
The following updates have been released for Debian GNU/Linux:

DSA 4065-1: openssl1.0 security update
DSA 4066-1: otrs2 security update
DSA 4067-1: openafs security update
DSA 4068-1: rsync security update

DSA 4065-1: openssl1.0 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4065-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2017-3737 CVE-2017-3738

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3737

David Benjamin of Google reported that OpenSSL does not properly
handle SSL_read() and SSL_write() while being invoked in an error
state, causing data to be passed without being decrypted or
encrypted directly from the SSL/TLS record layer.

CVE-2017-3738

It was discovered that OpenSSL contains an overflow bug in the AVX2
Montgomery multiplication procedure used in exponentiation with
1024-bit moduli.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20171207.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2l-2+deb9u2.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4066-1: otrs2 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4066-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 17, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : otrs2
CVE ID : CVE-2017-16854 CVE-2017-16921

Two vulnerabilities were discovered in the Open Ticket Request System
which could result in information disclosure or the execution of arbitrary
shell commands by logged-in agents.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.3.18-1+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.16-1+deb9u4.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/otrs2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4067-1: openafs security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4067-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 17, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openafs
CVE ID : CVE-2017-17432

It was discovered that malformed jumbogram packets could result in
denial of service against OpenAFS, an implementation of the Andrew
distributed file system.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.9-2+deb8u6. This update also provides corrections for
CVE-2016-4536 and CVE-2016-9772.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.20-2+deb9u1.

We recommend that you upgrade your openafs packages.

For the detailed security status of openafs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openafs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4068-1: rsync security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4068-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : rsync
CVE ID : CVE-2017-16548 CVE-2017-17433 CVE-2017-17434
Debian Bug : 880954 883665 883667

Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool, allowing a remote attacker to
bypass intended access restrictions or cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.1.1-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 3.1.2-1+deb9u1.

We recommend that you upgrade your rsync packages.

For the detailed security status of rsync please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/rsync

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
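Each of the four advisories above names a fixed source-package version per suite; the added example below (not part of the advisories or of Debian's tooling) reimplements the dpkg version-ordering rules in Python and checks a constructed list of installed source versions against those fixed versions, so a host can be audited without trusting a naive string comparison. It assumes the installed list comes from `dpkg-query -W -f='${source:Package} ${source:Version}\n'` and that the DSA_FIXED table is keyed by source package name, as in the advisories.

```python
import re
from itertools import zip_longest

# Fixed source-package versions stated in DSA-4065-1 to DSA-4068-1, per suite.
DSA_FIXED = {
    "stretch": {"openssl1.0": "1.0.2l-2+deb9u2", "otrs2": "5.0.16-1+deb9u4",
                "openafs": "1.6.20-2+deb9u1", "rsync": "3.1.2-1+deb9u1"},
    "jessie": {"otrs2": "3.3.18-1+deb8u3", "openafs": "1.6.9-2+deb8u6", "rsync": "3.1.1-3+deb8u1"},
}

def _order(c):
    """dpkg character weight: end of string or digit 0, '~' below everything, letters, then symbols."""
    if not c or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version part as dpkg does: alternating non-digit runs (by char weight) and numeric runs."""
    runs_a, runs_b = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision); the last '-' starts the revision."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch first, then upstream, then Debian revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def unpatched(suite, dpkg_output):
    """From '<source:Package> <source:Version>' lines, list (pkg, installed, fixed) still below the DSA fix."""
    below = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        fixed = DSA_FIXED.get(suite, {}).get(parts[0]) if len(parts) >= 2 else None
        if fixed and parts[0] not in below and compare_versions(parts[1], fixed) < 0:
            below[parts[0]] = (parts[0], parts[1], fixed)
    return list(below.values())

# Constructed sample of `dpkg-query -W -f='${source:Package} ${source:Version}\n'` output on a stretch host.
SAMPLE_DPKG_QUERY = "openssl1.0 1.0.2l-2+deb9u1\notrs2 5.0.16-1+deb9u4\nopenafs 1.6.20-2\nrsync 3.1.2-1+deb9u1\n"
```

Running `unpatched("stretch", SAMPLE_DPKG_QUERY)` on the constructed sample flags openssl1.0 (one deb9u revision short) and openafs (no +deb9u1 revision at all), while otrs2 and rsync compare equal to the fixed versions.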