Debian 9844 Published by

The following updates are available for Debian GNU/Linux:

[DLA 746-1] tomcat6 security update
[DLA 747-1] libupnp security update
[DLA 748-1] libupnp4 security update
[DLA 749-1] php5 security update
[DLA 750-1] game-music-emu security update
[DLA 751-1] nagios3 security update
[DSA 3737-1] php5 security update



[DLA 746-1] tomcat6 security update

Package : tomcat6
Version : 6.0.45+dfsg-1~deb7u4
CVE ID : CVE-2016-9774
Debian Bug : 845393 845425 846298

Paul Szabo discovered a potential privilege escalation that could be
exploited in the situation envisaged in DLA-622-1. This update also
addresses two regressions which were introduced by the fixes for
CVE-2016-5018 (when running Jasper with SecurityManager enabled) and
CVE-2016-6797.

For Debian 7 "Wheezy", these problems have been fixed in version
6.0.45+dfsg-1~deb7u4.

We recommend that you upgrade your tomcat6 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 747-1] libupnp security update

Package : libupnp
Version : 1:1.6.17-1.2+deb7u2
CVE ID : CVE-2016-8863
Debian Bug : 842093

Scott Tenaglia discovered a heap-based buffer overflow in libupnp, a
portable SDK for UPnP Devices. That can lead to denial of service or
remote code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.6.17-1.2+deb7u2.

We recommend that you upgrade your libupnp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 748-1] libupnp4 security update

Package : libupnp4
Version : 1.8.0~svn20100507-1.2+deb7u1
CVE ID : CVE-2016-8863

Scott Tenaglia discovered a heap-based buffer overflow in libupnp4, a
portable SDK for UPnP Devices. That can lead to denial of service or
remote code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.0~svn20100507-1.2+deb7u1.

We recommend that you upgrade your libupnp4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 749-1] php5 security update

Package : php5
Version : 5.4.45-0+deb7u6
CVE ID : CVE-2016-5385 CVE-2016-7124 CVE-2016-7128 CVE-2016-7129
CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 CVE-2016-7411
CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416
CVE-2016-7417 CVE-2016-7418


CVE-2016-5385
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
namespace conflicts and therefore does not protect applications from
the presence of untrusted client data in the HTTP_PROXY environment
variable, which might allow remote attackers to redirect an application's
outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy
header in an HTTP request, as demonstrated by (1) an application that
makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP,
aka an "httpoxy" issue.

CVE-2016-7124
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10
mishandles certain invalid objects, which allows remote attackers to cause
a denial of service or possibly have unspecified other impact via crafted
serialized data that leads to a (1) __destruct call or (2) magic method
call.

CVE-2016-7128
The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before
5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset
that exceeds the file size, which allows remote attackers to obtain
sensitive information from process memory via a crafted TIFF image.

CVE-2016-7129
The php_wddx_process_data function in ext/wddx/wddx.c in PHP before
5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial
of service (segmentation fault) or possibly have unspecified other
impact via an invalid ISO 8601 time value, as demonstrated by
a wddx_deserialize call that mishandles a dateTime element in
a wddxPacket XML document.

CVE-2016-7130
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before
5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash)
or possibly have unspecified other impact via an invalid base64
binary value, as demonstrated by a wddx_deserialize call that
mishandles a binary element in a wddxPacket XML document.

CVE-2016-7131
ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
remote attackers to cause a denial of service (NULL pointer
dereference and application crash) or possibly have unspecified
other impact via a malformed wddxPacket XML document that is
mishandled in a wddx_deserialize call, as demonstrated by a tag
that lacks a < (less than) character.

CVE-2016-7132
ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
remote attackers to cause a denial of service (NULL pointer
dereference and application crash) or possibly have unspecified
other impact via an invalid wddxPacket XML document that is
mishandled in a wddx_deserialize call, as demonstrated by
a stray element inside a boolean element, leading to incorrect
pop processing.

CVE-2016-7411
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles
object-deserialization failures, which allows remote attackers
to cause a denial of service (memory corruption) or possibly
have unspecified other impact via an unserialize call that
references a partially constructed object.

CVE-2016-7412
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x
before 7.0.11 does not verify that a BIT field has the
UNSIGNED_FLAG flag, which allows remote MySQL servers to cause
a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via crafted field metadata.

CVE-2016-7413
Use-after-free vulnerability in the wddx_stack_destroy function in
ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a wddxPacket XML document that lacks
an end-tag for a recordset field element, leading to mishandling
in a wddx_deserialize call.

CVE-2016-7414
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x
before 7.0.11 does not ensure that the uncompressed_filesize field
is large enough, which allows remote attackers to cause a denial of
service (out-of-bounds memory access) or possibly have unspecified
other impact via a crafted PHAR archive, related to ext/phar/util.c
and ext/phar/zip.c.

CVE-2016-7416
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x
before 7.0.11 does not properly restrict the locale length provided
to the Locale class in the ICU library, which allows remote attackers
to cause a denial of service (application crash) or possibly have
unspecified other impact via a MessageFormatter::formatMessage call
with a long first argument.

CVE-2016-7417
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11
proceeds with SplArray unserialization without validating a
return value and data type, which allows remote attackers to
cause a denial of service or possibly have unspecified other
impact via crafted serialized data.

CVE-2016-7418
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a
denial of service (invalid pointer access and out-of-bounds read)
or possibly have unspecified other impact via an incorrect boolean
element in a wddxPacket XML document, leading to mishandling in
a wddx_deserialize call.


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u6.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 750-1] game-music-emu security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package : game-music-emu
Version : 0.5.5-2+deb7u1
CVE ID : CVE-2016-9957 CVE-2016-9958 CVE-2016-9959 CVE-2016-9960
CVE-2016-9961

Chris Evans found several issues in the emulation code in game-music-emu
that could lead to arbitrary code execution.

For Debian 7 "Wheezy", these problems have been fixed in version
0.5.5-2+deb7u1.

We recommend that you upgrade your game-music-emu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 751-1] nagios3 security update

Package : nagios3
Version : 3.4.1-3+deb7u3
CVE ID : CVE-2016-9565 CVE-2016-9566

Nagios was found to be vulnerable to two security issues that, when
combined, lead to a remote root code execution vulnerability.
Fortunately, the hardened permissions of the Debian package limit the
effect of those to information disclosure, but privilege escalation to
root is still possible locally.

CVE-2016-9565

Improper sanitization of RSS feed input enables unauthenticated
remote read and write of arbitrary files which may lead to remote
code execution if the web root is writable.

CVE-2016-9566

Unsafe logfile handling allows unprivileged users to escalate their
privileges to root. In wheezy, this is possible only through the
debug logfile which is disabled by default.

For Debian 7 "Wheezy", these problems have been fixed in version
3.4.1-3+deb7u3.

We recommend that you upgrade your nagios3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3737-1] php5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3737-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 16, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php5
CVE ID : CVE-2016-9935

Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream
version 5.6.29, which includes additional bug fixes. Please refer to the
upstream changelog for more information:

https://php.net/ChangeLog-5.php#5.6.29

For the stable distribution (jessie), this problem has been fixed in
version 5.6.29+dfsg-0+deb8u1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/