The security updates of bind9, samba, evince, heimdal, apache2, catdoc and openjdk-8.
Vulnerability Information
DSA-3904-1 bind9 —Security Updates
Security database details:
Clément Berthaux from Synaktiv discovered two vulnerabilities in BIND, a DNS server implementation. They allow an attacker to bypass TSIG authentication by sending crafted DNS packets to a server.
- CVE-2017-3142: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient; accepting bogus NOTIFY packets
- CVE-2017-3143: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update.
DSA-3909-1 samba —Security Updates
Security database details:
Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual authentication bypass vulnerability in samba, the SMB/CIFS file, print, and login server. Also known as Orpheus' Lyre, this vulnerability is located in Samba Kerberos Key Distribution Center (KDC-REP) component and could be used by an attacker on the network path to impersonate a server.
DSA-3911-1 evince —Security Updates
Security database details:
Felix Wilhelm discovered that the Evince document viewer made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely.
DSA-3912-1 heimdal —Security Updates
Security database details:
Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams reported that Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos, trusts metadata taken from the unauthenticated plaintext (Ticket), rather than the authenticated and encrypted KDC response. A man-in-the-middle attacker can use this flaw to impersonate services to the client.
DSA-3913-1 apache2 —Security Updates
Security database details:
Robert Swiecki reported that mod_auth_digest does not properly initialize or reset the value placeholder in [Proxy-]Authorization headers of type Digest between successive key=value assignments, leading to information disclosure or denial of service.
DSA-3917-1 catdoc —Security Updates
Security database details:
A heap-based buffer underflow flaw was discovered in catdoc, a text extractor for MS-Office files, which may lead to denial of service (application crash) or have unspecified other impact, if a specially crafted file is processed.
DSA-3919-1 openjdk-8 —Security Updates
Security database details:
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in sandbox bypass, use of insecure cryptography, side channel attacks, information disclosure, the execution of arbitrary code, denial of service or bypassing Jar verification.
Fixing Status
bind9 security vulnerabilities have been fixed in version 1:9.9.5.dfsg-9+deb8u12; samba security vulnerabilities have been fixed in version 2:4.6.5+dfsg-4; evince security vulnerabilities have been fixed in version 3.22.1-4; heimdal security vulnerabilities have been fixed in version 7.4.0.dfsg.1-1; apache2 security vulnerabilities have been fixed in version 2.4.27-1; catdoc security vulnerabilities have been fixed in version 1:0.95-3; openjdk-8 security vulnerabilities have been fixed in version 8u141-b15-1.
We recommend that you upgrade the system to obtain the patches to fix the vulnerabilities.