This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[138.231.136.39] said: 550 5.1.0 <root(a)nonagon.crans.org>:
Sender address rejected: User unknown in relay recipient table (in reply to
RCPT TO command)
apticron report [Wed, 19 Jul 2017 01:38:06 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
quigon.federez.net
[ 160.228.155.65 ]
The following packages are currently pending an upgrade:
apache2 2.4.25-3+deb9u2
apache2-bin 2.4.25-3+deb9u2
apache2-data 2.4.25-3+deb9u2
apache2-utils 2.4.25-3+deb9u2
imagemagick 8:6.9.7.4+dfsg-11+deb9u1
imagemagick-6-common 8:6.9.7.4+dfsg-11+deb9u1
imagemagick-6.q16 8:6.9.7.4+dfsg-11+deb9u1
libmagickcore-6.q16-3 8:6.9.7.4+dfsg-11+deb9u1
libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-11+deb9u1
libmagickwand-6.q16-3 8:6.9.7.4+dfsg-11+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour imagemagick (imagemagick imagemagick-6-common imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickwand-6.q16-3) ---
imagemagick (8:6.9.7.4+dfsg-11+deb9u1) stretch-security; urgency=high
* Fix security bugs:
+ Previous CVE-2017-9144 fix was incomplete.
A crafted RLE image can trigger a crash because of incorrect
EOF handling in coders/rle.c
(Closes: #863126)
+ CVE-2017-10928:
A heap-based buffer over-read in the GetNextToken
function in token.c allows remote attackers to obtain
sensitive information from process memory or possibly have
unspecified other impact via a crafted SVG document
that is mishandled in the GetUserSpaceCoordinateValue
function in coders/svg.c.
(Closes: #867367).
+ CVE-2017-9500:
An assertion failure was found in the function
ResetImageProfileIterator, which allows attackers to cause
a denial of service via a crafted file.
(Closes: #867778).
+ CVE-2017-9501:
An assertion failure was found in the function LockSemaphoreInfo,
which allows attackers to cause a denial of service via a crafted
file.
(Closes: #867721).
+ CVE-2017-9440:
A memory leak was found in the function ReadPSDChannel
in coders/psd.c, which allows attackers to cause a denial
of service via a crafted file.
(Closes: 864273).
+ CVE-2017-9439:
A memory leak was found in the function ReadPDBImage in
coders/pdb.c, which allows attackers to cause a denial of
service via a crafted file.
(Closes: #864274).
+ CVE-2017-11188: CPU exhaustion in ReadDPXImage
Because dpx.file.image_offset is an unsigned int, it can be controlled
as large as 4294967295.
This will cause ImageMagick to spend a lot of time to process a crafted
DPX imagefile, even if the imagefile is very small.
(Closes: #867806)
+ CVE-2017-11141: memory exhaustion in ReadMATImage
When identifying a MAT file, imagemagick will allocate memory to store data
in function ReadMATImage.
Modifying MAT's MATLAB_HDR field can cause ImageMagick to allocate
an any-size amount of memory, this may cause a memory exhaustion
(Closes: #868264)
+ CVE-2017-11170: memory exhaustion in ReadTGAImage
When identifying a VST file, imagemagick will allocate memory to store
data in function ReadTGAImage in coders/tga.c
using tga_info.bits_per_pixel field directly from VST file without
checking in tga.c
By reviewing the function code, tga_info.bits_per_pixel max valid
value is 32.
On 32bit os, size_t one will be 32bit, so image->colors can
overflow to 0.
On 64bit os, size_t one will be 64bit, so image->colors
can be as large as 0x100000000(64GB).
(Closes: #868184)
+ Memory exhaustion in ReadCINImage
When identifying a CIN file that contains User defined data,
imagemagick will allocate memory to store the
data in function ReadCINImage in coders\inc.c
There is a security check in the function SetImageExtent,
but it is after memory allocation, so IM can not control the memory usage
(Closes: #867810)
+ CPU exhaustion in ReadRLEImage
A corrupted rle file could trigger a DOS
(Closes: #867808)
+ Memory leak in ReadDIBImage in dib.c
The ReadDIBImage function in dib.c allows attackers
to cause a denial of service (memory leak)
via a small crafted dib file.
(Closes: #867811)
+ Memory exhaustion in ReadDPXImage in dpx.c
When identifying a DPX file that contains user header data,
imagemagick will allocate memory to store the data in function
ReadDPXImage in coders\dpx.c
There is a security check in the function SetImageExtent,
but it is too late, so IM can not control the memory usage.
(Closes: #867812)
+ Enable heap overflow check for stdin for mpc files
Enabling seekable streams is required to ensure checking
the blob size works when an image is streamed on stdin.
(Closes: #867896)
+ Assertion failure in WriteBlob
A crafted file revealed an assertion failure in blob.c.
(Closes: #867798)
+ Memory exhaustion in ReadEPTImage in ept.c
When identifying an EPT file, imagemagick will allocate memory
to store the data.
There is a security check in the function SetImageExtent,
but it is not used in the allocation function,
so IM can not control the memory usage.
(Closes: #867821)
+ CPU exhaustion in ReadOneJNGImage
Due to lack of validation of PNG format, imagemagick could loop
2^32 in a CPU intensive loop.
(Closes: #867824, #867825).
+ CPU exhaustion in ReadOneDJVUImag
Due to lack of format validation, a crafted file will cause a
loop to run endlessly.
(Closes: #867826).
+ Zero pixel buffer
Avoid a data leak in case of incorrect file by clearing a buffer
(Closes: #867893).
+ memory leak in ReadMATImage in mat.c
The ReadMATImage function in mat.c allows attackers to cause a
denial of service (memory leak) via a small crafted mat file.
(Closes: #867823).
+ Avoid heap based overflow for jpeg
A corrupted jpeg file could trigger a heap overflow
(Closes: #867894).
+ Fix a memory leak in screenshot coder
(Closes: #867897)
-- Bastien Roucariès <rouca(a)debian.org> Fri, 14 Jul 2017 15:56:50 +0200
--- Modifications pour apache2 (apache2 apache2-bin apache2-data apache2-utils) ---
apache2 (2.4.25-3+deb9u2) stretch-security; urgency=medium
* CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
-- Stefan Fritsch <sf(a)debian.org> Tue, 18 Jul 2017 20:37:33 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on quigon.federez.net
--
apticron
This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[138.231.136.39] said: 550 5.1.0 <root(a)nonagon.crans.org>:
Sender address rejected: User unknown in relay recipient table (in reply to
RCPT TO command)
apticron report [Sun, 09 Jul 2017 01:38:11 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
quigon.federez.net
[ 160.228.155.65 ]
The following packages are currently pending an upgrade:
bind9 1:9.10.3.dfsg.P4-12.3+deb9u1
bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u1
bind9utils 1:9.10.3.dfsg.P4-12.3+deb9u1
dnsutils 1:9.10.3.dfsg.P4-12.3+deb9u1
libbind9-140 1:9.10.3.dfsg.P4-12.3+deb9u1
libdns162 1:9.10.3.dfsg.P4-12.3+deb9u1
libdns-export162 1:9.10.3.dfsg.P4-12.3+deb9u1
libirs141 1:9.10.3.dfsg.P4-12.3+deb9u1
libisc160 1:9.10.3.dfsg.P4-12.3+deb9u1
libisccc140 1:9.10.3.dfsg.P4-12.3+deb9u1
libisccfg140 1:9.10.3.dfsg.P4-12.3+deb9u1
libisc-export160 1:9.10.3.dfsg.P4-12.3+deb9u1
liblwres141 1:9.10.3.dfsg.P4-12.3+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour bind9 (bind9 bind9-host bind9utils dnsutils libbind9-140 libdns162 libdns-export162 libirs141 libisc160 libisccc140 libisccfg140 libisc-export160 liblwres141) ---
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* debian/patches:
- debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-2017-3143: error in TSIG authentication can permit unauthorized
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
-- Yves-Alexis Perez <corsac(a)debian.org> Fri, 30 Jun 2017 16:20:29 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on quigon.federez.net
--
apticron
This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[2a06:e042:100:4:200:9ff:fe04:1901] said: 550 5.1.0
<root(a)nonagon.crans.org>: Sender address rejected: User unknown in relay
recipient table (in reply to RCPT TO command)