Debian Security Advisory

DLA-795-1 tiff -- LTS security update

Date Reported:
23 Jan 2017
Affected Packages:
tiff
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 846837, Bug 820365, Bug 836570, Bug 851297.
In Mitre's CVE dictionary: CVE-2016-3622, CVE-2016-3623, CVE-2016-3624, CVE-2016-3945, CVE-2016-3990, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9538, CVE-2016-9540, CVE-2016-10092, CVE-2016-10093, CVE-2017-5225.
More information:

It was discovered that there were two vulnerabilities in hesiod, Project Athena's DNS-based directory service:

  • CVE-2016-10151

    A weak SUID check allowing privilege elevation.

  • CVE-2016-10152

    Use of a hard-coded DNS fallback domain (athena.mit.edu) if the configuration file could not be read.

For Debian 7 Wheezy, these issues have been fixed in hesiod version 3.0.2-21+deb7u1.

We recommend that you upgrade your hesiod packages.