debian NEW UPDATES Debian

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4339-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 21, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ceph

Debian Bug : 913909

 

The update for ceph issued as DSA-4339-1 caused a build regression for

the i386 builds. Updated packages are now available to address this

issue. For reference, the original advisory text follows.

 

Multiple vulnerabilities were discovered in Ceph, a distributed storage

and file system: The cephx authentication protocol was susceptible to

replay attacks and calculated signatures incorrectly, "ceph mon" did not

validate capabilities for pool operations (resulting in potential

corruption or deletion of snapshot images) and a format string

vulnerability in libradosstriper could result in denial of service.

 

For the stable distribution (stretch), this problem has been fixed in

version 10.2.11-2.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4343-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 23, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : liblivemedia

CVE ID : CVE-2018-4013

 

It was discovered that a buffer overflow in liveMedia, a set of C++

libraries for multimedia streaming could result in the execution of

arbitrary code when parsing a malformed RTSP stream.

 

For the stable distribution (stretch), this problem has been fixed in

version 2016.11.28-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4344-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 24, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : roundcube

CVE ID : CVE-2018-19206

 

Aidan Marlin discovered that roundcube, a skinnable AJAX based webmail

solution for IMAP servers, is prone to a cross-site scripting

vulnerability in handling invalid style tag content.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.2.3+dfsg.1-4+deb9u3.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4345-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

 

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,

print, and login server for Unix. The Common Vulnerabilities and

Exposures project identifies the following issues:

 

CVE-2018-14629

 

Florian Stuelpner discovered that Samba is vulnerable to

infinite query recursion caused by CNAME loops, resulting in

denial of service.

 

https://www.samba.org/samba/security/CVE-2018-14629.html

 

CVE-2018-16841

 

Alex MacCuish discovered that a user with a valid certificate or

smart card can crash the Samba AD DC's KDC when configured to accept

smart-card authentication.

 

https://www.samba.org/samba/security/CVE-2018-16841.html

 

CVE-2018-16851

 

Garming Sam of the Samba Team and Catalyst discovered a NULL pointer

dereference vulnerability in the Samba AD DC LDAP server allowing a

user able to read more than 256MB of LDAP entries to crash the Samba

AD DC's LDAP server.

 

https://www.samba.org/samba/security/CVE-2018-16851.html

 

For the stable distribution (stretch), these problems have been fixed in

version 2:4.5.12+dfsg-2+deb9u4.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4346-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ghostscript

CVE ID : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

 

Several vulnerabilities were discovered in Ghostscript, the GPL

PostScript/PDF interpreter, which may result in denial of service or the

execution of arbitrary code if a malformed Postscript file is processed

(despite the -dSAFER sandbox being enabled).

 

This update rebases ghostscript for stretch to the upstream version 9.26

which includes additional changes.

 

For the stable distribution (stretch), these problems have been fixed in

version 9.26~dfsg-0+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4347-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 29, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : perl

CVE ID : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

 

Multiple vulnerabilities were discovered in the implementation of the

Perl programming language. The Common Vulnerabilities and Exposures

project identifies the following problems:

 

CVE-2018-18311

 

Jayakrishna Menon and Christophe Hauser discovered an integer

overflow vulnerability in Perl_my_setenv leading to a heap-based

buffer overflow with attacker-controlled input.

 

CVE-2018-18312

 

Eiichi Tsukata discovered that a crafted regular expression could

cause a heap-based buffer overflow write during compilation,

potentially allowing arbitrary code execution.

 

CVE-2018-18313

 

Eiichi Tsukata discovered that a crafted regular expression could

cause a heap-based buffer overflow read during compilation which

leads to information leak.

 

CVE-2018-18314

 

Jakub Wilk discovered that a specially crafted regular expression

could lead to a heap-based buffer overflow.

 

For the stable distribution (stretch), these problems have been fixed in

version 5.24.1-3+deb9u5.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4348-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 30, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl

CVE ID : CVE-2018-0732 CVE-2018-0734 CVE-2018-0735 CVE-2018-0737

CVE-2018-5407

 

Several local side channel attacks and a denial of service via large

Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets

Layer toolkit.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.1.0j-1~deb9u1. Going forward, openssl security updates for

stretch will be based on the 1.1.0x upstream releases.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4349-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 30, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tiff

CVE ID : CVE-2017-11613 CVE-2017-17095 CVE-2018-5784

CVE-2018-7456 CVE-2018-8905 CVE-2018-10963

CVE-2018-17101 CVE-2018-18557 CVE-2018-15209

CVE-2018-16335

 

Multiple vulnerabilities have been discovered in the libtiff library and

the included tools, which may result in denial of service or the

execution of arbitrary code if malformed image files are processed.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.0.8-2+deb9u4.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4350-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 06, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : policykit-1

CVE ID : CVE-2018-19788

Debian Bug : 915332

 

It was discovered that incorrect processing of very high UIDs in

Policykit, a framework for managing administrative policies and

privileges, could result in authentication bypass.

 

For the stable distribution (stretch), this problem has been fixed in

version 0.105-18+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4351-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 07, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libphp-phpmailer

CVE ID : CVE-2018-19296

Debian Bug : 913912

 

It was discovered that PHPMailer, a library to send email from PHP

applications, is prone to a PHP object injection vulnerability,

potentially allowing a remote attacker to execute arbitrary code.

 

For the stable distribution (stretch), this problem has been fixed in

version 5.2.14+dfsg-2.3+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4352-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

December 07, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium-browser

CVE ID : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336

CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340

CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344

CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348

CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352

CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356

CVE-2018-18357 CVE-2018-18358 CVE-2018-18359

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2018-17480

 

Guang Gong discovered an out-of-bounds write issue in the v8 javascript

library.

 

CVE-2018-17481

 

Several use-after-free issues were discovered in the pdfium library.

 

CVE-2018-18335

 

A buffer overflow issue was discovered in the skia library.

 

CVE-2018-18336

 

Huyna discovered a use-after-free issue in the pdfium library.

 

CVE-2018-18337

 

cloudfuzzer discovered a use-after-free issue in blink/webkit.

 

CVE-2018-18338

 

Zhe Jin discovered a buffer overflow issue in the canvas renderer.

 

CVE-2018-18339

 

cloudfuzzer discovered a use-after-free issue in the WebAudio

implementation.

 

CVE-2018-18340

 

A use-after-free issue was discovered in the MediaRecorder implementation.

 

CVE-2018-18341

 

cloudfuzzer discovered a buffer overflow issue in blink/webkit.

 

CVE-2018-18342

 

Guang Gong discovered an out-of-bounds write issue in the v8 javascript

library.

 

CVE-2018-18343

 

Tran Tien Hung discovered a use-after-free issue in the skia library.

 

CVE-2018-18344

 

Jann Horn discovered an error in the Extensions implementation.

 

CVE-2018-18345

 

Masato Kinugawa and Jun Kokatsu discovered an error in the Site Isolation

feature.

 

CVE-2018-18346

 

Luan Herrera discovered an error in the user interface.

 

CVE-2018-18347

 

Luan Herrera discovered an error in the Navigation implementation.

 

CVE-2018-18348

 

Ahmed Elsobky discovered an error in the omnibox implementation.

 

CVE-2018-18349

 

David Erceg discovered a policy enforcement error.

 

CVE-2018-18350

 

Jun Kokatsu discovered a policy enforcement error.

 

CVE-2018-18351

 

Jun Kokatsu discovered a policy enforcement error.

 

CVE-2018-18352

 

Jun Kokatsu discovered an error in Media handling.

 

CVE-2018-18353

 

Wenxu Wu discovered an error in the network authentication implementation.

 

CVE-2018-18354

 

Wenxu Wu discovered an error related to integration with GNOME Shell.

 

CVE-2018-18355

 

evil1m0 discovered a policy enforcement error.

 

CVE-2018-18356

 

Tran Tien Hung discovered a use-after-free issue in the skia library.

 

CVE-2018-18357

 

evil1m0 discovered a policy enforcement error.

 

CVE-2018-18358

 

Jann Horn discovered a policy enforcement error.

 

CVE-2018-18359

 

cyrilliu discovered an out-of-bounds read issue in the v8 javascript

library.

 

Several additional security relevant issues are also fixed in this update

that have not yet received CVE identifiers.

 

For the stable distribution (stretch), these problems have been fixed in

version 71.0.3578.80-1~deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4353-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 10, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php7.0

CVE ID : CVE-2018-14851 CVE-2018-14883 CVE-2018-17082

CVE-2018-19518 CVE-2018-19935

 

Multiple security issues were found in PHP, a widely-used open source

general purpose scripting language: The EXIF module was susceptible to

denial of service/information disclosure when parsing malformed images,

the Apache module allowed cross-site-scripting via the body of a

"Transfer-Encoding: chunked" request and the IMAP extension performed

insufficient input validation which can result in the execution of

arbitrary shell commands in the imap_open() function and denial of

service in the imap_mail() function.

 

For the stable distribution (stretch), these problems have been fixed in

version 7.0.33-0+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4354-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 12, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2018-12405 CVE-2018-17466 CVE-2018-18492

CVE-2018-18493 CVE-2018-18494 CVE-2018-18498

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code or bypass of the same-origin policy.

 

For the stable distribution (stretch), these problems have been fixed in

version 60.4.0esr-1~deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4355-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 19, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl1.0

CVE ID : CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-5407

 

Several local side channel attacks and a denial of service via large

Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets

Layer toolkit.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.0.2q-1~deb9u1. Going forward, openssl1.0 security updates for

stretch will be based on the 1.0.2x upstream releases.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4356-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 20, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : netatalk

CVE ID : CVE-2018-1160

Debian Bug : 916930

 

Jacob Baines discovered a flaw in the handling of the DSI Opensession

command in Netatalk, an implementation of the AppleTalk Protocol Suite,

allowing an unauthenticated user to execute arbitrary code with root

privileges.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.2.5-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4357-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 20, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libapache-mod-jk

CVE ID : CVE-2018-11759

 

Raphael Arrouas and Jean Lejeune discovered an access control bypass

vulnerability in mod_jk, the Apache connector for the Tomcat Java

servlet engine. The vulnerability is addressed by upgrading mod_jk to

the new upstream version 1.2.46, which includes additional changes.

 

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.42_and_1.2.43

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.43_and_1.2.44

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.44_and_1.2.45

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.45_and_1.2.46

 

For the stable distribution (stretch), this problem has been fixed in

version 1:1.2.46-0+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4346-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 23, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ghostscript

Debian Bug : 915832

 

The update for ghostscript issued as DSA-4346-1 caused a regression when

used with certain options (cf. Debian bug #915832). Updated packages are

now available to correct this issue.

 

For the stable distribution (stretch), this problem has been fixed in

version 9.26~dfsg-0+deb9u2.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4358-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

December 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-sanitize

CVE ID : CVE-2018-3740

Debian Bug : 893610

 

The Shopify Application Security Team discovered that ruby-sanitize, a

whitelist-based HTML sanitizer, is prone to a HTML injection

vulnerability. A specially crafted HTML fragment can cause to allow non-

whitelisted attributes to be used on a whitelisted HTML element.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.1.0-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4359-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wireshark

CVE ID : CVE-2018-12086 CVE-2018-18225 CVE-2018-18226

CVE-2018-18227 CVE-2018-19622 CVE-2018-19623

CVE-2018-19624 CVE-2018-19625 CVE-2018-19626

CVE-2018-19627 CVE-2018-19628

 

Multiple vulnerabilities have been discovered in Wireshark, a network

protocol analyzer, which could result in denial of service or the

execution of arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.6.5-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4360-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 27, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libarchive

CVE ID : CVE-2016-10209 CVE-2016-10349 CVE-2016-10350

CVE-2017-14166 CVE-2017-14501 CVE-2017-14502

CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878

CVE-2018-1000880

 

Multiple security issues were found in libarchive, a multi-format archive

and compression library: Processing malformed RAR archives could result

in denial of service or the execution of arbitrary code and malformed

WARC, LHarc, ISO, Xar or CAB archives could result in denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 3.2.2-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4361-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

December 28, 2018 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libextractor

CVE ID : CVE-2018-20430 CVE-2018-20431

 

Several vulnerabilities were discovered in libextractor, a library to

extract arbitrary meta-data from files, which may lead to denial of

service or memory disclosure if a malformed OLE file is processed.

 

For the stable distribution (stretch), these problems have been fixed in

version 1:1.3-4+deb9u3.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4362-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 01, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : thunderbird

CVE ID : not yet available

 

Multiple security issues have been found in Thunderbird, which may lead

to the execution of arbitrary code or denial of service.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:60.4.0-1~deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4363-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : python-django

CVE ID : CVE-2019-3498

 

It was discovered that malformed URLs could spoof the content of the

default 404 page of Django, a Python web development framework.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:1.10.7-2+deb9u4.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4364-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ruby-loofah

CVE ID : CVE-2018-16468

 

It was discovered that ruby-loofah, a general library for manipulating

and transforming HTML/XML documents and fragments, performed insufficient

sanitising of SVG elements.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.0.3-2+deb9u2.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4365-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 10, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tmpreaper

CVE ID : CVE-2019-3461

 

Stephen Roettger discovered a race condition in tmpreaper, a program that

cleans up files in directories based on their age, which could result in

local privilege escalation.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.6.13+nmu1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4366-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 12, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : vlc

CVE ID : CVE-2018-19857

 

An integer underflow was discovered in the CAF demuxer of the VLC

media player.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.0.6-0+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4367-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 13, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : systemd

CVE ID : CVE-2018-16864 CVE-2018-16865 CVE-2018-16866

Debian Bug : 918841 918848

 

The Qualys Research Labs discovered multiple vulnerabilities in

systemd-journald. Two memory corruption flaws, via attacker-controlled

alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw

leading to an information leak (CVE-2018-16866), could allow an attacker to

cause a denial of service or the execution of arbitrary code.

 

Further details in the Qualys Security Advisory at

https://www.qualys.com/2019/01/09/system-down/system-down.txt

 

For the stable distribution (stretch), these problems have been fixed in

version 232-25+deb9u7.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4368-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 14, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : zeromq3

CVE ID : CVE-2019-6250

 

Guido Vranken discovered that an incorrect bounds check in ZeroMQ, a

lightweight messaging kernel, could result in the execution of arbitrary

code.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.2.1-4+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4369-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 14, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xen

CVE ID : CVE-2018-19961 CVE-2018-19962 CVE-2018-19965

CVE-2018-19966 CVE-2018-19967

 

Multiple vulnerabilities have been discovered in the Xen hypervisor:

 

CVE-2018-19961 / CVE-2018-19962

 

Paul Durrant discovered that incorrect TLB handling could result in

denial of service, privilege escalation or information leaks.

 

CVE-2018-19965

 

Matthew Daley discovered that incorrect handling of the INVPCID

instruction could result in denial of service by PV guests.

 

CVE-2018-19966

 

It was discovered that a regression in the fix to address

CVE-2017-15595 could result in denial of service, privilege

escalation or information leaks by a PV guest.

 

CVE-2018-19967

 

It was discovered that an error in some Intel CPUs could result in

denial of service by a guest instance.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.8.5+shim4.10.2+xsa282-1+deb9u11.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4367-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 15, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : systemd

 

The Qualys Research Labs reported that the backported security fixes

shipped in DSA 4367-1 contained a memory leak in systemd-journald. This

and an unrelated bug in systemd-coredump are corrected in this update.

 

Note that as the systemd-journald service is not restarted automatically

a restart of the service or more safely a reboot is advised.

 

For the stable distribution (stretch), these problems have been fixed in

version 232-25+deb9u8.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4370-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 17, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

CVE ID : not yet available

 

Two vulnerabilities were found in Drupal, a fully-featured content

management framework, which could result in arbitrary code execution.

 

For additional information, please refer to the upstream advisories

at https://www.drupal.org/sa-core-2019-001 and

https://www.drupal.org/sa-core-2019-002

 

For the stable distribution (stretch), this problem has been fixed in

version 7.52-2+deb9u6.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4371-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

January 22, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : apt

CVE ID : CVE-2019-3462

 

Max Justicz discovered a vulnerability in APT, the high level package manager.

The code handling HTTP redirects in the HTTP transport method doesn't properly

sanitize fields transmitted over the wire. This vulnerability could be used by

an attacker located as a man-in-the-middle between APT and a mirror to inject

malicous content in the HTTP connection. This content could then be recognized

as a valid package by APT and used later for code execution with root

privileges on the target machine.

 

Since the vulnerability is present in the package manager itself, it is

recommended to disable redirects in order to prevent exploitation during this

upgrade only, using:

 

apt -o Acquire::http::AllowRedirect=false update

apt -o Acquire::http::AllowRedirect=false upgrade

 

This is known to break some proxies when used against security.debian.org. If

that happens, people can switch their security APT source to use:

 

deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

 

For the stable distribution (stretch), this problem has been fixed in

version 1.4.9.

[sunrat]

- ------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 9: 9.7 released press@debian.org

January 23rd, 2019 https://www.debian.org/News/2019/20190123

- ------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the seventh update of its

stable distribution Debian 9 (codename "stretch"). This point release

incorporates the recent security update for APT [1], in order to help

ensure that new installations of stretch are not vulnerable. No other

updates are included.

 

1: https://packages.debian.org/src:APT

 

New installation images will be available soon at the regular locations.

 

Upgrading an existing installation to this revision can be achieved by

pointing the package management system at one of Debian's many HTTP

mirrors. Due to the nature of the included updates, in this case it is

recommended to follow the instructions listed in DSA-4371 [2].

 

2: https://www.debian.org/security/2019/dsa-4371

 

A comprehensive list of mirrors is available at:

 

https://www.debian.org/mirror/list

 

 

 

Miscellaneous Bugfixes

- ----------------------

 

This stable update adds a few important corrections to the following

packages:

 

+----------------+------------------------------+

| Package | Reason |

+----------------+------------------------------+

| base-files [3] | Update for the point release |

| | |

+----------------+------------------------------+

 

3: https://packages.debian.org/src:base-files

 

Security Updates

- ----------------

 

This revision adds the following security updates to the stable release.

The Security Team has already released an advisory for each of these

updates:

 

+--------------+---------+

| Advisory ID | Package |

+--------------+---------+

| DSA-4371 [4] | apt [5] |

| | |

+--------------+---------+

 

4: https://www.debian.org/security/2019/dsa-4371

5: https://packages.debian.org/src:apt

 

URLs

- ----

 

The complete lists of packages that have changed with this revision:

 

http://ftp.debian.org/debian/dists/stretch/ChangeLog

 

 

The current stable distribution:

 

http://ftp.debian.org/debian/dists/stable/

 

 

Proposed updates to the stable distribution:

 

http://ftp.debian.org/debian/dists/proposed-updates

 

 

stable distribution information (release notes, errata etc.):

 

https://www.debian.org/releases/stable/

 

 

Security announcements and information:

 

https://security.debian.org/ [6]

 

6: https://www.debian.org/security/

 

 

About Debian

- ------------

 

The Debian Project is an association of Free Software developers who

volunteer their time and effort in order to produce the completely free

operating system Debian.

 

 

Contact Information

- -------------------

 

For further information, please visit the Debian web pages at

https://www.debian.org/, send mail to <press@debian.org>, or contact the

stable release team at <debian-release@lists.debian.org>.

[securitybreach]

Nice.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4372-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 26, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ghostscript

CVE ID : CVE-2019-6116

 

Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL

PostScript/PDF interpreter, which may result in denial of service or the

execution of arbitrary code if a malformed Postscript file is processed

(despite the -dSAFER sandbox being enabled).

 

For the stable distribution (stretch), this problem has been fixed in

version 9.26a~dfsg-0+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4373-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

January 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : coturn

CVE ID : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

 

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for

VoIP.

 

CVE-2018-4056

 

An SQL injection vulnerability was discovered in the coTURN administrator

web portal. As the administration web interface is shared with the

production, it is unfortunately not possible to easily filter outside

access and this security update completely disable the web interface. Users

should use the local, command line interface instead.

 

CVE-2018-4058

 

Default configuration enables unsafe loopback forwarding. A remote attacker

with access to the TURN interface can use this vulnerability to gain access

to services that should be local only.

 

CVE-2018-4059

 

Default configuration uses an empty password for the local command line

administration interface. An attacker with access to the local console

(either a local attacker or a remote attacker taking advantage of

CVE-2018-4058) could escalade privileges to administrator of the coTURN

server.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.5.0.5-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4374-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

January 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qtbase-opensource-src

CVE ID : CVE-2018-15518 CVE-2018-19870 CVE-2018-19873

Debian Bug : 907139

 

Several issues were discovered in qtbase-opensource-src, a

cross-platform C++ application framework, which could lead to

denial-of-service via application crash. Additionally, this update

fixes a problem affecting vlc, where it would start without a GUI.

 

For the stable distribution (stretch), these problems have been fixed in

version 5.7.1+dfsg-3+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4375-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 29, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : spice

CVE ID : CVE-2019-3813

Debian Bug : 920762

 

Christophe Fergeau discovered an out-of-bounds read vulnerability in

spice, a SPICE protocol client and server library, which might result in

denial of service (spice server crash), or possibly, execution of

arbitrary code.

 

For the stable distribution (stretch), this problem has been fixed in

version 0.12.8-2.1+deb9u3.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4376-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 30, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code or privilege escalation.

 

For the stable distribution (stretch), these problems have been fixed in

version 60.5.0esr-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4377-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

January 30, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rssh

CVE ID : CVE-2019-1000018

Debian Bug : 919623

 

The ESnet security team discovered a vulnerability in rssh, a restricted

shell that allows users to perform only scp, sftp, cvs, svnserve

(Subversion), rdist and/or rsync operations. Missing validation in the

scp support could result in the bypass of this restriction, allowing the

execution of arbitrary shell commands.

 

Please note that with the update applied, the "-3" option of scp can no

longer be used.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.3.4-5+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4378-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

January 30, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php-pear

CVE ID : CVE-2018-1000888

Debian Bug : 919147

 

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for

handling tar files in PHP is prone to a PHP object injection

vulnerability, potentially allowing a remote attacker to execute

arbitrary code.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:1.10.1+submodules+notgz-9+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4379-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 01, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : golang-1.7

CVE ID : CVE-2018-7187 CVE-2019-6486

 

A vulnerability was discovered in the implementation of the P-521 and

P-384 elliptic curves, which could result in denial of service and in

some cases key recovery.

 

In addition this update fixes a vulnerability in "go get", which could

result in the execution of arbitrary shell commands.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.7.4-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4380-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 01, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : golang-1.8

CVE ID : CVE-2018-6574 CVE-2018-7187 CVE-2019-6486

 

A vulnerability was discovered in the implementation of the P-521 and

P-384 elliptic curves, which could result in denial of service and in

some cases key recovery.

 

In addition this update fixes two vulnerabilities in "go get", which

could result in the execution of arbitrary shell commands.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.8.1-1+deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4381-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 02, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libreoffice

CVE ID : CVE-2018-16858

 

Alex Infuehr discovered a directory traversal vulnerability which could

result in the execution of Python script code when opening a malformed

document.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:5.2.7-1+deb9u5. In addition this update fixes a bug in the

validation of signed PDFs; it would display an incomplete status message

when dealing with a partial signature.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4382-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 02, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rssh

CVE ID : CVE-2019-3463 CVE-2019-3464

 

Nick Cleaton discovered two vulnerabilities in rssh, a restricted shell

that allows users to perform only scp, sftp, cvs, svnserve (Subversion),

rdist and/or rsync operations. Missing validation in the rsync support

could result in the bypass of this restriction, allowing the execution

of arbitrary shell commands.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.3.4-5+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4383-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 03, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libvncserver

CVE ID : CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019

CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023

CVE-2018-20024

Debian Bug : 916941

 

Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a

library to implement VNC server/client functionalities, which might result in

the execution of arbitrary code, denial of service or information disclosure.

 

For the stable distribution (stretch), these problems have been fixed in

version 0.9.11+dfsg-1.3~deb9u1.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4384-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 04, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libgd2

CVE ID : CVE-2019-6977 CVE-2019-6978

Debian Bug : 920645 920728

 

Multiple vulnerabilities have been discovered in libgd2, a library for

programmatic graphics creation and manipulation, which may result in

denial of service or potentially the execution of arbitrary code if a

malformed file is processed.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.2.4-2+deb9u4.

 

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4385-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 05, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : dovecot

CVE ID : CVE-2019-3814

 

halfdog discovered an authentication bypass vulnerability in the Dovecot

email server. Under some configurations Dovecot mistakenly trusts the

username provided via authentication instead of failing. If there is no

additional password verification, this allows the attacker to login as

anyone else in the system. Only installations using:

 

auth_ssl_require_client_cert = yes

auth_ssl_username_from_cert = yes

 

are affected by this flaw.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:2.2.27-3+deb9u3.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4386-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

February 06, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : curl

CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

 

Multiple vulnerabilities were discovered in cURL, an URL transfer library.

 

CVE-2018-16890

 

Wenxiang Qian of Tencent Blade Team discovered that the function

handling incoming NTLM type-2 messages does not validate incoming

data correctly and is subject to an integer overflow vulnerability,

which could lead to an out-of-bounds buffer read.

 

CVE-2019-3822

 

Wenxiang Qian of Tencent Blade Team discovered that the function

creating an outgoing NTLM type-3 header is subject to an integer

overflow vulnerability, which could lead to an out-of-bounds write.

 

CVE-2019-3823

 

Brian Carpenter of Geeknik Labs discovered that the code handling

the end-of-response for SMTP is subject to an out-of-bounds heap

read.

 

For the stable distribution (stretch), these problems have been fixed in

version 7.52.1-5+deb9u9.

[sunrat]

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4387-1 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

February 09, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssh

CVE ID : CVE-2018-20685 CVE-2019-6109 CVE-2019-6111

Debian Bug : 793412 919101

 

Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in

OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities

are in found in the scp client implementing the SCP protocol.

 

CVE-2018-20685

 

Due to improper directory name validation, the scp client allows servers to

modify permissions of the target directory by using empty or dot directory

name.

 

CVE-2019-6109

 

Due to missing character encoding in the progress display, the object name

can be used to manipulate the client output, for example to employ ANSI

codes to hide additional files being transferred.

 

CVE-2019-6111

 

Due to scp client insufficient input validation in path names sent by

server, a malicious server can do arbitrary file overwrites in target

directory. If the recursive (-r) option is provided, the server can also

manipulate subdirectories as well.

.

The check added in this version can lead to regression if the client and

the server have differences in wildcard expansion rules. If the server is

trusted for that purpose, the check can be disabled with a new -T option to

the scp client.

 

For the stable distribution (stretch), these problems have been fixed in

version 1:7.4p1-10+deb9u5.