Jump to content

Bruno

Recommended Posts

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4229-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

June 14, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : strongswan

CVE ID : CVE-2018-5388 CVE-2018-10811

 

Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite.

 

CVE-2018-5388

 

The stroke plugin did not verify the message length when reading from its

control socket. This vulnerability could lead to denial of service. On

Debian write access to the socket requires root permission on default

configuration.

 

CVE-2018-10811

 

A missing variable initialization in IKEv2 key derivation could lead to a

denial of service (crash of the charon IKE daemon) if the openssl plugin is

used in FIPS mode and the negotiated PRF is HMAC-MD5.

 

For the oldstable distribution (jessie), these problems have been fixed

in version 5.2.1-6+deb8u6.

 

For the stable distribution (stretch), these problems have been fixed in

version 5.5.1-4+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4230-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : redis

CVE ID : CVE-2018-11218 CVE-2018-11219

 

Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a

persistent key-value database, which could result in denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 3:3.2.6-3+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4231-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

June 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libgcrypt20

CVE ID : CVE-2018-0495

 

It was discovered that Libgcrypt is prone to a local side-channel attack

allowing recovery of ECDSA private keys.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.7.6-2+deb9u3.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4232-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 20, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2018-3665

 

This update provides mitigations for the "lazy FPU" vulnerability

affecting a range of Intel CPUs, which could result in leaking CPU

register states belonging to another vCPU previously scheduled on the

same CPU. For additional information please refer to

https://xenbits.xen.org/xsa/advisory-267.html

 

For the stable distribution (stretch), this problem has been fixed in

version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4233-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 22, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : bouncycastle

CVE ID : CVE-2018-1000180

 

It was discovered that the low-level interface to the RSA key pair

generator of Bouncy Castle (a Java implementation of cryptographic

algorithms) could perform less Miller-Rabin primality tests than

expected.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.56-1+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4234-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 22, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : lava-server

CVE ID : CVE-2018-12564 CVE-2018-12565

 

Two vulnerabilities were discovered in LAVA, a continuous integration

system for deploying operating systems for running tests, which could

result in information disclosure of files readable by the lavaserver

system user or the execution of arbitrary code via a XMLRPC call.

 

For the stable distribution (stretch), these problems have been fixed in

version 2016.12-3.

Link to comment
Share on other sites

------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 8: 8.11 released press@debian.org

June 23rd, 2018 https://www.debian.org/News/2018/20180623

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the eleventh (and final)

update of its oldstable distribution Debian 8 (codename "jessie"). This

point release mainly adds corrections for security issues, along with a

few adjustments for serious problems. Security advisories have already

been published separately and are referenced where available.

 

After this point release, Debian's Security and Release Teams will no

longer be producing updates for Debian 8. Users wishing to continue to

receive security support should upgrade to Debian 9, or see

https://wiki.debian.org/LTS for details about the subset of

architectures and packages covered by the Long Term Support project.

 

 

The packages for some architectures for DSA 3746, DSA 3944, DSA 3968,

DSA 4010, DSA 4014, DSA 4061, DSA 4075, DSA 4102, DSA 4155, DSA 4209 and

DSA 4218 are not included in this point release for technical reasons.

All other security updates released during the lifetime of "jessie" that

have not previously been part of a point release are included in this

update.

 

Please note that the point release does not constitute a new version of

Debian 8 but only updates some of the packages included. There is no

need to throw away old "jessie" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4235-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2018-5156 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362

CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366

 

Several security issues have been found in the Mozilla Firefox web

browser: Multiple memory safety errors and other implementation errors may

lead to the execution of arbitrary code, denial of service, cross-site

request forgery or information disclosure.

 

For the stable distribution (stretch), these problems have been fixed in

version 52.9.0esr-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4236-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

June 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2018-12891 CVE-2018-12892 CVE-2018-12893

 

Multiple vulnerabilities have been discovered in the Xen hypervisor:

 

CVE-2018-12891

 

It was discovered that insufficient validation of PV MMU operations

may result in denial of service.

 

CVE-2018-12892

 

It was discovered that libxl fails to honour the 'readonly' flag on

HVM-emulated SCSI disks.

 

CVE-2018-12893

 

It was discovered that incorrect implementation of debug exception

checks could result in denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4237-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

June 30, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2018-6118 CVE-2018-6120 CVE-2018-6121 CVE-2018-6122

CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126

CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131

CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135

CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 CVE-2018-6139

CVE-2018-6140 CVE-2018-6141 CVE-2018-6142 CVE-2018-6143

CVE-2018-6144 CVE-2018-6145 CVE-2018-6147 CVE-2018-6148

CVE-2018-6149

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2018-6118

 

Ned Williamson discovered a use-after-free issue.

 

CVE-2018-6120

 

Zhou Aiting discovered a buffer overflow issue in the pdfium library.

 

CVE-2018-6121

 

It was discovered that malicious extensions could escalate privileges.

 

CVE-2018-6122

 

A type confusion issue was discovered in the v8 javascript library.

 

CVE-2018-6123

 

Looben Yang discovered a use-after-free issue.

 

CVE-2018-6124

 

Guang Gong discovered a type confusion issue.

 

CVE-2018-6125

 

Yubico discovered that the WebUSB implementation was too permissive.

 

CVE-2018-6126

 

Ivan Fratric discovered a buffer overflow issue in the skia library.

 

CVE-2018-6127

 

Looben Yang discovered a use-after-free issue.

 

CVE-2018-6129

 

Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.

 

CVE-2018-6130

 

Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC.

 

CVE-2018-6131

 

Natalie Silvanovich discovered an error in WebAssembly.

 

CVE-2018-6132

 

Ronald E. Crane discovered an uninitialized memory issue.

 

CVE-2018-6133

 

Khalil Zhani discovered a URL spoofing issue.

 

CVE-2018-6134

 

Jun Kokatsu discovered a way to bypass the Referrer Policy.

 

CVE-2018-6135

 

Jasper Rebane discovered a user interface spoofing issue.

 

CVE-2018-6136

 

Peter Wong discovered an out-of-bounds read issue in the v8 javascript

library.

 

CVE-2018-6137

 

Michael Smith discovered an information leak.

 

CVE-2018-6138

 

François Lajeunesse-Robert discovered that the extensions policy was

too permissive.

 

CVE-2018-6139

 

Rob Wu discovered a way to bypass restrictions in the debugger extension.

 

CVE-2018-6140

 

Rob Wu discovered a way to bypass restrictions in the debugger extension.

 

CVE-2018-6141

 

Yangkang discovered a buffer overflow issue in the skia library.

 

CVE-2018-6142

 

Choongwoo Han discovered an out-of-bounds read in the v8 javascript

library.

 

CVE-2018-6143

 

Guang Gong discovered an out-of-bounds read in the v8 javascript library.

 

CVE-2018-6144

 

pdknsk discovered an out-of-bounds read in the pdfium library.

 

CVE-2018-6145

 

Masato Kinugawa discovered an error in the MathML implementation.

 

CVE-2018-6147

 

Michail Pishchagin discovered an error in password entry fields.

 

CVE-2018-6148

 

Michał Bentkowski discovered that the Content Security Policy header

was handled incorrectly.

 

CVE-2018-6149

 

Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the

v8 javascript library.

 

For the stable distribution (stretch), these problems have been fixed in

version 67.0.3396.87-1~deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4238-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 03, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : exiv2

CVE ID : CVE-2018-10958 CVE-2018-10998 CVE-2018-10999 CVE-2018-11531

CVE-2018-12264 CVE-2018-12265

 

Several vulnerabilites have been discovered in Exiv2, a C++ library and

a command line utility to manage image metadata which could result in

denial of service or the execution of arbitrary code if a malformed file

is parsed.

 

For the stable distribution (stretch), these problems have been fixed in

version 0.25-3.1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4239-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 03, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gosa

CVE ID : CVE-2018-1000528

 

Fabian Henneke discovered a cross-site scripting vulnerability in the

password change form of GOsa, a web-based LDAP administration program.

 

For the stable distribution (stretch), this problem has been fixed in

version gosa 2.7.4+reloaded2-3+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4240-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php7.0

CVE ID : CVE-2018-7584 CVE-2018-10545 CVE-2018-10546

CVE-2018-10547 CVE-2018-10548 CVE-2018-10549

 

Several vulnerabilities were found in PHP, a widely-used open source

general purpose scripting language:

 

CVE-2018-7584

 

Buffer underread in parsing HTTP responses

 

CVE-2018-10545

 

Dumpable FPM child processes allowed the bypass of opcache access

controls

 

CVE-2018-10546

 

Denial of service via infinite loop in convert.iconv stream filter

 

CVE-2018-10547

 

The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete

 

CVE-2018-10548

 

Denial of service via malformed LDAP server responses

 

CVE-2018-10549

 

Out-of-bounds read when parsing malformed JPEG files

 

For the stable distribution (stretch), these problems have been fixed in

version 7.0.30-0+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4241-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libsoup2.4

CVE ID : CVE-2018-12910

 

It was discovered that the Soup HTTP library performed insuffient

validation of cookie requests which could result in an out-of-bounds

memory read.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.56.0-2+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4242-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 09, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-sprockets

CVE ID : CVE-2018-3760

Debian Bug : 901913

 

Orange Tsai discovered a path traversal flaw in ruby-sprockets, a

Rack-based asset packaging system. A remote attacker can take advantage

of this flaw to read arbitrary files outside an application's root

directory via specially crafted requests, when the Sprockets server is

used in production.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.7.0-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4243-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

July 11, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cups

CVE ID : CVE-2017-15400 CVE-2018-4180 CVE-2018-4181 CVE-2018-4182

CVE-2018-4183 CVE-2018-6553

 

Several vulnerabilities were discovered in CUPS, the Common UNIX Printing

System. These issues have been identified with the following CVE ids:

 

CVE-2017-15400

 

Rory McNamara discovered that an attacker is able to execute arbitrary

commands (with the privilege of the CUPS daemon) by setting a

malicious IPP server with a crafted PPD file.

 

CVE-2018-4180

 

Dan Bastone of Gotham Digital Science discovered that a local

attacker with access to cupsctl could escalate privileges by setting

an environment variable.

 

CVE-2018-4181

 

Eric Rafaloff and John Dunlap of Gotham Digital Science discovered

that a local attacker can perform limited reads of arbitrary files

as root by manipulating cupsd.conf.

 

CVE-2018-4182

 

Dan Bastone of Gotham Digital Science discovered that an attacker

with sandboxed root access can execute backends without a sandbox

profile by provoking an error in CUPS' profile creation.

 

CVE-2018-4183

 

Dan Bastone and Eric Rafaloff of Gotham Digital Science discovered

that an attacker with sandboxed root access can execute arbitrary

commands as unsandboxed root by modifying /etc/cups/cups-files.conf

 

CVE-2018-6553

 

Dan Bastone of Gotham Digital Science discovered that an attacker

can bypass the AppArmor cupsd sandbox by invoking the dnssd backend

using an alternate name that has been hard linked to dnssd.

 

 

For the stable distribution (stretch), these problems have been fixed in

version 2.2.1-8+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4244-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 13, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : thunderbird

CVE ID : CVE-2017-17689 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360

CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365

CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374

 

Multiple security issues have been found in Thunderbird, which may lead

to the execution of arbitrary code, denial of service or attacks on

encrypted emails.

 

For the stable distribution (stretch), these problems have been fixed in

version 1:52.9.1-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4245-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 14, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : imagemagick

CVE ID : CVE-2018-5248 CVE-2018-11251 CVE-2018-12599 CVE-2018-12600

 

This update fixes several vulnerabilities in Imagemagick, a graphical

software suite. Various memory handling problems or incomplete input

sanitising could result in denial of service or the execution of

arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 8:6.9.7.4+dfsg-11+deb9u5.

 

------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 9: 9.5 released press@debian.org

July 14th, 2018 https://www.debian.org/News/2018/20180714

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the fifth update of its stable

distribution Debian 9 (codename "stretch"). This point release mainly

adds corrections for security issues, along with a few adjustments for

serious problems. Security advisories have already been published

separately and are referenced where available.

 

Please note that the point release does not constitute a new version of

Debian 9 but only updates some of the packages included. There is no

need to throw away old "stretch" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

 

New installation images will be available soon at the regular locations.

 

Upgrading an existing installation to this revision can be achieved by

pointing the package management system at one of Debian's many HTTP

mirrors. A comprehensive list of mirrors is available at:

 

https://www.debian.org/mirror/list

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4246-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 15, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mailman

CVE ID : CVE-2018-0618

 

To****sugu Yoneyama of Mitsui Bussan Secure Directions, Inc. discovered

that mailman, a web-based mailing list manager, is prone to a cross-site

scripting flaw allowing a malicious listowner to inject scripts into the

listinfo page, due to not validated input in the host_name field.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:2.1.23-1+deb9u3.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4247-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 16, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-rack-protection

CVE ID : CVE-2018-1000119

 

A timing attack was discovered in the function for CSRF token validation

of the "Ruby rack protection" framework.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.5.3-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4248-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : blender

CVE ID : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902

CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906

CVE-2017-2907 CVE-2017-2908 CVE-2017-2918 CVE-2017-12081

CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100

CVE-2017-12101 CVE-2017-12102 CVE-2017-12103 CVE-2017-12104

CVE-2017-12105

 

Multiple vulnerabilities have been discovered in various parsers of

Blender, a 3D modeller/ renderer. Malformed .blend model files and

malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may

result in the execution of arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.79.b+dfsg0-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4249-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ffmpeg

CVE ID : CVE-2018-6392 CVE-2018-6621 CVE-2018-7557 CVE-2018-10001

CVE-2018-12458 CVE-2018-13300 CVE-2018-13302

 

Several vulnerabilities have been discovered in the FFmpeg multimedia

framework, which could result in denial of service or potentially the

execution of arbitrary code if malformed files/streams are processed.

 

For the stable distribution (stretch), these problems have been fixed in

version 7:3.2.11-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4250-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

July 18, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2018-12895

Debian Bug : 902876

 

A vulnerability was discovered in Wordpress, a web blogging tool. It

allowed remote attackers with specific roles to execute arbitrary

code.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.7.5+dfsg-2+deb9u4.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4251-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 18, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : vlc

CVE ID : CVE-2018-11529

 

A use-after-free was discovered in the MP4 demuxer of the VLC media

player, which could result in the execution of arbitrary code if a

malformed media file is played.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.0.3-1-0+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4252-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 18, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : znc

CVE ID : CVE-2018-14055 CVE-2018-14056

 

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which

could result in privilege escalation or denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.6.5-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4253-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 23, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : network-manager-vpnc

CVE ID : CVE-2018-10900

Debian Bug : 904255

 

Denis Andzakovic discovered that network-manager-vpnc, a plugin to

provide VPNC support for NetworkManager, is prone to a privilege

escalation vulnerability. A newline character can be used to inject a

Password helper parameter into the configuration data passed to vpnc,

allowing a local user with privileges to modify a system connection to

execute arbitrary commands as root.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.2.4-4+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4254-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 24, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : slurm-llnl

CVE ID : CVE-2018-7033 CVE-2018-10995

Debian Bug : 893044 900548

 

Several vulnerabilities were discovered in the Simple Linux Utility for

Resource Management (SLURM), a cluster resource management and job

scheduling system. The Common Vulnerabilities and Exposures project

identifies the following problems:

 

CVE-2018-7033

 

Incomplete sanitization of user-provided text strings could lead to

SQL injection attacks against slurmdbd.

 

CVE-2018-10995

 

Insecure handling of user_name and gid fields leading to improper

authentication handling.

 

For the stable distribution (stretch), these problems have been fixed in

version 16.05.9-1+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4255-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 24, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ant

CVE ID : CVE-2018-10886

 

Danny Grander reported that the unzip and untar tasks in ant, a Java

based build tool like make, allow the extraction of files outside a

target directory. An attacker can take advantage of this flaw by

submitting a specially crafted Zip or Tar archive to an ant build to

overwrite any file writable by the user running ant.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.9.9-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4256-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

July 26, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151

CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155

CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159

CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164

CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168

CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172

CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176

CVE-2018-6177 CVE-2018-6178 CVE-2018-6179

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2018-4117

 

AhsanEjaz discovered an information leak.

 

CVE-2018-6044

 

Rob Wu discovered a way to escalate privileges using extensions.

 

CVE-2018-6150

 

Rob Wu discovered an information disclosure issue (this problem was

fixed in a previous release but was mistakenly omitted from upstream's

announcement at the time).

 

CVE-2018-6151

 

Rob Wu discovered an issue in the developer tools (this problem was

fixed in a previous release but was mistakenly omitted from upstream's

announcement at the time).

 

CVE-2018-6152

 

Rob Wu discovered an issue in the developer tools (this problem was

fixed in a previous release but was mistakenly omitted from upstream's

announcement at the time).

 

CVE-2018-6153

 

Zhen Zhou discovered a buffer overflow issue in the skia library.

 

CVE-2018-6154

 

Omair discovered a buffer overflow issue in the WebGL implementation.

 

CVE-2018-6155

 

Natalie Silvanovich discovered a use-after-free issue in the WebRTC

implementation.

 

CVE-2018-6156

 

Natalie Silvanovich discovered a buffer overflow issue in the WebRTC

implementation.

 

CVE-2018-6157

 

Natalie Silvanovich discovered a type confusion issue in the WebRTC

implementation.

 

CVE-2018-6158

 

Zhe Jin discovered a use-after-free issue.

 

CVE-2018-6159

 

Jun Kokatsu discovered a way to bypass the same origin policy.

 

CVE-2018-6161

 

Jun Kokatsu discovered a way to bypass the same origin policy.

 

CVE-2018-6162

 

Omair discovered a buffer overflow issue in the WebGL implementation.

 

CVE-2018-6163

 

Khalil Zhani discovered a URL spoofing issue.

 

CVE-2018-6164

 

Jun Kokatsu discovered a way to bypass the same origin policy.

 

CVE-2018-6165

 

evil1m0 discovered a URL spoofing issue.

 

CVE-2018-6166

 

Lynas Zhang discovered a URL spoofing issue.

 

CVE-2018-6167

 

Lynas Zhang discovered a URL spoofing issue.

 

CVE-2018-6168

 

Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross

Origin Resource Sharing policy.

 

CVE-2018-6169

 

Sam P discovered a way to bypass permissions when installing

extensions.

 

CVE-2018-6170

 

A type confusion issue was discovered in the pdfium library.

 

CVE-2018-6171

 

A use-after-free issue was discovered in the WebBluetooth

implementation.

 

CVE-2018-6172

 

Khalil Zhani discovered a URL spoofing issue.

 

CVE-2018-6173

 

Khalil Zhani discovered a URL spoofing issue.

 

CVE-2018-6174

 

Mark Brand discovered an integer overflow issue in the swiftshader

library.

 

CVE-2018-6175

 

Khalil Zhani discovered a URL spoofing issue.

 

CVE-2018-6176

 

Jann Horn discovered a way to escalate privileges using extensions.

 

CVE-2018-6177

 

Ron Masas discovered an information leak.

 

CVE-2018-6178

 

Khalil Zhani discovered a user interface spoofing issue.

 

CVE-2018-6179

 

It was discovered that information about files local to the system

could be leaked to extensions.

 

This version also fixes a regression introduced in the previous security

update that could prevent decoding of particular audio/video codecs.

 

For the stable distribution (stretch), these problems have been fixed in

version 68.0.3440.75-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4257-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

July 28, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : fuse

CVE ID : CVE-2018-10906

Debian Bug : 904439

 

Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the

bypass of the 'user_allow_other' restriction when SELinux is active

(including in permissive mode). A local user can take advantage of this

flaw in the fusermount utility to bypass the system configuration and

mount a FUSE filesystem with the 'allow_other' mount option.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.9.7-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4258-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 29, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ffmpeg

CVE ID : CVE-2018-14395

 

Several vulnerabilities have been discovered in the FFmpeg multimedia

framework, which could result in denial of service or potentially the

execution of arbitrary code if malformed files/streams are processed.

 

For the stable distribution (stretch), this problem has been fixed in

version 7:3.2.12-1~deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4259-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 31, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby2.3

CVE ID : CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914

CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780

CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075

CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078

CVE-2018-1000079

 

Several vulnerabilities have been discovered in the interpreter for the

Ruby language, which may result in incorrect processing of HTTP/FTP,

directory traversal, command injection, unintended socket creation or

information disclosure.

 

This update also fixes several issues in RubyGems which could allow an

attacker to use specially crafted gem files to mount cross-site scripting

attacks, cause denial of service through an infinite loop, write arbitrary

files, or run malicious code.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.3.3-1+deb9u3.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4260-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 02, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libmspack

CVE ID : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682

Debian Bug : 904799 904800 904801 904802

 

Several vulnerabilities were discovered in libsmpack, a library used to

handle Microsoft compression formats. A remote attacker could craft

malicious CAB, CHM or KWAJ files and use these flaws to cause a denial

of service via application crash, or potentially execute arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 0.5-1+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4261-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 03, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : vim-syntastic

CVE ID : CVE-2018-11319

 

Enrico Zini discovered a vulnerability in Syntastic, an addon

module for the Vim editor that runs a file through external checkers

and displays any resulting errors. Config files were looked up in the

current working directory which could result in arbitrary

shell code execution if a malformed source code file is opened.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.7.0-1+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4262-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 03, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : symfony

CVE ID : CVE-2016-2403 CVE-2017-1665 CVE-2017-16653

CVE-2017-16654 CVE-2017-16790 CVE-2018-11385

CVE-2018-11386 CVE-2018-11406

 

Multiple vulnerabilities have been found in the Symfony PHP framework

which could lead to open redirects, cross-site request forgery,

information disclosure, session fixation or denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.8.7+dfsg-1.3+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4263-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 04, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : cgit

CVE ID : CVE-2018-14912

Debian Bug : 905382

 

Jann Horn discovered a directory traversal vulnerability in cgit, a fast

web frontend for git repositories written in C. A remote attacker can

take advantage of this flaw to retrieve arbitrary files via a specially

crafted request, when 'enable-http-clone=1' (default) is not turned off.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.1+git2.10.2-3+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4264-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : python-django

CVE ID : CVE-2018-14574

 

Andreas Hug discovered an open redirect in Django, a Python web

development framework, which is exploitable if

django.middleware.common.CommonMiddleware is used and the APPEND_SLASH

setting is enabled.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:1.10.7-2+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4265-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xml-security-c

CVE ID : not yet available

 

It was discovered that the Apache XML Security for C++ library performed

insufficient validation of KeyInfo hints, which could result in denial

of service via NULL pointer dereferences when processing malformed XML

data.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.7.3-4+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4266-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 06, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2018-5390 CVE-2018-13405

 

Several vulnerabilities have been discovered in the Linux kernel that

may lead to a privilege escalation or denial of service.

 

CVE-2018-5390

 

Juha-Matti Tilli discovered that a remote attacker can trigger the

worst case code paths for TCP stream reassembly with low rates of

specially crafted packets leading to remote denial of service.

 

CVE-2018-13405

 

Jann Horn discovered that the inode_init_owner function in

fs/inode.c in the Linux kernel allows local users to create files

with an unintended group ownership allowing attackers to escalate

privileges by making a plain file executable and SGID.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.9.110-3+deb9u1. This update includes fixes for several

regressions in the latest point release.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4267-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 08, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : kamailio

CVE ID : CVE-2018-14767

 

Henning Westerholt discovered a flaw related to the To header processing

in kamailio, a very fast, dynamic and configurable SIP server. Missing

input validation in the build_res_buf_from_sip_req function could result

in denial of service and potentially the execution of arbitrary code.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.4.4-2+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4268-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 10, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openjdk-8

CVE ID : CVE-2018-2952

 

It was discovered that the PatternSyntaxException class in the

Concurrency component of OpenJDK, an implementation of the Oracle Java

platform could result in denial of service via excessive memory

consumption.

 

For the stable distribution (stretch), this problem has been fixed in

version 8u181-b13-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4269-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 10, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : postgresql-9.6

CVE ID : CVE-2018-10915 CVE-2018-10925

 

Two vulnerabilities have been found in the PostgreSQL database system:

 

CVE-2018-10915

 

Andrew Krasichkov discovered that libpq did not reset all its

connection state during reconnects.

 

CVE-2018-10925

 

It was discovered that some "CREATE TABLE" statements could

disclose server memory.

 

For additional information please refer to the upstream announcement

at https://www.postgresql.org/about/news/1878/

 

For the stable distribution (stretch), these problems have been fixed in

version 9.6.10-0+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4270-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 13, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : gdm3

CVE ID : CVE-2018-14424

 

Chris Coulson discovered a use-after-free flaw in the GNOME Display

Manager, triggerable by an unprivileged user via a specially crafted

sequence of D-Bus method calls, leading to denial of service or

potentially the execution of arbitrary code.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.22.3-3+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4271-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 14, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2018-10858 CVE-2018-10919

 

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,

print, and login server for Unix. The Common Vulnerabilities and

Exposures project identifies the following issues:

 

CVE-2018-10858

 

Svyatoslav Phirsov discovered that insufficient input validation in

libsmbclient allowed a malicious Samba server to write to the

client's heap memory.

 

CVE-2018-10919

 

Phillip Kuhrt discovered that Samba when acting as an Active Domain

controller disclosed some sensitive attributes.

 

For the stable distribution (stretch), these problems have been fixed in

version 2:4.5.12+dfsg-2+deb9u3.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4272-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 14, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2018-5391

 

CVE-2018-5391 (FragmentSmack)

 

Juha-Matti Tilli discovered a flaw in the way the Linux kernel

handled reassembly of fragmented IPv4 and IPv6 packets. A remote

attacker can take advantage of this flaw to trigger time and

calculation expensive fragment reassembly algorithms by sending

specially crafted packets, leading to remote denial of service.

 

This is mitigated by reducing the default limits on memory usage

for incomplete fragmented packets. The same mitigation can be

achieved without the need to reboot, by setting the sysctls:

 

net.ipv4.ipfrag_high_thresh = 262144

net.ipv6.ip6frag_high_thresh = 262144

net.ipv4.ipfrag_low_thresh = 196608

net.ipv6.ip6frag_low_thresh = 196608

 

The default values may still be increased by local configuration

if necessary.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.9.110-3+deb9u2.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4273-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 16, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : intel-microcode

CVE ID : CVE-2018-3639 CVE-2018-3640

 

This update ships updated CPU microcode for some types of Intel CPUs and

provides SSBD support (needed to address "Spectre v4") and fixes for

"Spectre v3a".

 

For the stable distribution (stretch), these problems have been fixed in

version 3.20180703.2~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4274-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 16, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2018-3620 CVE-2018-3646

 

This update provides mitigations for the "L1 Terminal Fault"

vulnerability affecting a range of Intel CPUs.

 

For additional information please refer to

https://xenbits.xen.org/xsa/advisory-273.html. The microcode updates

mentioned there are not yet available in a form distributable by Debian.

 

In addition two denial of service vulnerabilities have been fixed

(XSA-268 and XSA-269).

 

For the stable distribution (stretch), these problems have been fixed in

version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4275-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 16, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : keystone

CVE ID : CVE-2018-14432

Debian Bug : 904616

 

Kristi Nikolla discovered an information leak in Keystone, the OpenStack

identity service, if running in a federated setup.

 

For the stable distribution (stretch), this problem has been fixed in

version 2:10.0.0-9+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4276-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php-horde-image

CVE ID : CVE-2017-9773 CVE-2017-9774 CVE-2017-14650

Debian Bug : 865504 865505 876400

 

Fariskhi Vidyan and Thomas Jarosch discovered several vulnerabilities

in php-horde-image, the image processing library for the Horde

groupware suite. They would allow an attacker to cause a

denial-of-service or execute arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.3.6-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4277-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 17, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mutt

CVE ID : CVE-2018-14349 CVE-2018-14350 CVE-2018-14351 CVE-2018-14352

CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356

CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14360

CVE-2018-14361 CVE-2018-14362 CVE-2018-14363

Debian Bug : 904051

 

Several vulnerabilities were discovered in Mutt, a text-based mailreader

supporting MIME, GPG, PGP and threading, potentially leading to code

execution, denial of service or information disclosure when connecting

to a malicious mail/NNTP server.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.7.2-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4278-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 19, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : jetty9

CVE ID : CVE-2017-7656 CVE-2017-7657 CVE-2017-7658

 

Multiple vulnerabilities were discovered in Jetty, a Java servlet engine

and webserver which could result in HTTP request smuggling.

 

For the stable distribution (stretch), these problems have been fixed in

version 9.2.21-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4279-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 20, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

CVE ID : CVE-2018-3620 CVE-2018-3646

 

Multiple researchers have discovered a vulnerability in the way the

Intel processor designs have implemented speculative execution of

instructions in combination with handling of page-faults. This flaw

could allow an attacker controlling an unprivileged process to read

memory from arbitrary (non-user controlled) addresses, including from

the kernel and all other processes running on the system or cross

guest/host boundaries to read host memory.

 

To fully resolve these vulnerabilities it is also necessary to install

updated CPU microcode (only available in Debian non-free). Common server

class CPUs are covered in the update released as DSA 4273-1.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.9.110-3+deb9u3.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4280-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 22, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssh

CVE ID : CVE-2018-15473

Debian Bug : 906236

 

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that

OpenSSH, an implementation of the SSH protocol suite, was prone to a

user enumeration vulnerability. This would allow a remote attacker to

check whether a specific user account existed on the target server.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:7.4p1-10+deb9u4.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4279-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

August 22, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : linux

Debian Bug : 906769

 

The security update announced as DSA 4279-1 caused regressions on the ARM

architectures (boot failures on some systems). Updated packages are now

available to correct this issue.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.9.110-3+deb9u4.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4281-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 29, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tomcat8

CVE ID : CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-8034

CVE-2018-8037

Debian Bug : 867247

 

Several issues were discovered in the Tomcat servlet and JSP

engine. They could lead to unauthorized access to protected resources,

denial-of-service, or information leak.

 

For the stable distribution (stretch), these problems have been fixed in

version 8.5.14-1+deb9u3.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4282-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 31, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : trafficserver

CVE ID : CVE-2018-1318 CVE-2018-8004 CVE-2018-8005 CVE-2018-8040

 

Several vulnerabilities were discovered in Apache Traffic Server, a

reverse and forward proxy server, which could result in denial of

service, cache poisoning or information disclosure.

 

For the stable distribution (stretch), these problems have been fixed in

version 7.0.0-6+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4283-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 31, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-json-jwt

CVE ID : CVE-2018-1000539

 

It was discovered that ruby-json-jwt, a Ruby implementation of JSON web

tokens performed insufficient validation of GCM auth tags.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.6.2-1+deb9u1.

Link to comment
Share on other sites

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4284-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 04, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : lcms2

CVE ID : CVE-2018-16435

 

Quang Nguyen discovered an integer overflow in the Little CMS 2 colour

management library, which could in denial of service and potentially the

execution of arbitrary code if a malformed IT8 calibration file is

processed.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.8-4+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4285-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : sympa

CVE ID : CVE-2018-1000550

 

Michael Kaczmarczik discovered a vulnerability in the web interface

template editing function of Sympa, a mailing list manager. Owner and

listmasters could use this flaw to create or modify arbitrary files in

the server with privileges of sympa user or owner view list config files

even if edit_list.conf prohibits it.

 

For the stable distribution (stretch), this problem has been fixed in

version 6.2.16~dfsg-3+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4286-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 05, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : curl

CVE ID : CVE-2018-14618

 

Zhaoyang Wu discovered that cURL, an URL transfer library, contains a

buffer overflow in the NTLM authentication code triggered by passwords

that exceed 2GB in length on 32bit systems.

 

See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.

 

For the stable distribution (stretch), this problem has been fixed in

version 7.52.1-5+deb9u7.

Link to comment
Share on other sites

×
×
  • Create New...