NEW UPDATES Debian


#1451 sunrat

Posted 14 July 2018 - 07:46 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4244-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 13, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2017-17689 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360
                 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
                 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or attacks on
encrypted emails.

For the stable distribution (stretch), these problems have been fixed in
version 1:52.9.1-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4245-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2018-5248 CVE-2018-11251 CVE-2018-12599 CVE-2018-12600

This update fixes several vulnerabilities in Imagemagick, a graphical
software suite. Various memory handling problems or incomplete input
sanitising could result in denial of service or the execution of
arbitrary code.
      
For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u5.

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.5 released                          press@debian.org
July 14th, 2018                https://www.debian.o...s/2018/20180714
------------------------------------------------------------------------


The Debian project is pleased to announce the fifth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.
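The point-release notice above says to upgrade from a mirror; what a practitioner then wants is a way to confirm that each installed package is at or above the version the advisories name. The following is an added example, not Debian's code or the poster's: it reimplements dpkg's version-comparison algorithm in Python (epoch, then upstream part, then Debian revision, with `~` sorting before everything) and checks a constructed table of installed versions against fixed versions quoted in this thread. On a real stretch host `dpkg --compare-versions` is the authoritative check and the installed table would come from `dpkg-query`; `compare_versions`, `parse_version` and `outstanding` are names chosen here.

```python
"""Debian version comparison, reimplemented after dpkg's algorithm, to check
installed package versions against the fixed versions an advisory names."""

from typing import Dict, List, Tuple


def _order(c: str) -> int:
    """Weight of a non-digit character in dpkg's ordering: '~' sorts before
    anything, even the end of the string; letters sort before other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one fragment (upstream part or Debian revision) like dpkg's
    verrevcmp(): alternating runs of non-digits (weighted by _order) and
    digits (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more significant digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the *last* '-' starts the revision,
    so '3.0.3-1-0+deb9u1' has upstream '3.0.3-1' and revision '0+deb9u1'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b, with the semantics
    of `dpkg --compare-versions` (which is authoritative on a real host)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Fixed stretch versions exactly as the advisories quoted in this thread state
# them (source package names; DSA-4258-1 supersedes DSA-4249-1 for ffmpeg).
FIXED_IN_STRETCH: Dict[str, str] = {
    "thunderbird": "1:52.9.1-1~deb9u1",
    "imagemagick": "8:6.9.7.4+dfsg-11+deb9u5",
    "ffmpeg": "7:3.2.12-1~deb9u1",
    "samba": "2:4.5.12+dfsg-2+deb9u3",
}

# Constructed sample of installed versions, not from a real system; on a host
# this table would come from `dpkg-query -W -f='${Package} ${Version}\n'`.
SAMPLE_INSTALLED: Dict[str, str] = {
    "thunderbird": "1:52.8.0-1~deb9u1",
    "imagemagick": "8:6.9.7.4+dfsg-11+deb9u5",
    "ffmpeg": "7:3.2.11-1~deb9u1",
    "samba": "2:4.5.12+dfsg-2+deb9u3",
}


def outstanding(installed: Dict[str, str],
                fixed: Dict[str, str] = FIXED_IN_STRETCH) -> List[str]:
    """Packages whose installed version is still below the advisory's fix."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
```

Calling `outstanding(SAMPLE_INSTALLED)` on the constructed table returns `['ffmpeg', 'thunderbird']`, the two packages still below their advisory's fixed version.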

#1452 sunrat

Posted 15 July 2018 - 10:05 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4246-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 15, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mailman
CVE ID         : CVE-2018-0618

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. discovered
that mailman, a web-based mailing list manager, is prone to a cross-site
scripting flaw allowing a malicious listowner to inject scripts into the
listinfo page, due to not validated input in the host_name field.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.1.23-1+deb9u3.

#1453 sunrat

Posted 18 July 2018 - 07:14 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4247-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 16, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-rack-protection
CVE ID         : CVE-2018-1000119

A timing attack was discovered in the function for CSRF token validation
of the "Ruby rack protection" framework.

For the stable distribution (stretch), this problem has been fixed in
version 1.5.3-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4248-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : blender
CVE ID         : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902
                 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906
                 CVE-2017-2907 CVE-2017-2908 CVE-2017-2918 CVE-2017-12081
                 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100
                 CVE-2017-12101 CVE-2017-12102 CVE-2017-12103 CVE-2017-12104
                 CVE-2017-12105

Multiple vulnerabilities have been discovered in various parsers of
Blender, a 3D modeller/renderer. Malformed .blend model files and
malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may
result in the execution of arbitrary code.
        
For the stable distribution (stretch), these problems have been fixed in
version 2.79.b+dfsg0-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4249-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2018-6392 CVE-2018-6621 CVE-2018-7557 CVE-2018-10001
                 CVE-2018-12458 CVE-2018-13300 CVE-2018-13302

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.
      
For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.11-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4250-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
July 18, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2018-12895
Debian Bug     : 902876

A vulnerability was discovered in Wordpress, a web blogging tool. It
allowed remote attackers with specific roles to execute arbitrary
code.

For the stable distribution (stretch), this problem has been fixed in
version 4.7.5+dfsg-2+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4251-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2018-11529

A use-after-free was discovered in the MP4 demuxer of the VLC media
player, which could result in the execution of arbitrary code if a
malformed media file is played.
      
For the stable distribution (stretch), this problem has been fixed in
version 3.0.3-1-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4252-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : znc
CVE ID         : CVE-2018-14055 CVE-2018-14056

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which
could result in privilege escalation or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1.6.5-1+deb9u1.

#1454 sunrat

Posted 24 July 2018 - 09:51 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4253-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 23, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : network-manager-vpnc
CVE ID         : CVE-2018-10900
Debian Bug     : 904255

Denis Andzakovic discovered that network-manager-vpnc, a plugin to
provide VPNC support for NetworkManager, is prone to a privilege
escalation vulnerability. A newline character can be used to inject a
Password helper parameter into the configuration data passed to vpnc,
allowing a local user with privileges to modify a system connection to
execute arbitrary commands as root.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.4-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4254-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 24, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2018-7033 CVE-2018-10995
Debian Bug     : 893044 900548

Several vulnerabilities were discovered in the Simple Linux Utility for
Resource Management (SLURM), a cluster resource management and job
scheduling system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-7033

    Incomplete sanitization of user-provided text strings could lead to
    SQL injection attacks against slurmdbd.

CVE-2018-10995

    Insecure handling of user_name and gid fields leading to improper
    authentication handling.

For the stable distribution (stretch), these problems have been fixed in
version 16.05.9-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4255-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 24, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ant
CVE ID         : CVE-2018-10886

Danny Grander reported that the unzip and untar tasks in ant, a Java
based build tool like make, allow the extraction of files outside a
target directory. An attacker can take advantage of this flaw by
submitting a specially crafted Zip or Tar archive to an ant build to
overwrite any file writable by the user running ant.

For the stable distribution (stretch), this problem has been fixed in
version 1.9.9-1+deb9u1.
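The ant flaw in DSA-4255-1 is the archive path-traversal pattern: an entry name that climbs with `..` (or is absolute) makes the extractor write outside its target directory. As an added example, not ant's code or the page's own, the Python below shows the confinement check an extractor needs, including the prefix-comparison edge case where `/tmp/build2` must not count as inside `/tmp/build`, and runs it over a constructed in-memory archive; `is_confined`, `safe_extract`, `build_sample_archive` and `run_sample` are names chosen here.

```python
"""Confining archive extraction to its target directory: the check whose
absence DSA-4255-1 describes for ant's unzip/untar tasks."""

import io
import os
import tempfile
import zipfile
from typing import List, Tuple


def is_confined(target_dir: str, member_name: str) -> bool:
    """True only if target_dir/member_name resolves to a path inside target_dir.
    Rejects absolute names, drive-letter names and any '..' that climbs out."""
    if not member_name or member_name.startswith(("/", "\\")):
        return False
    if os.path.splitdrive(member_name)[0]:
        return False
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, member_name))
    # Compare with a trailing separator: a bare prefix test would accept
    # /tmp/build2/x as being inside /tmp/build.
    return dest == root or dest.startswith(root + os.sep)


def safe_extract(data: bytes, target_dir: str) -> Tuple[List[str], List[str]]:
    """Extract a zip held in memory, skipping every member that fails the
    confinement check. Returns (extracted, rejected) member names."""
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_confined(target_dir, name):
                rejected.append(name)
                continue
            dest = os.path.join(target_dir, name)
            if name.endswith("/"):
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive for the demonstration: one ordinary entry and one
    whose name climbs above the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/app.jar", b"not a real jar")
        zf.writestr("../../outside.txt", b"must never be written")
    return buf.getvalue()


def run_sample() -> Tuple[List[str], List[str]]:
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)
```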

#1455 sunrat

Posted 28 July 2018 - 08:40 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4256-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 26, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151
                 CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155
                 CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159
                 CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164
                 CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168
                 CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172
                 CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176
                 CVE-2018-6177 CVE-2018-6178 CVE-2018-6179

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-4117

    AhsanEjaz discovered an information leak.

CVE-2018-6044

    Rob Wu discovered a way to escalate privileges using extensions.

CVE-2018-6150

    Rob Wu discovered an information disclosure issue (this problem was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6151

    Rob Wu discovered an issue in the developer tools (this problem was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6152

    Rob Wu discovered an issue in the developer tools (this problem was
    fixed in a previous release but was mistakenly omitted from upstream's
    announcement at the time).

CVE-2018-6153

    Zhen Zhou discovered a buffer overflow issue in the skia library.

CVE-2018-6154

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6155

    Natalie Silvanovich discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2018-6156

    Natalie Silvanovich discovered a buffer overflow issue in the WebRTC
    implementation.

CVE-2018-6157

    Natalie Silvanovich discovered a type confusion issue in the WebRTC
    implementation.

CVE-2018-6158

    Zhe Jin discovered a use-after-free issue.

CVE-2018-6159

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6161

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6162

    Omair discovered a buffer overflow issue in the WebGL implementation.

CVE-2018-6163

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6164

    Jun Kokatsu discovered a way to bypass the same origin policy.

CVE-2018-6165

    evil1m0 discovered a URL spoofing issue.

CVE-2018-6166

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6167

    Lynas Zhang discovered a URL spoofing issue.

CVE-2018-6168

    Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross
    Origin Resource Sharing policy.

CVE-2018-6169

    Sam P discovered a way to bypass permissions when installing
    extensions.

CVE-2018-6170

    A type confusion issue was discovered in the pdfium library.

CVE-2018-6171

    A use-after-free issue was discovered in the WebBluetooth
    implementation.

CVE-2018-6172

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6173

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6174

    Mark Brand discovered an integer overflow issue in the swiftshader
    library.

CVE-2018-6175

    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6176

    Jann Horn discovered a way to escalate privileges using extensions.

CVE-2018-6177

    Ron Masas discovered an information leak.

CVE-2018-6178

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6179

    It was discovered that information about files local to the system
    could be leaked to extensions.

This version also fixes a regression introduced in the previous security
update that could prevent decoding of particular audio/video codecs.

For the stable distribution (stretch), these problems have been fixed in
version 68.0.3440.75-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4257-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 28, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fuse
CVE ID         : CVE-2018-10906
Debian Bug     : 904439

Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the
bypass of the 'user_allow_other' restriction when SELinux is active
(including in permissive mode). A local user can take advantage of this
flaw in the fusermount utility to bypass the system configuration and
mount a FUSE filesystem with the 'allow_other' mount option.

For the stable distribution (stretch), this problem has been fixed in
version 2.9.7-1+deb9u1.

#1456 sunrat

Posted 30 July 2018 - 09:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4258-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 29, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2018-14395

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (stretch), this problem has been fixed in
version 7:3.2.12-1~deb9u1.

#1457 sunrat

Posted 01 August 2018 - 08:52 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4259-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 31, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914
                 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
                 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075
                 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
                 CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which may result in incorrect processing of HTTP/FTP,
directory traversal, command injection, unintended socket creation or
information disclosure.

This update also fixes several issues in RubyGems which could allow an
attacker to use specially crafted gem files to mount cross-site scripting
attacks, cause denial of service through an infinite loop, write arbitrary
files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u3.

#1458 sunrat

Posted 02 August 2018 - 09:04 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4260-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 02, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmspack
CVE ID         : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682
Debian Bug     : 904799 904800 904801 904802

Several vulnerabilities were discovered in libmspack, a library used to
handle Microsoft compression formats. A remote attacker could craft
malicious CAB, CHM or KWAJ files and use these flaws to cause a denial
of service via application crash, or potentially execute arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 0.5-1+deb9u2.

#1459 sunrat

Posted 05 August 2018 - 09:12 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4261-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 03, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vim-syntastic
CVE ID         : CVE-2018-11319

Enrico Zini discovered a vulnerability in Syntastic, an addon
module for the Vim editor that runs a file through external checkers
and displays any resulting errors. Config files were looked up in the
current working directory which could result in arbitrary
shell code execution if a malformed source code file is opened.

For the stable distribution (stretch), this problem has been fixed in
version 3.7.0-1+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4262-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 03, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : symfony
CVE ID         : CVE-2016-2403 CVE-2017-1665 CVE-2017-16653
                 CVE-2017-16654 CVE-2017-16790 CVE-2018-11385
                 CVE-2018-11386 CVE-2018-11406

Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to open redirects, cross-site request forgery,
information disclosure, session fixation or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.7+dfsg-1.3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4263-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 04, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cgit
CVE ID         : CVE-2018-14912
Debian Bug     : 905382

Jann Horn discovered a directory traversal vulnerability in cgit, a fast
web frontend for git repositories written in C. A remote attacker can
take advantage of this flaw to retrieve arbitrary files via a specially
crafted request, when 'enable-http-clone=1' (default) is not turned off.

For the stable distribution (stretch), this problem has been fixed in
version 1.1+git2.10.2-3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4264-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2018-14574

Andreas Hug discovered an open redirect in Django, a Python web
development framework, which is exploitable if
django.middleware.common.CommonMiddleware is used and the APPEND_SLASH
setting is enabled.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.7-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4265-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xml-security-c
CVE ID         : not yet available

It was discovered that the Apache XML Security for C++ library performed
insufficient validation of KeyInfo hints, which could result in denial
of service via NULL pointer dereferences when processing malformed XML
data.

For the stable distribution (stretch), this problem has been fixed in
version 1.7.3-4+deb9u1.

#1460 sunrat

Posted 06 August 2018 - 09:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4266-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 06, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-5390 CVE-2018-13405

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial of service.

CVE-2018-5390

    Juha-Matti Tilli discovered that a remote attacker can trigger the
    worst case code paths for TCP stream reassembly with low rates of
    specially crafted packets leading to remote denial of service.

CVE-2018-13405

    Jann Horn discovered that the inode_init_owner function in
    fs/inode.c in the Linux kernel allows local users to create files
    with an unintended group ownership allowing attackers to escalate
    privileges by making a plain file executable and SGID.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u1. This update includes fixes for several
regressions in the latest point release.

#1461 sunrat

Posted 08 August 2018 - 08:39 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4267-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 08, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kamailio
CVE ID         : CVE-2018-14767

Henning Westerholt discovered a flaw related to the To header processing
in kamailio, a very fast, dynamic and configurable SIP server. Missing
input validation in the build_res_buf_from_sip_req function could result
in denial of service and potentially the execution of arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 4.4.4-2+deb9u2.

#1462 sunrat

Posted 12 August 2018 - 08:28 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4268-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2018-2952

It was discovered that the PatternSyntaxException class in the
Concurrency component of OpenJDK, an implementation of the Oracle Java
platform could result in denial of service via excessive memory
consumption.
      
For the stable distribution (stretch), this problem has been fixed in
version 8u181-b13-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4269-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 10, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.6
CVE ID         : CVE-2018-10915 CVE-2018-10925

Two vulnerabilities have been found in the PostgreSQL database system:

CVE-2018-10915

    Andrew Krasichkov discovered that libpq did not reset all its
    connection state during reconnects.

CVE-2018-10925

    It was discovered that some "CREATE TABLE" statements could
    disclose server memory.

For additional information please refer to the upstream announcement
at https://www.postgres...bout/news/1878/

For the stable distribution (stretch), these problems have been fixed in
version 9.6.10-0+deb9u1.

#1463 sunrat

Posted 13 August 2018 - 07:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4270-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 13, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gdm3
CVE ID         : CVE-2018-14424

Chris Coulson discovered a use-after-free flaw in the GNOME Display
Manager, triggerable by an unprivileged user via a specially crafted
sequence of D-Bus method calls, leading to denial of service or
potentially the execution of arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.3-3+deb9u2.

#1464 sunrat (Forum Moderators, 5,619 posts)

Posted 14 August 2018 - 08:29 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4271-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 14, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2018-10858 CVE-2018-10919

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2018-10858

    Svyatoslav Phirsov discovered that insufficient input validation in
    libsmbclient allowed a malicious Samba server to write to the
    client's heap memory.

CVE-2018-10919

    Phillip Kuhrt discovered that Samba when acting as an Active Domain
    controller disclosed some sensitive attributes.

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4272-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 14, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-5391

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker can take advantage of this flaw to trigger time and
    calculation expensive fragment reassembly algorithms by sending
    specially crafted packets, leading to remote denial of service.

    This is mitigated by reducing the default limits on memory usage
    for incomplete fragmented packets.  The same mitigation can be
    achieved without the need to reboot, by setting the sysctls:

    net.ipv4.ipfrag_high_thresh = 262144
    net.ipv6.ip6frag_high_thresh = 262144
    net.ipv4.ipfrag_low_thresh = 196608
    net.ipv6.ip6frag_low_thresh = 196608

    The default values may still be increased by local configuration
    if necessary.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.110-3+deb9u2.
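The FragmentSmack advisory above (DSA-4272-1) gives four sysctl values as a reboot-free mitigation. The script below is an added example, not part of the advisory or of Debian's kernel packaging: it audits a host's fragment reassembly thresholds against those values and prints a sysctl.d drop-in that applies them. The function names, the `SAMPLE_BEFORE` text and the 4 MiB / 3 MiB numbers in it are constructed for the example (chosen to match the defaults older kernels used), not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of DSA-4272-1 or of the Debian kernel package:
# audit a host's IP fragment reassembly thresholds against the FragmentSmack
# mitigation values the advisory gives, and emit a sysctl.d drop-in for them.
# POSIX sh; only awk and sysctl(8) are used.

# Mitigation values quoted in the advisory (bytes).
FRAG_HIGH=262144
FRAG_LOW=196608

# The four sysctl keys named in the advisory, one per line.
fragment_keys() {
    printf '%s\n' \
        net.ipv4.ipfrag_high_thresh \
        net.ipv6.ip6frag_high_thresh \
        net.ipv4.ipfrag_low_thresh \
        net.ipv6.ip6frag_low_thresh
}

# expected_value KEY: print the advisory's value for KEY.
expected_value() {
    case "$1" in
        *high_thresh) echo "$FRAG_HIGH" ;;
        *low_thresh)  echo "$FRAG_LOW" ;;
        *) return 1 ;;
    esac
}

# mitigation_sysctl_conf: print the body of a drop-in for /etc/sysctl.d/.
mitigation_sysctl_conf() {
    for key in $(fragment_keys); do
        printf '%s = %s\n' "$key" "$(expected_value "$key")"
    done
}

# audit_sysctl_text TEXT: TEXT holds "key = value" lines as printed by
# `sysctl net.ipv4.ipfrag_high_thresh ...` (or read from a sysctl.conf file).
# Prints one verdict per key: OK (at or below the advisory value), HIGH
# (above it, i.e. the pre-mitigation behaviour unless raised deliberately)
# or MISSING (key absent or not numeric). Returns 0 only when every key is OK.
audit_sysctl_text() {
    status=0
    for key in $(fragment_keys); do
        want=$(expected_value "$key")
        have=$(printf '%s\n' "$1" |
            awk -v k="$key" '$1 == k && $2 == "=" { print $3; exit }')
        case "$have" in
            ''|*[!0-9]*)
                echo "MISSING $key"
                status=1 ;;
            *)
                if [ "$have" -le "$want" ]; then
                    echo "OK $key $have"
                else
                    echo "HIGH $key $have (advisory value $want)"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# audit_live_host: the same check against the running kernel (needs sysctl(8)).
audit_live_host() {
    audit_sysctl_text "$(sysctl $(fragment_keys) 2>/dev/null)"
}

# Constructed sample output (not captured from a real host): the 4 MiB high /
# 3 MiB low watermarks older kernels defaulted to before the update.
SAMPLE_BEFORE='net.ipv4.ipfrag_high_thresh = 4194304
net.ipv6.ip6frag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv6.ip6frag_low_thresh = 3145728'

audit_sysctl_text "$SAMPLE_BEFORE" || echo "sample host still needs the mitigation"
echo "--- drop-in body for /etc/sysctl.d/ ---"
mitigation_sysctl_conf
```

Run `audit_live_host` as an unprivileged user to see where a machine stands; writing the drop-in and running `sysctl --system` (or rebooting into the fixed kernel) needs root. Because the advisory allows local configuration to raise the limits again, a HIGH verdict is something to confirm against the host's own sysctl files rather than an automatic finding.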

#1465 sunrat (Forum Moderators, 5,619 posts)

Posted 16 August 2018 - 08:53 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4273-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 16, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2018-3639 CVE-2018-3640

This update ships updated CPU microcode for some types of Intel CPUs and
provides SSBD support (needed to address "Spectre v4") and fixes for
"Spectre v3a".
    
For the stable distribution (stretch), these problems have been fixed in
version 3.20180703.2~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4274-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 16, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3620 CVE-2018-3646

This update provides mitigations for the "L1 Terminal Fault"
vulnerability affecting a range of Intel CPUs.

For additional information please refer to
https://xenbits.xen....visory-273.html. The microcode updates
mentioned there are not yet available in a form distributable by Debian.

In addition two denial of service vulnerabilities have been fixed
(XSA-268 and XSA-269).

For the stable distribution (stretch), these problems have been fixed in
version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4275-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 16, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : keystone
CVE ID         : CVE-2018-14432
Debian Bug     : 904616

Kristi Nikolla discovered an information leak in Keystone, the OpenStack
identity service, if running in a federated setup.

For the stable distribution (stretch), this problem has been fixed in
version 2:10.0.0-9+deb9u1.