Debian 10158 Published by

The following updates has been released for Debian:

[DLA 716-1] tiff security update
[DLA 717-1] moin security update
[DLA 718-1] vim security update
[DSA 3722-1] vim security update



[DLA 716-1] tiff security update

Package : tiff
Version : 4.0.2-6+deb7u8
CVE ID : CVE-2016-9273 CVE-2016-9297 CVE-2016-9532
Debian Bug : 844013 844226 844057

Multiple memory corruption issues have been identified in libtiff
and its associated tools.

CVE-2016-9273

Heap buffer overflow in cpStrips().

CVE-2016-9297

Read outside buffer in _TIFFPrintField().

CVE-2016-9532

Heap buffer overflow via writeBufferToSeparateStrips().

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u8.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 717-1] moin security update

Package : moin
Version : 1.9.4-8+deb7u3
CVE ID : CVE-2016-7146 CVE-2016-9119
Debian Bug : 844338 844340

Several cross-site scripting vulnerabilities were discovered in moin, a
Python clone of WikiWiki. A remote attacker can conduct cross-site
scripting attacks via the GUI editor's attachment dialogue
(CVE-2016-7146) and the GUI editor's link dialogue (CVE-2016-9119).

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.4-8+deb7u3.

We recommend that you upgrade your moin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 718-1] vim security update

Package : vim
Version : 2:7.3.547-7+deb7u1
CVE ID : CVE-2016-1248

Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi
editor, does not properly validate values for the the 'filetype',
'syntax' and 'keymap' options, which may result in the execution of
arbitrary code if a file with a specially crafted modeline is opened.

For Debian 7 "Wheezy", these problems have been fixed in version
2:7.3.547-7+deb7u1.

We recommend that you upgrade your vim packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3722-1] vim security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3722-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 22, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : vim
CVE ID : CVE-2016-1248

Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi
editor, does not properly validate values for the the 'filetype',
'syntax' and 'keymap' options, which may result in the execution of
arbitrary code if a file with a specially crafted modeline is opened.

For the stable distribution (jessie), this problem has been fixed in
version 2:7.4.488-7+deb8u1.

We recommend that you upgrade your vim packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/