sunrat Posted February 11, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4388-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 10, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mosquitto
CVE ID         : CVE-2018-12546 CVE-2018-12550 CVE-2018-12551

Three vulnerabilities were discovered in the Mosquitto MQTT broker, which
could result in authentication bypass. Please refer to
https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for additional
information.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.10-3+deb9u3.
sunrat Posted February 12, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4389-1                   security@debian.org
https://www.debian.org/security/                        Sebastien Delafond
February 11, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libu2f-host
CVE ID         : CVE-2018-20340
Debian Bug     : 921725

Christian Reitter discovered that libu2f-host, a library implementing the
host side of the U2F protocol, failed to properly check for a buffer
overflow. This would allow an attacker with a custom-made malicious USB
device masquerading as a security key, and physical access to a computer
where PAM U2F or an application with libu2f-host integrated is in use, to
potentially execute arbitrary code on that computer.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.2-2+deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4377-2                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
February 11, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rssh
Debian Bug     : 921655

The update for rssh issued as DSA 4377-1 introduced a regression that
blocked scp of multiple files from a server using rssh. Updated packages
are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u3.
sunrat Posted February 13, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4390-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 12, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : flatpak
CVE ID         : not yet available
Debian Bug     : 922059

It was discovered that Flatpak, an application deployment framework for
desktop apps, insufficiently restricted the execution of "apply_extra"
scripts which could potentially result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 0.8.9-0+deb9u2.
sunrat Posted February 14, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4391-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 14, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-18356 CVE-2019-5785

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.5.1esr-1~deb9u1.
sunrat Posted February 18, 2019

------------------------------------------------------------------------
The Debian Project                                 https://www.debian.org/
Updated Debian 9: 9.8 released                            press@debian.org
February 16th, 2019             https://www.debian.org/News/2019/20190216
------------------------------------------------------------------------

The Debian project is pleased to announce the eighth update of its stable
distribution Debian 9 (codename "stretch"). This point release mainly adds
corrections for security issues, along with a few adjustments for serious
problems. Security advisories have already been published separately and
are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no need
to throw away old "stretch" media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

The complete lists of packages that have changed with this revision:

    http://ftp.debian.org/debian/dists/stretch/ChangeLog

-------------------------------------------------------------------------
Debian Security Advisory DSA-4392-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 16, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-18356 CVE-2018-18500 CVE-2018-18501 CVE-2018-18505
                 CVE-2018-18509 CVE-2019-5785

Multiple security issues have been found in the Thunderbird mail client,
which could lead to the execution of arbitrary code, denial of service or
spoofing of S/MIME signatures.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.5.1-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4388-2                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
February 17, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mosquitto
Debian Bug     : 922071

Kushal Kumaran reported that the update for mosquitto issued as DSA 4388-1
causes mosquitto to crash when reloading the persistent database. Updated
packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 1.4.10-3+deb9u4.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4393-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
February 18, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2019-6454

Chris Coulson discovered a flaw in systemd leading to denial of service.
An unprivileged user could take advantage of this issue to crash PID1 by
sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u9.
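One check a stretch administrator wants after a batch of advisories like the ones above: compare what dpkg has installed against the fixed versions the advisories name. The script below is an added example, not Debian's or dpkg's code. It re-implements the version ordering from Debian Policy section 5.6.12 (epoch first, then upstream version, then Debian revision, with "~" sorting before anything including the end of the string) so it runs without dpkg, and the installed-version table in it is constructed for the demo rather than read from a real system.

```python
"""Compare installed Debian package versions against the versions an
advisory names as fixed.  Added example, not Debian's code: the comparison
re-implements the ordering described in Debian Policy 5.6.12 (the one
dpkg --compare-versions uses); the installed-version table below is
constructed for the demo rather than read from the real system."""


def _order(c: str) -> int:
    # Sort weight of one character inside a non-digit run: '~' sorts before
    # everything (even the end of the string, which weighs 0), letters sort
    # before non-letters, everything else keeps ASCII order shifted up.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run is larger and,
        # for equal length, the first differing digit decides.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # native package: no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    rc = _verrevcmp(ua, ub)
    if rc:
        return rc
    return _verrevcmp(ra, rb)


def needs_update(installed: str, fixed: str) -> bool:
    return compare_versions(installed, fixed) < 0


# Constructed (package, fixed version, advisory) rows taken from the posts.
ADVISORIES = [
    ("mosquitto", "1.4.10-3+deb9u4", "DSA-4388-2"),
    ("thunderbird", "1:60.5.1-1~deb9u1", "DSA-4392-1"),
    ("systemd", "232-25+deb9u9", "DSA-4393-1"),
    ("firefox-esr", "60.5.1esr-1~deb9u1", "DSA-4391-1"),
]

# Constructed "installed" table standing in for dpkg-query output.
INSTALLED = {
    "mosquitto": "1.4.10-3+deb9u3",
    "thunderbird": "1:60.5.1-1~deb9u1",
    "systemd": "232-25+deb9u8",
    "firefox-esr": "60.6.0esr-1~deb9u1",
}


def outdated(installed: dict, advisories: list) -> list:
    """Rows whose installed version is older than the advisory's fixed one."""
    return [
        (pkg, installed[pkg], fixed, dsa)
        for pkg, fixed, dsa in advisories
        if pkg in installed and needs_update(installed[pkg], fixed)
    ]


if __name__ == "__main__":
    for pkg, have, want, dsa in outdated(INSTALLED, ADVISORIES):
        print(f"{pkg}: installed {have} < fixed {want} ({dsa})")
```

On a real host, fill INSTALLED from `dpkg-query -W -f='${Package} ${Version}\n'` instead of the constructed table; where dpkg is present, `dpkg --compare-versions A lt B` gives the authoritative answer for any single pair and is what this function should agree with.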
sunrat Posted February 19, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4394-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 18, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rdesktop
CVE ID         : CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794
                 CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798
                 CVE-2018-8799 CVE-2018-8800 CVE-2018-20174 CVE-2018-20175
                 CVE-2018-20176 CVE-2018-20177 CVE-2018-20178 CVE-2018-20179
                 CVE-2018-20180 CVE-2018-20181 CVE-2018-20182

Multiple security issues were found in the rdesktop RDP client, which
could result in denial of service, information disclosure and the
execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.4-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4395-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
February 18, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2018-17481 CVE-2019-5754 CVE-2019-5755 CVE-2019-5756
                 CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760
                 CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765
                 CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769
                 CVE-2019-5770 CVE-2019-5772 CVE-2019-5773 CVE-2019-5774
                 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777 CVE-2019-5778
                 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5782
                 CVE-2019-5783 CVE-2019-5784

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17481
    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5754
    Klzgrad discovered an error in the QUIC networking implementation.

CVE-2019-5755
    Jay Bosamiya discovered an implementation error in the v8 javascript
    library.

CVE-2019-5756
    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5757
    Alexandru Pitis discovered a type confusion error in the SVG image
    format implementation.

CVE-2019-5758
    Zhe Jin discovered a use-after-free issue in blink/webkit.

CVE-2019-5759
    Almog Benin discovered a use-after-free issue when handling HTML pages
    containing select elements.

CVE-2019-5760
    Zhe Jin discovered a use-after-free issue in the WebRTC implementation.

CVE-2019-5762
    A use-after-free issue was discovered in the pdfium library.

CVE-2019-5763
    Guang Gon discovered an input validation error in the v8 javascript
    library.

CVE-2019-5764
    Eyal Itkin discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2019-5765
    Sergey Toshin discovered a policy enforcement error.

CVE-2019-5766
    David Erceg discovered a policy enforcement error.

CVE-2019-5767
    Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error
    in the WebAPKs user interface.

CVE-2019-5768
    Rob Wu discovered a policy enforcement error in the developer tools.

CVE-2019-5769
    Guy Eshel discovered an input validation error in blink/webkit.

CVE-2019-5770
    hemidallt discovered a buffer overflow issue in the WebGL
    implementation.

CVE-2019-5772
    Zhen Zhou discovered a use-after-free issue in the pdfium library.

CVE-2019-5773
    Yongke Wong discovered an input validation error in the IndexDB
    implementation.

CVE-2019-5774
    Jnghwan Kang and Juno Im discovered an input validation error in the
    SafeBrowsing implementation.

CVE-2019-5775
    evil1m0 discovered a policy enforcement error.

CVE-2019-5776
    Lnyas Zhang discovered a policy enforcement error.

CVE-2019-5777
    Khalil Zhani discovered a policy enforcement error.

CVE-2019-5778
    David Erceg discovered a policy enforcement error in the Extensions
    implementation.

CVE-2019-5779
    David Erceg discovered a policy enforcement error in the ServiceWorker
    implementation.

CVE-2019-5780
    Andreas Hegenberg discovered a policy enforcement error.

CVE-2019-5781
    evil1m0 discovered a policy enforcement error.

CVE-2019-5782
    Qixun Zhao discovered an implementation error in the v8 javascript
    library.

CVE-2019-5783
    Shintaro Kobori discovered an input validation error in the developer
    tools.

CVE-2019-5784
    Lucas Pinheiro discovered an implementation error in the v8 javascript
    library.

For the stable distribution (stretch), these problems have been fixed in
version 72.0.3626.96-1~deb9u1.
sunrat Posted February 19, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4396-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 19, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ansible
CVE ID         : CVE-2018-10855 CVE-2018-10875 CVE-2018-16837 CVE-2018-16876
                 CVE-2019-3828

Several vulnerabilities have been found in Ansible, a configuration
management, deployment, and task execution system:

CVE-2018-10855 / CVE-2018-16876
    The no_log task flag wasn't honored, resulting in an information leak.

CVE-2018-10875
    ansible.cfg was read from the current working directory.

CVE-2018-16837
    The user module leaked parameters passed to ssh-keygen to the process
    environment.

CVE-2019-3828
    The fetch module was susceptible to path traversal.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.1.0-2+deb9u1.
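The fetch issue in CVE-2019-3828 has the classic shape of a path-traversal bug: the remote end gets to choose part of the path the local side writes to. The following is an added example, not Ansible's code, of the containment check a fetch-style module needs before it writes: it resolves the candidate destination to its real path and rejects anything that does not stay under the destination root, which covers ".." components, absolute names and symlinks already planted inside the tree. The scratch directory and the hostile names are constructed for the demo.

```python
"""Keep a file that a remote host names from landing outside the local
destination tree.  Added example, not Ansible's own code: it shows the
class of check a fetch-style module needs when the remote end controls the
returned path.  The scratch tree and the names are constructed for the demo."""

import os
import tempfile


class PathEscape(ValueError):
    """Raised when a remote-supplied name would leave the destination root."""


def safe_dest(dest_root: str, remote_name: str) -> str:
    """Resolve remote_name under dest_root, or raise PathEscape.

    The comparison is done on real (symlink-resolved) absolute paths so
    that '..' components, absolute names and symlinks already present in
    dest_root are all caught by the same containment test."""
    if "\x00" in remote_name:
        raise PathEscape("NUL byte in remote path")
    root = os.path.realpath(dest_root)
    # os.path.join discards root when remote_name is absolute; realpath then
    # yields a path outside root and the containment test rejects it.
    candidate = os.path.realpath(os.path.join(root, remote_name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathEscape(f"{remote_name!r} resolves outside {dest_root!r}")
    return candidate


def demo() -> dict:
    """Run safe_dest against constructed hostile names in a scratch tree.

    Returns a label -> outcome map: True when the name was accepted and
    really lies under the root, 'rejected' when PathEscape was raised."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        real_root = os.path.realpath(root)
        # A symlink a compromised host could have planted via an earlier
        # fetch; it points one level above the destination root.
        os.symlink(os.path.dirname(real_root), os.path.join(root, "escape"))
        attempts = {
            "honest": "host1/etc/ssh/sshd_config",
            "dotdot": "../../etc/passwd",
            "absolute": "/etc/shadow",
            "symlink": "escape/secret",
        }
        for label, name in attempts.items():
            try:
                dest = safe_dest(root, name)
                results[label] = dest.startswith(real_root + os.sep)
            except PathEscape:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} -> {outcome}")
```

The check is deliberately run at write time on the resolved path rather than by string-filtering "..": the symlink case shows why, since the name "escape/secret" contains nothing suspicious on its own.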
sunrat Posted February 23, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4377-3                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 22, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rssh
CVE ID         : CVE-2019-1000018
Debian Bug     : 919623

The restrictions introduced in the security fix to address
CVE-2019-1000018 also disallowed the -pf and -pt options which are used
by the scp support in libssh2. This update restores support for those.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u4.
sunrat Posted February 28, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4395-2                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
February 26, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 922794 923298

A regression was introduced in the previous chromium security update. The
browser would always crash when launched in headless mode. This update
fixes this problem. A file conflict with the buster chromium packages is
also fixed.

For the stable distribution (stretch), this problem has been fixed in
version 72.0.3626.96-1~deb9u2.
sunrat Posted February 28, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4397-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
February 28, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2019-3824

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()
function of ldb, a LDAP-like embedded database, resulting in denial of
service.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.1.27-1+deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4398-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023
                 CVE-2019-9024

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: Multiple out-of-bounds memory
accesses were found in the xmlrpc, mbstring and phar extensions and the
dns_get_record() function.

For the stable distribution (stretch), these problems have been fixed in
version 7.0.33-0+deb9u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4399-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ikiwiki
CVE ID         : CVE-2019-9187

Joey Hess discovered that the aggregate plugin of the Ikiwiki wiki
compiler was susceptible to server-side request forgery, resulting in
information disclosure or denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 3.20170111.1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4400-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
oracle attack in OpenSSL.

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2r-1~deb9u1.
sunrat Posted March 1, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4401-1                   security@debian.org
https://www.debian.org/security/                        Sebastien Delafond
March 01, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149 CVE-2018-20150
                 CVE-2018-20151 CVE-2018-20152 CVE-2018-20153 CVE-2019-8942
Debian Bug     : 916403

Several vulnerabilities were discovered in Wordpress, a web blogging tool.
They allowed remote attackers to perform various Cross-Site Scripting
(XSS) and PHP injection attacks, delete files, leak potentially sensitive
data, create posts of unauthorized types, or cause denial-of-service by
application crash.

For the stable distribution (stretch), these problems have been fixed in
version 4.7.5+dfsg-2+deb9u5.
sunrat Posted March 2, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4387-2                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
March 02, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssh
CVE ID         : CVE-2019-6111
Debian Bug     : 923486

It was found that a security update (DSA-4387-1) of OpenSSH, an
implementation of the SSH protocol suite, was incomplete. This update did
not completely fix CVE-2019-6111, an arbitrary file overwrite
vulnerability in the scp client implementing the SCP protocol.

For the stable distribution (stretch), this problem has been fixed in
version 1:7.4p1-10+deb9u6.
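The scp client flaw above comes down to trusting a file name that the server sends back. In the SCP protocol the server announces each file with a plain-text header of the form "C<mode> <size> <name>", and a client that writes to whatever name arrives lets a hostile server drop files such as .bash_aliases into the target directory. The following is an added example, not OpenSSH's code, of parsing that header and accepting only names that contain no path separators and match what the user asked for; the server responses in it are constructed for the demo.

```python
"""Validate the file names an scp server sends back against what the
client asked for.  Added example, not OpenSSH's code: the wire format
below is the plain-text 'C<mode> <size> <name>' header SCP uses, and the
server responses are constructed for the demo."""

import fnmatch
import re

# One scp file header: 'C', four octal mode digits, decimal length, name.
_HEADER = re.compile(r"^C([0-7]{4}) ([0-9]+) (.+)$")


def parse_header(line: str):
    """Return (mode, size, name) from a 'C' header, or raise ValueError."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"malformed scp header: {line!r}")
    mode, size, name = m.groups()
    return int(mode, 8), int(size), name


def name_allowed(name: str, requested: str) -> bool:
    """True if the server-supplied name is one the user actually asked for.

    requested is the basename (or glob) of the user's source argument.
    Slashes, '.', '..' and empty names are rejected outright so a hostile
    server cannot steer the write out of the target directory; the name
    must also match the requested pattern so it cannot substitute an
    unrelated file such as .bash_aliases for the one requested."""
    if not name or name in (".", "..") or "/" in name:
        return False
    return fnmatch.fnmatchcase(name, requested)


def filter_response(lines, requested: str) -> dict:
    """Split a server's 'C' headers into accepted and rejected names."""
    accepted, rejected = [], []
    for line in lines:
        if not line.startswith("C"):
            continue  # D/E/T records are outside this check
        _mode, _size, name = parse_header(line)
        (accepted if name_allowed(name, requested) else rejected).append(name)
    return {"accepted": accepted, "rejected": rejected}


# Constructed response from a hostile server answering `scp host:report.txt .`
MALICIOUS_RESPONSE = [
    "C0644 5 report.txt\n",
    "C0644 32 .bash_aliases\n",  # unrelated dotfile in the target directory
    "C0644 9 ../evil\n",         # path component, would leave the directory
]


if __name__ == "__main__":
    print(filter_response(MALICIOUS_RESPONSE, "report.txt"))
```

fnmatch's "*" matches "/" as well, which is why the separator check runs before the pattern match rather than being left to the glob.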
sunrat Posted March 5, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4402-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 05, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mumble
CVE ID         : CVE-2018-20743

It was discovered that insufficient restrictions in the connection
handling of Mumble, a low latency encrypted VoIP client, could result in
denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.18-1+deb9u1.
sunrat Posted March 9, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4403-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 08, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php7.0
CVE ID         : not yet available

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: The EXIF extension had multiple cases
of invalid memory access and rename() was implemented insecurely.

For the stable distribution (stretch), this problem has been fixed in
version 7.0.33-0+deb9u3.
sunrat Posted March 10, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4404-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
March 09, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5786

Clement Lecigne discovered a use-after-free issue in chromium's file
reader implementation. A maliciously crafted file could be used to
remotely execute arbitrary code because of this problem.

This update also fixes a regression introduced in a previous update. The
browser would always crash when launched in remote debugging mode.

For the stable distribution (stretch), this problem has been fixed in
version 72.0.3626.122-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4405-1                   security@debian.org
https://www.debian.org/security/                             Luciano Bello
March 10, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2017-17480 CVE-2018-5785 CVE-2018-6616 CVE-2018-14423
                 CVE-2018-18088
Debian Bug     : 884738 888533 889683 904873 910763

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, that could be leveraged to cause a denial of
service or possibly remote code execution.

CVE-2017-17480
    Write stack buffer overflow in the jp3d and jpwl codecs can result in
    a denial of service or remote code execution via a crafted jp3d or
    jpwl file.

CVE-2018-5785
    Integer overflow can result in a denial of service via a crafted bmp
    file.

CVE-2018-6616
    Excessive iteration can result in a denial of service via a crafted
    bmp file.

CVE-2018-14423
    Division-by-zero vulnerabilities can result in a denial of service via
    a crafted j2k file.

CVE-2018-18088
    Null pointer dereference can result in a denial of service via a
    crafted bmp file.

For the stable distribution (stretch), these problems have been fixed in
version 2.1.2-1.1+deb9u3.
sunrat Posted March 13, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4406-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : waagent
CVE ID         : CVE-2019-0804

Francis McBratney discovered that the Windows Azure Linux Agent created
swap files with world-readable permissions, resulting in information
disclosure.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.18-3~deb9u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4407-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 12, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xmltooling
CVE ID         : CVE-2019-9628

Ross Geerlings discovered that the XMLTooling library didn't correctly
handle exceptions on malformed XML declarations, which could result in
denial of service against the application using XMLTooling.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.0-4+deb9u2.
sunrat Posted March 18, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4408-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 17, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : liblivemedia
CVE ID         : CVE-2019-6256 CVE-2019-7314 CVE-2019-9215

Multiple security issues were discovered in liveMedia, a set of C++
libraries for multimedia streaming, which could result in the execution
of arbitrary code or denial of service when parsing a malformed RTSP
stream.

For the stable distribution (stretch), these problems have been fixed in
version 2016.11.28-1+deb9u2.
sunrat Posted March 19, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4409-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 18, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : neutron
CVE ID         : CVE-2019-9735

Erik Olof Gunnar Andersson discovered that incorrect validation of port
settings in the iptables security group driver of Neutron, the OpenStack
virtual network service, could result in denial of service in a
multi-tenant setup.

For the stable distribution (stretch), this problem has been fixed in
version 2:9.1.1-3+deb9u1.
sunrat Posted March 20, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4410-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 20, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2019-2422

A memory disclosure vulnerability was discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in information
disclosure or bypass of sandbox restrictions.

For the stable distribution (stretch), this problem has been fixed in
version 8u212-b01-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4411-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 20, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791
                 CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.6.0esr-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4412-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 20, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

It was discovered that missing input sanitising in the file module of
Drupal, a fully-featured content management framework, could result in
cross-site scripting.

For additional information, please refer to the upstream advisory at
https://www.drupal.org/sa-core-2019-004.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u7.
sunrat Posted March 21, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4413-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 21, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2019-9755

A heap-based buffer overflow was discovered in NTFS-3G, a read-write NTFS
driver for FUSE. A local user can take advantage of this flaw for local
root privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 1:2016.2.22AR.1+dfsg-1+deb9u1.
sunrat Posted March 24, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4414-1                   security@debian.org
https://www.debian.org/security/                           Thijs Kinkhorst
March 23, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libapache2-mod-auth-mellon
CVE ID         : CVE-2019-3877 CVE-2019-3878
Debian Bug     : 925197

Several issues have been discovered in Apache module auth_mellon, which
provides SAML 2.0 authentication.

CVE-2019-3877
    It was possible to bypass the redirect URL checking on logout, so the
    module could be used as an open redirect facility.

CVE-2019-3878
    When mod_auth_mellon is used in an Apache configuration which serves
    as a remote proxy with the http_proxy module, it was possible to
    bypass authentication by sending SAML ECP headers.

For the stable distribution (stretch), these problems have been fixed in
version 0.12.0-2+deb9u1.
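CVE-2019-3877 above is an open redirect in a logout flow, where the return URL comes from the request. The following is an added example, not mod_auth_mellon's code, of validating a user-supplied return URL before redirecting to it: it allows only absolute-path-relative URLs on the same site or http(s) URLs whose origin is on an allowlist, and rejects scheme-relative "//host" forms, userinfo tricks, non-web schemes and header-injection characters. The allowlist and the sample URLs are constructed for the demo.

```python
"""Check a logout ReturnTo / redirect target before sending the browser
there.  Added example, not mod_auth_mellon's code: the allowlisted origin
and the sample URLs are constructed for the demo."""

from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://sp.example.org"}  # constructed allowlist


def is_safe_redirect(url: str, allowed_origins=ALLOWED_ORIGINS) -> bool:
    """True only for a same-site relative path or an allowlisted origin."""
    if not url or any(c in url for c in "\r\n\x00\\"):
        return False  # header injection, NUL, or backslash-as-slash tricks
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept '/path' only, never '//host/path'.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto:, ...
    if parts.username is not None or parts.password is not None:
        return False  # https://sp.example.org@evil.example/ style
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.hostname is None:
        return False
    origin = f"{parts.scheme}://{parts.hostname}"
    if port is not None:
        origin += f":{port}"  # an explicit port must match the allowlist too
    return origin in allowed_origins


# Constructed ReturnTo values as they might arrive on a logout request.
SAMPLE_RETURN_URLS = [
    "/logged-out",
    "HTTPS://SP.EXAMPLE.ORG/logout?done=1",
    "//evil.example/phish",
    "https://evil.example/",
    "https://sp.example.org.evil.example/",
    "https://sp.example.org@evil.example/",
    "javascript:alert(1)",
    "/\\evil.example",
]


def classify(urls=SAMPLE_RETURN_URLS) -> dict:
    """Map each URL to whether the validator would redirect to it."""
    return {u: is_safe_redirect(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print(f"{'allow' if ok else 'deny ':5s} {url}")
```

urlsplit lowercases the scheme and hostname for you, which is what lets the upper-case sample match the allowlist; anything it cannot assign a hostname to (for example "https:///x") is denied by the hostname check.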
sunrat Posted March 24, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4415-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : passenger
CVE ID         : CVE-2017-16355
Debian Bug     : 884463

An arbitrary file read vulnerability was discovered in passenger, a web
application server. A local user allowed to deploy an application to
passenger can take advantage of this flaw by creating a symlink from the
REVISION file to an arbitrary file on the system and have its content
displayed through passenger-status.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.30-1+deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4416-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719
                 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug     : 923611

It was discovered that Wireshark, a network traffic analyzer, contained
several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,
ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.7-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4417-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
March 24, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-9810 CVE-2019-9813

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.6.1esr-1~deb9u1.
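The passenger issue (CVE-2017-16355) is the symlink-to-secret pattern: a privileged status tool reads a file from a directory that a less-privileged deployer controls. The following is an added example, not Passenger's code, of reading such a file safely: open it with O_NOFOLLOW so the kernel refuses a symlink outright, then confirm on the open descriptor that it is a regular file with a single link before reading it. The REVISION file name comes from the advisory; the scratch directories and their contents are constructed for the demo, and the "naive" read is included only to show what following the link would leak.

```python
"""Read a status file from a deploy directory without following a symlink
the deployer may have planted there.  Added example, not Passenger's code:
the REVISION file name is taken from the advisory; the scratch directory
and its contents are constructed for the demo."""

import errno
import os
import stat
import tempfile


class UnsafeFile(OSError):
    """Raised when the path is not a plain, unlinked regular file."""


def read_nofollow(path: str, limit: int = 4096) -> bytes:
    """Open path with O_NOFOLLOW and refuse anything but a regular file."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as e:
        if e.errno == errno.ELOOP:  # O_NOFOLLOW reports a symlink as ELOOP
            raise UnsafeFile(f"{path} is a symlink; refusing to follow") from e
        raise
    try:
        # Check the object we actually opened, not a fresh lookup by name,
        # so the check cannot be raced by swapping the path underneath us.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFile(f"{path} is not a regular file")
        if st.st_nlink != 1:
            # A freshly written REVISION has one link; more means a hard
            # link was laid on top of some other file.
            raise UnsafeFile(f"{path} has {st.st_nlink} links")
        return os.read(fd, limit)
    finally:
        os.close(fd)


def demo() -> dict:
    """Honest REVISION vs. a REVISION symlinked at a secret the tool's
    user can read but the deployer cannot (stand-in: secret.txt)."""
    results = {}
    with tempfile.TemporaryDirectory() as app:
        secret = os.path.join(app, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"not for the deployer\n")

        honest = os.path.join(app, "honest", "REVISION")
        os.makedirs(os.path.dirname(honest))
        with open(honest, "wb") as f:
            f.write(b"a1b2c3d4\n")

        planted = os.path.join(app, "planted", "REVISION")
        os.makedirs(os.path.dirname(planted))
        os.symlink(secret, planted)  # what a malicious deployer commits

        results["honest"] = read_nofollow(honest)
        try:
            results["planted"] = read_nofollow(planted)
        except UnsafeFile:
            results["planted"] = "refused"
        with open(planted, "rb") as f:  # the naive read, for contrast
            results["naive"] = f.read()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:8s} -> {outcome!r}")
```

O_NOFOLLOW only applies to the final path component; if the deployer also controls the directories above the file, resolve those with openat-style directory descriptors (os.open with dir_fd) the same way, one component at a time.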
sunrat Posted March 29, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4418-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2019-7524

A vulnerability was discovered in the Dovecot email server. When reading FTS or POP3-UIDL headers from the Dovecot index, the input buffer size is not bounds-checked. An attacker with the ability to modify dovecot indexes can take advantage of this flaw for privilege escalation or the execution of arbitrary code with the permissions of the dovecot user. Only installations using the FTS or pop3 migration plugins are affected.

For the stable distribution (stretch), this problem has been fixed in version 1:2.2.27-3+deb9u4.
sunrat Posted March 31, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4419-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : twig
CVE ID         : CVE-2019-9942

Fabien Potencier discovered that twig, a template engine for PHP, did not correctly enforce sandboxing. This could result in potential information disclosure.

For the stable distribution (stretch), this problem has been fixed in version 1.24.0-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4420-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 30, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791
                 CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796

Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code or denial of service.

For the stable distribution (stretch), these problems have been fixed in version 1:60.6.1-1~deb9u1.
sunrat Posted March 31, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4421-1                   security@debian.org
https://www.debian.org/security/                         Michael Gilbert
March 31, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790
                 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794
                 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
                 CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5787
    Zhe Jin discovered a use-after-free issue.

CVE-2019-5788
    Mark Brand discovered a use-after-free issue in the FileAPI implementation.

CVE-2019-5789
    Mark Brand discovered a use-after-free issue in the WebMIDI implementation.

CVE-2019-5790
    Dimitri Fourny discovered a buffer overflow issue in the v8 javascript library.

CVE-2019-5791
    Choongwoo Han discovered a type confusion issue in the v8 javascript library.

CVE-2019-5792
    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5793
    Jun Kokatsu discovered a permissions issue in the Extensions implementation.

CVE-2019-5794
    Juno Im of Theori discovered a user interface spoofing issue.

CVE-2019-5795
    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5796
    Mark Brand discovered a race condition in the Extensions implementation.

CVE-2019-5797
    Mark Brand discovered a race condition in the DOMStorage implementation.

CVE-2019-5798
    Tran Tien Hung discovered an out-of-bounds read issue in the skia library.

CVE-2019-5799
    sohalt discovered a way to bypass the Content Security Policy.

CVE-2019-5800
    Jun Kokatsu discovered a way to bypass the Content Security Policy.

CVE-2019-5802
    Ronni Skansing discovered a user interface spoofing issue.

CVE-2019-5803
    Andrew Comminos discovered a way to bypass the Content Security Policy.

For the stable distribution (stretch), these problems have been fixed in version 73.0.3683.75-1~deb9u1.
sunrat Posted April 4, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4422-1                   security@debian.org
https://www.debian.org/security/                           Stefan Fritsch
April 03, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0211
                 CVE-2019-0217 CVE-2019-0220
Debian Bug     : 920302 920303

Several vulnerabilities have been found in the Apache HTTP server.

CVE-2018-17189
    Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service.

CVE-2018-17199
    Diego Angulo from ImExHS discovered that mod_session_cookie does not respect expiry time.

CVE-2019-0196
    Craig Young discovered that the http/2 request handling in mod_http2 could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

CVE-2019-0211
    Charles Fol discovered a privilege escalation from the less-privileged child process to the parent process running as root.

CVE-2019-0217
    A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. The issue was discovered by Simon Kappel.

CVE-2019-0220
    Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL normalizations were inconsistently handled. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.

For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4423-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 03, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : putty
CVE ID         : CVE-2019-9894 CVE-2019-9895 CVE-2019-9897 CVE-2019-9898

Multiple vulnerabilities were found in the PuTTY SSH client, which could result in denial of service and potentially the execution of arbitrary code. In addition, in some situations random numbers could potentially be re-used.

For the stable distribution (stretch), these problems have been fixed in version 0.67-3+deb9u1.
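The CVE-2019-0220 entry above is easy to misread as a cosmetic issue, so here is the failure mode worked through. The following is an added example, not code from Apache or from the advisory: it is a small Python model of the two stages the advisory describes, a regex-based access rule (standing in for a LocationMatch block that denies /admin) matched against the raw request path, and a resource-mapping stage that implicitly collapses duplicate slashes. The rule text, the constructed request paths and the 403/200 results are illustrative; what the model reproduces is the disagreement between the two stages, and the two ways of closing it: collapse slashes once before any matching (the upstream fix added a MergeSlashes directive, on by default, for this), or write every regex to tolerate runs of slashes.

```python
import re

# Model of an access rule equivalent to
#   <LocationMatch "^/admin">
#       Require all denied
#   </LocationMatch>
# The anchor silently assumes the path begins with exactly one slash.
DENY_RULE = re.compile(r"^/admin(/|$)")

# The same rule written defensively, tolerating runs of slashes. Before the
# fix this is what every LocationMatch/RewriteRule regex had to do.
DENY_RULE_TOLERANT = re.compile(r"^/+admin(/+|$)")


def collapse_slashes(path: str) -> str:
    """Collapse runs of '/' the way the resource-mapping stage implicitly does."""
    return re.sub(r"/{2,}", "/", path)


def serve(request_path: str, merge_slashes: bool, rule=DENY_RULE) -> tuple:
    """Return (status, mapped_path) for one request.

    merge_slashes=False models the pre-fix behaviour in the advisory: the
    access rule sees the raw path, the mapping stage sees the collapsed one,
    so the two stages can disagree about which resource is being requested.
    merge_slashes=True collapses once, up front, so both stages agree.
    """
    mapped = collapse_slashes(request_path)
    match_path = mapped if merge_slashes else request_path
    if rule.search(match_path):
        return ("403", mapped)
    return ("200", mapped)


def probe(paths, merge_slashes: bool, rule=DENY_RULE) -> dict:
    """Run a batch of request paths through serve() and collect the outcomes."""
    return {p: serve(p, merge_slashes, rule) for p in paths}


def bypasses(paths, rule=DENY_RULE) -> list:
    """Paths that are served (200) pre-fix but map to a resource the rule
    would deny once slashes are merged: the actual access-control bypass."""
    return [p for p in paths
            if serve(p, False, rule)[0] == "200" and serve(p, True, rule)[0] == "403"]


# Constructed request paths for the demonstration (not from the advisory).
REQUESTS = ["/admin/users", "//admin/users", "///admin", "/admin//users", "/public//index.html"]

if __name__ == "__main__":
    for label, merge in (("pre-fix (regex on raw path)", False), ("MergeSlashes on", True)):
        print(f"== {label}")
        for p, (status, mapped) in probe(REQUESTS, merge).items():
            print(f"  {p:22} -> {status}  (maps to {mapped})")
    print("bypasses pre-fix:", bypasses(REQUESTS))
    print("bypasses with tolerant regex:", bypasses(REQUESTS, DENY_RULE_TOLERANT))
```

The bypasses() check is the useful part for an audit: feed it the regexes from your own LocationMatch, DirectoryMatch and RewriteRule directives and a list of slash-doubled variants of your sensitive paths, and it reports which rules only held because no client had yet sent a double slash.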
sunrat Posted April 4, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4424-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 04, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2019-3871
Debian Bug     : 924966

Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com discovered that pdns, an authoritative DNS server, did not properly validate user-supplied data when building an HTTP request from a DNS query in the HTTP Connector of the Remote backend. This would allow a remote user to cause either a denial-of-service, or information disclosure.

For the stable distribution (stretch), this problem has been fixed in version 4.0.3-1+deb9u4.
sunrat Posted April 6, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4425-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 05, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wget
CVE ID         : CVE-2019-5953
Debian Bug     : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers (IRI) in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code or denial of service when recursively downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u3.
sunrat Posted April 7, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4426-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 07, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tryton-server
CVE ID         : CVE-2019-10868

Cedric Krier discovered that missing access validation in Tryton could result in information disclosure.

For the stable distribution (stretch), this problem has been fixed in version 4.2.1-2+deb9u1.
sunrat Posted April 9, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4427-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 08, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2019-3880

Michael Hanselmann discovered that Samba, a SMB/CIFS file, print, and login server for Unix, was vulnerable to a symlink traversal attack. It would allow remote authenticated users with write permission to either write or detect files outside of Samba shares.

For the stable distribution (stretch), this problem has been fixed in version 2:4.5.16+dfsg-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4428-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 08, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the environment and lacks seat verification permitting spoofing an active session to PolicyKit. A remote attacker with SSH access can take advantage of this issue to gain PolicyKit privileges that are normally only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in version 232-25+deb9u11.
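Two advisories in this thread are the same bug class seen from different sides: DSA-4415-1 (passenger reads a REVISION file that a deployer has replaced with a symlink, so passenger-status prints whatever the link points at) and DSA-4427-1 (Samba lets an authenticated writer plant a symlink that resolves outside the share). The defence is the same in both cases: decide on the real target, not the name. The following is an added example, not code from Passenger, Samba or Debian: read_revision_nofollow() opens the status file with O_NOFOLLOW, so the kernel refuses (ELOOP) if the final component is a symlink, and checks the type on the already-open descriptor rather than with a separate stat that could race; resolve_within_share() follows every symlink with realpath() and then requires the result to stay under the share root. demo() builds a constructed fixture in a temporary directory (the app names, the "deadbeef" revision and the file contents are made up for the demonstration) and returns what each check decided. It needs a POSIX system for O_NOFOLLOW and os.symlink.

```python
import errno
import os
import stat
import tempfile


def read_revision_nofollow(path: str, limit: int = 4096) -> str:
    """Read a small status file such as REVISION without following a symlink
    at the final path component. With O_NOFOLLOW the open() itself fails with
    ELOOP when `path` is a symlink, so a deployer cannot redirect it at a file
    they are not allowed to read."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        # fstat on the descriptor we will read from: check and read refer to
        # the same inode, so a swap between them cannot slip through.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
        return os.read(fd, limit).decode("utf-8", "replace")
    finally:
        os.close(fd)


def resolve_within_share(share_root: str, client_path: str) -> str:
    """Resolve a client-supplied path under a share, following every symlink,
    and refuse any target whose real location is outside the share root."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, client_path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{client_path!r} resolves outside the share")
    return target


def demo() -> dict:
    """Constructed fixture (not from either advisory): one app directory with an
    honest REVISION file, one whose REVISION is a symlink to a file outside the
    app directory, and a share containing a symlink that escapes it."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("outside the application directory\n")

    honest = os.path.join(base, "app_honest")
    os.mkdir(honest)
    with open(os.path.join(honest, "REVISION"), "w") as f:
        f.write("deadbeef\n")                      # made-up revision id

    evil = os.path.join(base, "app_evil")
    os.mkdir(evil)
    os.symlink(secret, os.path.join(evil, "REVISION"))

    share = os.path.join(base, "share")
    os.mkdir(share)
    os.mkdir(os.path.join(share, "docs"))
    os.symlink(base, os.path.join(share, "escape"))   # points above the share

    results = {}
    results["honest"] = read_revision_nofollow(os.path.join(honest, "REVISION")).strip()
    try:
        read_revision_nofollow(os.path.join(evil, "REVISION"))
        results["evil"] = "followed"
    except OSError as e:
        results["evil"] = "refused" if e.errno == errno.ELOOP else f"errno {e.errno}"
    results["inside"] = resolve_within_share(share, "docs") == os.path.realpath(os.path.join(share, "docs"))
    try:
        resolve_within_share(share, "escape/secret.txt")
        results["escape"] = "allowed"
    except PermissionError:
        results["escape"] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8} {v}")
```

Note the two checks are not interchangeable: O_NOFOLLOW only protects the last path component, so for a path the client controls end to end (the Samba case) you still need the realpath containment test, and for a single well-known file that must be a plain file (the REVISION case) refusing the symlink outright is simpler than deciding which targets would be acceptable.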