Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1488 replies to this topic

#1476 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 19 September 2018 - 06:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4297-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
September 19, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser

Two vulnerabilities have been discovered in the chromium web browser.
Kevin Cheung discovered an error in the WebAssembly implementation and
evil1m0 discovered a URL spoofing issue.

For the stable distribution (stretch), this problem has been fixed in
version 69.0.3497.92-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1477 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 21 September 2018 - 07:54 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4298-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 20, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : hylafax
CVE ID         : CVE-2018-17141

Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing
input sanitising in the Hylafax fax software could potentially result in
the execution of arbitrary code via a malformed fax message.

For the stable distribution (stretch), this problem has been fixed in
version 3:6.0.6-7+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4299-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 21, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : texlive-bin
CVE            : not yet available

Nick Roessler from the University of Pennsylvania has found a buffer overflow
in texlive-bin, the executables for TexLive, the popular distribution of TeX
document production system.

This buffer overflow can be used for arbitrary code execution by crafting a
special type1 font (.pfb) and provide it to users running pdf(la)tex, dvips or
luatex in a way that the font is loaded.

For the stable distribution (stretch), this problem has been fixed in
version 2016.20160513.41080.dfsg-2+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1478 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 22 September 2018 - 08:03 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4300-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 22, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libarchive-zip-perl
CVE ID         : CVE-2018-10860
Debian Bug     : 902882

It was discovered that Archive::Zip, a perl module for manipulation of
ZIP archives, is prone to a directory traversal vulnerability. An
attacker able to provide a specially crafted archive for processing can
take advantage of this flaw to overwrite arbitrary files during archive
extraction.

For the stable distribution (stretch), this problem has been fixed in
version 1.59-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4301-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 22, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2018-0503 CVE-2018-0504 CVE-2018-0505

Multiple security vulnerabilities have been discovered in MediaWiki, a
website engine for collaborative work, which result in incorrectly
configured rate limits, information disclosure in Special:Redirect/logid
and bypass of an account lock.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.27.5-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1479 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 23 September 2018 - 07:04 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4302-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 23, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openafs
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several vulnerabilities were discovered in openafs, an implementation of
the distributed filesystem AFS. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-16947

    Jeffrey Altman reported that the backup tape controller (butc)
    process does accept incoming RPCs but does not require (or allow
    for) authentication of those RPCs, allowing an unauthenticated
    attacker to perform volume operations with administrator
    credentials.

    https://openafs.org/...SA-2018-001.txt

CVE-2018-16948

    Mark Vitale reported that several RPC server routines do not fully
    initialize output variables, leaking memory contents (from both
    the stack and the heap) to the remote caller for
    otherwise-successful RPCs.

    https://openafs.org/...SA-2018-002.txt

CVE-2018-16949

    Mark Vitale reported that an unauthenticated attacker can consume
    large amounts of server memory and network bandwidth via
    specially crafted requests, resulting in denial of service to
    legitimate clients.

    https://openafs.org/...SA-2018-003.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.6.20-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4303-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 23, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : okular
CVE ID         : CVE-2018-1000801

Joran Herve discovered that the Okular document viewer was susceptible
to directory traversal via malformed .okular files (annotated document
archives), which could result in the creation of arbitrary files.

For the stable distribution (stretch), this problem has been fixed in
version 4:16.08.2-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4304-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 23, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-12383 CVE-2018-12385

Two security issues have been found in the Mozilla Firefox web browser,
which could potentially result in the execution of arbitrary code and
local information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 60.2.1esr-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1480 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 26 September 2018 - 08:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4305-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 24, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2018-16151 CVE-2018-16152

Sze Yiu Chau and his team from Purdue University and The University of Iowa
found several issues in the gmp plugin for strongSwan, an IKE/IPsec suite.

Problems in the parsing and verification of RSA signatures could lead to a
Bleichenbacher-style low-exponent signature forgery in certificates and during
IKE authentication.

While the gmp plugin doesn't allow arbitrary data after the ASN.1 structure
(the original Bleichenbacher attack), the ASN.1 parser is not strict enough and
allows data in specific fields inside the ASN.1 structure.

Only installations using the gmp plugin are affected (on Debian OpenSSL plugin
has priority over GMP one for RSA operations), and only when using keys and
certificates (including ones from CAs) using keys with an exponent e = 3, which
is usually rare in practice.

CVE-2018-16151

    The OID parser in the ASN.1 code in gmp allows any number of random bytes
    after a valid OID.

CVE-2018-16152

    The algorithmIdentifier parser in the ASN.1 code in gmp doesn't enforce a
    NULL value for the optional parameter which is not used with any PKCS#1
    algorithm.

For the stable distribution (stretch), these problems have been fixed in
version 5.5.1-4+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1481 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 27 September 2018 - 07:04 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4306-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 27, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python2.7
CVE ID         : CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
                 CVE-2018-1000802

Multiple security issues were discovered in Python: ElementTree failed
to initialise Expat's hash salt, two denial of service issues were found
in difflib and poplib and the shutil module was affected by a command
injection vulnerability.

For the stable distribution (stretch), these problems have been fixed in
version 2.7.13-2+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1482 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 28 September 2018 - 07:08 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4307-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 28, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python3.5
CVE ID         : CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061
                 CVE-2018-14647

Multiple security issues were discovered in Python: ElementTree failed
to initialise Expat's hash salt, two denial of service issues were found
in difflib and poplib and a buffer overflow in PyString_DecodeEscape.

For the stable distribution (stretch), these problems have been fixed in
version 3.5.3-1+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1483 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 01 October 2018 - 08:38 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4308-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 01, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363
                 CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099
                 CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678
                 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                 CVE-2018-16658 CVE-2018-17182

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-6554

    A memory leak in the irda_bind function in the irda subsystem was
    discovered. A local user can take advantage of this flaw to cause a
    denial of service (memory consumption).

CVE-2018-6555

    A flaw was discovered in the irda_setsockopt function in the irda
    subsystem, allowing a local user to cause a denial of service
    (use-after-free and system crash).

CVE-2018-7755

    Brian Belleville discovered a flaw in the fd_locked_ioctl function
    in the floppy driver in the Linux kernel. The floppy driver copies a
    kernel pointer to user memory in response to the FDGETPRM ioctl. A
    local user with access to a floppy drive device can take advantage
    of this flaw to discover the location kernel code and data.

CVE-2018-9363

    It was discovered that the Bluetooth HIDP implementation did not
    correctly check the length of received report messages. A paired
    HIDP device could use this to cause a buffer overflow, leading to
    denial of service (memory corruption or crash) or potentially
    remote code execution.

CVE-2018-9516

    It was discovered that the HID events interface in debugfs did not
    correctly limit the length of copies to user buffers.  A local
    user with access to these files could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.  However, by default debugfs is only
    accessible by the root user.

CVE-2018-10902

    It was discovered that the rawmidi kernel driver does not protect
    against concurrent access which leads to a double-realloc (double
    free) flaw. A local attacker can take advantage of this issue for
    privilege escalation.

CVE-2018-10938

    Yves Younan from Cisco reported that the Cipso IPv4 module did not
    correctly check the length of IPv4 options. On custom kernels with
    CONFIG_NETLABEL enabled, a remote attacker could use this to cause
    a denial of service (hang).

CVE-2018-13099

    Wen Xu from SSLab at Gatech reported a use-after-free bug in the
    F2FS implementation. An attacker able to mount a crafted F2FS
    volume could use this to cause a denial of service (crash or
    memory corruption) or possibly for privilege escalation.

CVE-2018-14609

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the F2FS implementation. An attacker able to mount
    a crafted F2FS volume could use this to cause a denial of service
    (crash).

CVE-2018-14617

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the HFS+ implementation. An attacker able to mount
    a crafted HFS+ volume could use this to cause a denial of service
    (crash).

CVE-2018-14633

    Vincent Pelletier discovered a stack-based buffer overflow flaw in
    the chap_server_compute_md5() function in the iSCSI target code. An
    unauthenticated remote attacker can take advantage of this flaw to
    cause a denial of service or possibly to get a non-authorized access
    to data exported by an iSCSI target.

CVE-2018-14678

    M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the
    kernel exit code used on amd64 systems running as Xen PV guests.
    A local user could use this to cause a denial of service (crash).

CVE-2018-14734

    A use-after-free bug was discovered in the InfiniBand
    communication manager. A local user could use this to cause a
    denial of service (crash or memory corruption) or possible for
    privilege escalation.

CVE-2018-15572

    Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and
    Nael Abu-Ghazaleh, from University of California, Riverside,
    reported a variant of Spectre variant 2, dubbed SpectreRSB. A
    local user may be able to use this to read sensitive information
    from processes owned by other users.

CVE-2018-15594

    Nadav Amit reported that some indirect function calls used in
    paravirtualised guests were vulnerable to Spectre variant 2.  A
    local user may be able to use this to read sensitive information
    from the kernel.

CVE-2018-16276

    Jann Horn discovered that the yurex driver did not correctly limit
    the length of copies to user buffers.  A local user with access to
    a yurex device node could use this to cause a denial of service
    (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

    It was discovered that the cdrom driver does not correctly
    validate the parameter to the CDROM_DRIVE_STATUS ioctl.  A user
    with access to a cdrom device could use this to read sensitive
    information from the kernel or to cause a denial of service
    (crash).

CVE-2018-17182

    Jann Horn discovered that the vmacache_flush_all function mishandles
    sequence number overflows. A local user can take advantage of this
    flaw to trigger a use-after-free, causing a denial of service
    (crash or memory corruption) or privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u5.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1484 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 03 October 2018 - 07:12 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4309-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 01, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2018-17540

Google's OSS-Fuzz revealed an exploitable bug in the gmp plugin caused by the
patch that fixes CVE-2018-16151 and CVE-2018-16151 (DSA-4305-1).

An attacker could trigger it using crafted certificates with RSA keys with
very small moduli. Verifying signatures with such keys would cause an integer
underflow and subsequent heap buffer overflow resulting in a crash of the
daemon. While arbitrary code execution is not completely ruled out because of
the heap buffer overflow, due to the form of the data written to the buffer
it seems difficult to actually exploit it in such a way.

For the stable distribution (stretch), this problem has been fixed in
version 5.5.1-4+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4310-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 03, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-12386 CVE-2018-12387

Two security issues have been found in the Mozilla Firefox web browser,
which could potentially result in the execution of arbitrary code inside
the sandboxed content process.

For the stable distribution (stretch), these problems have been fixed in
version 60.2.2esr-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1485 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 06 October 2018 - 06:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4311-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 05, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2018-17456

joernchen of Phenoelit discovered that git, a fast, scalable,
distributed revision control system, is prone to an arbitrary code
execution vulnerability via a specially crafted .gitmodules file in a
project cloned with --recurse-submodules.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u4.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1486 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 08 October 2018 - 07:00 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4312-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 08, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tinc
CVE ID         : CVE-2018-16738 CVE-2018-16758

Several vulnerabilities were discovered in tinc, a Virtual Private
Network (VPN) daemon. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-16738

    Michael Yonli discovered a flaw in the implementation of the
    authentication protocol that could allow a remote attacker to
    establish an authenticated, one-way connection with another node.

CVE-2018-16758

    Michael Yonli discovered that a man-in-the-middle that has
    intercepted a TCP connection might be able to disable encryption of
    UDP packets sent by a node.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.31-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4313-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 08, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-15471 CVE-2018-18021

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-15471 (XSA-270)

    Felix Wilhelm of Google Project Zero discovered a flaw in the hash
    handling of the xen-netback Linux kernel module. A malicious or
    buggy frontend may cause the (usually privileged) backend to make
    out of bounds memory accesses, potentially resulting in privilege
    escalation, denial of service, or information leaks.

    https://xenbits.xen....visory-270.html

CVE-2018-18021

    It was discovered that the KVM subsystem on the arm64 platform does
    not properly handle the KVM_SET_ON_REG ioctl. An attacker who can
    create KVM based virtual machines can take advantage of this flaw
    for denial of service (hypervisor panic) or privilege escalation
    (arbitrarily redirect the hypervisor flow of control with full
    register control).

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u6.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1487 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 11 October 2018 - 06:11 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4314-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 11, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : net-snmp
CVE ID         : CVE-2018-18065
Debian Bug     : 910638

Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in
net-snmp, a suite of Simple Network Management Protocol applications,
allowing a remote, authenticated attacker to crash the snmpd process
(causing a denial of service).

For the stable distribution (stretch), this problem has been fixed in
version 5.7.3+dfsg-1.7+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1488 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted 18 October 2018 - 07:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4315-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 12, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-16056 CVE-2018-16057 CVE-2018-16058

Multiple vulnerabilities have been discovered in Wireshark, a network
protocol analyzer which could result in denial of service or the
execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.3-1~deb9u1. This update upgrades Wireshark to the 2.6.x
release branch, future security upgrades will be based on this series.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4316-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 12, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2018-16412 CVE-2018-16413 CVE-2018-16642 CVE-2018-16644
                 CVE-2018-16645

This update fixes several vulnerabilities in Imagemagick, a graphical
software suite. Various memory handling problems or incomplete input
sanitising have been found in the coders for BMP, DIB, PICT, DCM, CUT
and PSD.

For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4317-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 14, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : otrs2
CVE ID         : CVE-2018-14593 CVE-2018-16586 CVE-2018-16587

Three vulnerabilities were discovered in the Open Ticket Request System
which could result in privilege escalation or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.16-1+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4318-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 15, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : moin
CVE ID         : CVE-2017-5934
Debian Bug     : 910776

Nitin Venkatesh discovered a cross-site scripting vulnerability in moin,
a Python clone of WikiWiki. A remote attacker can conduct cross-site
scripting attacks via the GUI editor's link dialogue. This only affects
installations which have set up fckeditor (not enabled by default).

For the stable distribution (stretch), this problem has been fixed in
version 1.9.9-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4319-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 15, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2018-10873
Debian Bug     : 906315

Frediano Ziglio reported a missing check in the script to generate
demarshalling code in the SPICE protocol client and server library. The
generated demarshalling code is prone to multiple buffer overflows. An
authenticated attacker can take advantage of this flaw to cause a denial
of service (spice server crash), or possibly, execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u2.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1489 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,679 posts

Posted Yesterday, 07:51 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4320-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 16, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2018-7284 CVE-2018-7286 CVE-2018-12227 CVE-2018-17281
Debian Bug     : 891227 891228 902954 909554

Multiple vulnerabilities have been discovered in Asterisk, an open source
PBX and telephony toolkit, which may result in denial of service or
information disclosure.
      
For the stable distribution (stretch), these problems have been fixed in
version 1:13.14.1~dfsg-2+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4321-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 16, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphicsmagick
CVE ID         : CVE-2017-10794 CVE-2017-10799 CVE-2017-10800 CVE-2017-11102
                 CVE-2017-11139 CVE-2017-11140 CVE-2017-11403 CVE-2017-11636
                 CVE-2017-11637 CVE-2017-11638 CVE-2017-11641 CVE-2017-11642
                 CVE-2017-11643 CVE-2017-11722 CVE-2017-12935 CVE-2017-12936
                 CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CVE-2017-13065
                 CVE-2017-13134 CVE-2017-13737 CVE-2017-13775 CVE-2017-13776
                 CVE-2017-13777 CVE-2017-14314 CVE-2017-14504 CVE-2017-14733
                 CVE-2017-14994 CVE-2017-14997 CVE-2017-15238 CVE-2017-15277
                 CVE-2017-15930 CVE-2017-16352 CVE-2017-16353 CVE-2017-16545
                 CVE-2017-16547 CVE-2017-16669 CVE-2017-17498 CVE-2017-17500
                 CVE-2017-17501 CVE-2017-17502 CVE-2017-17503 CVE-2017-17782
                 CVE-2017-17783 CVE-2017-17912 CVE-2017-17913 CVE-2017-17915
                 CVE-2017-18219 CVE-2017-18220 CVE-2017-18229 CVE-2017-18230
                 CVE-2017-18231 CVE-2018-5685 CVE-2018-6799 CVE-2018-9018

Several vulnerabilities have been discovered in GraphicsMagick, a set of
command-line applications to manipulate image files, which could result
in denial of service or the execution of arbitrary code if malformed
image files are processed.

For the stable distribution (stretch), these problems have been fixed in
version 1.3.30+hg15796-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4322-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 17, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2018-10933
Debian Bug     : 911149

Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
library, contains an authentication bypass vulnerability in the server
code. An attacker can take advantage of this flaw to successfully
authenticate without any credentials by presenting the server an
SSH2_MSG_USERAUTH_SUCCESS message in place of the
SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
initiate authentication.

For the stable distribution (stretch), this problem has been fixed in
version 0.7.3-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4323-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 18, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

Two vulnerabilities were found in Drupal, a fully-featured content
management framework, which could result in arbitrary code execution or
an open redirect. For additional information, please refer to the
upstream advisory at https://www.drupal.o...a-core-2018-006
      
For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u5.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users