Debian 9858 Published by

The following updates has been released for Debian 7 LTS:

[SECURITY] [DLA 897-1] qbittorrent security update
[SECURITY] [DLA 898-1] libosip2 security update



[DLA 897-1] qbittorrent security update

Package : qbittorrent
Version : 2.9.8-1+deb7u1
CVE ID : CVE-2017-6503 CVE-2017-6504

CVE-2017-6503
WebUI in qBittorrent before 3.3.11 did not escape many values,
which could potentially lead to XSS.

CVE-2017-6504

WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options
header, which could potentially lead to clickjacking.

For Debian 7 "Wheezy", these problems have been fixed in version
2.9.8-1+deb7u1.

We recommend that you upgrade your qbittorrent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 898-1] libosip2 security update

Package : libosip2
Version : 3.6.0-4+deb7u1
CVE ID : CVE-2016-10324 CVE-2016-10325 CVE-2016-10326
CVE-2017-7853


CVE-2016-10324
In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to
a heap buffer overflow in the osip_clrncpy() function defined in
osipparser2/osip_port.c.

CVE-2016-10325
In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a
heap buffer overflow in the _osip_message_to_str() function defined
in osipparser2/osip_message_to_str.c, resulting in a remote DoS.

CVE-2016-10326
In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to
a heap buffer overflow in the osip_body_to_str() function defined
in osipparser2/osip_body.c, resulting in a remote DoS.

CVE-2017-7853
In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a
heap buffer overflow in the msg_osip_body_parse() function defined
in osipparser2/osip_message_parse.c, resulting in a remote DoS.


For Debian 7 "Wheezy", these problems have been fixed in version
3.6.0-4+deb7u1.

We recommend that you upgrade your libosip2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS