
The following updates have been released for Debian GNU/Linux:

DLA 1185-1: sam2p security update
DLA 1186-1: xorg-server security update
DSA 4046-1: libspring-ldap-java security update



DLA 1185-1: sam2p security update




Package : sam2p
Version : 0.49.1-1+deb7u2
CVE ID : CVE-2017-16663

It was discovered that sam2p, a utility to convert raster images and
other image formats, was affected by an integer overflow vulnerability
with resultant heap-based buffer overflow in input-bmp.ci because
width and height multiplications occur unsafely. This may lead to an
application crash or unspecified other impact when a maliciously
crafted file is processed.

For Debian 7 "Wheezy", these problems have been fixed in version
0.49.1-1+deb7u2.

We recommend that you upgrade your sam2p packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
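
The bug class described in this advisory, as an added example that is not sam2p's code and not part of the advisory: an image buffer size computed as an unchecked 32-bit product, beside a checked version that rejects oversized dimensions. The function names, the 64 MiB cap and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper names; constructed example, not sam2p code. */

/* Unsafe pattern: 32-bit product wraps silently, so oversized
 * dimensions can produce a small allocation size. */
uint32_t unsafe_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked form: 0 on success with the size in *out; -1 when a value is
 * zero, the product overflows size_t, or it exceeds max_bytes. */
int checked_size(uint32_t width, uint32_t height, uint32_t bpp,
                 size_t max_bytes, size_t *out)
{
    size_t row;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > SIZE_MAX / bpp)
        return -1;
    row = (size_t)width * bpp;
    if (height > SIZE_MAX / row || row * height > max_bytes)
        return -1;
    *out = row * height;
    return 0;
}

/* Allocate the pixel buffer only after the size check passes. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp,
                            size_t max_bytes)
{
    size_t n;
    return checked_size(width, height, bpp, max_bytes, &n) == 0 ? malloc(n) : NULL;
}

int main(void)
{
    /* Constructed header values: 65536 x 65537 pixels, 1 byte per pixel. */
    size_t n = 0;
    printf("unsafe: %u bytes\n", (unsigned)unsafe_size(65536u, 65537u, 1u));
    printf("checked: %d\n", checked_size(65536u, 65537u, 1u, 64u << 20, &n));
    return 0;
}
```

With the constructed dimensions the unchecked product wraps to 65536 bytes for an image that needs over 4 GiB, which is the mismatch that turns a later pixel write into a heap overflow; the checked path refuses the allocation instead.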


DLA 1186-1: xorg-server security update




Package : xorg-server
Version : 2:1.12.4-6+deb7u8
CVE ID : CVE-2017-2624 CVE-2017-12176 CVE-2017-12177 CVE-2017-12178
CVE-2017-12180 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184
CVE-2017-12185 CVE-2017-12187 CVE-2017-13723

Several vulnerabilities have been discovered in the X.Org X server. An
attacker who's able to connect to an X server could cause a denial of
service or potentially the execution of arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.12.4-6+deb7u8.

We recommend that you upgrade your xorg-server packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4046-1: libspring-ldap-java security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4046-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 22, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libspring-ldap-java
CVE ID : CVE-2017-8028

Tobias Schneider discovered that libspring-ldap-java, a Java library
for Spring-based applications using the Lightweight Directory Access
Protocol, would under some circumstances allow authentication with a
correct username but an arbitrary password.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.1.RELEASE-5+deb8u1.

We recommend that you upgrade your libspring-ldap-java packages.

For the detailed security status of libspring-ldap-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libspring-ldap-java

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/