Debian 9844 Published by

The following updates has been released for Debian today:

[DLA 873-1] apt-cacher security update
[DLA 874-1] jbig2dec security update
[DLA 875-1] php5 security update
[DSA 3818-1] gst-plugins-bad1.0 security update
[DSA 3819-1] gst-plugins-base1.0 security update
[DSA 3820-1] gst-plugins-good1.0 security update
[DSA 3821-1] gst-plugins-ugly1.0 security update
[DSA 3822-1] gstreamer1.0 security update



[DLA 873-1] apt-cacher security update

Package : apt-cacher
Version : 1.7.6+deb7u1
Debian Bug : #858739

It was discovered that there was a HTTP response splitting vulnerability in
apt-cacher, a proxy server for Debian/Ubuntu software repositories.

For Debian 7 "Wheezy", this issue has been fixed in apt-cacher version
1.7.6+deb7u1.

We recommend that you upgrade your apt-cacher packages.

[DLA 874-1] jbig2dec security update

Package : jbig2dec
Version : 0.13-4~deb7u1
CVE ID : CVE-2016-9601

Multiple security issues have been found in the JBIG2 decoder library,
which may lead to lead to denial of service or the execution of arbitrary
code if a malformed image file (usually embedded in a PDF document) is
opened.

For Debian 7 "Wheezy", these problems have been fixed in version
0.13-4~deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 0.13-4~deb8u1.

For the upcoming stable distribution (stretch) and for the unstable
distribution (sid), this problem has been fixed in version 0.13-4.

We recommend that you upgrade your jbig2dec packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 875-1] php5 security update

Package : php5
Version : 5.4.45-0+deb7u8
CVE ID : CVE-2016-7478 CVE-2016-7479 CVE-2017-7272

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.

CVE-2016-7478:
Zend/zend_exceptions.c in PHP allows remote attackers to
cause a denial of service (infinite loop) via a crafted Exception
object in serialized data, a related issue to CVE-2015-8876.

CVE-2016-7479:
During the unserialization process, resizing the 'properties' hash
table of a serialized object may lead to use-after-free. A remote
attacker may exploit this bug to gain the ability of arbitrary code
execution. Even though the property table issue only affects PHP 7
this change also prevents a wide range of other __wakeup() based
attacks.

CVE-2017-7272:
The fsockopen() function will use the port number which is defined
in hostname instead of the port number passed to the second
parameter of the function. This misbehavior may introduce another
attack vector for an already known application vulnerability (e.g.
Server Side Request Forgery).

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u8.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3818-1] gst-plugins-bad1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3818-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-bad1.0
CVE ID : CVE-2016-9809 CVE-2016-9812 CVE-2016-9813 CVE-2017-5843
CVE-2017-5848

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2.1+deb8u2.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3819-1] gst-plugins-base1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3819-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-base1.0
CVE ID : CVE-2016-9811 CVE-2017-5837 CVE-2017-5839 CVE-2017-5842
CVE-2017-5844

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

We recommend that you upgrade your gst-plugins-base1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3820-1] gst-plugins-good1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3820-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-good1.0
CVE ID : CVE-2016-10198 CVE-2016-10199 CVE-2017-5840 CVE-2017-5841
CVE-2017-5845

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u3.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.3-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.3-1.

We recommend that you upgrade your gst-plugins-good1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3821-1] gst-plugins-ugly1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3821-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gst-plugins-ugly1.0
CVE ID : CVE-2017-5846 CVE-2017-5847

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 1.10.4-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.4-1.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3822-1] gstreamer1.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3822-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 27, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gstreamer1.0
CVE ID : CVE-2017-5838

Hanno Boeck discovered multiple vulnerabilities in the GStreamer media
framework and its codecs and demuxers, which may result in denial of
service or the execution of arbitrary code if a malformed media file is
opened.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.4-2+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1.10.3-1.

For the unstable distribution (sid), this problem has been fixed in
version version 1.10.3-1.

We recommend that you upgrade your gstreamer1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/