Security updates for libreoffice, tomcat8, libcommons-fileupload-java, libvirt, tomcat7, wireshark, horizon, libgd2, pidgin, squid3, openssh, phpmyadmin, ntp, libgd2, php5, mariadb-10.0 and collectd.

 

Vulnerability Information

DSA-3608-1 libreoffice — Security Updates
Security database details:

  • Aleksandar Nikolic discovered that missing input sanitising in the RTF parser in LibreOffice may result in the execution of arbitrary code if a malformed document is opened.

 

DSA-3609-1 tomcat8 — Security Updates

Security database details:

  • Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.

 

DSA-3611-1 libcommons-fileupload-java — Security Updates
Security database details:

  • The TERASOLUNA Framework Development Team discovered a denial of service vulnerability in Apache Commons FileUpload, a package to make it easy to add robust, high-performance, file upload capability to servlets and web applications. A remote attacker can take advantage of this flaw by sending file upload requests that cause the HTTP server using the Apache Commons FileUpload library to become unresponsive, preventing the server from servicing other requests.

 

DSA-3613-1 libvirt — Security Updates
Security database details:

  • Vivian Zhang and Christoph Anton Mitterer discovered that setting an empty VNC password does not work as documented in Libvirt, a virtualisation abstraction library. When the password on a VNC server is set to the empty string, authentication on the VNC server will be disabled, allowing any user to connect, despite the documentation declaring that setting an empty password for the VNC server prevents all client connections. With this update the behaviour is enforced by setting the password expiration to now.

 

DSA-3614-1 tomcat7 — Security Updates

Security database details:

  • Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP, SPOOLS, IEEE 802.11, UMTS FP, USB, Toshiba, CoSine, NetScreen, WBXML which could result in denial of service or potentially the execution of arbitrary code.

 

DSA-3615-1 wireshark — Security Updates

Security database details:

  • Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP, SPOOLS, IEEE 802.11, UMTS FP, USB, Toshiba, CoSine, NetScreen, WBXML which could result in denial of service or potentially the execution of arbitrary code.

 

DSA-3617-1 horizon — Security Updates
Security database details:

  • Two cross-site scripting vulnerabilities have been found in Horizon, a web application to control an OpenStack cloud.

 

DSA-3619-1 libgd2 — Security Updates
Security database details:

  • Several vulnerabilities were discovered in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of these flaws to cause a denial-of-service against an application using the libgd2 library (application crash), or potentially to execute arbitrary code with the privileges of the user running the application.

 

DSA-3620-1 pidgin — Security Updates
Security database details:

  • Yves Younan of Cisco Talos discovered several vulnerabilities in the MXit protocol support in pidgin, a multi-protocol instant messaging client. A remote attacker can take advantage of these flaws to cause a denial of service (application crash), overwrite files, disclose information, or potentially execute arbitrary code.

 

DSA-3625-1 squid3 — Security Updates
Security database details:
Several security issues have been discovered in the Squid caching proxy.

  • CVE-2016-4051: CESG and Yuriy M. Kaminskiy discovered that Squid cachemgr.cgi was vulnerable to a buffer overflow when processing remotely supplied inputs relayed through Squid.
  • CVE-2016-4052: CESG discovered that a buffer overflow made Squid vulnerable to a Denial of Service (DoS) attack when processing ESI responses.
  • CVE-2016-4053: CESG found that Squid was vulnerable to public information disclosure of the server stack layout when processing ESI responses.
  • CVE-2016-4054: CESG discovered that Squid was vulnerable to remote code execution when processing ESI responses.
  • CVE-2016-4554: Jianjun Chen found that Squid was vulnerable to a header smuggling attack that could lead to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers.
  • CVE-2016-4555, CVE-2016-4556: "bfek-18" and "@vftable" found that Squid was vulnerable to a Denial of Service (DoS) attack when processing ESI responses, due to incorrect pointer handling and reference counting.

 

DSA-3626-1 openssh — Security Updates
Security database details:

  • Eddie Harari reported that the OpenSSH SSH daemon allows user enumeration through timing differences when trying to authenticate users. When sshd tries to authenticate a non-existing user, it will pick up a fixed fake password structure with a hash based on the Blowfish algorithm. If real users' passwords are hashed using SHA256/SHA512, then a remote attacker can take advantage of this flaw by sending large passwords, receiving shorter response times from the server for non-existing users.

 

DSA-3627-1 phpmyadmin — Security Updates
Security database details: Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

  • CVE-2016-1927: The suggestPassword function relied on a non-secure random number generator which makes it easier for remote attackers to guess generated passwords via a brute-force approach.
  • CVE-2016-2039: CSRF token values were generated by a non-secure random number generator, which allows remote attackers to bypass intended access restrictions by predicting a value.
  • CVE-2016-2040: Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML.
  • CVE-2016-2041: phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
  • CVE-2016-2560: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-2561: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-5099: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-5701: For installations running on plain HTTP, phpMyAdmin allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
  • CVE-2016-5705: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-5706: phpMyAdmin allows remote attackers to cause a denial of service (resource consumption) via a large array in the scripts parameter.
  • CVE-2016-5731: A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-5733: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
  • CVE-2016-5739: A specially crafted Transformation could leak information which a remote attacker could use to perform cross site request forgeries.

 

DSA-3629-1 ntp — Security Updates
Security database details: Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs.

  • CVE-2015-7974: Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.
  • CVE-2015-7977 / CVE-2015-7978: Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of ntpdc reslist commands may result in denial of service.
  • CVE-2015-7979: Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.
  • CVE-2015-8138: Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.
  • CVE-2015-8158: Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.
  • CVE-2016-1547: Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.
  • CVE-2016-1548: Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.
  • CVE-2016-1550: Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.
  • CVE-2016-2516: Yihan Lian discovered that duplicate IPs on unconfig directives will trigger an assert.
  • CVE-2016-2518: Yihan Lian discovered that an OOB memory access could potentially crash ntpd.

 

DSA-3630-1 libgd2 — Security Updates
Security database details:

  • Secunia Research at Flexera Software discovered an integer overflow vulnerability within the _gdContributionsAlloc() function in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of this flaw to cause a denial-of-service against an application using the libgd2 library.

 

DSA-3631-1 php5 — Security Updates
Security database details:

  • The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.24, which includes additional bug fixes. Please refer to the upstream changelog for more information: https://php.net/ChangeLog-5.php#5.6.24

 

DSA-3632-1 mariadb-10.0 — Security Updates
Security database details:

  • Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.26. Please see the MariaDB 10.0 Release Notes for further details:
    https://mariadb.com/kb/en/mariadb/mariadb-10026-release-notes/

 

DSA-3636-1 collectd — Security Updates
Security database details:

  • Emilien Gaspar discovered that collectd, a statistics collection and monitoring daemon, incorrectly processed incoming network packets. This resulted in a heap overflow, allowing a remote attacker to either cause a DoS via application crash, or potentially execute arbitrary code.

 

Fixing Status

The security vulnerabilities have been fixed in the following versions:

  • libreoffice: fixed in version 1:5.1.4~rc1-1
  • tomcat8: fixed in version 8.0.36-1
  • libcommons-fileupload-java: fixed in version 1.3.2-1
  • libvirt: fixed in version 2.0.0-1
  • tomcat7: fixed in version 7.0.70-1
  • wireshark: fixed in version 2.0.4+gdd7746e-1
  • horizon: fixed in version 3:9.0.1-2
  • libgd2: fixed in version 2.2.2-29-g3c2b605-1
  • pidgin: fixed in version 2.11.0-1
  • squid3: fixed in version 3.5.19-1
  • openssh: fixed in version 1:7.2p2-8
  • phpmyadmin: fixed in version 4:4.6.3-1
  • ntp: fixed in version 1:4.2.8p7+dfsg-1
  • libgd2: fixed in version 2.2.2-43-g22cba39-1
  • php5: fixed in version 7.0.9-1
  • mariadb-10.0: fixed in version 10.0.26-2
  • collectd: fixed in version 5.5.2-1

We recommend that you upgrade the system to obtain the patches to fix the vulnerabilities.
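
To confirm a host is at or above the fixed versions, the version strings have to be compared with Debian's ordering rules (epoch, `~`, and hyphens inside the upstream version), not as plain strings. The following is an added example, not part of the original bulletin: it implements that ordering for a subset of the versions listed under Fixing Status, and the `SAMPLE` inventory and all function names are constructed for illustration.

```python
import re

# Subset of the fixed versions listed under "Fixing Status" (source package names).
FIXED = {"libreoffice": "1:5.1.4~rc1-1", "tomcat8": "8.0.36-1",
         "libgd2": "2.2.2-43-g22cba39-1", "openssh": "1:7.2p2-8",
         "phpmyadmin": "4:4.6.3-1", "ntp": "1:4.2.8p7+dfsg-1"}
# Constructed inventory for illustration, not taken from a real host.
SAMPLE = {"libreoffice": "1:5.1.4-1", "openssh": "1:7.2p2-5", "ntp": "1:4.2.8p4+dfsg-3",
          "libgd2": "2.2.2-29-g3c2b605-1", "phpmyadmin": "4:4.6.3-1"}

def _weight(ch):
    # '~' sorts before end-of-string (0); letters sort before other symbols.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for i in range(max(len(pa), len(pb))):
            wa = _weight(pa[i]) if i < len(pa) else 0
            wb = _weight(pb[i]) if i < len(pb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, revision

def compare(a, b):
    """Order two Debian version strings by epoch, upstream version, then revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def needs_upgrade(inventory):
    """Packages whose installed version is older than the fixed one."""
    return sorted(p for p, v in inventory.items()
                  if p in FIXED and compare(v, FIXED[p]) < 0)

print(needs_upgrade(SAMPLE))
```

On a live system, `dpkg --compare-versions` is the authoritative comparison, and the names above are source packages, so an inventory should be keyed by source package rather than binary package name.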
