Security fixes from 2016-12-25 13:00 UTC

Graham Christensen

Dec 25, 2016, 8:06:04 AM
to nix-securi...@googlegroups.com

The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/21289.

Thank you, Zimbatm, for applying the Exim patches before they were even
officially announced!

The following changes were applied to release-16.09:

d6bff30 exim: 4.87 -> 4.87.1 for CVE-2016-9963
> - Fix CVE-2016-9963 - Info leak from DKIM. When signing DKIM, if
> either LMTP or PRDR was used for delivery, the key could appear in
> logs. Additionally, if the experimental feature "DSN_INFO" was
> used, it could appear in DSN messages (and be sent offsite).
======================================================================



The following changes were applied to unstable:

f3287b0 flashplayer: 11.2.202.644 -> 24.0.0.186 [Critical security..
> According to Adobe:
>
> - These updates resolve use-after-free vulnerabilities that could lead
> to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878,
> CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892).
> - These updates resolve buffer overflow vulnerabilities that could lead
> to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869,
> CVE-2016-7870).
> - These updates resolve memory corruption vulnerabilities that could
> lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874,
> CVE-2016-7875, CVE-2016-7876).
> - These updates resolve a security bypass vulnerability
> (CVE-2016-7890).
>
> https://helpx.adobe.com/security/products/flash-player/apsb16-39.html

352e167 exim: 4.87 -> 4.88 for CVE-2016-9963
> - Fix CVE-2016-9963 - Info leak from DKIM. When signing DKIM, if
> either LMTP or PRDR was used for delivery, the key could appear in
> logs. Additionally, if the experimental feature "DSN_INFO" was
> used, it could appear in DSN messages (and be sent offsite).

41f5569 zlib: patch for CVE-2016-9840, CVE-2016-9841, CVE-9842, CV..
> CVE-2016-9840
> CVE-2016-9841
> CVE-2016-9842
> CVE-2016-9843

b0a1028 samba4: 4.4.6 -> 4.5.3
> - CVE-2016-2123: Trend Micro's Zero Day Initiative and Frederic Besler
> discovered that the routine ndr_pull_dnsp_name, used to parse data
> from the Samba Active Directory ldb database, contains an integer
> overflow flaw, leading to an attacker-controlled memory
> overwrite. An authenticated user can take advantage of this flaw for
> remote privilege escalation.
>
> - CVE-2016-2125: Simo Sorce of Red Hat discovered that the Samba
> client code always requests a forwardable ticket when using Kerberos
> authentication. A target server, which must be in the current or
> trusted domain/realm, is given a valid general purpose Kerberos
> "Ticket Granting Ticket" (TGT), which can be used to fully
> impersonate the authenticated user or service.
>
> - CVE-2016-2126: Volker Lendecke discovered several flaws in the
> Kerberos PAC validation. A remote, authenticated, attacker can cause
> the winbindd process to crash using a legitimate Kerberos ticket due
> to incorrect handling of the PAC checksum. A local service with
> access to the winbindd privileged pipe can cause winbindd to cache
> elevated access permissions.

a737eff python:html5lib: 0.999 -> 0.999999999
> - CVE-2016-9909 (cross-site scripting): A potential cross site
> scripting vulnerability was found in python-html5lib due to
> unquoted attributes that need escaping in legacy browsers.
>
> - CVE-2016-9910 (cross-site scripting): A potential cross site
> scripting vulnerability was found in python-html5lib due to
> unquoted attributes that need escaping in legacy browsers.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security