Security

The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.

ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.

ffmpeg was updated to 2.8.8 to fix the following issues, both bugs and security issues:

* avformat/oggparsevp8: fix pts calculation on pages ending with an invisible frame

* avcodec/mjpegdec: Do not try to detect last scan but apply idct after all scans for progressive jpeg

* avformat/oggparseopus: Check that granule pos is within the supported range

* avformat/utils: Check bps before using it in a shift in ff_get_pcm_codec_id()

* ffmpeg: Check that r_frame_rate is set before attempting to use it

* avformat/utils: Do not compute the bitrate from duration == 0

* avformat/utils: Check negative bps before shifting in ff_get_pcm_codec_id()

* avformat/avidec: Detect index with too short entries

* avformat/oggparseopus: Fix Undefined behavior in oggparseopus.c and libavformat/utils.c

* avformat/allformats: Making av_register_all() thread-safe.

* avcodec/vp9_parser: Check the input frame sizes for being consistent

* avformat/oggdec: Fix integer overflow with invalid pts

* avcodec/ffv1enc: Fix assertion failure with non zero bits per sample

* avcodec/diracdec: Check numx/y

* avformat/avidec: Fix infinite loop in avi_read_nikon()

It was discovered that there was an out-of-bounds write vulnerability in the XMP image handling functionality in freeimage, a support library for various graphics image formats. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution.

Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or information disclosure if a specially crafted Postscript file is processed.

Unsigned underflow leading to heap overflow when parsing 8BIM chunk (CVE-2016-7800).

Two issues in the WPG reader (CVE-2016-7996, CVE-2016-7997).

CVE-2016-7799 (denial of service): A buffer over-read vulnerability was found in ImageMagick. A malicious file could cause the application to crash.

CVE-2016-7906 (arbitrary code execution): An attacker is able to trigger a use-after-free when providing a crafted image to ImageMagick's mogrify function.

An information disclosure vulnerability was found in the buf.pl core script for irssi. Other users on the same machine may be able to retrieve the whole window contents after /UPGRADE when the buf.pl script is loaded. Furthermore, this dump of the windows contents is never removed afterwards.

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

A user could sneak an unicode string terminator in the kdesu invocation.

Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path as an unlimited recursion could unfold in both VLAN and TEB modules leading to a stack corruption in the kernel.

An out-of-bounds read vulnerability was found in libdwarf-20160613.

Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.

It was found that when receiving a response from the server protocol data is not validated sufficiently. The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems.

A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from server, getting out of sync.

It was found that when receiving a response from the server protocol data is not validated sufficiently. This results in integer overflows.

CVE-2016-7945 and CVE-2016-7946.

CVE-2016-7947: It was found that when receiving a response from the server protocol data is not validated sufficiently. This results in integer overflows.

CVE-2016-7948: It was found that when receiving a response from the server protocol data is not validated sufficiently. This results in various data mishandlings.

CVE-2016-7949: It was found that when receiving a response from the server protocol data is not validated sufficiently. Individual lengths inside received server data can overflow the previously reserved memory.

CVE-2016-7950: It was found that when receiving a response from the server protocol data is not validated sufficiently. The memory for filter names is reserved right after receiving the reply. After that, filters are iterated and each individual filter name is stored in that reserved memory. The individual name lengths are not checked for validity, which means that a malicious server can reserve less memory than it will write to during each iteration.

CVE-2016-7951: It was found that when receiving a response from the server protocol data is not validated sufficiently. This results in integer overflows.

CVE-2016-7952: It was found that when receiving a response from the server protocol data is not validated sufficiently. This results in various data mishandlings.

It was found that when receiving a response from the server protocol data is not validated sufficiently. The Xv query functions for adaptors and encodings suffer from out of boundary accesses if a hostile X server sends a maliciously crafted response.

It was found that when receiving a response from the server protocol data is not validated sufficiently. If an empty string is received from an x-server, the buffer might underrun by accessing "rep.nameLen - 1" unconditionally, which could end up being -1.

An implementation flaw was discovered in mat, the metadata anonymisation toolkit. The implementation of PDF support lacks support to anonymize the metadata in embedded images. As there is no easy fix for this flaw, it was decided that PDF support will be removed altogether from mat for the time being.

CVE-2016-7967 (cross-site scripting): KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.

CVE-2016-7968 (insufficient validation): KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.

1. CVE-2016-7563: mujs str Out-of-Bound read 1 byte in function chartorune.
http://bugs.ghostscript.com/show_bug.cgi?id=697136

2. CVE-2016-7564: mujs "char *s" Heap overflow in Fp_toString at jsfunction.c:72
http://bugs.ghostscript.com/show_bug.cgi?id=697137

CVE-2016-5325: An unspecified low-severity Node.js HTTP processing vulnerability was found and will be fixed in latest update. Details are currently embargoed until new releases are available.

CVE-2016-7099: This is a high severity defect that would allow a malicious TLS server to serve an invalid wildcard certificate for its hostname and be improperly validated by a Node.js client. This is due to a flaw in the validation of *. in the wildcard name string.

It was found that NSD does not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server.

It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)

Google Chrome before 53.0.2785.113 does not ensure that the recipient of a certain IPC message is a valid RenderFrame or RenderWidget, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) or possibly have unspecified other impact by leveraging access to a renderer process, related to render_frame_host_impl.cc and render_widget_host_impl.cc, as demonstrated by a Password Manager message.

This update backports an overflow fix. ---- Backport fix for three memory disclosure/corruption bugs from insufficient parameter validation leading to integer overflow.

CVE-2016-7161: Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

CVE-2016-7170: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) is vulnerable to an OOB memory access.

CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

A zero-length message received over systemd's notification socket could make manager_dispatch_notify_fd() return an error and, as a side effect, disable the notification handler completely. As the notification socket is world-writable, this could have allowed a local user to perform a denial-of-service attack against systemd.

It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)

It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

It was discovered that Tracker incorrectly handled certain malformed GIF images. If a user or automated system were tricked into downloading a specially-crafted GIF image, Tracker could crash, resulting in a denial of service.

Quick Emulator(Qemu) built with the VMWARE VMXNET3 NIC device support is vulnerable to an OOB read access. In that it does not check if packet headers does not check for IP header length. It could lead to a OOB access when reading further packet data.

CVE-2016-4861: The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur.