sunrat Posted April 5, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4167-1    security@debian.org
https://www.debian.org/security/    Luciano Bello
April 05, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : sharutils
CVE ID : CVE-2018-1000097
Debian Bug : 893525

A buffer-overflow vulnerability was discovered in Sharutils, a set of utilities to handle Shell Archives. An attacker with control on the input of the unshar command could crash the application or execute arbitrary code in its context.

For the oldstable distribution (jessie), this problem has been fixed in version 4.14-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1:4.15.2-2+deb9u1.
sunrat Posted April 8, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4168-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 08, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : squirrelmail
CVE ID : CVE-2018-8741
Debian Bug : 893202

Florian Grunow and Birk Kauer of ERNW discovered a path traversal vulnerability in SquirrelMail, a webmail application, allowing an authenticated remote attacker to retrieve or delete arbitrary files via mail attachment.

For the oldstable distribution (jessie), this problem has been fixed in version 2:1.4.23~svn20120406-2+deb8u2.
sunrat Posted April 11, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4170-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 09, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pjproject
CVE ID : CVE-2017-16872 CVE-2017-16875 CVE-2018-1000098 CVE-2018-1000099

Multiple vulnerabilities have been discovered in the PJSIP/PJProject multimedia communication which may result in denial of service during the processing of SIP and SDP messages and ioqueue keys.

For the stable distribution (stretch), these problems have been fixed in version 2.5.5~dfsg-6+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4169-1    security@debian.org
https://www.debian.org/security/    Yves-Alexis Perez
April 11, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pcs
CVE ID : CVE-2018-1086
Debian Bug : 895313

Cédric Buissart from Red Hat discovered an information disclosure bug in pcs, a pacemaker command line interface and GUI. The REST interface normally doesn't allow passing --debug parameter to prevent information leak, but the check wasn't sufficient.

For the stable distribution (stretch), this problem has been fixed in version 0.9.155+dfsg-2+deb9u1.
sunrat Posted April 14, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4079-2    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 12, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : poppler
CVE ID : CVE-2017-9776
Debian Bug : 890826

It was discovered that the poppler upload for the oldstable distribution (jessie), released as DSA-4079-1, did not correctly address CVE-2017-9776 and additionally caused regressions when rendering PDFs embedding JBIG2 streams. Updated packages are now available to correct this issue.

For the oldstable distribution (jessie), this problem has been fixed in version 0.26.5-2+deb8u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4171-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 13, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby-loofah
CVE ID : CVE-2018-8048
Debian Bug : 893596

The Shopify Application Security Team reported that ruby-loofah, a general library for manipulating and transforming HTML/XML documents and fragments, allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. This might allow to mount a code injection attack into a browser consuming sanitized output.

For the stable distribution (stretch), this problem has been fixed in version 2.0.3-2+deb9u1.
sunrat Posted April 16, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4172-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 14, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : perl
CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-6797
Brian Carpenter reported that a crafted regular expression could cause a heap buffer write overflow, with control over the bytes written.

CVE-2018-6798
Nguyen Duc Manh reported that matching a crafted locale dependent regular expression could cause a heap buffer read overflow and potentially information disclosure.

CVE-2018-6913
GwanYeong Kim reported that 'pack()' could cause a heap buffer write overflow with a large item count.

For the oldstable distribution (jessie), these problems have been fixed in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update contains only a fix for CVE-2018-6913.

For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u3.
sunrat Posted April 17, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4173-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 16, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : r-cran-readxl
CVE ID : CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12110 CVE-2017-12111

Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R package to read Excel files (via the integrated libxls library), which could result in the execution of arbitrary code if a malformed spreadsheet is processed.

For the stable distribution (stretch), these problems have been fixed in version 0.1.1-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4174-1    security@debian.org
https://www.debian.org/security/    Sebastien Delafond
April 17, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : corosync
CVE ID : CVE-2018-1084
Debian Bug : 895653

The Citrix Security Response Team discovered that corosync, a cluster engine implementation, allowed an unauthenticated user to cause a denial-of-service by application crash.

For the stable distribution (stretch), this problem has been fixed in version 2.4.2-3+deb9u1.
sunrat Posted April 20, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4175-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 18, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : freeplane
CVE ID : CVE-2018-1000069
Debian Bug : 893663

Wojciech Regula discovered an XML External Entity vulnerability in the XML Parser of the mindmap loader in freeplane, a Java program for working with mind maps, resulting in potential information disclosure if a malicious mind map file is opened.

For the oldstable distribution (jessie), this problem has been fixed in version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.5.18-1+deb9u1.
sunrat Posted April 21, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4176-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 20, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781
         CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.60, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.60-0+deb8u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4177-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 20, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libsdl2-image
CVE ID : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
         CVE-2017-14442 CVE-2017-14448 CVE-2017-14449 CVE-2017-14450
         CVE-2018-3837 CVE-2018-3838 CVE-2018-3839

Multiple vulnerabilities have been discovered in the image loading library for Simple DirectMedia Layer 2, which could result in denial of service or the execution of arbitrary code if malformed image files are opened.

For the oldstable distribution (jessie), these problems have been fixed in version 2.0.0+dfsg-3+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2.0.1+dfsg-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4178-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 20, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2018-10119 CVE-2018-10120

Two vulnerabilities were discovered in LibreOffice's code to parse MS Word and Structured Storage files, which could result in denial of service and potentially the execution of arbitrary code if a malformed file is opened.

For the oldstable distribution (jessie), these problems have been fixed in version 1:4.3.3-2+deb8u11.

For the stable distribution (stretch), these problems have been fixed in version 1:5.2.7-1+deb9u4.
sunrat Posted April 25, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4179-1    security@debian.org
https://www.debian.org/security/    Ben Hutchings
April 24, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux-tools

This update doesn't fix a vulnerability in linux-tools, but provides support for building Linux kernel modules with the "retpoline" mitigation for CVE-2017-5715 (Spectre variant 2).

This update also includes bug fixes from the upstream Linux 3.16 stable branch up to and including 3.16.56.

For the oldstable distribution (jessie), this problem has been fixed in version 3.16.56-1.
sunrat Posted April 27, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4180-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 25, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2018-7602
Debian Bug : 896701

A remote code execution vulnerability has been found in Drupal, a fully-featured content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2018-004

For the oldstable distribution (jessie), this problem has been fixed in version 7.32-1+deb8u12.

For the stable distribution (stretch), this problem has been fixed in version 7.52-2+deb9u4.
sunrat Posted April 29, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4182-1    security@debian.org
https://www.debian.org/security/    Michael Gilbert
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2018-6056 CVE-2018-6057 CVE-2018-6060 CVE-2018-6061
         CVE-2018-6062 CVE-2018-6063 CVE-2018-6064 CVE-2018-6065
         CVE-2018-6066 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069
         CVE-2018-6070 CVE-2018-6071 CVE-2018-6072 CVE-2018-6073
         CVE-2018-6074 CVE-2018-6075 CVE-2018-6076 CVE-2018-6077
         CVE-2018-6078 CVE-2018-6079 CVE-2018-6080 CVE-2018-6081
         CVE-2018-6082 CVE-2018-6083 CVE-2018-6085 CVE-2018-6086
         CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090
         CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094
         CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098
         CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102
         CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106
         CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110
         CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114
         CVE-2018-6116 CVE-2018-6117

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-6056
lokihardt discovered an error in the v8 javascript library.

CVE-2018-6057
Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6060
Omair discovered a use-after-free issue in blink/webkit.

CVE-2018-6061
Guang Gong discovered a race condition in the v8 javascript library.

CVE-2018-6062
A heap overflow issue was discovered in the v8 javascript library.

CVE-2018-6063
Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6064
lokihardt discovered a type confusion error in the v8 javascript library.

CVE-2018-6065
Mark Brand discovered an integer overflow issue in the v8 javascript library.

CVE-2018-6066
Masato Kinugawa discovered a way to bypass the Same Origin Policy.

CVE-2018-6067
Ned Williamson discovered a buffer overflow issue in the skia library.

CVE-2018-6068
Luan Herrera discovered object lifecycle issues.

CVE-2018-6069
Wanglu and Yangkang discovered a stack overflow issue in the skia library.

CVE-2018-6070
Rob Wu discovered a way to bypass the Content Security Policy.

CVE-2018-6071
A heap overflow issue was discovered in the skia library.

CVE-2018-6072
Atte Kettunen discovered an integer overflow issue in the pdfium library.

CVE-2018-6073
Omair discovered a heap overflow issue in the WebGL implementation.

CVE-2018-6074
Abdulrahman Alqabandi discovered a way to cause a downloaded web page to not contain a Mark of the Web.

CVE-2018-6075
Inti De Ceukelaire discovered a way to bypass the Same Origin Policy.

CVE-2018-6076
Mateusz Krzeszowiec discovered that URL fragment identifiers could be handled incorrectly.

CVE-2018-6077
Khalil Zhani discovered a timing issue.

CVE-2018-6078
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6079
Ivars discovered an information disclosure issue.

CVE-2018-6080
Gal Beniamini discovered an information disclosure issue.

CVE-2018-6081
Rob Wu discovered a cross-site scripting issue.

CVE-2018-6082
WenXu Wu discovered a way to bypass blocked ports.

CVE-2018-6083
Jun Kokatsu discovered that AppManifests could be handled incorrectly.

CVE-2018-6085
Ned Williamson discovered a use-after-free issue.

CVE-2018-6086
Ned Williamson discovered a use-after-free issue.

CVE-2018-6087
A use-after-free issue was discovered in the WebAssembly implementation.

CVE-2018-6088
A use-after-free issue was discovered in the pdfium library.

CVE-2018-6089
Rob Wu discovered a way to bypass the Same Origin Policy.

CVE-2018-6090
ZhanJia Song discovered a heap overflow issue in the skia library.

CVE-2018-6091
Jun Kokatsu discovered that plugins could be handled incorrectly.

CVE-2018-6092
Natalie Silvanovich discovered an integer overflow issue in the WebAssembly implementation.

CVE-2018-6093
Jun Kokatsu discovered a way to bypass the Same Origin Policy.

CVE-2018-6094
Chris Rohlf discovered a regression in garbage collection hardening.

CVE-2018-6095
Abdulrahman Alqabandi discovered files could be uploaded without user interaction.

CVE-2018-6096
WenXu Wu discovered a user interface spoofing issue.

CVE-2018-6097
xisigr discovered a user interface spoofing issue.

CVE-2018-6098
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6099
Jun Kokatsu discovered a way to bypass the Cross Origin Resource Sharing mechanism.

CVE-2018-6100
Lnyas Zhang discovered a URL spoofing issue.

CVE-2018-6101
Rob Wu discovered an issue in the developer tools remote debugging protocol.

CVE-2018-6102
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6103
Khalil Zhani discovered a user interface spoofing issue.

CVE-2018-6104
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6105
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6106
lokihardt discovered that v8 promises could be handled incorrectly.

CVE-2018-6107
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6108
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6109
Dominik Weber discovered a way to misuse the FileAPI feature.

CVE-2018-6110
Wenxiang Qian discovered that local plain text files could be handled incorrectly.

CVE-2018-6111
Khalil Zhani discovered a use-after-free issue in the developer tools.

CVE-2018-6112
Khalil Zhani discovered incorrect handling of URLs in the developer tools.

CVE-2018-6113
Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6114
Lnyas Zhang discovered a way to bypass the Content Security Policy.

CVE-2018-6116
Chengdu Security Response Center discovered an error when memory is low.

CVE-2018-6117
Spencer Dailey discovered an error in form autofill settings.

For the oldstable distribution (jessie), security support for chromium has been discontinued.

For the stable distribution (stretch), these problems have been fixed in version 66.0.3359.117-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4181-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2018-9846
Debian Bug : 895184

Andrea Basile discovered that the 'archive' plugin in roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize a user-controlled parameter, allowing a remote attacker to inject arbitrary IMAP commands and perform malicious actions.

For the stable distribution (stretch), this problem has been fixed in version 1.2.3+dfsg.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4183-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tor
CVE ID : CVE-2018-0490

It has been discovered that Tor, a connection-based low-latency anonymous communication system, contains a protocol-list handling bug that could be used to remotely crash directory authorities with a null-pointer exception (TROVE-2018-001).

For the stable distribution (stretch), this problem has been fixed in version 0.2.9.15-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4184-1    security@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : sdl-image1.2
CVE ID : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
         CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3837
         CVE-2018-3838 CVE-2018-3839
Debian Bug : 878267

Multiple vulnerabilities have been discovered in the image loading library for Simple DirectMedia Layer 1.2, which could result in denial of service or the execution of arbitrary code if malformed image files are opened.

For the oldstable distribution (jessie), these problems have been fixed in version 1.2.12-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1.2.12-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4185-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
         CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
         CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.

For the stable distribution (stretch), these problems have been fixed in version 8u171-b11-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4186-1    security@debian.org
https://www.debian.org/security/    Moritz Muehlenhoff
April 28, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gunicorn
CVE ID : CVE-2018-1000164

It was discovered that gunicorn, an event-based HTTP/WSGI server was susceptible to HTTP Response splitting.

For the oldstable distribution (jessie), this problem has been fixed in version 19.0-1+deb8u1.
sunrat Posted May 2, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4187-1    security@debian.org
https://www.debian.org/security/    Ben Hutchings
May 01, 2018    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753
         CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911
         CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
         CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241
         CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332
         CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
         CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757
         CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004
         CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2015-9016
Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation.

CVE-2017-0861
Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice.

CVE-2017-5715
Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-5753
Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function. More use sites will be added over time.

CVE-2017-13166
A bug in the 32-bit compatibility layer of the v4l2 ioctl handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. On a 64-bit kernel a local user with access to a suitable video device can exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2017-13220
Al Viro reported that the Bluetooth HIDP implementation could dereference a pointer before performing the necessary type check. A local user could use this to cause a denial of service.

CVE-2017-16526
Andrey Konovalov reported that the UWB subsystem may dereference an invalid pointer in an error case. A local user might be able to use this for denial of service.

CVE-2017-16911
Secunia Research reported that the USB/IP vhci_hcd driver exposed kernel heap addresses to local users. This information could aid the exploitation of other vulnerabilities.

CVE-2017-16912
Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to an out-of-bounds read. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16913
Secunia Research reported that the USB/IP stub driver failed to perform a range check on a received packet header field, leading to excessive memory allocation. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-16914
Secunia Research reported that the USB/IP stub driver failed to check for an invalid combination of fields in a received packet, leading to a null pointer dereference. A remote user able to connect to the USB/IP server could use this for denial of service.

CVE-2017-18017
Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module failed to validate TCP header lengths, potentially leading to a use-after-free. If this module is loaded, it could be used by a remote attacker for denial of service or possibly for code execution.

CVE-2017-18203
Hou Tao reported that there was a race condition in creation and deletion of device-mapper (DM) devices. A local user could potentially use this for denial of service.

CVE-2017-18216
Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service.

CVE-2017-18232
Jason Yan reported a race condition in the SAS (Serial-Attached SCSI) subsystem, between probing and destroying a port. This could lead to a deadlock. A physically present attacker could use this to cause a denial of service.

CVE-2017-18241
Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service.

CVE-2018-1066
Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service.

CVE-2018-1068
The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default.

CVE-2018-1092
Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-5332
Mohamed Ghannam reported that the RDS protocol did not sufficiently validate RDMA requests, leading to an out-of-bounds write. A local attacker on a system with the rds module loaded could use this for denial of service or possibly for privilege escalation.

CVE-2018-5333
Mohamed Ghannam reported that the RDS protocol did not properly handle an error case, leading to a null pointer dereference. A local attacker on a system with the rds module loaded could possibly use this for denial of service.

CVE-2018-5750
Wang Qize reported that the ACPI sbshc driver logged a kernel heap address. This information could aid the exploitation of other vulnerabilities.

CVE-2018-5803
Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-6927
Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did not check for negative parameter values, which might lead to a denial of service or other security impact.

CVE-2018-7492
The syzkaller tool found that the RDS protocol was lacking a null pointer check. A local attacker on a system with the rds module loaded could use this for denial of service.

CVE-2018-7566
Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740
Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757
Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995
Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8781
Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822
Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-1000004
Luo Quan reported a race condition in the ALSA (sound) sequencer core, between multiple ioctl operations. This could lead to a deadlock or use-after-free. A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-1000199
Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4188-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-5715
Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the "retpoline" compiler feature which allows indirect branches to be isolated from speculative execution.

CVE-2017-5753
Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function.
More use sites will be added over time.

CVE-2017-17975
Tuba Yavuz reported a use-after-free flaw in the USBTV007 audio-video grabber driver. A local user could use this for denial of service by triggering failure of audio registration.

CVE-2017-18193
Yunlei He reported that the f2fs implementation does not properly handle extent trees, allowing a local user to cause a denial of service via an application with multiple threads.

CVE-2017-18216
Alex Chen reported that the OCFS2 filesystem failed to hold a necessary lock during nodemanager sysfs file operations, potentially leading to a null pointer dereference. A local user could use this for denial of service.

CVE-2017-18218
Jun He reported a use-after-free flaw in the Hisilicon HNS ethernet driver. A local user could use this for denial of service.

CVE-2017-18222
It was reported that the Hisilicon Network Subsystem (HNS) driver implementation does not properly handle ethtool private flags. A local user could use this for denial of service or possibly have other impact.

CVE-2017-18224
Alex Chen reported that the OCFS2 filesystem omits the use of a semaphore and consequently has a race condition for access to the extent tree during read operations in DIRECT mode. A local user could use this for denial of service.

CVE-2017-18241
Yunlei He reported that the f2fs implementation does not properly initialise its state if the "noflush_merge" mount option is used. A local user with access to a filesystem mounted with this option could use this to cause a denial of service.

CVE-2017-18257
It was reported that the f2fs implementation is prone to an infinite loop caused by an integer overflow in the __get_data_block() function. A local user can use this for denial of service via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.

CVE-2018-1065
The syzkaller tool found a NULL pointer dereference flaw in the netfilter subsystem when handling certain malformed iptables rulesets.
A local user with the CAP_NET_RAW or CAP_NET_ADMIN capability (in any user namespace) could use this to cause a denial of service. Debian disables unprivileged user namespaces by default.

CVE-2018-1066
Dan Aloni reported to Red Hat that the CIFS client implementation would dereference a null pointer if the server sent an invalid response during NTLMSSP setup negotiation. This could be used by a malicious server for denial of service.

CVE-2018-1068
The syzkaller tool found that the 32-bit compatibility layer of ebtables did not sufficiently validate offset values. On a 64-bit kernel, a local user with the CAP_NET_ADMIN capability (in any user namespace) could use this to overwrite kernel memory, possibly leading to privilege escalation. Debian disables unprivileged user namespaces by default.

CVE-2018-1092
Wen Xu reported that a crafted ext4 filesystem image would trigger a null dereference when mounted. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-1093
Wen Xu reported that a crafted ext4 filesystem image could trigger an out-of-bounds read in the ext4_valid_block_bitmap() function. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-1108
Jann Horn reported that crng_ready() does not properly handle the crng_init variable states and the RNG could be treated as cryptographically safe too early after system boot.

CVE-2018-5803
Alexey Kodanev reported that the SCTP protocol did not range-check the length of chunks to be created. A local or remote user could use this to cause a denial of service.

CVE-2018-7480
Hou Tao discovered a double-free flaw in the blkcg_init_queue() function in block/blk-cgroup.c. A local user could use this to cause a denial of service or have other impact.

CVE-2018-7566
Fan LongFei reported a race condition in the ALSA (sound) sequencer core, between write and ioctl operations. This could lead to an out-of-bounds access or use-after-free.
A local user with access to a sequencer device could use this for denial of service or possibly for privilege escalation.

CVE-2018-7740
Nic Losby reported that the hugetlbfs filesystem's mmap operation did not properly range-check the file offset. A local user with access to files on a hugetlbfs filesystem could use this to cause a denial of service.

CVE-2018-7757
Jason Yan reported a memory leak in the SAS (Serial-Attached SCSI) subsystem. A local user on a system with SAS devices could use this to cause a denial of service.

CVE-2018-7995
Seunghun Han reported a race condition in the x86 MCE (Machine Check Exception) driver. This is unlikely to have any security impact.

CVE-2018-8087
A memory leak flaw was found in the hwsim_new_radio_nl() function in the simulated radio testing tool driver for mac80211, allowing a local user to cause a denial of service.

CVE-2018-8781
Eyal Itkin reported that the udl (DisplayLink) driver's mmap operation did not properly range-check the file offset. A local user with access to a udl framebuffer device could exploit this to overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822
Dr Silvio Cesare of InfoSect reported that the ncpfs client implementation did not validate reply lengths from the server. An ncpfs server could use this to cause a denial of service or remote code execution in the client.

CVE-2018-10323
Wen Xu reported a NULL pointer dereference flaw in the xfs_bmapi_write() function triggered when mounting and operating a crafted xfs filesystem image. A local user able to mount arbitrary filesystems could use this for denial of service.

CVE-2018-1000199
Andy Lutomirski discovered that the ptrace subsystem did not sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for privilege escalation, on x86 (amd64 and i386) and possibly other architectures.

For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1.

sunrat Posted May 4, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4189-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 02, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : quassel
CVE ID : CVE-2018-1000178 CVE-2018-1000179

Two vulnerabilities were found in the Quassel IRC client, which could result in the execution of arbitrary code or denial of service.

Note that you need to restart the 'quasselcore' service after upgrading the Quassel packages.

For the oldstable distribution (jessie), these problems have been fixed in version 1:0.10.0-2.3+deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 1:0.12.4-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4190-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
May 03, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jackson-databind
CVE ID : CVE-2018-7489
Debian Bug : 891614

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing because of an incomplete fix for CVE-2017-7525.

For the oldstable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in version 2.8.6-1+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4191-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
May 03, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : redmine
CVE ID : CVE-2017-15568 CVE-2017-15569 CVE-2017-15570 CVE-2017-15571 CVE-2017-15572 CVE-2017-15573 CVE-2017-15574 CVE-2017-15575 CVE-2017-15576 CVE-2017-15577 CVE-2017-16804 CVE-2017-18026
Debian Bug : 882544 882545 882547 882548 887307

Multiple vulnerabilities were discovered in Redmine, a project management web application. They could lead to remote code execution, information disclosure or cross-site scripting attacks.

For the stable distribution (stretch), these problems have been fixed in version 3.3.1-4+deb9u1.

sunrat Posted May 6, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4192-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 04, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libmad
CVE ID : CVE-2017-8372 CVE-2017-8373 CVE-2017-8374

Several vulnerabilities were discovered in MAD, an MPEG audio decoder library, which could result in denial of service if a malformed audio file is processed.

For the oldstable distribution (jessie), these problems have been fixed in version 0.15.1b-8+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 0.15.1b-8+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4193-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 05, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wordpress
CVE ID : CVE-2018-10100 CVE-2018-10101 CVE-2018-10102
Debian Bug : 895034

Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects. More information can be found in the upstream advisory at https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/

For the oldstable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u17.

For the stable distribution (stretch), these problems have been fixed in version 4.7.5+dfsg-2+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4194-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 06, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lucene-solr
CVE ID : CVE-2018-1308

An XML external entity expansion vulnerability was discovered in the DataImportHandler of Solr, a search server based on Lucene, which could result in information disclosure.

For the oldstable distribution (jessie), this problem has been fixed in version 3.6.2+dfsg-5+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 3.6.2+dfsg-10+deb9u2.

sunrat Posted May 9, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4195-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wget
CVE ID : CVE-2018-0494
Debian Bug : 898076

Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values.

For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4196-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-1087 CVE-2018-8897
Debian Bug : 897427 897599 898067 898100

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

CVE-2018-1087
Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM guest user to crash the guest or potentially escalate their privileges.

CVE-2018-8897
Nick Peterson of Everdox Tech LLC discovered that #DB exceptions that are deferred by MOV SS or POP SS are not properly handled, allowing an unprivileged user to crash the kernel and cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1+deb8u1. This update includes various fixes for regressions from 3.16.56-1 as released in DSA-4187-1 (Cf. #897427, #898067 and #898100).

For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1 is temporarily reverted due to various regressions, cf. #897599.

sunrat Posted May 9, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4197-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 09, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wavpack
CVE ID : CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540

Multiple vulnerabilities were discovered in the wavpack audio codec which could result in denial of service or the execution of arbitrary code if malformed media files are processed.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), these problems have been fixed in version 5.0.0-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4198-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 09, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : prosody
CVE ID : CVE-2017-18265
Debian Bug : 875829

Albert Dengg discovered that incorrect parsing of <stream:error> messages in the Prosody Jabber/XMPP server may result in denial of service.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in version 0.9.12-2+deb9u1.

sunrat Posted May 13, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4199-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 10, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5157 CVE-2018-5158 CVE-2018-5159 CVE-2018-5168 CVE-2018-5178 CVE-2018-5183

Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code or denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 52.8.0esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 52.8.0esr-1~deb9u1.

sunrat Posted May 14, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4200-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : kwallet-pam
CVE ID : CVE-2018-10380

Fabian Vogt discovered that incorrect permission handling in the PAM module of the KDE Wallet could allow an unprivileged local user to gain ownership of arbitrary files.

For the stable distribution (stretch), this problem has been fixed in version 5.8.4-1+deb9u2.

sunrat Posted May 17, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4201-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 15, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2018-8897 CVE-2018-10471 CVE-2018-10472 CVE-2018-10981 CVE-2018-10982

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-8897
Andy Lutomirski and Nick Peterson discovered that incorrect handling of debug exceptions could result in privilege escalation.

CVE-2018-10471
An error was discovered in the mitigations against Meltdown which could result in denial of service.

CVE-2018-10472
Anthony Perard discovered that incorrect parsing of CDROM images can result in information disclosure.

CVE-2018-10981
Jan Beulich discovered that malformed device models could result in denial of service.

CVE-2018-10982
Roger Pau Monne discovered that incorrect handling of high precision event timers could result in denial of service and potentially privilege escalation.

For the stable distribution (stretch), these problems have been fixed in version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4202-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 16, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000301
Debian Bug : 898856

OSS-fuzz, assisted by Max Dymond, discovered that cURL, an URL transfer library, could be tricked into reading data beyond the end of a heap based buffer when parsing invalid headers in an RTSP response.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u6.

sunrat Posted May 22, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : vlc
CVE ID : CVE-2017-17670

Hans Jerry Illikainen discovered a type conversion vulnerability in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played.

This update upgrades VLC in stretch to the new 3.x release series (as security fixes couldn't be sensibly backported to the 2.x series). In addition two packages needed to be rebuilt to ensure compatibility with VLC 3; phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah (4.0.0~DEV1607-2+deb9u1).

VLC in jessie cannot be migrated to version 3 due to incompatible library changes with reverse dependencies and is thus now declared end-of-life for jessie. We recommend to upgrade to stretch or pick a different media player if that's not an option.

For the stable distribution (stretch), this problem has been fixed in version 3.0.2-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4204-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
May 18, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2017-10995 CVE-2017-11533 CVE-2017-11535 CVE-2017-11639 CVE-2017-13143 CVE-2017-17504 CVE-2017-17879 CVE-2018-5248
Debian Bug : 867748 869827 869834 870012 870065 885125 885340 886588

This update fixes several vulnerabilities in imagemagick, a graphical software suite. Various memory handling problems or issues about incomplete input sanitizing would result in denial of service or memory disclosure.

For the oldstable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u12.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4205-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 18, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

This is an advance notice that regular security support for Debian GNU/Linux 8 (code name "jessie") will be terminated on the 17th of June.

As with previous releases additional LTS support will be provided for a reduced set of architectures and packages, a separate announcement will be available in due time.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 21, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gitlab
CVE ID : CVE-2017-0920 CVE-2018-8971

Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code:

CVE-2017-0920
It was discovered that missing validation of merge requests allowed users to see names of private projects, resulting in information disclosure.

CVE-2018-8971
It was discovered that the Auth0 integration was implemented incorrectly.

For the stable distribution (stretch), these problems have been fixed in version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.

sunrat Posted May 23, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4207-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : packagekit
CVE ID : CVE-2018-1106
Debian Bug : 896703

Matthias Gerstner discovered that PackageKit, a DBus abstraction layer for simple software management tasks, contains an authentication bypass flaw allowing users without privileges to install local packages.

For the stable distribution (stretch), this problem has been fixed in version 1.1.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4208-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : procps
CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
Debian Bug : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-1122
top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

CVE-2018-1123
Denial of service against the ps invocation of another user.

CVE-2018-1124
An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

CVE-2018-1125
A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

CVE-2018-1126
Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.

For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

sunrat Posted May 26, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4209-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails.

For the oldstable distribution (jessie), these problems have been fixed in version 1:52.8.0-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1:52.8.0-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4210-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2018-3639

This update provides mitigations for the Spectre v4 variant in x86-based micro processors. On Intel CPUs this requires updated microcode which is currently not released publicly (but your hardware vendor may have issued an update). For servers with AMD CPUs no microcode update is needed, please refer to https://xenbits.xen.org/xsa/advisory-263.html for further information.

For the stable distribution (stretch), this problem has been fixed in version 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4211-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
May 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xdg-utils
CVE ID : CVE-2017-18266
Debian Bug : 898317

Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER in the victim host has a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy to which the network traffic could be intercepted for that particular execution.

For the oldstable distribution (jessie), this problem has been fixed in version 1.1.0~rc1+git20111210-7.4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.1.1-1+deb9u1.

sunrat Posted May 30, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 26, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gitlab
Debian Bug : 900066

The gitlab security update announced as DSA-4206-1 caused regressions when creating merge requests (returning 500 Internal Server Errors) due to an issue in the patch to address CVE-2017-0920. Updated packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in version 8.13.11+dfsg1-8+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4212-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 29, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : git
CVE ID : CVE-2018-11235

Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.

For the oldstable distribution (jessie), this problem has been fixed in version 1:2.1.4-2.1+deb8u6.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4213-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 29, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : qemu
CVE ID : CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550
Debian Bug : 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041

Several vulnerabilities were discovered in qemu, a fast processor emulator.

CVE-2017-15038
Tuomas Tynkkynen discovered an information leak in 9pfs.

CVE-2017-15119
Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service.

CVE-2017-15124
Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service.

CVE-2017-15268
A memory leak in websockets support may result in denial of service.

CVE-2017-15289
Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service.

CVE-2017-16845
Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration.

CVE-2017-17381
Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service.

CVE-2017-18043
Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service.

CVE-2018-5683
Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service.

CVE-2018-7550
Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code.
This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715). For additional information please refer to https://www.qemu.org/2018/01/04/spectre/

For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u4.

sunrat Posted June 2, 2018

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 7 Long Term Support reaching end-of-life         press@debian.org
June 1st, 2018                 https://www.debian.org/News/2018/20180601
------------------------------------------------------------------------

The Debian Long Term Support (LTS) Team hereby announces that Debian 7 "Wheezy" support has reached its end-of-life on May 31, 2018, five years after its initial release on May 4, 2013.

Debian will not provide further security updates for Debian 7. A subset of Wheezy packages will be supported by external parties. Detailed information can be found at Extended LTS [1].

1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 8 "Jessie", which is the current oldstable release. The LTS team will take over support from the Security Team on June 17, 2018.

Debian 8 will also receive Long Term Support for five years after its initial release with support ending on June 30, 2020. The supported architectures include amd64, i386, armel and armhf.

For further information about using Jessie LTS and upgrading from Wheezy LTS, please refer to LTS/Using [2].

2: https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users, developers and sponsors who are making it possible to extend the life of previous stable releases, and who have made this LTS a success.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4214-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 01, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zookeeper
CVE ID         : CVE-2018-8012

It was discovered that Zookeeper, a service for maintaining configuration information, enforced no authentication/authorisation when a server attempts to join a Zookeeper quorum.

This update backports authentication support. Additional configuration steps are needed, please see https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication for additional information.

For the oldstable distribution (jessie), this problem has been fixed in version 3.4.9-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 3.4.9-3+deb9u1.

sunrat Posted June 4, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4215-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : batik
CVE ID         : CVE-2017-5662 CVE-2018-8013
Debian Bug     : 860566 899374

Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.

For the oldstable distribution (jessie), these problems have been fixed in version 1.7+dfsg-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1.8-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4216-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2018-10847
Debian Bug     : 900524

It was discovered that Prosody, a lightweight Jabber/XMPP server, does not properly validate client-provided parameters during XMPP stream restarts, allowing authenticated users to override the realm associated with their session, potentially bypassing security policies and allowing impersonation.

Details can be found in the upstream advisory at https://prosody.im/security/advisory_20180531/

For the oldstable distribution (jessie), this problem has been fixed in version 0.9.7-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in version 0.9.12-2+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4191-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
Debian Bug     : 900283

The redmine security update announced as DSA-4191-1 caused regressions with multi-value fields while doing queries on project issues due to a bug in the patch to address CVE-2017-15569. Updated packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in version 3.3.1-4+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4217-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335
                 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358
                 CVE-2018-11360 CVE-2018-11362

It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u14.

For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u3.

sunrat Posted June 8, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4218-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
CVE ID         : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
Debian Bug     : 868701 894404

Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached (resulting from an incomplete fix for CVE-2016-8705) triggered by specially crafted requests to add/set a key and allowing a remote attacker to cause a denial of service.

CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote attacker can take advantage of it to use the memcached service as a DDoS amplifier.

    Default installations of memcached in Debian are not affected by this issue as the installation defaults to listen only on localhost. This update disables the UDP port by default. Listening on the UDP can be re-enabled in the /etc/memcached.conf (cf. /usr/share/doc/memcached/NEWS.Debian.gz).

CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource leaks, data corruption, deadlocks or crashes.

For the oldstable distribution (jessie), these problems have been fixed in version 1.4.21-1.1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in version 1.4.33-1+deb9u1.

sunrat Posted June 9, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4219-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jruby
CVE ID         : CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075
                 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
                 CVE-2018-1000079
Debian Bug     : 895778

Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 1.7.26-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4220-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 52.8.1esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4221-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvncserver
CVE ID         : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.

For the oldstable distribution (jessie), this problem has been fixed in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in version 0.9.11+dfsg-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in version 1.4.21-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

sunrat Posted June 11, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4225-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 10, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
                 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
                 CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.

For the oldstable distribution (jessie), these problems have been fixed in version 7u181-2.6.14-1~deb8u1.

sunrat Posted June 13, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4226-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-12015
Debian Bug     : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4227-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : plexus-archiver
CVE ID         : CVE-2018-1002200
Debian Bug     : 900953

Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.

For the oldstable distribution (jessie), this problem has been fixed in version 1.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.2-1+deb9u1.

sunrat Posted June 16, 2018

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4228-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 14, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2017-15736
Debian Bug     : 879954

Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection.

For the oldstable distribution (jessie), this problem has been fixed in version 3.0.17-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in version 3.1.4-4~deb9u1.