NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

1419 replies to this topic

#1401 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 19 March 2018 - 07:11 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4145-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gitlab
CVE ID         : CVE-2017-0915 CVE-2017-0916 CVE-2017-0917 CVE-2017-0918
                 CVE-2017-0925 CVE-2017-0926 CVE-2018-3710

Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code:

CVE-2017-0915 / CVE-2018-3710

    Arbitrary code execution in project import.

CVE-2017-0916

    Command injection via Webhooks.

CVE-2017-0917

    Cross-site scripting in CI job output.

CVE-2017-0918

    Insufficient restriction of CI runner for project cache access.

CVE-2017-0925

    Information disclosure in Services API.

CVE-2017-0926

    Restrictions for disabled OAuth providers could be bypassed.

For the stable distribution (stretch), these problems have been fixed in
version 8.13.11+dfsg1-8+deb9u1.
registered Linux user number 324659  || The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#1402 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 20 March 2018 - 07:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4146-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 20, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : plexus-utils
CVE ID         : CVE-2017-1000487

Charles Duffy discovered that the Commandline class in the utilities for
the Plexus framework performs insufficient quoting of double-encoded
strings, which could result in the execution of arbitrary shell commands.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:1.5.15-4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.5.15-4+deb9u1.

#1403 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 23 March 2018 - 05:44 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4147-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 21, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : polarssl
CVE ID         : CVE-2017-18187 CVE-2018-0487 CVE-2018-0488
Debian Bug     : 890287 890288

Several vulnerabilities were discovered in PolarSSL, a lightweight
crypto and SSL/TLS library, that allowed a remote attacker to either
cause a denial-of-service by application crash, or execute arbitrary
code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.3.9-2.1+deb8u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4148-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 22, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kamailio
CVE ID         : CVE-2018-8828

Alfred Farrugia and Sandro Gauci discovered an off-by-one heap overflow
in the Kamailio SIP server which could result in denial of service and
potentially the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.2.0-2+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 4.4.4-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4149-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 22, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : plexus-utils2
CVE ID         : CVE-2017-1000487

Charles Duffy discovered that the Commandline class in the utilities for
the Plexus framework performs insufficient quoting of double-encoded
strings, which could result in the execution of arbitrary shell commands.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.0.15-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed prior
to the initial release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4150-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 23, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2017-15422

It was discovered that an integer overflow in the International
Components for Unicode (ICU) library could result in denial of service
and potentially the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.1-8+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 57.1-6+deb9u2.

#1404 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 26 March 2018 - 07:00 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4151-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 26, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : librelp
CVE ID         : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.c...e-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

#1405 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 27 March 2018 - 06:37 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4152-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
March 27, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2018-6544 CVE-2018-1000051
Debian Bug     : 891245

Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book
viewer, which may result in denial of service or remote code execution.
An attacker can craft a PDF document which, when opened in the victim
host, might consume vast amounts of memory, crash the program, or, in
some cases, execute code in the context in which the application is
running.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.5-1+deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1.9a+ds1-4+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4153-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5148

It was discovered that a use-after-free in the compositor of Firefox
can result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.7.3esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 52.7.3esr-1~deb9u1.

#1406 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 28 March 2018 - 06:21 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4154-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : net-snmp
CVE ID         : CVE-2015-5621 CVE-2018-1000116
Debian Bug     : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4155-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5144
                 CVE-2018-5145 CVE-2018-5146

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or information
disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.7.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.7.0-1~deb9u1.

#1407 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 30 March 2018 - 08:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4156-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2018-7600
Debian Bug     : 894259

A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.o...a-core-2018-002

For the oldstable distribution (jessie), this problem has been fixed
in version 7.32-1+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4157-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3738

    David Benjamin of Google reported an overflow bug in the AVX2
    Montgomery multiplication procedure used in exponentiation with
    1024-bit moduli.

CVE-2018-0739

    It was discovered that constructed ASN.1 types with a recursive
    definition could exceed the stack, potentially leading to a denial
    of service.

Details can be found in the upstream advisory:
https://www.openssl....dv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected
by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4158-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial of
service.

Details can be found in the upstream advisory:
https://www.openssl....dv/20180327.txt

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2l-2+deb9u3.
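Both DSA-4157-1 and DSA-4158-1 above concern CVE-2018-0739, where recursively defined constructed ASN.1 types could exceed the stack. The defence is a parser that bounds nesting depth before it recurses. The following depth-bounded DER parser is an added illustration, not OpenSSL's code; the `MAX_DEPTH` value and the helper names are assumptions chosen for the example, and the nested SEQUENCE input is constructed here.

```python
"""Depth-bounded DER parser, added to illustrate the defence against
recursive constructed types exhausting the stack (CVE-2018-0739)."""

MAX_DEPTH = 32  # assumed bound; any fixed limit turns unbounded recursion into an error


class DepthExceeded(ValueError):
    """Raised when constructed types nest deeper than MAX_DEPTH."""


def _read_length(data: bytes, pos: int):
    """Decode a DER length at data[pos]; returns (length, next_pos)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    n = first & 0x7F                      # long form: n following bytes
    if n == 0 or n > 4 or pos + n > len(data):
        raise ValueError("bad or truncated length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_der(data: bytes, depth: int = 0):
    """Parse a run of TLVs into [(tag, value)] where value is bytes for a
    primitive element and a nested list for a constructed one (tag bit 0x20).
    The depth is checked before any work is done at a new level."""
    if depth > MAX_DEPTH:
        raise DepthExceeded(f"nesting deeper than {MAX_DEPTH}")
    items, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported in this example")
        if pos >= len(data):
            raise ValueError("truncated: tag without length")
        length, pos = _read_length(data, pos)
        if pos + length > len(data):
            raise ValueError("truncated: value shorter than declared length")
        body = data[pos:pos + length]
        pos += length
        if tag & 0x20:
            items.append((tag, parse_der(body, depth + 1)))   # one level deeper
        else:
            items.append((tag, body))
    return items


def is_acceptable(data: bytes) -> bool:
    """Accept input only if it is well-formed and parses within the depth bound."""
    try:
        parse_der(data)
        return True
    except ValueError:          # DepthExceeded is a ValueError too
        return False


def encode_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed test input."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def nested_sequences(levels: int) -> bytes:
    """Constructed sample: `levels` SEQUENCEs wrapped around one INTEGER 1."""
    body = encode_tlv(0x02, b"\x01")
    for _ in range(levels):
        body = encode_tlv(0x30, body)
    return body


def nesting_depth(items) -> int:
    """Depth of a parsed structure: 1 for a flat element, +1 per constructed level."""
    return max((1 + nesting_depth(v) if isinstance(v, list) else 1 for _, v in items),
               default=0)
```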

#1408 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 01 April 2018 - 07:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4159-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : remctl
CVE ID         : CVE-2018-0493

Santosh Ananthakrishnan discovered a use-after-free in remctl, a server
for Kerberos-authenticated command execution. If the command is
configured with the sudo option, this could potentially result in the
execution of arbitrary code.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 3.13-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4160-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libevt
CVE ID         : CVE-2018-8754

It was discovered that insufficient input sanitising in libevt, a library
to access the Windows Event Log (EVT) format, could result in denial of
service or the execution of arbitrary code if a malformed EVT file is
processed.

For the stable distribution (stretch), this problem has been fixed in
version 20170120-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4161-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
April 01, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2018-7536 CVE-2018-7537

James Davis discovered two issues in Django, a high-level Python web
development framework, that can lead to a denial-of-service attack.
An attacker with control on the input of the django.utils.html.urlize()
function or django.utils.text.Truncator's chars() and words() methods
could craft a string that might stall the execution of the application.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.7.11-1+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.10.7-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4162-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : irssi
CVE ID         : CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208
                 CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053
                 CVE-2018-7054

Multiple vulnerabilities have been discovered in Irssi, a terminal-based
IRC client, which can result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.7-1~deb9u1.

#1409 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 03 April 2018 - 07:50 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4163-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 02, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : beep
CVE ID         : CVE-2018-0492

It was discovered that a race condition in beep (if configured as setuid
via debconf) allows local privilege escalation.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4164-1                   security@debian.org
https://www.debian.org/security/                           Stefan Fritsch
April 03, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301
                 CVE-2018-1303 CVE-2018-1312

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-15710

    Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
    configured with AuthLDAPCharsetConfig, could cause an out of bound write
    if supplied with a crafted Accept-Language header. This could
    potentially be used for a Denial of Service attack.

CVE-2017-15715

    Elar Lang discovered that expression specified in <FilesMatch> could
    match '$' to a newline character in a malicious filename, rather
    than matching only the end of the filename. This could be exploited
    in environments where uploads of some files are externally
    blocked, but only by matching the trailing portion of the filename.

CVE-2018-1283

    When mod_session is configured to forward its session data to CGI
    applications (SessionEnv on, not the default), a remote user could
    influence their content by using a "Session" header.

CVE-2018-1301

    Robert Swiecki reported that a specially crafted request could have
    crashed the Apache HTTP Server, due to an out of bound access after
    a size limit is reached by reading the HTTP header.

CVE-2018-1303

    Robert Swiecki reported that a specially crafted HTTP request header
    could have crashed the Apache HTTP Server if using
    mod_cache_socache, due to an out of bound read while preparing data
    to be cached in shared memory.

CVE-2018-1312

    Nicolas Daniels discovered that when generating an HTTP Digest
    authentication challenge, the nonce sent by mod_auth_digest to
    prevent replay attacks was not correctly generated using a
    pseudo-random seed. In a cluster of servers using a common Digest
    authentication configuration, HTTP requests could be replayed across
    servers by an attacker without detection.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u12.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u4.
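The CVE-2017-15715 entry above turns on a regex detail worth checking in one's own `<FilesMatch>` rules: in PCRE, and equally in Python's `re`, `$` also matches just before a newline that ends the subject, while `\z` (Python: `\Z`) matches only at the true end. The script below is an added illustration, not Apache's code or the advisory's; the filenames and the "upload filter" model are constructed for the example, and `suspicious_filesmatch` is an assumed audit helper.

```python
import re

# Constructed filenames: an ordinary upload and the same name carrying a
# trailing newline, the case CVE-2017-15715 describes.
NORMAL_NAME = "report.php"
NEWLINE_NAME = "report.php\n"


def dollar_anchored(name: str) -> bool:
    """Does a '$'-anchored expression (as in <FilesMatch "\\.php$">) match?
    In PCRE (Apache) and Python's re alike, '$' also matches just before a
    newline that ends the subject, so a name ending in ".php\\n" matches."""
    return re.search(r"\.php$", name) is not None


def end_anchored(name: str) -> bool:
    """The same expression with a true end-of-subject anchor: \\Z in Python,
    \\z in PCRE. It matches only when ".php" is the last thing in the name."""
    return re.search(r"\.php\Z", name) is not None


def blocked_by_upload_filter(name: str) -> bool:
    """Model of the external upload filter the advisory mentions: it only
    looks at the trailing characters of the filename."""
    return name.endswith(".php")


def filter_gap(name: str) -> bool:
    """True when the upload filter lets a name through while the '$'-anchored
    handler rule still claims it: the two disagree only on the newline case,
    which is exactly the gap an end-of-subject anchor closes."""
    return (not blocked_by_upload_filter(name)) and dollar_anchored(name)


def suspicious_filesmatch(expression: str) -> bool:
    """Audit helper (assumed): flag expressions that end in an unescaped '$'
    and do not use '\\z', so an operator can review each one."""
    return (expression.endswith("$")
            and not expression.endswith(r"\$")
            and r"\z" not in expression)
```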
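The CVE-2018-1312 entry above describes a Digest nonce that was not generated from a properly seeded pseudo-random source, so the same nonce appeared on every server in a cluster and could be replayed between them. The example below is added here and is not mod_auth_digest's code: it contrasts a fixed-seed generator with a nonce built from a CSPRNG value plus an HMAC over the issue time, and checks integrity, freshness and single use on validation. The shared secret, lifetime and nonce layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import random
import time
from typing import Optional

# Assumed deployment parameters: a secret shared by every node in the cluster
# (so a nonce issued by one node verifies on any other) and a nonce lifetime.
SHARED_SECRET = b"constructed-cluster-secret-replace-me"
NONCE_LIFETIME = 300          # seconds
NONCE_BYTES = 8 + 16 + 32     # timestamp || random || HMAC-SHA256


def unseeded_nonce(seed: int = 0) -> str:
    """Model of the weak path the advisory describes: a PRNG with a fixed seed
    yields the same nonce on every server, so a nonce captured from one node
    is accepted on all of them."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big").hex()


def issue_nonce(now: Optional[int] = None, rnd: Optional[bytes] = None) -> str:
    """Unpredictable nonce bound to its issue time: the CSPRNG part makes it
    unique, the HMAC lets any node verify it without having stored it."""
    now = int(time.time()) if now is None else now
    rnd = os.urandom(16) if rnd is None else rnd
    ts = now.to_bytes(8, "big")
    mac = hmac.new(SHARED_SECRET, ts + rnd, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ts + rnd + mac).decode()


class NonceValidator:
    """Checks integrity, freshness and single use. The seen-set only catches
    replays against this node; across nodes the defence is that nonces are
    unpredictable and short-lived, unless the seen-set itself is shared."""

    def __init__(self):
        self.seen = set()

    def accept(self, nonce: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(nonce)
        except (ValueError, TypeError):
            return False
        if len(raw) != NONCE_BYTES:
            return False
        ts, rnd, mac = raw[:8], raw[8:24], raw[24:]
        expected = hmac.new(SHARED_SECRET, ts + rnd, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):          # tampered or foreign
            return False
        issued = int.from_bytes(ts, "big")
        if issued > now or now - issued > NONCE_LIFETIME:   # future or expired
            return False
        if nonce in self.seen:                              # replay on this node
            return False
        self.seen.add(nonce)
        return True
```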

#1410 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 04 April 2018 - 06:43 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4165-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
April 03, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ldap-account-manager
CVE ID         : CVE-2018-8763 CVE-2018-8764

Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
front-end for LDAP directories.

CVE-2018-8763

    The found Reflected Cross Site Scripting (XSS) vulnerability might
    allow an attacker to execute Javascript code in the browser of the
    victim or to redirect her to a malicious website if the victim clicks
    on a specially crafted link.

CVE-2018-8764

    The application leaks the CSRF token in the URL, which can be used by
    an attacker to perform a Cross-Site Request Forgery attack, in which
    a victim logged in to LDAP Account Manager might perform unwanted
    actions in the front-end by clicking on a link crafted by the
    attacker.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.7.1-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 5.5-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4166-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 04, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602
                 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633
                 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663
                 CVE-2018-2677 CVE-2018-2678

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code, incorrect
LDAP/GSS authentication, insecure use of cryptography or bypass of
deserialisation restrictions.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u171-2.6.13-1~deb8u1.

#1411 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 05 April 2018 - 06:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4167-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
April 05, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sharutils
CVE ID         : CVE-2018-1000097
Debian Bug     : 893525

A buffer-overflow vulnerability was discovered in Sharutils, a set of
utilities to handle Shell Archives. An attacker with control on the input
of the unshar command could crash the application or execute arbitrary
code in its context.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.14-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1:4.15.2-2+deb9u1.

#1412 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 08 April 2018 - 07:03 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4168-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 08, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squirrelmail
CVE ID         : CVE-2018-8741
Debian Bug     : 893202

Florian Grunow and Birk Kauer of ERNW discovered a path traversal
vulnerability in SquirrelMail, a webmail application, allowing an
authenticated remote attacker to retrieve or delete arbitrary files
via mail attachment.

For the oldstable distribution (jessie), this problem has been fixed
in version 2:1.4.23~svn20120406-2+deb8u2.

#1413 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 11 April 2018 - 07:11 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4170-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 09, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pjproject
CVE ID         : CVE-2017-16872 CVE-2017-16875 CVE-2018-1000098
                 CVE-2018-1000099

Multiple vulnerabilities have been discovered in the PJSIP/PJProject
multimedia communication, which may result in denial of service during
the processing of SIP and SDP messages and ioqueue keys.

For the stable distribution (stretch), these problems have been fixed in
version 2.5.5~dfsg-6+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4169-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
April 11, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pcs
CVE ID         : CVE-2018-1086
Debian Bug     : 895313

Cédric Buissart from Red Hat discovered an information disclosure bug in pcs, a
pacemaker command line interface and GUI. The REST interface normally doesn't
allow passing the --debug parameter to prevent information leaks, but the check
wasn't sufficient.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.155+dfsg-2+deb9u1.

#1414 sunrat (Thread Kahuna, Forum Moderators, 5,484 posts)

Posted 13 April 2018 - 08:13 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4079-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 12, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : poppler
CVE ID         : CVE-2017-9776
Debian Bug     : 890826

It was discovered that the poppler upload for the oldstable distribution
(jessie), released as DSA-4079-1, did not correctly address
CVE-2017-9776 and additionally caused regressions when rendering PDFs
embedding JBIG2 streams. Updated packages are now available to correct
this issue.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.26.5-2+deb8u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4171-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 13, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-loofah
CVE ID         : CVE-2018-8048
Debian Bug     : 893596

The Shopify Application Security Team reported that ruby-loofah, a
general library for manipulating and transforming HTML/XML documents and
fragments, allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments. This might
allow mounting a code injection attack into a browser consuming
sanitized output.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.3-2+deb9u1.

#1415 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted 15 April 2018 - 09:48 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4172-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 14, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-6797

    Brian Carpenter reported that a crafted regular expression
    could cause a heap buffer write overflow, with control over the
    bytes written.

CVE-2018-6798

    Nguyen Duc Manh reported that matching a crafted locale dependent
    regular expression could cause a heap buffer read overflow and
    potentially information disclosure.

CVE-2018-6913

    GwanYeong Kim reported that 'pack()' could cause a heap buffer write
    overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update
contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u3.

#1416 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted 17 April 2018 - 06:54 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4173-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 16, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : r-cran-readxl
CVE ID         : CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12110
                 CVE-2017-12111

Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R
package to read Excel files (via the integrated libxls library), which
could result in the execution of arbitrary code if a malformed
spreadsheet is processed.

For the stable distribution (stretch), these problems have been fixed in
version 0.1.1-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4174-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 17, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : corosync
CVE ID         : CVE-2018-1084
Debian Bug     : 895653

The Citrix Security Response Team discovered that corosync, a cluster
engine implementation, allowed an unauthenticated user to cause a
denial-of-service by application crash.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.2-3+deb9u1.

#1417 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted 19 April 2018 - 08:16 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4175-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freeplane
CVE ID         : CVE-2018-1000069
Debian Bug     : 893663

Wojciech Regula discovered an XML External Entity vulnerability in the
XML Parser of the mindmap loader in freeplane, a Java program for
working with mind maps, resulting in potential information disclosure if
a malicious mind map file is opened.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.5.18-1+deb9u1.

#1418 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted 21 April 2018 - 07:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4176-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 20, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773
                 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818
                 CVE-2018-2819

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.60, which includes additional changes. Please see the MySQL
5.5 Release Notes and Oracle's Critical Patch Update advisory for
further details:

https://dev.mysql.co...ews-5-5-60.html
http://www.oracle.co...18-3678067.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.60-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4177-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 20, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libsdl2-image
CVE ID         : CVE-2017-2887  CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
                 CVE-2017-14442 CVE-2017-14448 CVE-2017-14449 CVE-2017-14450
                 CVE-2018-3837  CVE-2018-3838  CVE-2018-3839

Multiple vulnerabilities have been discovered in the image loading
library for Simple DirectMedia Layer 2, which could result in denial of
service or the execution of arbitrary code if malformed image files are
opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.0.0+dfsg-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 2.0.1+dfsg-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4178-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 20, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2018-10119 CVE-2018-10120

Two vulnerabilities were discovered in LibreOffice's code to parse
MS Word and Structured Storage files, which could result in denial of
service and potentially the execution of arbitrary code if a malformed
file is opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:4.3.3-2+deb8u11.

For the stable distribution (stretch), these problems have been fixed in
version 1:5.2.7-1+deb9u4.

#1419 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted 24 April 2018 - 09:20 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4179-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
April 24, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux-tools

This update doesn't fix a vulnerability in linux-tools, but provides
support for building Linux kernel modules with the "retpoline"
mitigation for CVE-2017-5715 (Spectre variant 2).

This update also includes bug fixes from the upstream Linux 3.16 stable
branch up to and including 3.16.56.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.16.56-1.

#1420 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,484 posts

Posted Today, 08:53 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4180-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 25, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2018-7602
Debian Bug     : 896701

A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.o...a-core-2018-004

For the oldstable distribution (jessie), this problem has been fixed
in version 7.32-1+deb8u12.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u4.
