NEW UPDATES Debian


#1426 sunrat

Posted 09 May 2018 - 07:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4197-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wavpack
CVE ID         : CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539
                 CVE-2018-10540

Multiple vulnerabilities were discovered in the wavpack audio codec which
could result in denial of service or the execution of arbitrary code if
malformed media files are processed.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.0-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4198-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2017-18265
Debian Bug     : 875829

Albert Dengg discovered that incorrect parsing of <stream:error> messages
in the Prosody Jabber/XMPP server may result in denial of service.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#1427 sunrat

Posted 12 May 2018 - 08:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4199-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 10, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5157
                 CVE-2018-5158 CVE-2018-5159 CVE-2018-5168 CVE-2018-5178
                 CVE-2018-5183

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors
may lead to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.8.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.8.0esr-1~deb9u1.

#1428 sunrat

Posted 14 May 2018 - 07:44 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4200-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 14, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kwallet-pam
CVE ID         : CVE-2018-10380

Fabian Vogt discovered that incorrect permission handling in the PAM
module of the KDE Wallet could allow an unprivileged local user to gain
ownership of arbitrary files.

For the stable distribution (stretch), this problem has been fixed in
version 5.8.4-1+deb9u2.

#1429 sunrat

Posted 16 May 2018 - 08:31 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4201-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 15, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-8897 CVE-2018-10471 CVE-2018-10472 CVE-2018-10981
                 CVE-2018-10982

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-8897

    Andy Lutomirski and Nick Peterson discovered that incorrect handling
    of debug exceptions could result in privilege escalation.

CVE-2018-10471

    An error was discovered in the mitigations against Meltdown which
    could result in denial of service.

CVE-2018-10472

    Anthony Perard discovered that incorrect parsing of CDROM images
    can result in information disclosure.

CVE-2018-10981

    Jan Beulich discovered that malformed device models could result
    in denial of service.

CVE-2018-10982

    Roger Pau Monne discovered that incorrect handling of high precision
    event timers could result in denial of service and potentially
    privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4202-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
May 16, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2018-1000301
Debian Bug     : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer
library, could be tricked into reading data beyond the end of a heap-based
buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.52.1-5+deb9u6.

#1430 sunrat

Posted 21 May 2018 - 09:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 17, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2017-17670

Hans Jerry Illikainen discovered a type conversion vulnerability in the
MP4 demuxer of the VLC media player, which could result in the execution
of arbitrary code if a malformed media file is played.

This update upgrades VLC in stretch to the new 3.x release series (as
security fixes couldn't be sensibly backported to the 2.x series). In
addition, two packages needed to be rebuilt to ensure compatibility with
VLC 3: phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah
(4.0.0~DEV1607-2+deb9u1).

VLC in jessie cannot be migrated to version 3 due to incompatible
library changes with reverse dependencies and is thus now declared
end-of-life for jessie. We recommend upgrading to stretch, or picking a
different media player if that's not an option.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.2-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4204-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 18, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-10995 CVE-2017-11533 CVE-2017-11535 CVE-2017-11639
                 CVE-2017-13143 CVE-2017-17504 CVE-2017-17879 CVE-2018-5248
Debian Bug     : 867748 869827 869834 870012 870065 885125 885340 886588

This update fixes several vulnerabilities in imagemagick, a graphical
software suite. Various memory handling problems or issues about
incomplete input sanitizing would result in denial of service or
memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 8:6.8.9.9-5+deb8u12.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4205-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 18, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

This is an advance notice that regular security support for Debian
GNU/Linux 8 (code name "jessie") will be terminated on the 17th of
June.

As with previous releases, additional LTS support will be provided for
a reduced set of architectures and packages; a separate announcement
will be available in due time.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gitlab
CVE ID         : CVE-2017-0920 CVE-2018-8971

Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code:
    
CVE-2017-0920

    It was discovered that missing validation of merge requests allowed
    users to see the names of private projects, resulting in information
    disclosure.

CVE-2018-8971

    It was discovered that the Auth0 integration was implemented
    incorrectly.

For the stable distribution (stretch), these problems have been fixed in
version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires
ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.

#1431 sunrat

Posted 22 May 2018 - 09:42 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4207-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : packagekit
CVE ID         : CVE-2018-1106
Debian Bug     : 896703

Matthias Gerstner discovered that PackageKit, a DBus abstraction layer
for simple software management tasks, contains an authentication bypass
flaw allowing users without privileges to install local packages.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4208-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : procps
CVE ID         : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                 CVE-2018-1126
Debian Bug     : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps,
a set of command line and full screen utilities for browsing procfs. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2018-1122

    top read its configuration from the current working directory if no
    $HOME was configured. If top were started from a directory writable
    by the attacker (such as /tmp) this could result in local privilege
    escalation.

CVE-2018-1123

    Denial of service against the ps invocation of another user.

CVE-2018-1124

    An integer overflow in the file2strvec() function of libprocps could
    result in local privilege escalation.

CVE-2018-1125

    A stack-based buffer overflow in pgrep could result in denial
    of service for a user using pgrep for inspecting a specially
    crafted process.

CVE-2018-1126

    Incorrect integer size parameters used in wrappers for standard C
    allocators could cause integer truncation and lead to integer
    overflow issues.

For the oldstable distribution (jessie), these problems have been fixed
in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 2:3.3.12-3+deb9u1.
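CVE-2018-1122 above is a lookup-order bug: with HOME unset, top fell back to the current working directory for its rc file, so a user who ran it from an attacker-writable directory such as /tmp read the attacker's configuration. The Python below is an added example by this page's editor, not procps code: it contrasts that fallback with a lookup that never consults the cwd (HOME only when set and absolute, otherwise the passwd entry) and adds the ownership and permission vetting a configuration loader should do before trusting what it reads. The .toprc filename and the throwaway home directory created by demo() are this example's assumptions.

```python
import os
import pwd
import stat
import tempfile


def config_dir_unsafe(env):
    """Model of the flawed lookup (not procps' code): an unset or empty HOME
    silently becomes '.', so a victim started in /tmp reads a stranger's file."""
    return env.get("HOME") or "."


def config_dir_safe(env, uid):
    """Hardened lookup: trust HOME only when set and absolute; otherwise use
    the account's home from the passwd database, never the cwd. Returns None
    when the uid has no passwd entry, which the caller treats as 'no config'."""
    home = env.get("HOME", "")
    if home and os.path.isabs(home):
        return home
    try:
        return pwd.getpwuid(uid).pw_dir
    except KeyError:
        return None


def trusted_config(path, uid):
    """Accept a configuration file only if it is a regular file (not a
    symlink) owned by uid and writable by nobody else. Returns (ok, reason)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, f"owned by uid {st.st_uid}, not {uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    return True, "ok"


def load_rc(env, uid, filename=".toprc"):
    """Resolve and vet the rc file; return its text, or None if untrusted."""
    base = config_dir_safe(env, uid)
    if base is None:
        return None
    path = os.path.join(base, filename)
    ok, _reason = trusted_config(path, uid)
    if not ok:
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Build a throwaway home containing an rc file, load it while it is
    private, then again after making it world-writable (standing in for a
    file anyone could have planted). Returns the observations as a dict."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".toprc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("RCfile for top\n")
        os.chmod(path, 0o600)
        results["safe"] = load_rc({"HOME": home}, uid)
        os.chmod(path, 0o666)
        results["tampered"] = load_rc({"HOME": home}, uid)
        results["tampered_reason"] = trusted_config(path, uid)[1]
    results["unsafe_dir_with_no_home"] = config_dir_unsafe({})
    results["fallback_home"] = config_dir_safe({}, uid)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The permission check is the same discipline ssh applies to ~/.ssh/config: a file the loader will act on must not be writable by anyone other than its owner, whatever directory it was found in.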

#1432 sunrat

Posted 25 May 2018 - 08:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4209-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159
                 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170
                 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or attacks on
encrypted emails.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.8.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.8.0-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4210-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3639

This update provides mitigations for the Spectre v4 variant in x86-based
microprocessors. On Intel CPUs this requires updated microcode which
is currently not released publicly (but your hardware vendor may have
issued an update). For servers with AMD CPUs no microcode update is
needed; please refer to https://xenbits.xen....visory-263.html
for further information.

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4211-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2017-18266
Debian Bug     : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop
environment integration, is vulnerable to argument injection attacks. If
the environment variable BROWSER in the victim host has a "%s" and the
victim opens a link crafted by an attacker with xdg-open, the malicious
party could manipulate the parameters used by the browser when opened.
This manipulation could set, for example, a proxy to which the network
traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-1+deb9u1.
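The xdg-utils issue (CVE-2017-18266) is argument injection: when BROWSER contains "%s", the URL is substituted into a command string that is afterwards word-split, so whitespace inside an attacker's link turns into extra browser arguments. The Python below is an added illustration, not xdg-open's shell script or its fix: a simplified model of the unsafe substitution next to a form that keeps the URL a single argv element, run on a constructed BROWSER value and crafted link. The --proxy-server switch mirrors the proxy example in the advisory and is assumed for illustration; nothing is executed.

```python
import shlex

# Constructed sample values, not from the advisory: a BROWSER setting that
# uses "%s" for the URL, and a link whose "URL" smuggles a browser option.
BROWSER_TEMPLATE = "chromium %s"
CRAFTED_LINK = "http://example.invalid/ --proxy-server=attacker.invalid:8080"


def browser_setting_is_risky(browser_env_value):
    """The precondition the advisory names: BROWSER carries a %s placeholder."""
    return "%s" in (browser_env_value or "")


def build_argv_unsafe(template, url):
    """Model of the vulnerable pattern (a simplification, not xdg-open's
    code): substitute %s into the command *string*, then word-split it.
    Whitespace inside the URL now yields additional arguments chosen by
    whoever wrote the link."""
    return shlex.split(template.replace("%s", url))


def build_argv_safe(template, url):
    """Hardened form: word-split the template first, then substitute %s
    inside the one argument that carried it. The URL stays a single argv
    element, so it cannot add or alter browser switches whatever it holds."""
    return [arg.replace("%s", url) for arg in shlex.split(template)]


def injected_flags(argv):
    """Option-looking arguments after the program name; a non-empty result
    means the link, not the user, chose browser switches."""
    return [arg for arg in argv[1:] if arg.startswith("-")]


def compare(template, url):
    """Side-by-side result for one template/link pair."""
    unsafe = build_argv_unsafe(template, url)
    safe = build_argv_safe(template, url)
    return {
        "unsafe_argv": unsafe,
        "unsafe_injected": injected_flags(unsafe),
        "safe_argv": safe,
        "safe_injected": injected_flags(safe),
    }


if __name__ == "__main__":
    print("BROWSER risky:", browser_setting_is_risky(BROWSER_TEMPLATE))
    for key, value in compare(BROWSER_TEMPLATE, CRAFTED_LINK).items():
        print(f"{key}: {value}")
```

To see whether a host meets the advisory's precondition at all, inspect the variable directly with `printf '%s\n' "$BROWSER"`; a value without "%s" is not affected by this particular flaw, though an update is still due for the packaged xdg-open.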

#1433 sunrat

Posted 29 May 2018 - 08:37 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 26, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gitlab
Debian Bug     : 900066

The gitlab security update announced as DSA-4206-1 caused regressions
when creating merge requests (returning 500 Internal Server Errors) due
to an issue in the patch to address CVE-2017-0920. Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 8.13.11+dfsg1-8+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4212-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2018-11235

Etienne Stalmans discovered that git, a fast, scalable, distributed
revision control system, is prone to an arbitrary code execution
vulnerability exploitable via specially crafted submodule names in a
.gitmodules file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u6.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4213-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124
                 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381
                 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550
Debian Bug     : 877890 880832 880836 882136 883399 883625 884806 886532
                 887392 892041

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2017-15038

    Tuomas Tynkkynen discovered an information leak in 9pfs.

CVE-2017-15119

    Eric Blake discovered that the NBD server insufficiently restricts
    large option requests, resulting in denial of service.

CVE-2017-15124

    Daniel Berrange discovered that the integrated VNC server
    insufficiently restricted memory allocation, which could result in
    denial of service.

CVE-2017-15268

    A memory leak in websockets support may result in denial of service.

CVE-2017-15289

    Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics
    adaptor which could result in denial of service.

CVE-2017-16845

    Cyrille Chatras discovered an information leak in PS/2 mouse and
    keyboard emulation which could be exploited during instance
    migration.

CVE-2017-17381

    Dengzhan Heyuandong Bijunhua and Liweichao discovered that an
    implementation error in the virtio vring implementation could result
    in denial of service.

CVE-2017-18043

    Eric Blake discovered an integer overflow in an internally used
    macro which could result in denial of service.

CVE-2018-5683

    Jiang Xin and Lin ZheCheng discovered an OOB memory access in the
    emulated VGA adaptor which could result in denial of service.

CVE-2018-7550

    Cyrille Chatras discovered that an OOB memory write when using
    multiboot could result in the execution of arbitrary code.

This update also backports a number of mitigations against the Spectre
v2 vulnerability affecting modern CPUs (CVE-2017-5715).  For additional
information please refer to
https://www.qemu.org.../01/04/spectre/

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u4.
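DSA-4212 describes code execution via crafted submodule names in .gitmodules. Before running `git submodule update --init` on a repository from an untrusted source, it is worth listing the names the checkout declares and refusing any that do not stay inside the tree. The Python below is an added example, not git's own validation: a minimal .gitmodules parser plus a name policy (empty, absolute, or containing a ".." or ".git" component) that is this example's own choice and deliberately stricter than what git enforces. The sample file is constructed.

```python
import re

# Constructed .gitmodules (not from any real repository): one ordinary
# submodule and one whose *name* climbs out of the working tree.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../../evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text):
    """Return {submodule name: {key: value}} for each [submodule "..."]
    section; blank lines and '#'/';' comments are skipped."""
    modules = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            modules.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            modules[current][m.group("key").lower()] = m.group("value")
    return modules


def suspicious_name(name):
    """Reason string if the name is not a plain relative path that stays
    inside the repository, else None. These rules are this example's policy,
    not git's exact check."""
    if not name:
        return "empty name"
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return "absolute path"
    parts = re.split(r"[/\\]", name)
    if ".." in parts:
        return "parent-directory component"
    if any(p.lower() == ".git" for p in parts):
        return ".git component"
    return None


def audit_gitmodules(text):
    """Map every flagged submodule name to the reason it was flagged."""
    flagged = {}
    for name in parse_gitmodules(text):
        reason = suspicious_name(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"refuse submodule {name!r}: {reason}")
```

Point the parser at the .gitmodules of a fresh clone before initialising anything; `git config -f .gitmodules --list` gives the same key/value view from git itself for cross-checking what the parser saw.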

#1434 sunrat

Posted 01 June 2018 - 09:00 PM

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 7 Long Term Support reaching end-of-life         press@debian.org
June 1st, 2018                 https://www.debian.o...s/2018/20180601
------------------------------------------------------------------------


The Debian Long Term Support (LTS) Team hereby announces that Debian 7
"Wheezy" support has reached its end-of-life on May 31, 2018, five years
after its initial release on May 4, 2013.

Debian will not provide further security updates for Debian 7. A subset
of Wheezy packages will be supported by external parties. Detailed
information can be found at Extended LTS [1].

    1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 8 "Jessie", which is
the current oldstable release. The LTS team will take over support from
the Security Team on June 17, 2018.

Debian 8 will also receive Long Term Support for five years after its
initial release with support ending on June 30, 2020. The supported
architectures include amd64, i386, armel and armhf.

For further information about using Jessie LTS and upgrading from Wheezy
LTS, please refer to LTS/Using [2].

    2: https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users,
developers and sponsors who are making it possible to extend the life of
previous stable releases, and who have made this LTS a success.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4214-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 01, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zookeeper
CVE ID         : CVE-2018-8012

It was discovered that Zookeeper, a service for maintaining configuration
information, enforced no authentication/authorisation when a server
attempts to join a Zookeeper quorum.

This update backports authentication support. Additional configuration
steps are needed, please see
https://cwiki.apache... authentication
for additional information.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.4.9-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 3.4.9-3+deb9u1.

#1435 sunrat

Posted 03 June 2018 - 08:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4215-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : batik
CVE ID         : CVE-2017-5662 CVE-2018-8013
Debian Bug     : 860566 899374

Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a
toolkit for processing SVG images, did not properly validate its
input. This would allow an attacker to cause a denial-of-service,
mount cross-site scripting attacks, or access restricted files on the
server.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.7+dfsg-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.8-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4216-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2018-10847
Debian Bug     : 900524

It was discovered that Prosody, a lightweight Jabber/XMPP server, does
not properly validate client-provided parameters during XMPP stream
restarts, allowing authenticated users to override the realm associated
with their session, potentially bypassing security policies and allowing
impersonation.

Details can be found in the upstream advisory at
https://prosody.im/s...isory_20180531/

For the oldstable distribution (jessie), this problem has been fixed
in version 0.9.7-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4191-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
Debian Bug     : 900283

The redmine security update announced as DSA-4191-1 caused regressions
with multi-value fields while doing queries on project issues due to a
bug in the patch to address CVE-2017-15569. Updated packages are now
available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 3.3.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4217-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335
                 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358
                 CVE-2018-11360 CVE-2018-11362

It was discovered that Wireshark, a network protocol analyzer, contained
several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC,
IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial
of service or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.12.1+g01b65bf-4+deb8u14.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.6+g32dac6a-2+deb9u3.

#1436 sunrat

Posted 07 June 2018 - 08:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4218-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
CVE ID         : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
Debian Bug     : 868701 894404

Several vulnerabilities were discovered in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached
    (resulting from an incomplete fix for CVE-2016-8705) triggered by
    specially crafted requests to add/set a key and allowing a remote
    attacker to cause a denial of service.

CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote
    attacker can take advantage of it to use the memcached service as a
    DDoS amplifier.

    Default installations of memcached in Debian are not affected by
    this issue as the installation defaults to listen only on localhost.
    This update disables the UDP port by default. Listening on UDP
    can be re-enabled in /etc/memcached.conf (cf.
    /usr/share/doc/memcached/NEWS.Debian.gz).

CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource
    leaks, data corruption, deadlocks or crashes.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.4.21-1.1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.33-1+deb9u1.
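For CVE-2018-1000115 the remedy is configuration rather than code: no UDP listener, and a bind address that is not reachable from outside the host. The Python below is an added example by this page's editor, not Debian's memcached packaging: it parses /etc/memcached.conf-style option lines and flags both exposures, with a constructed weak configuration beside a corrected one. The option semantics assumed are memcached's `-U <port>` (0 disables UDP) and `-l <address>`; a daemon with no `-U` line is treated as listening on UDP, which is the default the advisory describes for this release.

```python
# Constructed sample configs in /etc/memcached.conf syntax (one option per
# line); neither is Debian's shipped file. WEAK_CONF leaves the UDP
# listener at the daemon's default and binds every interface;
# HARDENED_CONF is the corrected equivalent.
WEAK_CONF = """\
# memcached configuration
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_conf(text):
    """Return {option: [values...]}, keeping every occurrence because
    memcached accepts repeated -l lines. A bare flag gets the value ''."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def audit_memcached_conf(text):
    """List the exposures the advisory describes: a UDP listener usable for
    amplification, and a bind address reachable from outside the host."""
    opts = parse_memcached_conf(text)
    findings = []
    udp = opts.get("-U", [])
    if not udp:
        findings.append("UDP not explicitly disabled; add '-U 0' "
                        "(this release listens on UDP by default)")
    elif udp[-1] != "0":
        findings.append(f"UDP listener enabled on port {udp[-1]}")
    addrs = [a.strip() for value in opts.get("-l", []) for a in value.split(",")]
    if not addrs:
        findings.append("no -l line; the daemon binds all interfaces by default")
    else:
        exposed = [a for a in addrs if a not in LOOPBACK]
        if exposed:
            findings.append("bound to non-loopback address(es): " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_memcached_conf(conf) or ['no findings']}")
```

After editing the file, `systemctl restart memcached` and confirm with `ss -lunp` that no UDP socket belongs to the memcached process; the config check above only says what the file asks for, the socket listing says what the daemon actually did.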

#1437 sunrat

Posted 08 June 2018 - 08:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4219-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jruby
CVE ID         : CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
Debian Bug     : 895778

Several vulnerabilities were discovered in jruby, a Java
implementation of the Ruby programming language. They would allow an
attacker to use specially crafted gem files to mount cross-site
scripting attacks, cause denial of service through an infinite loop,
write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.26-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4220-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library
used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 52.8.1esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4221-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvncserver
CVE ID         : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB
packets in LibVNCServer could result in the disclosure of memory
contents.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.11+dfsg-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the stable distribution (stretch), this problem has been fixed in
version 1.4.21-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u5.

#1438 sunrat

Posted 10 June 2018 - 08:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4225-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 10, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
                 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
                 CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code or bypass of JAR
signature validation.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u181-2.6.14-1~deb8u1.

#1439 sunrat

Posted 13 June 2018 - 07:14 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4226-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-12015
Debian Bug     : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar
module, allowing an attacker to overwrite any file writable by the
extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 5.24.1-3+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4227-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : plexus-archiver
CVE ID         : CVE-2018-1002200
Debian Bug     : 900953

Danny Grander discovered a directory traversal flaw in plexus-archiver,
an Archiver plugin for the Plexus compiler system, allowing an attacker
to overwrite any file writable by the extracting user via a specially
crafted Zip archive.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.2-1+deb9u1.

#1440 sunrat

Posted 15 June 2018 - 08:35 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4228-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-15736
Debian Bug     : 879954

Several vulnerabilities were found in SPIP, a website engine for
publishing, resulting in cross-site scripting and PHP injection.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.0.17-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-4~deb9u1.

#1441 sunrat

Posted 17 June 2018 - 08:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4229-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
June 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2018-5388 CVE-2018-10811

Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite.

CVE-2018-5388

    The stroke plugin did not verify the message length when reading from its
    control socket. This vulnerability could lead to denial of service. On
    Debian write access to the socket requires root permission on default
    configuration.

CVE-2018-10811

    A missing variable initialization in IKEv2 key derivation could lead to a
    denial of service (crash of the charon IKE daemon) if the openssl plugin is
    used in FIPS mode and the negotiated PRF is HMAC-MD5.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.2.1-6+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 5.5.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4230-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2018-11218 CVE-2018-11219

Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a
persistent key-value database, which could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 3:3.2.6-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4231-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack
allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in
version 1.7.6-2+deb9u3.

#1442 sunrat

Posted 20 June 2018 - 08:17 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4232-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3665

This update provides mitigations for the "lazy FPU" vulnerability
affecting a range of Intel CPUs, which could result in leaking CPU
register states belonging to another vCPU previously scheduled on the
same CPU. For additional information please refer to
https://xenbits.xen....visory-267.html

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8.

#1443 sunrat

Posted 22 June 2018 - 10:00 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4233-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bouncycastle
CVE ID         : CVE-2018-1000180

It was discovered that the low-level interface to the RSA key pair
generator of Bouncy Castle (a Java implementation of cryptographic
algorithms) could perform less Miller-Rabin primality tests than
expected.

For the stable distribution (stretch), this problem has been fixed in
version 1.56-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4234-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lava-server
CVE ID         : CVE-2018-12564 CVE-2018-12565

Two vulnerabilities were discovered in LAVA, a continuous integration
system for deploying operating systems for running tests, which could
result in information disclosure of files readable by the lavaserver
system user or the execution of arbitrary code via a XMLRPC call.

For the stable distribution (stretch), these problems have been fixed in
version 2016.12-3.

#1444 sunrat

Posted 23 June 2018 - 09:56 PM

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 8: 8.11 released                         press@debian.org
June 23rd, 2018                https://www.debian.o...s/2018/20180623
------------------------------------------------------------------------


The Debian project is pleased to announce the eleventh (and final)
update of its oldstable distribution Debian 8 (codename "jessie"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 8. Users wishing to continue to
receive security support should upgrade to Debian 9, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.


The packages for some architectures for DSA 3746, DSA 3944, DSA 3968,
DSA 4010, DSA 4014, DSA 4061, DSA 4075, DSA 4102, DSA 4155, DSA 4209 and
DSA 4218 are not included in this point release for technical reasons.
All other security updates released during the lifetime of "jessie" that
have not previously been part of a point release are included in this
update.

Please note that the point release does not constitute a new version of
Debian 8 but only updates some of the packages included. There is no
need to throw away old "jessie" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

#1445 sunrat

Posted 27 June 2018 - 10:54 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4235-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 27, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5156 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
                 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors may
lead to the execution of arbitrary code, denial of service, cross-site
request forgery or information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 52.9.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4236-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 27, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-12891 CVE-2018-12892 CVE-2018-12893

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-12891

    It was discovered that insufficient validation of PV MMU operations
    may result in denial of service.

CVE-2018-12892

    It was discovered that libxl fails to honour the 'readonly' flag on
    HVM-emulated SCSI disks.
    
CVE-2018-12893

    It was discovered that incorrect implementation of debug exception
    checks could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9.

#1446 sunrat

Posted 02 July 2018 - 10:39 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4237-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
June 30, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-6118 CVE-2018-6120 CVE-2018-6121 CVE-2018-6122
                 CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126
                 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131
                 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135
                 CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 CVE-2018-6139
                 CVE-2018-6140 CVE-2018-6141 CVE-2018-6142 CVE-2018-6143
                 CVE-2018-6144 CVE-2018-6145 CVE-2018-6147 CVE-2018-6148
                 CVE-2018-6149

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-6118

    Ned Williamson discovered a use-after-free issue.

CVE-2018-6120

    Zhou Aiting discovered a buffer overflow issue in the pdfium library.

CVE-2018-6121

    It was discovered that malicious extensions could escalate privileges.

CVE-2018-6122

    A type confusion issue was discovered in the v8 javascript library.

CVE-2018-6123

    Looben Yang discovered a use-after-free issue.

CVE-2018-6124

    Guang Gong discovered a type confusion issue.

CVE-2018-6125

    Yubico discovered that the WebUSB implementation was too permissive.

CVE-2018-6126

    Ivan Fratric discovered a buffer overflow issue in the skia library.

CVE-2018-6127

    Looben Yang discovered a use-after-free issue.

CVE-2018-6129

    Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.

CVE-2018-6130

    Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.

CVE-2018-6131

    Natalie Silvanovich discovered an error in WebAssembly.

CVE-2018-6132

    Ronald E. Crane discovered an uninitialized memory issue.

CVE-2018-6133

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6134

    Jun Kokatsu discovered a way to bypass the Referrer Policy.

CVE-2018-6135

    Jasper Rebane discovered a user interface spoofing issue.

CVE-2018-6136

    Peter Wong discovered an out-of-bounds read issue in the v8 javascript
    library.

CVE-2018-6137

    Michael Smith discovered an information leak.

CVE-2018-6138

    François Lajeunesse-Robert discovered that the extensions policy was
    too permissive.

CVE-2018-6139

    Rob Wu discovered a way to bypass restrictions in the debugger extension.

CVE-2018-6140

    Rob Wu discovered a way to bypass restrictions in the debugger extension.

CVE-2018-6141

    Yangkang discovered a buffer overflow issue in the skia library.

CVE-2018-6142

    Choongwoo Han discovered an out-of-bounds read in the v8 javascript
    library.

CVE-2018-6143

    Guang Gong discovered an out-of-bounds read in the v8 javascript library.

CVE-2018-6144

    pdknsk discovered an out-of-bounds read in the pdfium library.

CVE-2018-6145

    Masato Kinugawa discovered an error in the MathML implementation.

CVE-2018-6147

    Michail Pishchagin discovered an error in password entry fields.

CVE-2018-6148

    Michał Bentkowski discovered that the Content Security Policy header
    was handled incorrectly.

CVE-2018-6149

    Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the
    v8 javascript library.

For the stable distribution (stretch), these problems have been fixed in
version 67.0.3396.87-1~deb9u1.

#1447 sunrat

Posted 03 July 2018 - 08:36 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4238-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exiv2
CVE ID         : CVE-2018-10958 CVE-2018-10998 CVE-2018-10999 CVE-2018-11531
                 CVE-2018-12264 CVE-2018-12265

Several vulnerabilities have been discovered in Exiv2, a C++ library and
a command line utility to manage image metadata which could result in
denial of service or the execution of arbitrary code if a malformed file
is parsed.

For the stable distribution (stretch), these problems have been fixed in
version 0.25-3.1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4239-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gosa
CVE ID         : CVE-2018-1000528

Fabian Henneke discovered a cross-site scripting vulnerability in the
password change form of GOsa, a web-based LDAP administration program.

For the stable distribution (stretch), this problem has been fixed in
version gosa 2.7.4+reloaded2-3+deb9u1.

#1448 sunrat

Posted 05 July 2018 - 07:32 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4240-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2018-7584 CVE-2018-10545 CVE-2018-10546
                 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549

Several vulnerabilities were found in PHP, a widely-used open source
general purpose scripting language:

CVE-2018-7584

    Buffer underread in parsing HTTP responses

CVE-2018-10545

    Dumpable FPM child processes allowed the bypass of opcache access
    controls

CVE-2018-10546

    Denial of service via infinite loop in convert.iconv stream filter

CVE-2018-10547

    The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete

CVE-2018-10548

    Denial of service via malformed LDAP server responses

CVE-2018-10549

    Out-of-bounds read when parsing malformed JPEG files

For the stable distribution (stretch), these problems have been fixed in
version 7.0.30-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4241-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libsoup2.4
CVE ID         : CVE-2018-12910

It was discovered that the Soup HTTP library performed insufficient
validation of cookie requests which could result in an out-of-bounds
memory read.

For the stable distribution (stretch), this problem has been fixed in
version 2.56.0-2+deb9u2.

#1449 sunrat

Posted 09 July 2018 - 08:46 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4242-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 09, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sprockets
CVE ID         : CVE-2018-3760
Debian Bug     : 901913

Orange Tsai discovered a path traversal flaw in ruby-sprockets, a
Rack-based asset packaging system. A remote attacker can take advantage
of this flaw to read arbitrary files outside an application's root
directory via specially crafted requests, when the Sprockets server is
used in production.

For the stable distribution (stretch), this problem has been fixed in
version 3.7.0-1+deb9u1.

#1450 sunrat

Posted 11 July 2018 - 10:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4243-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
July 11, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cups
CVE ID         : CVE-2017-15400 CVE-2018-4180 CVE-2018-4181 CVE-2018-4182
                 CVE-2018-4183 CVE-2018-6553

Several vulnerabilities were discovered in CUPS, the Common UNIX Printing
System. These issues have been identified with the following CVE ids:

CVE-2017-15400

    Rory McNamara discovered that an attacker is able to execute arbitrary
    commands (with the privilege of the CUPS daemon) by setting a
    malicious IPP server with a crafted PPD file.

CVE-2018-4180

    Dan Bastone of Gotham Digital Science discovered that a local
    attacker with access to cupsctl could escalate privileges by setting
    an environment variable.

CVE-2018-4181

    Eric Rafaloff and John Dunlap of Gotham Digital Science discovered
    that a local attacker can perform limited reads of arbitrary files
    as root by manipulating cupsd.conf.

CVE-2018-4182

    Dan Bastone of Gotham Digital Science discovered that an attacker
    with sandboxed root access can execute backends without a sandbox
    profile by provoking an error in CUPS' profile creation.

CVE-2018-4183

    Dan Bastone and Eric Rafaloff of Gotham Digital Science discovered
    that an attacker with sandboxed root access can execute arbitrary
    commands as unsandboxed root by modifying /etc/cups/cups-files.conf.

CVE-2018-6553

    Dan Bastone of Gotham Digital Science discovered that an attacker
    can bypass the AppArmor cupsd sandbox by invoking the dnssd backend
    using an alternate name that has been hard linked to dnssd.


For the stable distribution (stretch), these problems have been fixed in
version 2.2.1-8+deb9u2.