The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1125-1: botan1.10 security update

Debian GNU/Linux 8 and 9:
DSA 3992-1: curl security update

Debian GNU/Linux 9:
DSA 3993-1: tor security update


DLA 1125-1: botan1.10 security update

Package : botan1.10
Version : 1.10.5-1+deb7u4
CVE ID : CVE-2017-14737


CVE-2017-14737
A cache-based side-channel attack could recover information about
RSA secret keys.


For Debian 7 "Wheezy", this problem has been fixed in version
1.10.5-1+deb7u4.

We recommend that you upgrade your botan1.10 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 3992-1: curl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3992-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 06, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-1000100 CVE-2017-1000101 CVE-2017-1000254
Debian Bug : 871554 871555 877671

Several vulnerabilities have been discovered in cURL, a URL transfer
library. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2017-1000100

Even Rouault reported that cURL does not properly handle long file
names when doing a TFTP upload. A malicious HTTP(S) server can take
advantage of this flaw by redirecting a client using the cURL
library to a crafted TFTP URL and tricking it into sending private
memory contents to a remote server over UDP.

CVE-2017-1000101

Brian Carpenter and Yongji Ouyang reported that cURL contains a flaw
in the globbing function that parses numerical ranges, leading to
an out-of-bounds read when parsing a specially crafted URL.

CVE-2017-1000254

Max Dymond reported that cURL contains an out-of-bounds read flaw in
the FTP PWD response parser. A malicious server can take advantage
of this flaw to effectively prevent a client using the cURL library
from working with it, causing a denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u1.

We recommend that you upgrade your curl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 3993-1: tor security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3993-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 06, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tor
CVE ID : CVE-2017-0380

It was discovered that the Tor onion service could leak sensitive
information to log files if the "SafeLogging" option is set to "0"
(the default is "1", which scrubs sensitive data from log output).
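Whether a given host is exposed to this leak depends on its torrc, so the check worth running alongside the upgrade is whether SafeLogging is effectively 0. The following is an added example, not part of the advisory or of Tor's own code: it resolves the SafeLogging value the way tor's config parser does (case-insensitive option names, last uncommented assignment wins, absent option means the default "1"). Truncating an unquoted value at a trailing "#" is an assumption about tor's parser; the sample torrc lines are constructed.

```python
"""Audit a torrc for the SafeLogging setting DSA-3993-1 warns about.
Added example; not part of the advisory and not tor's own code."""

SAFE_LOGGING_DEFAULT = "1"   # tor's built-in default when the option is absent


def effective_safe_logging(torrc_text):
    """Return the SafeLogging value tor would use for this torrc text.

    Option names are case-insensitive, the last uncommented assignment
    wins, and a missing option falls back to the default "1".
    Accepted values are 0, 1 and relay; they are returned lower-cased.
    """
    value = SAFE_LOGGING_DEFAULT
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or full-line comment
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "safelogging":
            # Assumption: an unquoted value ends at a trailing '#' comment.
            value = parts[1].split("#", 1)[0].strip().lower()
    return value


def leaks_sensitive_logs(torrc_text):
    """True when SafeLogging is 0, i.e. tor would write unscrubbed
    addresses and onion service details into its log files."""
    return effective_safe_logging(torrc_text) == "0"


# Constructed sample torrc (not taken from any real host).
SAMPLE_TORRC = """\
# Debugging leftover: someone turned scrubbing off and never restored it
Log notice file /var/log/tor/notices.log
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
safelogging 0   # TODO: set back to 1
"""

if __name__ == "__main__":
    print("SafeLogging =", effective_safe_logging(SAMPLE_TORRC))
    if leaks_sensitive_logs(SAMPLE_TORRC):
        print("WARNING: SafeLogging 0 - sensitive data will reach the log files")
```

To audit a live host, read /etc/tor/torrc (and any file passed to tor with -f) into the function; a fleet-wide sweep can feed the output of an inventory tool through it in the same way.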

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 0.2.9.12-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/