APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS are now available and address the following:
Export Available for: macOS 10.12 Sierra or later, iOS 10 or later Impact: The contents of password-protected PDFs exported from iWork may be exposed Description: iWork used weak 40-bit RC4 encryption for password- protected PDF exports. This issue was addressed by changing iWork export to use AES-128. CVE-2017-2391: Philipp Eckel of ThoughtWorks
Installation note:
Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS may be obtained from the App Store.
Summary ======= A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:
The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and The incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
It was discovered that wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for ASTERIX , DHCPv6, NetScaler, LDSS, IAX2, WSP, K12 and STANAG 4607, that could lead to various crashes, denial-of-service or execution of arbitrary code.
For the stable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u11.
For the unstable distribution (sid), these problems have been fixed in version 2.2.5+g440fd4d-2.
We recommend that you upgrade your wireshark packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:https://www.debian.org/security/
It was discovered that ioquake3, a modified version of the ioQuake3 game engine performs insufficent restrictions on automatically downloaded content (pk3 files or game code), which allows malicious game servers to modify configuration settings including driver settings.
For the stable distribution (jessie), this problem has been fixed in version 1.36+u20140802+gca9eebb-2+deb8u1.
For the unstable distribution (sid), this problem has been fixed in version 1.36+u20161101+dfsg1-2.
We recommend that you upgrade your ioquake3 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:https://www.debian.org/security/
Cory Duplantis discovered a buffer overflow in the R programming langauage. A malformed encoding file may lead to the execution of arbitrary code during PDF generation.
For the stable distribution (jessie), this problem has been fixed in version 3.1.1-1+deb8u1.
For the upcoming stable distribution (stretch), this problem has been fixed in version 3.3.3-1.
For the unstable distribution (sid), this problem has been fixed in version 3.3.3-1.
We recommend that you upgrade your r-base packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:https://www.debian.org/security/