Debian 9859 Published by

The following updates has been released for Debian 7 LTS:

DLA 1145-1: zoneminder security update
DLA 1146-1: mosquitto security update
DLA 1147-1: exiv2 security update



DLA 1145-1: zoneminder security update




Package : zoneminder
Version : 1.25.0-4+deb7u2
CVE ID : CVE-2017-5595

Multiple vulnerabilities have been found in zoneminder. This update
fixes only a serious file disclosure vulnerability (CVE-2017-5595).

The application has been found to suffer from many other problems
such as SQL injection vulnerabilities, cross-site scripting issues,
cross-site request forgery, session fixation vulnerability. Due to the
amount of issues and to the relative invasiveness of the relevant patches,
those issues will not be fixed in Wheezy. We thus advise you to restrict
access to zoneminder to trusted users only. If you want to review the
list of ignored issues, you can check the security tracker:
https://security-tracker.debian.org/tracker/source-package/zoneminder

We recommend that you upgrade your zoneminder packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


DLA 1146-1: mosquitto security update




Package : mosquitto
Version : 0.15-2+deb7u2
CVE ID : CVE-2017-9868
Debian Bug : 865959

mosquitto's persistence file (mosquitto.db) was created in a
world-readable way thus allowing local users to obtain sensitive MQTT
topic information. While the application has been fixed to set
proper permissions by default, you still have to manually fix
the permissions on any existing file.

For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u2.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/


DLA 1147-1: exiv2 security update




Package : exiv2
Version : 0.23-1+deb7u2
CVE ID : CVE-2017-11591 CVE-2017-11683 CVE-2017-14859 CVE-2017-14862
CVE-2017-14864
Debian Bug : 876893

The exiv2 library is vulnerable to multiple issues that can all lead
to denial of service of the applications relying on the library to parse
images' metadata.

CVE-2017-11591

Denial of service via floating point exception in
the Exiv2::ValueType function.

CVE-2017-11683

Denial of service through failing assertion triggered by
crafted image.

CVE-2017-14859 / CVE-2017-14862 / CVE-2017-14864

Denial of service through invalid memory access triggered by a crafted
image.

For Debian 7 "Wheezy", these problems have been fixed in version
0.23-1+deb7u2.

We recommend that you upgrade your exiv2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS