Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

DLA 1333-1: dovecot security update
DLA 1334-1: mosquitto security update
DLA 1335-1: zsh security update



DLA 1333-1: dovecot security update




Package : dovecot
Version : 1:2.1.7-7+deb7u2
CVE ID : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132


Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
Dovecot does not properly parse invalid email addresses, which may
cause a crash or leak memory contents to an attacker.

CVE-2017-15130

It was discovered that TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted, resulting in a denial of service. Only
Dovecot configurations containing local_name { } or local { }
configuration blocks are affected.

CVE-2017-15132

It was discovered that Dovecot contains a memory leak flaw in the
login process on aborted SASL authentication.


For Debian 7 "Wheezy", these problems have been fixed in version
1:2.1.7-7+deb7u2.

We recommend that you upgrade your dovecot packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1334-1: mosquitto security update




Package : mosquitto
Version : 0.15-2+deb7u3
CVE ID : CVE-2017-7651 CVE-2017-7652


CVE-2017-7651
A crafted CONNECT packet from an unauthenticated client could
result in extraordinary memory consumption.

CVE-2017-7652
In case all sockets/file descriptors are exhausted, a SIGHUP
signal to reload the configuration could result in default
config values (especially bad security settings)


For Debian 7 "Wheezy", these problems have been fixed in version
0.15-2+deb7u3.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1335-1: zsh security update




Package : zsh
Version : 4.3.17-1+deb7u2
CVE ID : CVE-2018-1071 CVE-2018-1083
Debian Bug : 894044 894043

Two security vulnerabilities were discovered in the Z shell.

CVE-2018-1071
Stack-based buffer overflow in the exec.c:hashcmd() function.
A local attacker could exploit this to cause a denial of service.

CVE-2018-1083
Buffer overflow in the shell autocomplete functionality. A local
unprivileged user can create a specially crafted directory path which
leads to code execution in the context of the user who tries to use
autocomplete to traverse the before mentioned path. If the user
affected is privileged, this leads to privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
4.3.17-1+deb7u2.

We recommend that you upgrade your zsh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS