Debian 10168 Published by

The following updates has been released for Debian 7 LTS:

[DLA 627-1] pdns security update
[DLA 628-1] php5 security update
[DLA 629-1] jackrabbit security update
[DLA 630-1] zookeeper security update



[DLA 627-1] pdns security update

Package : pdns
Version : 3.1-4.1+deb7u2
CVE ID : CVE-2016-5426 CVE-2016-5427 CVE-2016-6172
Debian Bug : 830808


Multiple vulnerabilities have been discovered in pdns, an authoritative
DNS server. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2016-5426 / CVE-2016-5427

Florian Heinz and Martin Kluge reported that the PowerDNS
Authoritative Server accepts queries with a qname's length larger
than 255 bytes and does not properly handle dot inside labels. A
remote, unauthenticated attacker can take advantage of these flaws
to cause abnormal load on the PowerDNS backend by sending specially
crafted DNS queries, potentially leading to a denial of service.

CVE-2016-6172

It was reported that a malicious primary DNS server can crash a
secondary PowerDNS server due to improper restriction of zone size
limits. This update adds a feature to limit AXFR sizes in response
to this flaw.

For Debian 7 "Wheezy", these problems have been fixed in version
3.1-4.1+deb7u2.

We recommend that you upgrade your pdns packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 628-1] php5 security update

Package : php5
Version : 5.4.45-0+deb7u5
CVE ID : CVE-2016-4473 CVE-2016-4538 CVE-2016-5114 CVE-2016-5399
CVE-2016-5768 CVE-2016-5769 CVE-2016-5770 CVE-2016-5771
CVE-2016-5772 CVE-2016-5773 CVE-2016-6289 CVE-2016-6290
CVE-2016-6291 CVE-2016-6292 CVE-2016-6294 CVE-2016-6295
CVE-2016-6296 CVE-2016-6297
PHP-Bugs : 70436 72681


* CVE-2016-4473.patch
An invalid free may occur under certain conditions when processing
phar-compatible archives.
* CVE-2016-4538.patch
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35,
5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer
for the scale argument, which allows remote attackers to cause a
denial of service or possibly have unspecified other impact via a
crafted call.
(already fixed with patch for CVE-2016-4537)
* CVE-2016-5114.patch
sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17,
and 7.x before 7.0.2 misinterprets the semantics of the snprintf
return value, which allows attackers to obtain sensitive information
from process memory or cause a denial of service (out-of-bounds read
and buffer overflow) via a long string, as demonstrated by a long URI
in a configuration with custom REQUEST_URI logging.
* CVE-2016-5399.patch
Improper error handling in bzread()
* CVE-2016-5768.patch
Double free vulnerability in the _php_mb_regex_ereg_replace_exec
function in php_mbregex.c in the mbstring extension in PHP before
5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) by leveraging a callback exception.
* CVE-2016-5769.patch
Multiple integer overflows in mcrypt.c in the mcrypt extension in
PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow
remote attackers to cause a denial of service (heap-based buffer
overflow and application crash) or possibly have unspecified other
impact via a crafted length value, related to the
(1) mcrypt_generic and (2) mdecrypt_generic functions.
* CVE-2016-5770.patch
Integer overflow in the SplFileObject::fread function in
spl_directory.c in the SPL extension in PHP before 5.5.37 and
5.6.x before 5.6.23 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via a
large integer argument, a related issue to CVE-2016-5096.
* CVE-2016-5771.patch
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x
before 5.6.23 improperly interacts with the unserialize
implementation and garbage collection, which allows remote
attackers to execute arbitrary code or cause a denial of service
(use-after-free and application crash) via crafted serialized data.
* CVE-2016-5772.patch
Double free vulnerability in the php_wddx_process_data function in
wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before
5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via crafted XML data that is mishandled in a wddx_deserialize
call.
* CVE-2016-5773.patch
php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before
5.6.23, and 7.x before 7.0.8 improperly interacts with the
unserialize implementation and garbage collection, which allows
remote attackers to execute arbitrary code or cause a denial of
service (use-after-free and application crash) via crafted
serialized data containing a ZipArchive object.
* CVE-2016-6289.patch
Integer overflow in the virtual_file_ex function in
TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24,
and 7.x before 7.0.9 allows remote attackers to cause a denial of
service (stack-based buffer overflow) or possibly have unspecified
other impact via a crafted extract operation on a ZIP archive.
* CVE-2016-6290.patch
ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24,
and 7.x before 7.0.9 does not properly maintain a certain hash
data structure, which allows remote attackers to cause a denial
of service (use-after-free) or possibly have unspecified other
impact via vectors related to session deserialization.
* CVE-2016-6291.patch
The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in
PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows
remote attackers to cause a denial of service (out-of-bounds array
access and memory corruption), obtain sensitive information from
process memory, or possibly have unspecified other impact via a
crafted JPEG image.
* CVE-2016-6292.patch
The exif_process_user_comment function in ext/exif/exif.c in PHP
before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows
remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted JPEG image.
* CVE-2016-6294.patch
The locale_accept_from_http function in
ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before
5.6.24, and 7.x before 7.0.9 does not properly restrict calls to
the ICU uloc_acceptLanguageFromHTTP function, which allows remote
attackers to cause a denial of service (out-of-bounds read) or
possibly have unspecified other impact via a call with a long argument.
* CVE-2016-6295.patch
ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x
before 7.0.9 improperly interacts with the unserialize implementation
and garbage collection, which allows remote attackers to cause a
denial of service (use-after-free and application crash) or possibly
have unspecified other impact via crafted serialized data, a related
issue to CVE-2016-5773.
* CVE-2016-6296.patch
Integer signedness error in the simplestring_addn function in
simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before
5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote
attackers to cause a denial of service (heap-based buffer overflow)
or possibly have unspecified other impact via a long first argument
to the PHP xmlrpc_encode_request function.
* CVE-2016-6297.patch
Integer overflow in the php_stream_zip_opener function in
ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and
7.x before 7.0.9 allows remote attackers to cause a denial of
service (stack-based buffer overflow) or possibly have unspecified
other impact via a crafted zip:// URL.
* BUG-70436.patch
Use After Free Vulnerability in unserialize()
* BUG-72681.patch
PHP Session Data Injection Vulnerability, consume data even if we're
not storing them.

[DLA 629-1] jackrabbit security update

Package : jackrabbit
Version : 2.3.6-1+deb7u2
CVE ID : CVE-2016-6801
Debian Bug : 838204


Lukas Reschke discovered that Apache Jackrabbit, a content repository
implementation for Java, was vulnerable to Cross-Site-Request-Forgery
in Jackrabbit's webdav module.

The CSRF content-type check for POST requests did not handle missing
Content-Type header fields, nor variations in field values with
respect to upper/lower case or optional parameters. This could be
exploited to create a resource via CSRF.

For Debian 7 "Wheezy", these problems have been fixed in version
2.3.6-1+deb7u2.

We recommend that you upgrade your jackrabbit packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 630-1] zookeeper security update

Package : zookeeper
Version : 3.3.5+dfsg1-2+deb7u1
CVE ID : CVE-2016-5017


Lyon Yang discovered that the C client shells cli_st and cli_mt of
Apache Zookeeper, a high-performance coordination service for
distributed applications, were affected by a buffer overflow
vulnerability associated with parsing of the input command when using
the "cmd:" batch mode syntax. If the command string exceeds 1024
characters a buffer overflow will occur.

For Debian 7 "Wheezy", these problems have been fixed in version
3.3.5+dfsg1-2+deb7u1.

We recommend that you upgrade your zookeeper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS