sunrat Posted June 18, 2018 Share Posted June 18, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4229-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez June 14, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : strongswan CVE ID : CVE-2018-5388 CVE-2018-10811 Two vulnerabilities were discovered in strongSwan, an IKE/IPsec suite. CVE-2018-5388 The stroke plugin did not verify the message length when reading from its control socket. This vulnerability could lead to denial of service. On Debian write access to the socket requires root permission on default configuration. CVE-2018-10811 A missing variable initialization in IKEv2 key derivation could lead to a denial of service (crash of the charon IKE daemon) if the openssl plugin is used in FIPS mode and the negotiated PRF is HMAC-MD5. For the oldstable distribution (jessie), these problems have been fixed in version 5.2.1-6+deb8u6. For the stable distribution (stretch), these problems have been fixed in version 5.5.1-4+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4230-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : redis CVE ID : CVE-2018-11218 CVE-2018-11219 Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a persistent key-value database, which could result in denial of service. For the stable distribution (stretch), these problems have been fixed in version 3:3.2.6-3+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4231-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso June 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libgcrypt20 CVE ID : CVE-2018-0495 It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys. For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3. Link to comment Share on other sites More sharing options...
sunrat Posted June 21, 2018 Share Posted June 21, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4232-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 20, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xen CVE ID : CVE-2018-3665 This update provides mitigations for the "lazy FPU" vulnerability affecting a range of Intel CPUs, which could result in leaking CPU register states belonging to another vCPU previously scheduled on the same CPU. For additional information please refer to https://xenbits.xen.org/xsa/advisory-267.html For the stable distribution (stretch), this problem has been fixed in version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8. Link to comment Share on other sites More sharing options...
sunrat Posted June 23, 2018 Share Posted June 23, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4233-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : bouncycastle CVE ID : CVE-2018-1000180 It was discovered that the low-level interface to the RSA key pair generator of Bouncy Castle (a Java implementation of cryptographic algorithms) could perform less Miller-Rabin primality tests than expected. For the stable distribution (stretch), this problem has been fixed in version 1.56-1+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4234-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 22, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : lava-server CVE ID : CVE-2018-12564 CVE-2018-12565 Two vulnerabilities were discovered in LAVA, a continuous integration system for deploying operating systems for running tests, which could result in information disclosure of files readable by the lavaserver system user or the execution of arbitrary code via a XMLRPC call. For the stable distribution (stretch), these problems have been fixed in version 2016.12-3. Link to comment Share on other sites More sharing options...
sunrat Posted June 24, 2018 Share Posted June 24, 2018 ------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Updated Debian 8: 8.11 released press@debian.org June 23rd, 2018 https://www.debian.org/News/2018/20180623 ------------------------------------------------------------------------ The Debian project is pleased to announce the eleventh (and final) update of its oldstable distribution Debian 8 (codename "jessie"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. After this point release, Debian's Security and Release Teams will no longer be producing updates for Debian 8. Users wishing to continue to receive security support should upgrade to Debian 9, or see https://wiki.debian.org/LTS for details about the subset of architectures and packages covered by the Long Term Support project. The packages for some architectures for DSA 3746, DSA 3944, DSA 3968, DSA 4010, DSA 4014, DSA 4061, DSA 4075, DSA 4102, DSA 4155, DSA 4209 and DSA 4218 are not included in this point release for technical reasons. All other security updates released during the lifetime of "jessie" that have not previously been part of a point release are included in this update. Please note that the point release does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old "jessie" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. Link to comment Share on other sites More sharing options...
sunrat Posted June 28, 2018 Share Posted June 28, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4235-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 27, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2018-5156 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure. For the stable distribution (stretch), these problems have been fixed in version 52.9.0esr-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4236-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff June 27, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xen CVE ID : CVE-2018-12891 CVE-2018-12892 CVE-2018-12893 Multiple vulnerabilities have been discovered in the Xen hypervisor: CVE-2018-12891 It was discovered that insufficient validation of PV MMU operations may result in denial of service. CVE-2018-12892 It was discovered that libxl fails to honour the 'readonly' flag on HVM-emulated SCSI disks. CVE-2018-12893 It was discovered that incorrect implementation of debug exception checks could result in denial of service. For the stable distribution (stretch), these problems have been fixed in version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9. Link to comment Share on other sites More sharing options...
sunrat Posted July 3, 2018 Share Posted July 3, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4237-1 security@debian.org https://www.debian.org/security/ Michael Gilbert June 30, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium-browser CVE ID : CVE-2018-6118 CVE-2018-6120 CVE-2018-6121 CVE-2018-6122 CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 CVE-2018-6139 CVE-2018-6140 CVE-2018-6141 CVE-2018-6142 CVE-2018-6143 CVE-2018-6144 CVE-2018-6145 CVE-2018-6147 CVE-2018-6148 CVE-2018-6149 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-6118 Ned Williamson discovered a use-after-free issue. CVE-2018-6120 Zhou Aiting discovered a buffer overflow issue in the pdfium library. CVE-2018-6121 It was discovered that malicious extensions could escalate privileges. CVE-2018-6122 A type confusion issue was discovered in the v8 javascript library. CVE-2018-6123 Looben Yang discovered a use-after-free issue. CVE-2018-6124 Guang Gong discovered a type confusion issue. CVE-2018-6125 Yubico discovered that the WebUSB implementation was too permissive. CVE-2018-6126 Ivan Fratric discovered a buffer overflow issue in the skia library. CVE-2018-6127 Looben Yang discovered a use-after-free issue. CVE-2018-6129 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. CVE-2018-6130 Natalie Silvanovich discovered an out-of-bounds read issue in WebRTC. CVE-2018-6131 Natalie Silvanovich discovered an error in WebAssembly. CVE-2018-6132 Ronald E. Crane discovered an uninitialized memory issue. CVE-2018-6133 Khalil Zhani discovered a URL spoofing issue. CVE-2018-6134 Jun Kokatsu discovered a way to bypass the Referrer Policy. CVE-2018-6135 Jasper Rebane discovered a user interface spoofing issue. CVE-2018-6136 Peter Wong discovered an out-of-bounds read issue in the v8 javascript library. CVE-2018-6137 Michael Smith discovered an information leak. CVE-2018-6138 François Lajeunesse-Robert discovered that the extensions policy was too permissive. CVE-2018-6139 Rob Wu discovered a way to bypass restrictions in the debugger extension. CVE-2018-6140 Rob Wu discovered a way to bypass restrictions in the debugger extension. CVE-2018-6141 Yangkang discovered a buffer overflow issue in the skia library. CVE-2018-6142 Choongwoo Han discovered an out-of-bounds read in the v8 javascript library. CVE-2018-6143 Guang Gong discovered an out-of-bounds read in the v8 javascript library. CVE-2018-6144 pdknsk discovered an out-of-bounds read in the pdfium library. CVE-2018-6145 Masato Kinugawa discovered an error in the MathML implementation. CVE-2018-6147 Michail Pishchagin discovered an error in password entry fields. CVE-2018-6148 Michał Bentkowski discovered that the Content Security Policy header was handled incorrectly. CVE-2018-6149 Yu Zhou and Jundong Xie discovered an out-of-bounds write issue in the v8 javascript library. For the stable distribution (stretch), these problems have been fixed in version 67.0.3396.87-1~deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 4, 2018 Share Posted July 4, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4238-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 03, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : exiv2 CVE ID : CVE-2018-10958 CVE-2018-10998 CVE-2018-10999 CVE-2018-11531 CVE-2018-12264 CVE-2018-12265 Several vulnerabilites have been discovered in Exiv2, a C++ library and a command line utility to manage image metadata which could result in denial of service or the execution of arbitrary code if a malformed file is parsed. For the stable distribution (stretch), these problems have been fixed in version 0.25-3.1+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4239-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 03, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : gosa CVE ID : CVE-2018-1000528 Fabian Henneke discovered a cross-site scripting vulnerability in the password change form of GOsa, a web-based LDAP administration program. For the stable distribution (stretch), this problem has been fixed in version gosa 2.7.4+reloaded2-3+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 5, 2018 Share Posted July 5, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4240-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php7.0 CVE ID : CVE-2018-7584 CVE-2018-10545 CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549 Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language: CVE-2018-7584 Buffer underread in parsing HTTP responses CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls CVE-2018-10546 Denial of service via infinite loop in convert.iconv stream filter CVE-2018-10547 The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete CVE-2018-10548 Denial of service via malformed LDAP server responses CVE-2018-10549 Out-of-bounds read when parsing malformed JPEG files For the stable distribution (stretch), these problems have been fixed in version 7.0.30-0+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4241-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libsoup2.4 CVE ID : CVE-2018-12910 It was discovered that the Soup HTTP library performed insuffient validation of cookie requests which could result in an out-of-bounds memory read. For the stable distribution (stretch), this problem has been fixed in version 2.56.0-2+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted July 10, 2018 Share Posted July 10, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4242-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 09, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby-sprockets CVE ID : CVE-2018-3760 Debian Bug : 901913 Orange Tsai discovered a path traversal flaw in ruby-sprockets, a Rack-based asset packaging system. A remote attacker can take advantage of this flaw to read arbitrary files outside an application's root directory via specially crafted requests, when the Sprockets server is used in production. For the stable distribution (stretch), this problem has been fixed in version 3.7.0-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 12, 2018 Share Posted July 12, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4243-1 security@debian.org https://www.debian.org/security/ Luciano Bello July 11, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cups CVE ID : CVE-2017-15400 CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 CVE-2018-6553 Several vulnerabilities were discovered in CUPS, the Common UNIX Printing System. These issues have been identified with the following CVE ids: CVE-2017-15400 Rory McNamara discovered that an attacker is able to execute arbitrary commands (with the privilege of the CUPS daemon) by setting a malicious IPP server with a crafted PPD file. CVE-2018-4180 Dan Bastone of Gotham Digital Science discovered that a local attacker with access to cupsctl could escalate privileges by setting an environment variable. CVE-2018-4181 Eric Rafaloff and John Dunlap of Gotham Digital Science discovered that a local attacker can perform limited reads of arbitrary files as root by manipulating cupsd.conf. CVE-2018-4182 Dan Bastone of Gotham Digital Science discovered that an attacker with sandboxed root access can execute backends without a sandbox profile by provoking an error in CUPS' profile creation. CVE-2018-4183 Dan Bastone and Eric Rafaloff of Gotham Digital Science discovered that an attacker with sandboxed root access can execute arbitrary commands as unsandboxed root by modifying /etc/cups/cups-files.conf CVE-2018-6553 Dan Bastone of Gotham Digital Science discovered that an attacker can bypass the AppArmor cupsd sandbox by invoking the dnssd backend using an alternate name that has been hard linked to dnssd. For the stable distribution (stretch), these problems have been fixed in version 2.2.1-8+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted July 14, 2018 Share Posted July 14, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4244-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 13, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2017-17689 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails. For the stable distribution (stretch), these problems have been fixed in version 1:52.9.1-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4245-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 14, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : imagemagick CVE ID : CVE-2018-5248 CVE-2018-11251 CVE-2018-12599 CVE-2018-12600 This update fixes several vulnerabilities in Imagemagick, a graphical software suite. Various memory handling problems or incomplete input sanitising could result in denial of service or the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u5. ------------------------------------------------------------------------ The Debian Project https://www.debian.org/ Updated Debian 9: 9.5 released press@debian.org July 14th, 2018 https://www.debian.org/News/2018/20180714 ------------------------------------------------------------------------ The Debian project is pleased to announce the fifth update of its stable distribution Debian 9 (codename "stretch"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available. Please note that the point release does not constitute a new version of Debian 9 but only updates some of the packages included. There is no need to throw away old "stretch" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror. Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release. New installation images will be available soon at the regular locations. Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at: https://www.debian.org/mirror/list Link to comment Share on other sites More sharing options...
sunrat Posted July 16, 2018 Share Posted July 16, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4246-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 15, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mailman CVE ID : CVE-2018-0618 To****sugu Yoneyama of Mitsui Bussan Secure Directions, Inc. discovered that mailman, a web-based mailing list manager, is prone to a cross-site scripting flaw allowing a malicious listowner to inject scripts into the listinfo page, due to not validated input in the host_name field. For the stable distribution (stretch), this problem has been fixed in version 1:2.1.23-1+deb9u3. Link to comment Share on other sites More sharing options...
sunrat Posted July 18, 2018 Share Posted July 18, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4247-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 16, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby-rack-protection CVE ID : CVE-2018-1000119 A timing attack was discovered in the function for CSRF token validation of the "Ruby rack protection" framework. For the stable distribution (stretch), this problem has been fixed in version 1.5.3-2+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4248-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : blender CVE ID : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906 CVE-2017-2907 CVE-2017-2908 CVE-2017-2918 CVE-2017-12081 CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 CVE-2017-12101 CVE-2017-12102 CVE-2017-12103 CVE-2017-12104 CVE-2017-12105 Multiple vulnerabilities have been discovered in various parsers of Blender, a 3D modeller/ renderer. Malformed .blend model files and malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may result in the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 2.79.b+dfsg0-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4249-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ffmpeg CVE ID : CVE-2018-6392 CVE-2018-6621 CVE-2018-7557 CVE-2018-10001 CVE-2018-12458 CVE-2018-13300 CVE-2018-13302 Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. For the stable distribution (stretch), these problems have been fixed in version 7:3.2.11-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4250-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond July 18, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : wordpress CVE ID : CVE-2018-12895 Debian Bug : 902876 A vulnerability was discovered in Wordpress, a web blogging tool. It allowed remote attackers with specific roles to execute arbitrary code. For the stable distribution (stretch), this problem has been fixed in version 4.7.5+dfsg-2+deb9u4. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4251-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 18, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : vlc CVE ID : CVE-2018-11529 A use-after-free was discovered in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played. For the stable distribution (stretch), this problem has been fixed in version 3.0.3-1-0+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4252-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 18, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : znc CVE ID : CVE-2018-14055 CVE-2018-14056 Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could result in privilege escalation or denial of service. For the stable distribution (stretch), these problems have been fixed in version 1.6.5-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 25, 2018 Share Posted July 25, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4253-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 23, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : network-manager-vpnc CVE ID : CVE-2018-10900 Debian Bug : 904255 Denis Andzakovic discovered that network-manager-vpnc, a plugin to provide VPNC support for NetworkManager, is prone to a privilege escalation vulnerability. A newline character can be used to inject a Password helper parameter into the configuration data passed to vpnc, allowing a local user with privileges to modify a system connection to execute arbitrary commands as root. For the stable distribution (stretch), this problem has been fixed in version 1.2.4-4+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4254-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 24, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : slurm-llnl CVE ID : CVE-2018-7033 CVE-2018-10995 Debian Bug : 893044 900548 Several vulnerabilities were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-7033 Incomplete sanitization of user-provided text strings could lead to SQL injection attacks against slurmdbd. CVE-2018-10995 Insecure handling of user_name and gid fields leading to improper authentication handling. For the stable distribution (stretch), these problems have been fixed in version 16.05.9-1+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4255-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 24, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ant CVE ID : CVE-2018-10886 Danny Grander reported that the unzip and untar tasks in ant, a Java based build tool like make, allow the extraction of files outside a target directory. An attacker can take advantage of this flaw by submitting a specially crafted Zip or Tar archive to an ant build to overwrite any file writable by the user running ant. For the stable distribution (stretch), this problem has been fixed in version 1.9.9-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 29, 2018 Share Posted July 29, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4256-1 security@debian.org https://www.debian.org/security/ Michael Gilbert July 26, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium-browser CVE ID : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151 CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155 CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159 CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164 CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168 CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172 CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176 CVE-2018-6177 CVE-2018-6178 CVE-2018-6179 Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-4117 AhsanEjaz discovered an information leak. CVE-2018-6044 Rob Wu discovered a way to escalate privileges using extensions. CVE-2018-6150 Rob Wu discovered an information disclosure issue (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time). CVE-2018-6151 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time). CVE-2018-6152 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time). CVE-2018-6153 Zhen Zhou discovered a buffer overflow issue in the skia library. CVE-2018-6154 Omair discovered a buffer overflow issue in the WebGL implementation. CVE-2018-6155 Natalie Silvanovich discovered a use-after-free issue in the WebRTC implementation. CVE-2018-6156 Natalie Silvanovich discovered a buffer overflow issue in the WebRTC implementation. CVE-2018-6157 Natalie Silvanovich discovered a type confusion issue in the WebRTC implementation. CVE-2018-6158 Zhe Jin discovered a use-after-free issue. CVE-2018-6159 Jun Kokatsu discovered a way to bypass the same origin policy. CVE-2018-6161 Jun Kokatsu discovered a way to bypass the same origin policy. CVE-2018-6162 Omair discovered a buffer overflow issue in the WebGL implementation. CVE-2018-6163 Khalil Zhani discovered a URL spoofing issue. CVE-2018-6164 Jun Kokatsu discovered a way to bypass the same origin policy. CVE-2018-6165 evil1m0 discovered a URL spoofing issue. CVE-2018-6166 Lynas Zhang discovered a URL spoofing issue. CVE-2018-6167 Lynas Zhang discovered a URL spoofing issue. CVE-2018-6168 Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross Origin Resource Sharing policy. CVE-2018-6169 Sam P discovered a way to bypass permissions when installing extensions. CVE-2018-6170 A type confusion issue was discovered in the pdfium library. CVE-2018-6171 A use-after-free issue was discovered in the WebBluetooth implementation. CVE-2018-6172 Khalil Zhani discovered a URL spoofing issue. CVE-2018-6173 Khalil Zhani discovered a URL spoofing issue. CVE-2018-6174 Mark Brand discovered an integer overflow issue in the swiftshader library. CVE-2018-6175 Khalil Zhani discovered a URL spoofing issue. CVE-2018-6176 Jann Horn discovered a way to escalate privileges using extensions. CVE-2018-6177 Ron Masas discovered an information leak. CVE-2018-6178 Khalil Zhani discovered a user interface spoofing issue. CVE-2018-6179 It was discovered that information about files local to the system could be leaked to extensions. This version also fixes a regression introduced in the previous security update that could prevent decoding of particular audio/video codecs. For the stable distribution (stretch), these problems have been fixed in version 68.0.3440.75-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4257-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 28, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : fuse CVE ID : CVE-2018-10906 Debian Bug : 904439 Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the bypass of the 'user_allow_other' restriction when SELinux is active (including in permissive mode). A local user can take advantage of this flaw in the fusermount utility to bypass the system configuration and mount a FUSE filesystem with the 'allow_other' mount option. For the stable distribution (stretch), this problem has been fixed in version 2.9.7-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted July 31, 2018 Share Posted July 31, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4258-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 29, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ffmpeg CVE ID : CVE-2018-14395 Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. For the stable distribution (stretch), this problem has been fixed in version 7:3.2.12-1~deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted August 2, 2018 Share Posted August 2, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4259-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff July 31, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby2.3 CVE ID : CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code. For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3. Link to comment Share on other sites More sharing options...
sunrat Posted August 3, 2018 Share Posted August 3, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4260-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 02, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libmspack CVE ID : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682 Debian Bug : 904799 904800 904801 904802 Several vulnerabilities were discovered in libsmpack, a library used to handle Microsoft compression formats. A remote attacker could craft malicious CAB, CHM or KWAJ files and use these flaws to cause a denial of service via application crash, or potentially execute arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 0.5-1+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted August 6, 2018 Share Posted August 6, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4261-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 03, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : vim-syntastic CVE ID : CVE-2018-11319 Enrico Zini discovered a vulnerability in Syntastic, an addon module for the Vim editor that runs a file through external checkers and displays any resulting errors. Config files were looked up in the current working directory which could result in arbitrary shell code execution if a malformed source code file is opened. For the stable distribution (stretch), this problem has been fixed in version 3.7.0-1+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4262-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 03, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : symfony CVE ID : CVE-2016-2403 CVE-2017-1665 CVE-2017-16653 CVE-2017-16654 CVE-2017-16790 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to open redirects, cross-site request forgery, information disclosure, session fixation or denial of service. For the stable distribution (stretch), these problems have been fixed in version 2.8.7+dfsg-1.3+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4263-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 04, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : cgit CVE ID : CVE-2018-14912 Debian Bug : 905382 Jann Horn discovered a directory traversal vulnerability in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of this flaw to retrieve arbitrary files via a specially crafted request, when 'enable-http-clone=1' (default) is not turned off. For the stable distribution (stretch), this problem has been fixed in version 1.1+git2.10.2-3+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4264-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : python-django CVE ID : CVE-2018-14574 Andreas Hug discovered an open redirect in Django, a Python web development framework, which is exploitable if django.middleware.common.CommonMiddleware is used and the APPEND_SLASH setting is enabled. For the stable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4265-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xml-security-c CVE ID : not yet available It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data. For the stable distribution (stretch), this problem has been fixed in version 1.7.3-4+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted August 7, 2018 Share Posted August 7, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4266-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 06, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2018-5390 CVE-2018-13405 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service. CVE-2018-5390 Juha-Matti Tilli discovered that a remote attacker can trigger the worst case code paths for TCP stream reassembly with low rates of specially crafted packets leading to remote denial of service. CVE-2018-13405 Jann Horn discovered that the inode_init_owner function in fs/inode.c in the Linux kernel allows local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID. For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u1. This update includes fixes for several regressions in the latest point release. Link to comment Share on other sites More sharing options...
sunrat Posted August 9, 2018 Share Posted August 9, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4267-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 08, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : kamailio CVE ID : CVE-2018-14767 Henning Westerholt discovered a flaw related to the To header processing in kamailio, a very fast, dynamic and configurable SIP server. Missing input validation in the build_res_buf_from_sip_req function could result in denial of service and potentially the execution of arbitrary code. For the stable distribution (stretch), this problem has been fixed in version 4.4.4-2+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted August 13, 2018 Share Posted August 13, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4268-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 10, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openjdk-8 CVE ID : CVE-2018-2952 It was discovered that the PatternSyntaxException class in the Concurrency component of OpenJDK, an implementation of the Oracle Java platform could result in denial of service via excessive memory consumption. For the stable distribution (stretch), this problem has been fixed in version 8u181-b13-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4269-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 10, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : postgresql-9.6 CVE ID : CVE-2018-10915 CVE-2018-10925 Two vulnerabilities have been found in the PostgreSQL database system: CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. CVE-2018-10925 It was discovered that some "CREATE TABLE" statements could disclose server memory. For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1878/ For the stable distribution (stretch), these problems have been fixed in version 9.6.10-0+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted August 13, 2018 Share Posted August 13, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4270-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 13, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : gdm3 CVE ID : CVE-2018-14424 Chris Coulson discovered a use-after-free flaw in the GNOME Display Manager, triggerable by an unprivileged user via a specially crafted sequence of D-Bus method calls, leading to denial of service or potentially the execution of arbitrary code. For the stable distribution (stretch), this problem has been fixed in version 3.22.3-3+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted August 15, 2018 Share Posted August 15, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4271-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 14, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : samba CVE ID : CVE-2018-10858 CVE-2018-10919 Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2018-10858 Svyatoslav Phirsov discovered that insufficient input validation in libsmbclient allowed a malicious Samba server to write to the client's heap memory. CVE-2018-10919 Phillip Kuhrt discovered that Samba when acting as an Active Domain controller disclosed some sensitive attributes. For the stable distribution (stretch), these problems have been fixed in version 2:4.5.12+dfsg-2+deb9u3. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4272-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 14, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2018-5391 CVE-2018-5391 (FragmentSmack) Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time and calculation expensive fragment reassembly algorithms by sending specially crafted packets, leading to remote denial of service. This is mitigated by reducing the default limits on memory usage for incomplete fragmented packets. The same mitigation can be achieved without the need to reboot, by setting the sysctls: net.ipv4.ipfrag_high_thresh = 262144 net.ipv6.ip6frag_high_thresh = 262144 net.ipv4.ipfrag_low_thresh = 196608 net.ipv6.ip6frag_low_thresh = 196608 The default values may still be increased by local configuration if necessary. For the stable distribution (stretch), this problem has been fixed in version 4.9.110-3+deb9u2. Link to comment Share on other sites More sharing options...
sunrat Posted August 17, 2018 Share Posted August 17, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4273-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 16, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : intel-microcode CVE ID : CVE-2018-3639 CVE-2018-3640 This update ships updated CPU microcode for some types of Intel CPUs and provides SSBD support (needed to address "Spectre v4") and fixes for "Spectre v3a". For the stable distribution (stretch), these problems have been fixed in version 3.20180703.2~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4274-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 16, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xen CVE ID : CVE-2018-3620 CVE-2018-3646 This update provides mitigations for the "L1 Terminal Fault" vulnerability affecting a range of Intel CPUs. For additional information please refer to https://xenbits.xen.org/xsa/advisory-273.html. The microcode updates mentioned there are not yet available in a form distributable by Debian. In addition two denial of service vulnerabilities have been fixed (XSA-268 and XSA-269). For the stable distribution (stretch), these problems have been fixed in version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4275-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 16, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : keystone CVE ID : CVE-2018-14432 Debian Bug : 904616 Kristi Nikolla discovered an information leak in Keystone, the OpenStack identity service, if running in a federated setup. For the stable distribution (stretch), this problem has been fixed in version 2:10.0.0-9+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted August 19, 2018 Share Posted August 19, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4276-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond August 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php-horde-image CVE ID : CVE-2017-9773 CVE-2017-9774 CVE-2017-14650 Debian Bug : 865504 865505 876400 Fariskhi Vidyan and Thomas Jarosch discovered several vulnerabilities in php-horde-image, the image processing library for the Horde groupware suite. They would allow an attacker to cause a denial-of-service or execute arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 2.3.6-1+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4277-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 17, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mutt CVE ID : CVE-2018-14349 CVE-2018-14350 CVE-2018-14351 CVE-2018-14352 CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356 CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14360 CVE-2018-14361 CVE-2018-14362 CVE-2018-14363 Debian Bug : 904051 Several vulnerabilities were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, potentially leading to code execution, denial of service or information disclosure when connecting to a malicious mail/NNTP server. For the stable distribution (stretch), these problems have been fixed in version 1.7.2-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted August 22, 2018 Share Posted August 22, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4278-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 19, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : jetty9 CVE ID : CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 Multiple vulnerabilities were discovered in Jetty, a Java servlet engine and webserver which could result in HTTP request smuggling. For the stable distribution (stretch), these problems have been fixed in version 9.2.21-1+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4279-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 20, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2018-3620 CVE-2018-3646 Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DSA 4273-1. For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u3. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4280-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond August 22, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssh CVE ID : CVE-2018-15473 Debian Bug : 906236 Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server. For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4. Link to comment Share on other sites More sharing options...
sunrat Posted August 25, 2018 Share Posted August 25, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4279-2 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso August 22, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux Debian Bug : 906769 The security update announced as DSA 4279-1 caused regressions on the ARM architectures (boot failures on some systems). Updated packages are now available to correct this issue. For the stable distribution (stretch), this problem has been fixed in version 4.9.110-3+deb9u4. Link to comment Share on other sites More sharing options...
sunrat Posted August 31, 2018 Share Posted August 31, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4281-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond August 29, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat8 CVE ID : CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-8034 CVE-2018-8037 Debian Bug : 867247 Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u3. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4282-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 31, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : trafficserver CVE ID : CVE-2018-1318 CVE-2018-8004 CVE-2018-8005 CVE-2018-8040 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, cache poisoning or information disclosure. For the stable distribution (stretch), these problems have been fixed in version 7.0.0-6+deb9u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4283-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff August 31, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby-json-jwt CVE ID : CVE-2018-1000539 It was discovered that ruby-json-jwt, a Ruby implementation of JSON web tokens performed insufficient validation of GCM auth tags. For the stable distribution (stretch), this problem has been fixed in version 1.6.2-1+deb9u1. Link to comment Share on other sites More sharing options...
sunrat Posted September 5, 2018 Share Posted September 5, 2018 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4284-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 04, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : lcms2 CVE ID : CVE-2018-16435 Quang Nguyen discovered an integer overflow in the Little CMS 2 colour management library, which could in denial of service and potentially the execution of arbitrary code if a malformed IT8 calibration file is processed. For the stable distribution (stretch), this problem has been fixed in version 2.8-4+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4285-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : sympa CVE ID : CVE-2018-1000550 Michael Kaczmarczik discovered a vulnerability in the web interface template editing function of Sympa, a mailing list manager. Owner and listmasters could use this flaw to create or modify arbitrary files in the server with privileges of sympa user or owner view list config files even if edit_list.conf prohibits it. For the stable distribution (stretch), this problem has been fixed in version 6.2.16~dfsg-3+deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4286-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini September 05, 2018 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2018-14618 Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information. For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7. Link to comment Share on other sites More sharing options...
Recommended Posts