Debian 9899 Published by

The following updates has been released for Debian:

Debian GNU/Linux 7 LTS:
[DLA 1041-1] nasm security update
[DLA 1042-1] libquicktime security update
[DLA 1043-1] mysql-5.5 security update

Debian GNU/Linux 8:
[DSA 3922-1] mysql-5.5 security update

Debian GNU/Linux 8 and 9:
[DSA 3921-1] enigmail update



[DLA 1041-1] nasm security update

Package : nasm
Version : 2.10.01-1+deb7u1
CVE ID : CVE-2017-10686 CVE-2017-11111

CVE-2017-10686
In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use
after free vulnerabilities in the tool nasm. The related heap is
allocated in the token() function and freed in the detoken()
function (called by pp_getline()) - it is used again at multiple
positions later that could cause multiple damages. For example,
it causes a corrupted double-linked list in detoken(), a double
free or corruption in delete_Token(), and an out-of-bounds write
in detoken(). It has a high possibility to lead to a remote code
execution attack.

CVE-2017-11111
In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote
attackers to cause a denial of service (heap-based buffer
overflow and application crash) or possibly have unspecified
other impact via a crafted file.


For Debian 7 "Wheezy", these problems have been fixed in version
2.10.01-1+deb7u1.

We recommend that you upgrade your nasm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 1042-1] libquicktime security update

Package : libquicktime
Version : 2:1.2.4-3+deb7u2
CVE ID : CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125
CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
Debian Bug : 864664

CVE-2017-9122

The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allows
remote attackers to cause a denial of service (infinite loop and CPU
consumption) via a crafted mp4 file.

CVE-2017-9123

The lqt_frame_duration function in lqt_quicktime.c in libquicktime
1.2.4 allows remote attackers to cause a denial of service (invalid
memory read and application crash) via a crafted mp4 file.

CVE-2017-9124

The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows
remote attackers to cause a denial of service (NULL pointer dereference
and application crash) via a crafted mp4 file.

CVE-2017-9125

The lqt_frame_duration function in lqt_quicktime.c in libquicktime
1.2.4 allows remote attackers to cause a denial of service (heap-based
buffer over-read) via a crafted mp4 file.

CVE-2017-9126

The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4
allows remote attackers to cause a denial of service (heap-based buffer
overflow and application crash) via a crafted mp4 file.

CVE-2017-9127

The quicktime_user_atoms_read_atom function in useratoms.c in
libquicktime 1.2.4 allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) via a crafted mp4
file.

CVE-2017-9128

The quicktime_video_width function in lqt_quicktime.c in libquicktime
1.2.4 allows remote attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted mp4 file.


For Debian 7 "Wheezy", these problems have been fixed in version
2:1.2.4-3+deb7u2.

We recommend that you upgrade your libquicktime packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 1043-1] mysql-5.5 security update

Package : mysql-5.5
Version : 5.5.57-0+deb7u1
CVE ID : CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648.
CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
Debian Bug : 868788

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.57, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.57-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3921-1] enigmail update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3921-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : enigmail
Debian Bug : 869774

In DSA 3918 Thunderbird was upgraded to the latest ESR series. This
update upgrades Enigmail, the OpenPGP extention for Thunderbird,
to version 1.9.8.1 to restore full compatibility.

For the oldstable distribution (jessie), this problem has been fixed
in version 2:1.9.8.1-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.9.8.1-1~deb9u1.

We recommend that you upgrade your enigmail packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3922-1] mysql-5.5 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3922-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 28, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648
CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
Debian Bug : 868788

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.57, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.57-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/