-------------------------------------------------------------------------
Debian Security Advisory DSA-3723-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636
Debian Bug     : 845375

Chris Evans discovered that the GStreamer 1.0 plugin used to decode
files in the FLIC format allowed execution of arbitrary code. Further
details can be found in his advisory at
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.1-2.

We recommend that you upgrade your gst-plugins-good1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

-------------------------------------------------------------------------
Debian Security Advisory DSA-3724-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-good0.10
CVE ID         : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636

Chris Evans discovered that the GStreamer 0.10 plugin used to decode
files in the FLIC format allowed execution of arbitrary code. Further
details can be found in his advisory at
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

This update removes the insecure FLIC file format plugin.

For the stable distribution (jessie), these problems have been fixed in
version 0.10.31-3+nmu4+deb8u2.

We recommend that you upgrade your gst-plugins-good0.10 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
CVE-2016-6803 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6803>
Apache OpenOffice Advisory <https://www.openoffice.org/security/cves/CVE-2016-6803.html>

Title: Windows Installer Can Enable Privileged Trojan Execution
Version 1.0
Announced October 11, 2016

Description

The Apache OpenOffice installer for Windows contained a defective
operation that could trigger execution of unwanted software
installed by a Trojan Horse application. The installer defect
is known as an "unquoted Windows search path vulnerability."

In the case of Apache OpenOffice installers for Windows, the PC must
have previously been infected by a Trojan Horse application (or user)
running with administrator privilege. Any installer with the unquoted
search path vulnerability becomes a delayed trigger for the exploit.
The exploit may already have operated on the user's PC.

Severity: Medium

There are no known exploits of this vulnerability. A proof-of-concept
demonstration exists.

Vendor: The Apache Software Foundation

Versions Affected: All Apache OpenOffice versions 4.1.2 and older are
affected. Old OpenOffice.org versions are also affected.

Mitigation:

Install Apache OpenOffice 4.1.3 for the latest maintenance and
cumulative security fixes. Use <https://www.openoffice.org/download/>.

If instead of a typical installation you use a custom-installation
option to change the location where Apache OpenOffice is installed,
use a location that has no spaces in its full-path name.

Defenses and Work-Arounds:

If you are unable to update to 4.1.3, there are other
precautions that can be taken. These precautions are also
recommended as protection against other software that may
have the unquoted search path vulnerability.

Ensure that there are no programs installed at the
top-level folder (usually C:\) where Windows is installed.
All are dangerous, especially ones named "Program", whether
"Program.exe" or some other variation.

If such programs are found, install or update to current
anti-virus/-malware software. Perform a complete system scan.
The scan may provide for removal of programs where there should
not be any. If that does not happen, it is necessary to remove
any Program.exe and others manually using administrator privilege.

Further Information:

For additional information and assistance, consult the Apache
OpenOffice Community Forums, <https://forum.openoffice.org/> or
make requests to the <mailto:users@openoffice.apache.org> public
mailing list. Defects not involving suspected security
vulnerabilities can be reported via
<http://www.openoffice.org/qa/issue_handling/pre_submission.html>.

The latest information on Apache OpenOffice security bulletins
can be found at the Bulletin Archive page
<http://www.openoffice.org/security/bulletin.html>.

Credits:

The Apache OpenOffice project acknowledges the reporting and
analysis for CVE-2016-6803 by Cyril Vallicari.
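The following is an added audit helper, not part of the Apache OpenOffice advisory or the project's code. It models the lookup order Windows applies when a path containing spaces reaches CreateProcess without quotes (the text up to each space is tried in turn as an executable, with ".exe" appended where no extension is present), so an administrator can see which planted files an unquoted path would resolve to, and it implements the advisory's manual check for "Program"-style entries in the drive root. The filesystem is injected as a callable, and the sample paths and the planted-file listing below are constructed for illustration.

```python
"""Audit helper for the unquoted Windows search path defect.

When CreateProcess receives an unquoted command line containing spaces
(and no separate application name), it cannot tell where the executable
name ends. It therefore tries the text up to each space, in order, as an
executable, appending ".exe" when the candidate has no extension. A file
planted earlier in that sequence, such as C:\\Program.exe, runs instead
of the intended program. The functions below enumerate that sequence and
report which candidates exist, and flag root-folder entries named
"Program" as the advisory's manual check does.
"""
import ntpath
import os
from typing import Callable, Iterable, List

PathExists = Callable[[str], bool]


def lookup_candidates(command: str) -> List[str]:
    """Return the executable paths Windows would try, in order.

    A command already wrapped in double quotes is unambiguous, so only
    the quoted path itself is returned.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return [command[1:end] if end != -1 else command[1:]]
    candidates = []
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        # CreateProcess appends .exe when the candidate has no extension.
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_candidates(command: str,
                      exists: PathExists = os.path.exists) -> List[str]:
    """Return candidates that exist on disk before the intended target.

    A non-empty result means the unquoted path is hijackable on this
    system: the first entry is what Windows would actually run. The
    `exists` callable is compared as given; NTFS itself is case-insensitive,
    so a real check should use os.path.exists, as the default does.
    """
    candidates = lookup_candidates(command)
    return [c for c in candidates[:-1] if exists(c)]


def suspicious_root_entries(root_listing: Iterable[str]) -> List[str]:
    """Flag drive-root entries whose stem is 'Program', any case or extension.

    This is the advisory's manual check: C:\\Program.exe, C:\\program.bat
    and similar names shadow every unquoted path under C:\\Program Files.
    """
    return [name for name in root_listing
            if ntpath.splitext(name)[0].lower() == "program"]


if __name__ == "__main__":
    # Constructed scenario: a real install under "Program Files" plus a
    # planted C:\Program.exe left behind by an earlier compromise.
    install = r"C:\Program Files\Apache OpenOffice 4\program\soffice.exe"
    planted_fs = {r"C:\Program.exe", install}
    print("lookup order:")
    for c in lookup_candidates(install):
        print("  ", c)
    print("would run instead:", hijack_candidates(install, planted_fs.__contains__))
    print("quoted form is safe:", hijack_candidates(f'"{install}"', planted_fs.__contains__))
    # Against the live machine, the root listing would be os.listdir("C:\\").
    print("root entries to remove:",
          suspicious_root_entries(["Program.exe", "Program Files", "Windows"]))
```

Running the script against a real machine means calling `hijack_candidates` with the default `os.path.exists` on each unquoted path found in installed services or shortcuts, and passing `os.listdir("C:\\")` to `suspicious_root_entries`; any hit is a file the advisory says should not be there and should be removed with administrator privilege after a full scan.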