Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1440 replies to this topic

#1426 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 09 May 2018 - 07:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4197-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wavpack
CVE ID         : CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539
                 CVE-2018-10540

Multiple vulnerabilities were discovered in the wavpack audio codec which
could result in denial of service or the execution of arbitrary code if
malformed media files are processed.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.0-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4198-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2017-18265
Debian Bug     : 875829

Albert Dengg discovered that incorrect parsing of <stream:error> messages
in the Prosody Jabber/XMPP server may result in denial of service.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1427 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 12 May 2018 - 08:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4199-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 10, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5157
                 CVE-2018-5158 CVE-2018-5159 CVE-2018-5168 CVE-2018-5178
                 CVE-2018-5183

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors
may lead to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.8.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.8.0esr-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1428 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 14 May 2018 - 07:44 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4200-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 14, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kwallet-pam
CVE ID         : CVE-2018-10380

Fabian Vogt discovered that incorrect permission handling in the PAM
module of the KDE Wallet could allow an unprivileged local user to gain
ownership of arbitrary files.

For the stable distribution (stretch), this problem has been fixed in
version 5.8.4-1+deb9u2.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1429 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 16 May 2018 - 08:31 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4201-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 15, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-8897 CVE-2018-10471 CVE-2018-10472 CVE-2018-10981
                 CVE-2018-10982

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-8897

    Andy Lutomirski and Nick Peterson discovered that incorrect handling
    of debug exceptions could result in privilege escalation.

CVE-2018-10471

    An error was discovered in the mitigations against Meltdown which
    could result in denial of service.

CVE-2018-10472

    Anthony Perard discovered that incorrect parsing of CDROM images
    can result in information disclosure.

CVE-2018-10981

    Jan Beulich discovered that malformed device models could result
    in denial of service.

CVE-2018-10982

    Roger Pau Monne discovered that incorrect handling of high precision
    event timers could result in denial of service and potentially
    privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4202-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
May 16, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2018-1000301
Debian Bug     : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer
library, could be tricked into reading data beyond the end of a heap
based buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.52.1-5+deb9u6.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1430 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 21 May 2018 - 09:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 17, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2017-17670

Hans Jerry Illikainen discovered a type conversion vulnerability in the
MP4 demuxer of the VLC media player, which could result in the execution
of arbitrary code if a malformed media file is played.

This update upgrades VLC in stretch to the new 3.x release series (as
security fixes couldn't be sensibly backported to the 2.x series). In
addition two packages needed to be rebuild to ensure compatibility with
VLC 3; phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah
(4.0.0~DEV1607-2+deb9u1).

VLC in jessie cannot be migrated to version 3 due to incompatible
library changes with reverse dependencies and is thus now declared
end-of-life for jessie. We recommend to upgrade to stretch or pick a
different media player if that's not an option.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.2-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4204-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 18, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2017-10995 CVE-2017-11533 CVE-2017-11535 CVE-2017-11639
                 CVE-2017-13143 CVE-2017-17504 CVE-2017-17879 CVE-2018-5248
Debian Bug     : 867748 869827 869834 870012 870065 885125 885340 886588

This update fixes several vulnerabilities in imagemagick, a graphical
software suite. Various memory handling problems or issues about
incomplete input sanitizing would result in denial of service or
memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed
in version 8:6.8.9.9-5+deb8u12.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4205-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 18, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

This is an advance notice that regular security support for Debian
GNU/Linux 8 (code name "jessie") will be terminated on the 17th of
June.

As with previous releases additional LTS support will be provided for
a reduced set of architectures and packages, a separate announcement
will be available in due time.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gitlab
CVE ID         : CVE-2017-0920 CVE-2018-8971

Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code:
    
CVE-2017-0920

    It was discovered that missing validation of merge requests allowed
    users to see names to private projects, resulting in information
    disclosure.

CVE-2018-8971

    It was discovered that the Auth0 integration was implemented
    incorrectly.

For the stable distribution (stretch), these problems have been fixed in
version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires
ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1431 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 22 May 2018 - 09:42 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4207-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : packagekit
CVE ID         : CVE-2018-1106
Debian Bug     : 896703

Matthias Gerstner discovered that PackageKit, a DBus abstraction layer
for simple software management tasks, contains an authentication bypass
flaw allowing users without privileges to install local packages.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4208-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : procps
CVE ID         : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125
                 CVE-2018-1126
Debian Bug     : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps,
a set of command line and full screen utilities for browsing procfs. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2018-1122

    top read its configuration from the current working directory if no
    $HOME was configured. If top were started from a directory writable
    by the attacker (such as /tmp) this could result in local privilege
    escalation.

CVE-2018-1123

    Denial of service against the ps invocation of another user.

CVE-2018-1124

    An integer overflow in the file2strvec() function of libprocps could
    result in local privilege escalation.

CVE-2018-1125

    A stack-based buffer overflow in pgrep could result in denial
    of service for a user using pgrep for inspecting a specially
    crafted process.

CVE-2018-1126

    Incorrect integer size parameters used in wrappers for standard C
    allocators could cause integer truncation and lead to integer
    overflow issues.

For the oldstable distribution (jessie), these problems have been fixed
in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 2:3.3.12-3+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1432 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 25 May 2018 - 08:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4209-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159
                 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170
                 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or attacks on
encrypted emails.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:52.8.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.8.0-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4210-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3639

This update provides mitigations for the Spectre v4 variant in x86-based
micro processors. On Intel CPUs this requires updated microcode which
is currently not released publicly (but your hardware vendor may have
issued an update). For servers with AMD CPUs no microcode update is
needed, please refer to https://xenbits.xen....visory-263.html
for further information.

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4211-1                   security@debian.org
https://www.debian.org/security/                            Luciano Bello
May 25, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xdg-utils
CVE ID         : CVE-2017-18266
Debian Bug     : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop
environment integration, is vulnerable to argument injection attacks. If
the environment variable BROWSER in the victim host has a "%s" and the
victim opens a link crafted by an attacker with xdg-open, the malicious
party could manipulate the parameters used by the browser when opened.
This manipulation could set, for example, a proxy to which the network
traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-1+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1433 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 29 May 2018 - 08:37 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 26, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gitlab
Debian Bug     : 900066

The gitlab security update announced as DSA-4206-1 caused regressions
when creating merge requests (returning 500 Internal Server Errors) due
to an issue in the patch to address CVE-2017-0920. Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 8.13.11+dfsg1-8+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4212-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2018-11235

Etienne Stalmans discovered that git, a fast, scalable, distributed
revision control system, is prone to an arbitrary code execution
vulnerability exploitable via specially crafted submodule names in a
.gitmodules file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u6.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4213-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 29, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124
                 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381
                 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550
Debian Bug     : 877890 880832 880836 882136 883399 883625 884806 886532
                 887392 892041

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2017-15038

    Tuomas Tynkkynen discovered an information leak in 9pfs.

CVE-2017-15119

    Eric Blake discovered that the NBD server insufficiently restricts
    large option requests, resulting in denial of service.

CVE-2017-15124

    Daniel Berrange discovered that the integrated VNC server
    insufficiently restricted memory allocation, which could result in
    denial of service.

CVE-2017-15268

    A memory leak in websockets support may result in denial of service.

CVE-2017-15289

    Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics
    adaptor which could result in denial of service.

CVE-2017-16845

    Cyrille Chatras discovered an information leak in PS/2 mouse and
    keyboard emulation which could be exploited during instance
    migration.

CVE-2017-17381

    Dengzhan Heyuandong Bijunhua and Liweichao discovered that an
    implementation error in the virtio vring implementation could result
    in denial of service.

CVE-2017-18043

    Eric Blake discovered an integer overflow in an internally used
    macro which could result in denial of service.

CVE-2018-5683

    Jiang Xin and Lin ZheCheng discovered an OOB memory access in the
    emulated VGA adaptor which could result in denial of service.

CVE-2018-7550

    Cyrille Chatras discovered that an OOB memory write when using
    multiboot could result in the execution of arbitrary code.

This update also backports a number of mitigations against the Spectre
v2 vulnerability affecting modern CPUs (CVE-2017-5715).  For additional
information please refer to
https://www.qemu.org.../01/04/spectre/

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u4.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1434 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 01 June 2018 - 09:00 PM

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 7 Long Term Support reaching end-of-life         press@debian.org
June 1st, 2018                 https://www.debian.o...s/2018/20180601
------------------------------------------------------------------------


The Debian Long Term Support (LTS) Team hereby announces that Debian 7
"Wheezy" support has reached its end-of-life on May 31, 2018, five years
after its initial release on May 4, 2013.

Debian will not provide further security updates for Debian 7. A subset
of Wheezy packages will be supported by external parties. Detailed
information can be found at Extended LTS [1].

    1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 8 "Jessie", which is
the current oldstable release. The LTS team will take over support from
the Security Team on June 17, 2018.

Debian 8 will also receive Long Term Support for five years after its
initial release with support ending on June 30, 2020. The supported
architectures include amd64, i386, armel and armhf.

For further information about using Jessie LTS and upgrading from Wheezy
LTS, please refer to LTS/Using [2].

    2: https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users,
developers and sponsors who are making it possible to extend the life of
previous stable releases, and who have made this LTS a success.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4214-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 01, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zookeeper
CVE ID         : CVE-2018-8012

It was discovered that Zookeeper, a service for maintaining configuration
information, enforced no authentication/authorisation when a server
attempts to join a Zookeeper quorum.

This update backports authentication support. Additional configuration
steps are needed, please see
https://cwiki.apache... authentication
for additional information.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.4.9-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 3.4.9-3+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1435 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 03 June 2018 - 08:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4215-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : batik
CVE ID         : CVE-2017-5662 CVE-2018-8013
Debian Bug     : 860566 899374

Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a
toolkit for processing SVG images, did not properly validate its
input. This would allow an attacker to cause a denial-of-service,
mount cross-site scripting attacks, or access restricted files on the
server.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.7+dfsg-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.8-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4216-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2018-10847
Debian Bug     : 900524

It was discovered that Prosody, a lightweight Jabber/XMPP server, does
not properly validate client-provided parameters during XMPP stream
restarts, allowing authenticated users to override the realm associated
with their session, potentially bypassing security policies and allowing
impersonation.

Details can be found in the upstream advisory at
https://prosody.im/s...isory_20180531/

For the oldstable distribution (jessie), this problem has been fixed
in version 0.9.7-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4191-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
Debian Bug     : 900283

The redmine security update announced as DSA-4191-1 caused regressions
with multi-value fields while doing queries on project issues due to an
bug in the patch to address CVE-2017-15569. Updated packages are now
available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 3.3.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4217-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335
                 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358
                 CVE-2018-11360 CVE-2018-11362

It was discovered that Wireshark, a network protocol analyzer, contained
several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC,
IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial
of service or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.12.1+g01b65bf-4+deb8u14.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.6+g32dac6a-2+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1436 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 07 June 2018 - 08:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4218-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
CVE ID         : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
Debian Bug     : 868701 894404

Several vulnerabilities were discovered in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached
    (resulting from an incomplete fix for CVE-2016-8705) triggered by
    specially crafted requests to add/set a key and allowing a remote
    attacker to cause a denial of service.

CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote
    attacker can take advantage of it to use the memcached service as a
    DDoS amplifier.

    Default installations of memcached in Debian are not affected by
    this issue as the installation defaults to listen only on localhost.
    This update disables the UDP port by default. Listening on the UDP
    can be re-enabled in the /etc/memcached.conf (cf.
    /usr/share/doc/memcached/NEWS.Debian.gz).

CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource
    leaks, data corruption, deadlocks or crashes.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.4.21-1.1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.33-1+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1437 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 08 June 2018 - 08:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4219-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jruby
CVE ID         : CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
                 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
Debian Bug     : 895778

Several vulnerabilities were discovered in jruby, a Java
implementation of the Ruby programming language. They would allow an
attacker to use specially crafted gem files to mount cross-site
scripting attacks, cause denial of service through an infinite loop,
write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.26-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4220-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library
used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 52.8.1esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4221-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvncserver
CVE ID         : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB
packets in LibVNCServer could result in the disclosure of memory
contents.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.11+dfsg-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the stable distribution (stretch), this problem has been fixed in
version 1.4.21-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg....8q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u5.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1438 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 10 June 2018 - 08:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4225-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 10, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
                 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
                 CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code or bypass of JAR
signature validation.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u181-2.6.14-1~deb8u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1439 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 13 June 2018 - 07:14 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4226-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-12015
Debian Bug     : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar
module, allowing an attacker to overwrite any file writable by the
extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 5.24.1-3+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4227-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : plexus-archiver
CVE ID         : CVE-2018-1002200
Debian Bug     : 900953

Danny Grander discovered a directory traversal flaw in plexus-archiver,
an Archiver plugin for the Plexus compiler system, allowing an attacker
to overwrite any file writable by the extracting user via a specially
crafted Zip archive.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.2-1+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1440 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted 15 June 2018 - 08:35 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4228-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-15736
Debian Bug     : 879954

Several vulnerabilities were found in SPIP, a website engine for
publishing, resulting in cross-site scripting and PHP injection.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.0.17-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-4~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1441 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,533 posts

Posted Yesterday, 08:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4229-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
June 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2018-5388 CVE-2018-10811

Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite.

CVE-2018-5388

    The stroke plugin did not verify the message length when reading from its
    control socket. This vulnerability could lead to denial of service. On
    Debian write access to the socket requires root permission on default
    configuration.

CVE-2018-10811

    A missing variable initialization in IKEv2 key derivation could lead to a
    denial of service (crash of the charon IKE daemon) if the openssl plugin is
    used in FIPS mode and the negotiated PRF is HMAC-MD5.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.2.1-6+deb8u6.

For the stable distribution (stretch), these problems have been fixed in
version 5.5.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4230-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2018-11218 CVE-2018-11219

Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a
persistent key-value database, which could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 3:3.2.6-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4231-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack
allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in
version 1.7.6-2+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users