xen checks access permissions to MMIO ranges only after accessing them,
allowing host PCI device space memory reads.

CVE-2017-8903 (XSA-213)

Xen mishandles page tables after an IRET hypercall which can lead to
arbitrary code execution on the host OS. The vulnerability is only exposed
to 64-bit PV guests.

CVE-2017-8904 (XSA-214)

Xen mishandles the "contains segment descriptors" property during
GNTTABOP_transfer. This might allow PV guest OS users to execute arbitrary
code on the host OS.

CVE-2017-8905 (XSA-215)

Xen mishandles a failsafe callback which might allow PV guest OS users to
execute arbitrary code on the host OS.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-8.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 972-1] openldap security update

Package : openldap
Version : 2.4.31-2+deb7u3
CVE ID : CVE-2017-9287
Debian Bug : #863563

It was discovered that there was a double-free vulnerability in the
"openldap" LDAP server.

A user with access to search the directory could crash slapd by issuing
a search requesting a "Paged Results" value set to zero.

For Debian 7 "Wheezy", this issue has been fixed in openldap version
2.4.31-2+deb7u3.

We recommend that you upgrade your openldap packages.

[DLA 973-1] strongswan security update

Package : strongswan
Version : 4.5.2-1.5+deb7u9
CVE ID : CVE-2017-9022 CVE-2017-9023

Two denial of service vulnerabilities were identified in strongSwan, an
IKE/IPsec suite, using Google's OSS-Fuzz fuzzing project.

CVE-2017-9022

RSA public keys passed to the gmp plugin aren't validated sufficiently
before attempting signature verification, so that invalid input might
lead to a floating point exception and crash of the process.
A certificate with an appropriately prepared public key sent by a peer
could be used for a denial-of-service attack.

CVE-2017-9023

ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when
parsing X.509 certificates with extensions that use such types. This could
lead to infinite looping of the thread parsing a specifically crafted
certificate.

For Debian 7 "Wheezy", these problems have been fixed in version
4.5.2-1.5+deb7u9.

We recommend that you upgrade your strongswan packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 974-1] picocom security update

Package : picocom
Version : 1.7-1+deb7u1
CVE ID : CVE-2015-9059
Debian Bug : #863671

It was discovered that there was a command injection vulnerability in
picocom, a dumb-terminal emulation program.

For Debian 7 "Wheezy", this issue has been fixed in picocom version
1.7-1+deb7u1.

We recommend that you upgrade your picocom packages.

[DSA 3871-1] zookeeper security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3871-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : zookeeper
CVE ID : CVE-2017-5637

It was discovered that Zookeeper, a service for maintaining
configuration information, didn't restrict access to the computationally
expensive wchp/wchc commands which could result in denial of service by
elevated CPU consumption.

This update disables those two commands by default. The new
configuration option "4lw.commands.whitelist" can be used to whitelist
commands selectively (and the full set of commands can be restored
with '*')

For the stable distribution (jessie), this problem has been fixed in
version 3.4.5+dfsg-2+deb8u2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your zookeeper packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3872-1] nss security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3872-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nss
CVE ID : CVE-2017-5461 CVE-2017-5462 CVE-2017-7502

Several vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in denial of service or information
disclosure.

For the stable distribution (jessie), these problems have been fixed in
version 2:3.26-1+debu8u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your nss packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/