Bruno

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4512-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 02, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : qemu

CVE ID : CVE-2019-13164 CVE-2019-14378

 

Multiple security issues were discovered in QEMU, a fast processor

emulator, which could result in denial of service, the execution of

arbitrary code or bypass of ACLs.

 

For the stable distribution (buster), these problems have been fixed in

version 1:3.1+dfsg-8+deb10u2.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4513-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 03, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2019-10197

 

Stefan Metzmacher discovered a flaw in Samba, a SMB/CIFS file, print,

and login server for Unix. Specific combinations of parameters and

permissions can allow a user to escape from the share path definition and

see the complete '/' filesystem. Unix permission checks in the kernel

are still enforced.

 

Details can be found in the upstream advisory at

https://www.samba.org/samba/security/CVE-2019-10197.html

 

For the stable distribution (buster), this problem has been fixed in

version 2:4.9.5+dfsg-5+deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4514-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 04, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : varnish

CVE ID : CVE-2019-15892

 

Alf-Andre Walla discovered a remotely triggerable assert in the Varnish

web accelerator; sending a malformed HTTP request could result in denial

of service.

 

The oldstable distribution (stretch) is not affected.

 

For the stable distribution (buster), this problem has been fixed in

version 6.1.1-1+deb10u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4515-1 security@debian.org

https://www.debian.org/security/ Alberto Garcia

September 04, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : webkit2gtk

CVE ID : CVE-2019-8644 CVE-2019-8649 CVE-2019-8658 CVE-2019-8666

CVE-2019-8669 CVE-2019-8671 CVE-2019-8672 CVE-2019-8673

CVE-2019-8676 CVE-2019-8677 CVE-2019-8678 CVE-2019-8679

CVE-2019-8680 CVE-2019-8681 CVE-2019-8683 CVE-2019-8684

CVE-2019-8686 CVE-2019-8687 CVE-2019-8688 CVE-2019-8689

CVE-2019-8690

 

Several vulnerabilities have been discovered in the webkit2gtk web

engine:

 

CVE-2019-8644

 

G. Geshev discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8649

 

Sergei Glazunov discovered an issue that may lead to universal

cross site scripting.

 

CVE-2019-8658

 

akayn discovered an issue that may lead to universal cross site

scripting.

 

CVE-2019-8666

 

Zongming Wang and Zhe Jin discovered memory corruption issues that

can lead to arbitrary code execution.

 

CVE-2019-8669

 

akayn discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8671

 

Apple discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8672

 

Samuel Gross discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8673

 

Soyeon Park and Wen Xu discovered memory corruption issues that

can lead to arbitrary code execution.

 

CVE-2019-8676

 

Soyeon Park and Wen Xu discovered memory corruption issues that

can lead to arbitrary code execution.

 

CVE-2019-8677

 

Jihui Lu discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8678

 

An anonymous researcher, Anthony Lai, Ken Wong, Jeonghoon Shin,

Johnny Yu, Chris Chan, Phil Mok, Alan Ho, and Byron Wai discovered

memory corruption issues that can lead to arbitrary code

execution.

 

CVE-2019-8679

 

Jihui Lu discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8680

 

Jihui Lu discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8681

 

G. Geshev discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8683

 

lokihardt discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8684

 

lokihardt discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8686

 

G. Geshev discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8687

 

Apple discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8688

 

Insu Yun discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8689

 

lokihardt discovered memory corruption issues that can lead to

arbitrary code execution.

 

CVE-2019-8690

 

Sergei Glazunov discovered an issue that may lead to universal

cross site scripting.

 

You can see more details on the WebKitGTK and WPE WebKit Security

Advisory WSA-2019-0004.

 

For the stable distribution (buster), these problems have been fixed in

version 2.24.4-1~deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4516-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 05, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2019-9812 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743

CVE-2019-11744 CVE-2019-11746 CVE-2019-11752

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code, cross-site scripting, bypass of the same-origin policy, sandbox

escape, information disclosure or denial of service.

 

For the oldstable distribution (stretch), these problems have been fixed

in version 60.9.0esr-1~deb9u1.

 

For the stable distribution (buster), these problems have been fixed in

version 60.9.0esr-1~deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4517-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 06, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : exim4

CVE ID : CVE-2019-15846

 

"Zerons" and Qualys discovered that a buffer overflow triggerable in the

TLS negotiation code of the Exim mail transport agent could result in the

execution of arbitrary code with root privileges.

 

For the oldstable distribution (stretch), this problem has been fixed

in version 4.89-2+deb9u6.

 

For the stable distribution (buster), this problem has been fixed in

version 4.92-8+deb10u2.


------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 10: 10.1 released press@debian.org

September 7th, 2019 https://www.debian.org/News/2019/20190907

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the first update of its stable

distribution Debian 10 (codename "buster"). This point release mainly

adds corrections for security issues, along with a few adjustments for

serious problems. Security advisories have already been published

separately and are referenced where available.

 

Please note that the point release does not constitute a new version of

Debian 10 but only updates some of the packages included. There is no

need to throw away old "buster" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

 

New installation images will be available soon at the regular locations.

 

Upgrading an existing installation to this revision can be achieved by

pointing the package management system at one of Debian's many HTTP

mirrors. A comprehensive list of mirrors is available at:

 

https://www.debian.org/mirror/list

 

 

 

Miscellaneous Bugfixes

----------------------

 

This stable update adds a few important corrections to the following

packages:

 

+--------------------------+------------------------------------------+

| Package | Reason |

+--------------------------+------------------------------------------+

| acme-tiny [1] | Handle upcoming ACME protocol change |

| | |

| android-sdk-meta [2] | New upstream release; fix regex for |

| | adding Debian version to binary packages |

| | |

| apt-setup [3] | Fix preseeding of Secure Apt for local |

| | repositories via apt-setup/localX/ |

| | |

| asterisk [4] | Fix buffer overflow in |

| | res_pjsip_messaging [AST-2019-002 / |

| | CVE-2019-12827]; fix remote Crash |

| | Vulnerability in chan_sip [AST-2019- |

| | 003 / CVE-2019-13161] |

| | |

| babeltrace [5] | Bump ctf symbols depends to post merge |

| | version |

| | |

| backup-manager [6] | Fix purging of remote archives via FTP |

| | or SSH |

| | |

| base-files [7] | Update for the point release |

| | |

| basez [8] | Properly decode base64url encoded |

| | strings |

| | |

| bro [9] | Security fixes [CVE-2018-16807 CVE-2018- |

| | 17019] |

| | |

| bzip2 [10] | Fix regression uncompressing some files |

| | |

| cacti [11] | Fix some issues upgrading from the |

| | version in stretch |

| | |

| calamares-settings- | Fix permissions for initramfs image when |

| debian [12] | full-disk encryption is enabled |

| | [CVE-2019-13179] |

| | |

| ceph [13] | Rebuild against new libbabeltrace |

| | |

| clamav [14] | Prevent extraction of non-recursive zip |

| | bombs; new upstream stable release with |

| | security fixes - add scan time limit to |

| | mitigate against zip-bombs [CVE-2019- |

| | 12625]; fix out-of-bounds write within |

| | the NSIS bzip2 library [CVE-2019-12900] |

| | |

| cloudkitty [15] | Fix build failures with updated |

| | SQLAlchemy |

| | |

| console-setup [16] | Fix internationalization issues when |

| | switching locales with Perl >= 5.28 |

| | |

| cryptsetup [17] | Fix support for LUKS2 headers without |

| | any bound keyslot; fix mapped segments |

| | overflow on 32-bit architectures |

| | |

| cups [18] | Fix multiple security/disclosure issues |

| | - SNMP buffer overflows [CVE-2019-8696 |

| | CVE-2019-8675], IPP buffer overflow, |

| | Denial of Service and memory disclosure |

| | issues in the scheduler |

| | |

| dbconfig-common [19] | Fix issue caused by change in bash POSIX |

| | behaviour |

| | |

| debian-edu-config [20] | Use PXE option "ipappend 2" for LTSP |

| | client boot; fix sudo-ldap |

| | configuration; fix loss of dynamically |

| | allocated v4 IP address; several fixes |

| | and improvements to debian-edu- |

| | config.fetch-ldap-cert |

| | |

| debian-edu-doc [21] | Update Debian Edu Buster and ITIL |

| | manuals and translations |

| | |

| dehydrated [22] | Fix fetching of account information; |

| | follow-up fixes for account ID handling |

| | and APIv1 compatibility |

| | |

| devscripts [23] | debchange: target buster-backports with |

| | --bpo option |

| | |

| dma [24] | Do not limit TLS connections to using |

| | TLS 1.0 |

| | |

| dpdk [25] | New upstream stable release |

| | |

| dput-ng [26] | Add buster-backports and stretch- |

| | backports-sloppy codenames |

| | |

| e2fsprogs [27] | Fix e4defrag crashes on 32-bit |

| | architectures |

| | |

| enigmail [28] | New upstream release; security fixes |

| | [CVE-2019-12269] |

| | |

| epiphany-browser [29] | Ensure that the web extension uses the |

| | bundled copy of libdazzle |

| | |

| erlang-p1-pkix [30] | Fix handling of GnuTLS certificates |

| | |

| facter [31] | Fix parsing of Linux route non-key/value |

| | flags (e.g. onlink) |

| | |

| fdroidserver [32] | New upstream release |

| | |

| fig2dev [33] | Do not segfault on circle/half circle |

| | arrowheads with a magnification larger |

| | than 42 [CVE-2019-14275] |

| | |

| firmware-nonfree [34] | atheros: Add Qualcomm Atheros QCA9377 |

| | rev 1.0 firmware version WLAN.TF.2.1- |

| | 00021-QCARMSWP-1; realtek: Add Realtek |

| | RTL8822CU Bluetooth firmware; atheros: |

| | Revert change of QCA9377 rev 1.0 |

| | firmware in 20180518-1; misc-nonfree: |

| | add firmware for MediaTek MT76x0/MT76x2u |

| | wireless chips, MediaTek MT7622/MT7668 |

| | bluetooth chips, GV100 signed firmware |

| | |

| freeorion [35] | Fix crash when loading or saving game |

| | data |

| | |

| fuse-emulator [36] | Prefer the X11 backend over the Wayland |

| | one; show the Fuse icon on the GTK |

| | window and About dialog |

| | |

| fusiondirectory [37] | Stricter checks on LDAP lookups; add |

| | missing dependency on php-xml |

| | |

| gcab [38] | Fix corruption when extracting |

| | |

| gdb [39] | Rebuild against new libbabeltrace |

| | |

| glib2.0 [40] | Make GKeyFile settings backend create |

| | ~/.config and configuration files with |

| | restrictive permissions [CVE-2019-13012] |

| | |

| gnome-bluetooth [41] | Avoid GNOME Shell crashes when gnome- |

| | shell-extension-bluetooth-quick-connect |

| | is used |

| | |

| gnome-control- | Fix crash when the Details -> Overview |

| center [42] | (info-overview) panel is selected; fix |

| | memory leaks in Universal Access panel; |

| | fix a regression that caused the |

| | Universal Access -> Zoom mouse tracking |

| | options to have no effect; updated |

| | Icelandic and Japanese translations |

| | |

| gnupg2 [43] | Backport many bug fixes and stability |

| | patches from upstream; use |

| | keys.openpgp.org as the default |

| | keyserver; only import self-signatures |

| | by default |

| | |

| gnuplot [44] | Fix incomplete/unsafe initialization of |

| | ARGV array |

| | |

| gosa [45] | Stricter checks on LDAP lookups |

| | |

| hfst [46] | Ensure smoother upgrades from stretch |

| | |

| initramfs-tools [47] | Disable resume when there are no |

| | suitable swap devices; MODULES=most: |

| | include all keyboard driver modules, |

| | cros_ec_spi and SPI drivers, extcon- |

| | usbc-cros-ec; MODULES=dep: include |

| | extcon drivers |

| | |

| jython [48] | Preserve backward compatibility with |

| | Java 7 |

| | |

| lacme [49] | Update for removal of unauthenticated |

| | GET support from the Let's Encrypt |

| | ACMEv2 API |

| | |

| libblockdev [50] | Use existing cryptsetup API for changing |

| | keyslot passphrase |

| | |

| libdatetime-timezone- | Update included data |

| perl [51] | |

| | |

| libjavascript- | Add support for "=>" operator |

| beautifier-perl [52] | |

| | |

| libsdl2-image [53] | Fix buffer overflows [CVE-2019-5058 |

| | CVE-2019-5052 CVE-2019-7635]; fix out of |

| | bounds access in PCX handling [CVE-2019- |

| | 12216 CVE-2019-12217 CVE-2019-12218 |

| | CVE-2019-12219 CVE-2019-12220 CVE-2019- |

| | 12221 CVE-2019-12222 CVE-2019-5051] |

| | |

| libtk-img [54] | Stop using internal copies of JPEG, Zlib |

| | and PixarLog codecs, fixing crashes |

| | |

| libxslt [55] | Fix security framework bypass [CVE-2019- |

| | 11068], uninitialized read of xsl:number |

| | token [CVE-2019-13117] and uninitialized |

| | read with UTF-8 grouping chars |

| | [CVE-2019-13118] |

| | |

| linux [56] | New upstream stable release |

| | |

| linux-latest [57] | Update for 4.19.0-6 kernel ABI |

| | |

| linux-signed-amd64 [58] | New upstream stable release |

| | |

| linux-signed-arm64 [59] | New upstream stable release |

| | |

| linux-signed-i386 [60] | New upstream stable release |

| | |

| lttv [61] | Rebuild against new libbabeltrace |

| | |

| mapproxy [62] | Fix WMS Capabilities with Python 3.7 |

| | |

| mariadb-10.3 [63] | New upstream stable release; security |

| | fixes [CVE-2019-2737 CVE-2019-2739 |

| | CVE-2019-2740 CVE-2019-2758 CVE-2019- |

| | 2805]; fix segfault on |

| | 'information_schema' access; rename |

| | 'mariadbcheck' to 'mariadb-check' |

| | |

| musescore [64] | Disable webkit functionality |

| | |

| ncbi-tools6 [65] | Repackage without non-free data/UniVec.* |

| | |

| ncurses [66] | Remove "rep" from xterm-new and |

| | derived terminfo descriptions |

| | |

| netdata [67] | Remove Google Analytics from generated |

| | documentation; opt out of sending |

| | anonymous statistics; remove "sign in" |

| | button |

| | |

| newsboat [68] | Fix use after free issue |

| | |

| nextcloud-desktop [69] | Add missing dependency on nextcloud- |

| | desktop-common to nextcloud-desktop-cmd |

| | |

| node-lodash [70] | Fix prototype pollution [CVE-2019-10744] |

| | |

| node-mixin-deep [71] | Fix prototype pollution issue |

| | |

| nss [72] | Fix security issues [CVE-2019-11719 |

| | CVE-2019-11727 CVE-2019-11729] |

| | |

| nx-libs [73] | Fix a number of memory leaks |

| | |

| open-infrastructure- | Fix container start |

| compute-tools [74] | |

| | |

| open-vm-tools [75] | Correctly handle OS versions of the form |

| | "X" , rather than "X.Y" |

| | |

| openldap [76] | Restrict rootDN proxyauthz to its own |

| | databases [CVE-2019-13057]; enforce |

| | sasl_ssf ACL statement on every |

| | connection [CVE-2019-13565]; fix slapo- |

| | rwm to not free original filter when |

| | rewritten filter is invalid |

| | |

| osinfo-db [77] | Add buster 10.0 information; fix URLs |

| | for stretch download; fix the name of |

| | the parameter used to set the fullname |

| | when generating a preseed file |

| | |

| osmpbf [78] | Rebuild with protobuf 3.6.1 |

| | |

| pam-u2f [79] | Fix insecure debug file handling |

| | [CVE-2019-12209]; fix debug file |

| | descriptor leak [CVE-2019-12210]; fix |

| | out-of-bounds access; fix segfault |

| | following a failure to allocate a buffer |

| | |

| passwordsafe [80] | Install localisation files in the |

| | correct directory |

| | |

| piuparts [81] | Update configurations for the buster |

| | release; fix spurious failure to remove |

| | packages with names ending with '+'; |

| | generate separate tarball names for -- |

| | merged-usr chroots |

| | |

| postgresql-common [82] | Fix "pg_upgradecluster from postgresql- |

| | common 200, 200+deb10u1, 201, and 202 |

| | will corrupt the data_directory setting |

| | when used *twice* to upgrade a cluster |

| | (e.g. 9.6 -> 10 -> 11)" |

| | |

| pulseaudio [83] | Fix mute state restoring |

| | |

| puppet-module- | Fix attempts to write to /etc/init |

| cinder [84] | |

| | |

| python-autobahn [85] | Fix pyqrcode build dependencies |

| | |

| python-django [86] | New upstream security release [CVE-2019- |

| | 12781] |

| | |

| raspi3-firmware [87] | Add support for Raspberry Pi Compute |

| | Module 3 (CM3), Raspberry Pi Compute |

| | Module 3 Lite and Raspberry Pi Compute |

| | Module IO Board V3 |

| | |

| reportbug [88] | Update release names, following buster |

| | release; re-enable stretch-pu requests; |

| | fix crashes with package / version |

| | lookup; add missing dependency on |

| | sensible-utils |

| | |

| ruby-airbrussh [89] | Don't throw exception on invalid UTF-8 |

| | SSH output |

| | |

| sdl-image1.2 [90] | Fix buffer overflows [CVE-2019-5052 |

| | CVE-2019-7635], out-of-bounds access |

| | [CVE-2019-12216 CVE-2019-12217 CVE-2019- |

| | 12218 CVE-2019-12219 CVE-2019-12220 |

| | CVE-2019-12221 CVE-2019-12222 CVE-2019- |

| | 5051] |

| | |

| sendmail [91] | sendmail-bin.postinst, initscript: Let |

| | start-stop-daemon match on pidfile and |

| | executable; sendmail-bin.prerm: Stop |

| | sendmail before removing the |

| | alternatives |

| | |

| slirp4netns [92] | New upstream stable release with |

| | security fixes - check sscanf result |

| | when emulating ident [CVE-2019-9824]; |

| | fixes heap overflow in included libslirp |

| | [CVE-2019-14378] |

| | |

| systemd [93] | Network: Fix failure to bring up |

| | interface with Linux kernel 5.2; ask- |

| | password: Prevent buffer overflow when |

| | reading from keyring; network: Behave |

| | more gracefully when IPv6 has been |

| | disabled |

| | |

| tzdata [94] | New upstream release |

| | |

| unzip [95] | Fix zip bomb issues [CVE-2019-13232] |

| | |

| usb.ids [96] | Routine update of USB IDs |

| | |

| warzone2100 [97] | Fix a segmentation fault when hosting a |

| | multiplayer game |

| | |

| webkit2gtk [98] | New upstream stable version; stop |

| | requiring SSE2-capable CPUs |

| | |

| win32-loader [99] | Rebuild against current packages, |

| | particularly debian-archive-keyring; fix |

| | build failure by enforcing a POSIX |

| | locale |

| | |

| xymon [100] | Fix several (server only) security |

| | issues [CVE-2019-13273 CVE-2019-13274 |

| | CVE-2019-13451 CVE-2019-13452 CVE-2019- |

| | 13455 CVE-2019-13484 CVE-2019-13485 |

| | CVE-2019-13486] |

| | |

| yubikey- | Backport additional security precautions |

| personalization [101] | |

| | |

| z3 [102] | Do not set the SONAME of libz3java.so to |

| | libz3.so.4 |

| | |

+--------------------------+------------------------------------------+

 

Security Updates

----------------

 

This revision adds the following security updates to the stable release.

The Security Team has already released an advisory for each of these

updates:

 

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4477 [103] | zeromq3 [104]            |
| DSA-4478 [105] | dosbox [106]             |
| DSA-4479 [107] | firefox-esr [108]        |
| DSA-4480 [109] | redis [110]              |
| DSA-4481 [111] | ruby-mini-magick [112]   |
| DSA-4482 [113] | thunderbird [114]        |
| DSA-4483 [115] | libreoffice [116]        |
| DSA-4484 [117] | linux [118]              |
| DSA-4484 [119] | linux-signed-i386 [120]  |
| DSA-4484 [121] | linux-signed-arm64 [122] |
| DSA-4484 [123] | linux-signed-amd64 [124] |
| DSA-4486 [125] | openjdk-11 [126]         |
| DSA-4488 [127] | exim4 [128]              |
| DSA-4489 [129] | patch [130]              |
| DSA-4490 [131] | subversion [132]         |
| DSA-4491 [133] | proftpd-dfsg [134]       |
| DSA-4493 [135] | postgresql-11 [136]      |
| DSA-4494 [137] | kconfig [138]            |
| DSA-4495 [139] | linux-signed-amd64 [140] |
| DSA-4495 [141] | linux-signed-arm64 [142] |
| DSA-4495 [143] | linux [144]              |
| DSA-4495 [145] | linux-signed-i386 [146]  |
| DSA-4496 [147] | pango1.0 [148]           |
| DSA-4498 [149] | python-django [150]      |
| DSA-4499 [151] | ghostscript [152]        |
| DSA-4501 [153] | libreoffice [154]        |
| DSA-4502 [155] | ffmpeg [156]             |
| DSA-4503 [157] | golang-1.11 [158]        |
| DSA-4504 [159] | vlc [160]                |
| DSA-4505 [161] | nginx [162]              |
| DSA-4507 [163] | squid [164]              |
| DSA-4508 [165] | h2o [166]                |
| DSA-4509 [167] | apache2 [168]            |
| DSA-4510 [169] | dovecot [170]            |
+----------------+--------------------------+

 

Removed packages

----------------

 

The following packages were removed due to circumstances beyond our

control:

 

+-------------+--------------------------------+
| Package     | Reason                         |
+-------------+--------------------------------+
| pump [171]  | Unmaintained; security issues  |
| rustc [172] | Remove outdated rust-doc cruft |
+-------------+--------------------------------+

 

Debian Installer

----------------

 

The installer has been updated to include the fixes incorporated into

stable by the point release.

 

 

URLs

----

 

The complete lists of packages that have changed with this revision:

 

http://ftp.debian.org/debian/dists/buster/ChangeLog

 

 

The current stable distribution:

 

http://ftp.debian.org/debian/dists/stable/

 

 

Proposed updates to the stable distribution:

 

http://ftp.debian.org/debian/dists/proposed-updates

 

 

stable distribution information (release notes, errata etc.):

 

https://www.debian.org/releases/stable/

 

 

Security announcements and information:

 

https://www.debian.org/security/


------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 9: 9.10 released press@debian.org

September 7th, 2019 https://www.debian.org/News/2019/2019090702

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the tenth update of its

oldstable distribution Debian 9 (codename "stretch"). This point release

mainly adds corrections for security issues, along with a few

adjustments for serious problems. Security advisories have already been

published separately and are referenced where available.

 

Please note that the point release does not constitute a new version of

Debian 9 but only updates some of the packages included. There is no

need to throw away old "stretch" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

 

New installation images will be available soon at the regular locations.

 

Upgrading an existing installation to this revision can be achieved by

pointing the package management system at one of Debian's many HTTP

mirrors. A comprehensive list of mirrors is available at:

 

https://www.debian.org/mirror/list

 

 

 

Miscellaneous Bugfixes

----------------------

 

This oldstable update adds a few important corrections to the following

packages:

 

+-------------------------+-------------------------------------------+

| Package | Reason |

+-------------------------+-------------------------------------------+

| base-files [1] | Update for the point release; add |

| | VERSION_CODENAME to os-release |

| | |

| basez [2] | Properly decode base64url encoded strings |

| | |

| biomaj-watcher [3] | Fix upgrades from jessie to stretch |

| | |

| c-icap-modules [4] | Add support for clamav 0.101.1 |

| | |

| chaosreader [5] | Add missing dependency on libnet-dns-perl |

| | |

| clamav [6] | New upstream stable release: add scan |

| | time limit to mitigate against zip-bombs |

| | [CVE-2019-12625]; fix out-of-bounds write |

| | within the NSIS bzip2 library [CVE-2019- |

| | 12900] |

| | |

| corekeeper [7] | Do not use a world-writable /var/crash |

| | with the dumper script; handle older |

| | versions of the Linux kernel in a safer |

| | way; do not truncate core names for |

| | executables with spaces |

| | |

| cups [8] | Fix multiple security/disclosure issues - |

| | SNMP buffer overflows [CVE-2019-8696 |

| | CVE-2019-8675], IPP buffer overflow, |

| | Denial of Service and memory disclosure |

| | issues in the scheduler |

| | |

| dansguardian [9] | Add support for clamav 0.101 |

| | |

| dar [10] | Rebuild to update "built-using" |

| | packages |

| | |

| debian-archive- | Add buster keys; remove wheezy keys |

| keyring [11] | |

| | |

| fence-agents [12] | Fix denial of service issue [CVE-2019- |

| | 10153] |

| | |

| fig2dev [13] | Do not segfault on circle/half circle |

| | arrowheads with a magnification larger |

| | than 42 [CVE-2019-14275] |

| | |

| fribidi [14] | Fix right-to-left output in debian- |

| | installer text mode |

| | |

| fusiondirectory [15] | Stricter checks on LDAP lookups; add |

| | missing dependency on php-xml |

| | |

| gettext [16] | Stop xgettext() from crashing when run |

| | with --its=FILE option |

| | |

| glib2.0 [17] | Create directory and file with |

| | restrictive permissions when using the |

| | GKeyfileSettingsBackend [CVE-2019-13012]; |

| | avoid buffer read overrun when formatting |

| | error messages for invalid UTF-8 in |

| | GMarkup [CVE-2018-16429]; avoid NULL |

| | dereference when parsing invalid GMarkup |

| | with a malformed closing tag not paired |

| | with an opening tag [CVE-2018-16429] |

| | |

| gocode [18] | gocode-auto-complete-el: Make pre- |

| | dependency on auto-complete-el versioned |

| | to fix upgrades from jessie to stretch |

| | |

| groonga [19] | Mitigate privilege escalation by changing |

| | the owner and group of logs with "su" |

| | option |

| | |

| grub2 [20] | Fixes for Xen UEFI support |

| | |

| gsoap [21] | Fix denial of service issue if a server |

| | application is built with the - |

| | DWITH_COOKIES flag [CVE-2019-7659]; fix |

| | issue with DIME protocol receiver and |

| | malformed DIME headers |

| | |

| gthumb [22] | Fix double-free bug [CVE-2018-18718] |

| | |

| havp [23] | Add support for clamav 0.101.1 |

| | |

| icu [24] | Fix segfault in pkgdata command |

| | |

| koji [25] | Fix SQL injection issue [CVE-2018- |

| | 1002161]; properly validate SCM paths |

| | [CVE-2017-1002153] |

| | |

| lemonldap-ng [26] | Fix cross-domain authentication |

| | regression; fix XML external entity |

| | vulnerability |

| | |

| libcaca [27] | Fix integer overflow issues [CVE-2018- |

| | 20545 CVE-2018-20546 CVE-2018-20547 |

| | CVE-2018-20548 CVE-2018-20549] |

| | |

| libclamunrar [28] | New upstream stable release |

| | |

| libconvert-units- | No-change rebuild with fixed version |

| perl [29] | number |

| | |

| libdatetime-timezone- | Update included data |

| perl [30] | |

| | |

| libebml [31] | Apply upstream fixes for heap-based |

| | buffer over-reads |

| | |

| libevent-rpc-perl [32] | Fix build failure due to expired test SSL |

| | certificates |

| | |

| libgd2 [33] | Fix uninitialized read in |

| | gdImageCreateFromXbm [CVE-2019-11038] |

| | |

| libgovirt [34] | Re-generate test certificates with |

| | expiration date far in the future to |

| | avoid test failures |

| | |

| librecad [35] | Fix denial of service via crafted file |

| | [CVE-2018-19105] |

| | |

| libsdl2-image [36] | Fix multiple security issues |

| | |

| libthrift-java [37] | Fix bypass of SASL negotiation [CVE-2018- |

| | 1320] |

| | |

| libtk-img [38] | Stop using internal copies of JPEG, Zlib |

| | and PixarLog codecs, fixing crashes |

| | |

| libu2f-host [39] | Fix stack memory leak [CVE-2019-9578] |

| | |

| libxslt [40] | Fix security framework bypass [CVE-2019- |

| | 11068]; fix uninitialized read of |

| | xsl:number token [CVE-2019-13117]; fix |

| | uninitialized read with UTF-8 grouping |

| | chars [CVE-2019-13118] |

| | |

| linux [41] | New upstream version with ABI bump; |

| | security fixes [CVE-2015-8553 CVE-2017- |

| | 5967 CVE-2018-20509 CVE-2018-20510 |

| | CVE-2018-20836 CVE-2018-5995 CVE-2019- |

| | 11487 CVE-2019-3882] |

| | |

| linux-latest [42] | Update for 4.9.0-11 kernel ABI |

| | |

| liquidsoap [43] | Fix compilation with Ocaml 4.02 |

| | |

| llvm-toolchain-7 [44] | New package to support building new |

| | Firefox versions |

| | |

| mariadb-10.1 [45] | New upstream stable release; security |

| | fixes [CVE-2019-2737 CVE-2019-2739 |

| | CVE-2019-2740 CVE-2019-2805 CVE-2019-2627 |

| | CVE-2019-2614] |

| | |

| minissdpd [46] | Prevent a use-after-free vulnerability |

| | that would allow a remote attacker to |

| | crash the process [CVE-2019-12106] |

| | |

| miniupnpd [47] | Fix denial of service issues [CVE-2019- |

| | 12108 CVE-2019-12109 CVE-2019-12110]; fix |

| | information leak [CVE-2019-12107] |

| | |

| mitmproxy [48] | Blacklist tests that require Internet |

| | access; prevent insertion of unwanted |

| | upper-bound versioned dependencies |

| | |

| monkeysphere [49] | Fix build failure by updating the tests |

| | to accommodate an updated GnuPG in |

| | stretch now producing a different output |

| | |

| nasm-mozilla [50] | New package to support building new |

| | Firefox versions |

| | |

| ncbi-tools6 [51] | Repackage without non-free data/UniVec.* |

| | |

| node-growl [52] | Sanitize input before passing it to exec |

| | |

| node-ws [53] | Restrict upload size [CVE-2016-10542] |

| | |

| open-vm-tools [54] | Fix possible security issue with the |

| | permissions of the intermediate staging |

| | directory and path |

| | |

| openldap [55] | Restrict rootDN proxyauthz to its own |

| | databases [CVE-2019-13057]; enforce |

| | sasl_ssf ACL statement on every |

| | connection [CVE-2019-13565]; fix slapo- |

| | rwm to not free original filter when |

| | rewritten filter is invalid |

| | |

| openssh [56] | Fix deadlock in key matching |

| | |

| passwordsafe [57] | Don't install localization files under an |

| | extra subdirectory |

| | |

| pound [58] | Fix request smuggling via crafted headers |

| | [CVE-2016-10711] |

| | |

| prelink [59] | Rebuild to update "built-using" |

| | packages |

| | |

| python-clamav [60] | Add support for clamav 0.101.1 |

| | |

| reportbug [61] | Update release names, following buster |

| | release |

| | |

| resiprocate [62] | Resolve an installation issue with |

| | libssl-dev and --install-recommends |

| | |

| sash [63] | Rebuild to update "built-using" |

| | packages |

| | |

| sdl-image1.2 [64] | Fix buffer overflows [CVE-2018-3977 |

| | CVE-2019-5058 CVE-2019-5052], out-of- |

| | bounds access [CVE-2019-12216 CVE-2019- |

| | 12217 CVE-2019-12218 CVE-2019-12219 |

| | CVE-2019-12220 CVE-2019-12221 CVE-2019- |

| | 12222 CVE-2019-5051] |

| | |

| signing-party [65] | Fix unsafe shell call enabling shell |

| | injection via a User ID [CVE-2019-11627] |

| | |

| slurm-llnl [66] | Fix potential heap overflow on 32-bit |

| | systems [CVE-2019-6438] |

| | |

| sox [67] | Fix several security issues [CVE-2019- |

| | 8354 CVE-2019-8355 CVE-2019-8356 |

| | CVE-2019-8357 927906 CVE-2019-1010004 |

| | CVE-2017-18189 881121 CVE-2017-15642 |

| | 882144 CVE-2017-15372 878808 CVE-2017- |

| | 15371 878809 CVE-2017-15370 878810 |

| | CVE-2017-11359 CVE-2017-11358 CVE-2017- |

| | 11332 |

| | |

| systemd [68] | Do not stop ndisc client in case of |

| | configuration error |

| | |

| t-digest [69] | No-change rebuild to avoid re-use of pre- |

| | epoch version 3.0-1 |

| | |

| tenshi [70] | Fix PID file issue that allows local |

| | users to kill arbitrary processes |

| | [CVE-2017-11746] |

| | |

| tzdata [71] | New upstream release |

| | |

| unzip [72] | Fix incorrect parsing of 64-bit values in |

| | fileio.c; fix zip-bomb issues [CVE-2019- |

| | 13232] |

| | |

| usbutils [73] | Update USB ID list |

| | |

| xymon [74] | Fix several (server only) security issues |

| | [CVE-2019-13273 CVE-2019-13274 CVE-2019- |

| | 13451 CVE-2019-13452 CVE-2019-13455 |

| | CVE-2019-13484 CVE-2019-13485 CVE-2019- |

| | 13486] |

| | |

| yubico-piv-tool [75] | Fix security issues [CVE-2018-14779 |

| | CVE-2018-14780] |

| | |

| z3 [76] | Do not set the SONAME of libz3java.so to |

| | libz3.so.4 |

| | |

| zfs-auto-snapshot [77] | Make cron jobs exit silently after |

| | package removal |

| | |

| zsh [78] | Rebuild to update "built-using" |

| | packages |

| | |

+-------------------------+-------------------------------------------+

Security Updates

----------------

 

This revision adds the following security updates to the oldstable

release. The Security Team has already released an advisory for each of

these updates:

 

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4435 [79]  | libpng1.6 [80]           |
| DSA-4436 [81]  | imagemagick [82]         |
| DSA-4437 [83]  | gst-plugins-base1.0 [84] |
| DSA-4438 [85]  | atftp [86]               |
| DSA-4439 [87]  | postgresql-9.6 [88]      |
| DSA-4440 [89]  | bind9 [90]               |
| DSA-4441 [91]  | symfony [92]             |
| DSA-4442 [93]  | cups-filters [94]        |
| DSA-4442 [95]  | ghostscript [96]         |
| DSA-4443 [97]  | samba [98]               |
| DSA-4444 [99]  | linux [100]              |
| DSA-4445 [101] | drupal7 [102]            |
| DSA-4446 [103] | lemonldap-ng [104]       |
| DSA-4447 [105] | intel-microcode [106]    |
| DSA-4448 [107] | firefox-esr [108]        |
| DSA-4449 [109] | ffmpeg [110]             |
| DSA-4450 [111] | wpa [112]                |
| DSA-4451 [113] | thunderbird [114]        |
| DSA-4452 [115] | jackson-databind [116]   |
| DSA-4453 [117] | openjdk-8 [118]          |
| DSA-4454 [119] | qemu [120]               |
| DSA-4455 [121] | heimdal [122]            |
| DSA-4456 [123] | exim4 [124]              |
| DSA-4457 [125] | evolution [126]          |
| DSA-4458 [127] | cyrus-imapd [128]        |
| DSA-4459 [129] | vlc [130]                |
| DSA-4460 [131] | mediawiki [132]          |
| DSA-4461 [133] | zookeeper [134]          |
| DSA-4462 [135] | dbus [136]               |
| DSA-4463 [137] | znc [138]                |
| DSA-4464 [139] | thunderbird [140]        |
| DSA-4465 [141] | linux [142]              |
| DSA-4466 [143] | firefox-esr [144]        |
| DSA-4467 [145] | vim [146]                |
| DSA-4468 [147] | php-horde-form [148]     |
| DSA-4469 [149] | libvirt [150]            |
| DSA-4470 [151] | pdns [152]               |
| DSA-4471 [153] | thunderbird [154]        |
| DSA-4472 [155] | expat [156]              |
| DSA-4473 [157] | rdesktop [158]           |
| DSA-4475 [159] | openssl [160]            |
| DSA-4475 [161] | openssl1.0 [162]         |
| DSA-4476 [163] | python-django [164]      |
| DSA-4477 [165] | zeromq3 [166]            |
| DSA-4478 [167] | dosbox [168]             |
| DSA-4480 [169] | redis [170]              |
| DSA-4481 [171] | ruby-mini-magick [172]   |
| DSA-4482 [173] | thunderbird [174]        |
| DSA-4483 [175] | libreoffice [176]        |
| DSA-4485 [177] | openjdk-8 [178]          |
| DSA-4487 [179] | neovim [180]             |
| DSA-4488 [181] | exim4 [182]              |
| DSA-4489 [183] | patch [184]              |
| DSA-4490 [185] | subversion [186]         |
| DSA-4491 [187] | proftpd-dfsg [188]       |
| DSA-4492 [189] | postgresql-9.6 [190]     |
| DSA-4494 [191] | kconfig [192]            |
| DSA-4498 [193] | python-django [194]      |
| DSA-4499 [195] | ghostscript [196]        |
| DSA-4501 [197] | libreoffice [198]        |
| DSA-4504 [199] | vlc [200]                |
| DSA-4505 [201] | nginx [202]              |
| DSA-4506 [203] | qemu [204]               |
| DSA-4509 [205] | apache2 [206]            |
| DSA-4510 [207] | dovecot [208]            |
+----------------+--------------------------+

Removed packages

----------------

 

The following packages were removed due to circumstances beyond our

control:

 

+-----------------+----------------------------------------------------+
| Package         | Reason                                             |
+-----------------+----------------------------------------------------+
| pump [209]      | Unmaintained; security issues                      |
| teeworlds [210] | Security issues; incompatible with current servers |
+-----------------+----------------------------------------------------+

Debian Installer

----------------

 

The installer has been updated to include the fixes incorporated into

oldstable by the point release.

 

 

URLs

----

 

The complete lists of packages that have changed with this revision:

 

http://ftp.debian.org/debian/dists/stretch/ChangeLog

 

 

The current oldstable distribution:

 

http://ftp.debian.org/debian/dists/oldstable/

 

 

Proposed updates to the oldstable distribution:

 

http://ftp.debian.org/debian/dists/oldstable-proposed-updates

 

 

oldstable distribution information (release notes, errata etc.):

 

https://www.debian.org/releases/oldstable/

 

 

Security announcements and information:

 

https://www.debian.org/security/

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4518-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 07, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ghostscript

CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817

 

It was discovered that various procedures in Ghostscript, the GPL

PostScript/PDF interpreter, do not properly restrict privileged calls,

which could result in bypass of file system restrictions of the dSAFER

sandbox.

 

For the oldstable distribution (stretch), these problems have been fixed

in version 9.26a~dfsg-0+deb9u5.

 

For the stable distribution (buster), these problems have been fixed in

version 9.27~dfsg-2+deb10u2.


------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 9: 9.11 released press@debian.org

September 8th, 2019 https://www.debian.org/News/2019/20190908

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the eleventh update of its

oldstable distribution Debian 9 (codename "stretch").

 

This point release is primarily an update to the recently-released 9.10,

in order to resolve a critical problem with the installer that was

discovered during image testing.

 

Please note that the point release does not constitute a new version of

Debian 9 but only updates some of the packages included. There is no

need to throw away old "stretch" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

 

New installation images will be available soon at the regular locations.

 

Upgrading an existing installation to this revision can be achieved by

pointing the package management system at one of Debian's many HTTP

mirrors. A comprehensive list of mirrors is available at:

 

https://www.debian.org/mirror/list

 

 

 

Miscellaneous Bugfixes

----------------------

 

This oldstable update adds a few important corrections to the following

packages:

 

+--------------------------------+------------------------------------+
| Package                        | Reason                             |
+--------------------------------+------------------------------------+
| base-files [1]                 | Update for the point release       |
| bogl [2]                       | Call iswspace instead of isspace,  |
|                                | fixes crash on U+FEFF              |
| debian-installer [3]           | Rebuild against proposed-updates   |
| debian-installer-netboot-      | Rebuild against proposed-updates   |
| images [4]                     |                                    |
+--------------------------------+------------------------------------+

 

1: https://packages.debian.org/src:base-files

2: https://packages.debian.org/src:bogl

3: https://packages.debian.org/src:debian-installer

4: https://packages.debian.org/src:debian-installer-netboot-images

 

Debian Installer

----------------

 

The installer has been updated to include the fixes incorporated into

oldstable by the point release.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4519-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libreoffice

CVE ID : CVE-2019-9854

 

It was discovered that the code fixes for LibreOffice to address

CVE-2019-9852 were not complete. Additional information can be found at

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9854/

 

For the oldstable distribution (stretch), this problem has been fixed

in version 1:5.2.7-1+deb9u11.

 

For the stable distribution (buster), this problem has been fixed in

version 1:6.1.5-3+deb10u4.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4520-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 09, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : trafficserver

CVE ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-9518

 

Several vulnerabilities were discovered in the HTTP/2 code of Apache

Traffic Server, a reverse and forward proxy server, which could result

in denial of service.

 

The fixes are too intrusive to backport to the version in the oldstable

distribution (stretch). An upgrade to Debian stable (buster) is

recommended instead.

 

For the stable distribution (buster), these problems have been fixed in

version 8.0.2+ds-1+deb10u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4521-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 09, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : docker.io

CVE ID : CVE-2019-13139 CVE-2019-13509 CVE-2019-14271

 

Three security vulnerabilities have been discovered in the Docker

container runtime: Insecure loading of NSS libraries in "docker cp"

could result in execution of code with root privileges, sensitive data

could be logged in debug mode and there was a command injection

vulnerability in the "docker build" command.

 

For the stable distribution (buster), these problems have been fixed in

version 18.09.1+dfsg1-7.1+deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4522-1 security@debian.org

https://www.debian.org/security/ Hugo Lefeuvre

September 15, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : faad2

CVE ID : CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2018-20194

CVE-2018-20195 CVE-2018-20197 CVE-2018-20198 CVE-2018-20357

CVE-2018-20358 CVE-2018-20359 CVE-2018-20361 CVE-2018-20362

CVE-2019-15296

Debian Bug : 914641

 

Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced

Audio Coder. These vulnerabilities might allow remote attackers to cause

denial-of-service, or potentially execute arbitrary code if crafted MPEG AAC

files are processed.

 

For the oldstable distribution (stretch), these problems have been fixed

in version 2.8.0~cvs20161113-1+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4523-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 15, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : thunderbird

CVE ID : CVE-2019-11739 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743

CVE-2019-11744 CVE-2019-11746 CVE-2019-11752

 

Multiple security issues have been found in Thunderbird which could

potentially result in the execution of arbitrary code, cross-site

scripting, information disclosure and a covert content attack on S/MIME

encryption using a crafted multipart/alternative message.

 

For the oldstable distribution (stretch), these problems have been fixed

in version 1:60.9.0-1~deb9u1.

 

For the stable distribution (buster), these problems have been fixed in

version 1:60.9.0-1~deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4524-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 16, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : dino-im

CVE ID : CVE-2019-16235 CVE-2019-16236 CVE-2019-16237

 

Multiple vulnerabilities have been discovered in the Dino XMPP client,

which could allow message spoofing, manipulation of a user's roster

(contact list) and unauthorised sending of message carbons.

 

For the stable distribution (buster), these problems have been fixed in

version 0.0.git20181129-1+deb10u1.


- -------------------------------------------------------------------------

Debian Security Advisory DSA-4525-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

September 18, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ibus

CVE ID : CVE-2019-14822

Debian Bug : 940267

 

Simon McVittie reported a flaw in ibus, the Intelligent Input Bus. Due

to a misconfiguration during the setup of the DBus, any unprivileged

user could monitor and send method calls to the ibus bus of another

user, if able to discover the UNIX socket used by another user connected

on a graphical environment. The attacker can take advantage of this flaw

to intercept keystrokes of the victim user or modify input related

configurations through DBus method calls.

 

For the oldstable distribution (stretch), this problem has been fixed

in version 1.5.14-3+deb9u2.

 

For the stable distribution (buster), this problem has been fixed in

version 1.5.19-4+deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4526-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 19, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : opendmarc
CVE ID         : CVE-2019-16378
Debian Bug     : 940081

It was discovered that OpenDMARC, a milter implementation of DMARC, is
prone to a signature-bypass vulnerability with multiple From: addresses.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.2-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.3.2-6+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4527-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 19, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11036 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 
                 CVE-2019-11042

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: Missing sanitising in the EXIF
extension and the iconv_mime_decode_headers() function could result in
information disclosure or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 7.3.9-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4528-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 19, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bird
CVE ID         : CVE-2019-16159

Daniel McCarney discovered that the BIRD internet routing daemon
incorrectly validated RFC 8203 messages in its BGP daemon, resulting
in a stack buffer overflow.

For the stable distribution (buster), this problem has been fixed in
version 1.6.6-1+deb10u1. In addition this update fixes an incomplete
revocation of privileges and a crash triggerable via the CLI (the latter
two bugs are also fixed in the oldstable distribution (stretch) which is
not affected by CVE-2019-16159).

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4529-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 20, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-11034 CVE-2019-11035 CVE-2019-11036 CVE-2019-11038 
                 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: Missing sanitising in the EXIF
extension and the iconv_mime_decode_headers() function could result in
information disclosure or denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 7.0.33-0+deb9u5.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4530-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 22, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : expat
CVE ID         : CVE-2019-15903
Debian Bug     : 939394

It was discovered that Expat, an XML parsing C library, did not properly
handle internal entities closing the doctype, potentially resulting in
denial of service or information disclosure if a malformed XML file is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.2.0-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 2.2.6-2+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4531-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 25, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118
                 CVE-2019-15902

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-14821

    Matt Delco reported a race condition in KVM's coalesced MMIO
    facility, which could lead to out-of-bounds access in the kernel.
    A local attacker permitted to access /dev/kvm could use this to
    cause a denial of service (memory corruption or crash) or possibly
    for privilege escalation.

CVE-2019-14835

    Peter Pi of Tencent Blade Team discovered a missing bounds check
    in vhost_net, the network back-end driver for KVM hosts, leading
    to a buffer overflow when the host begins live migration of a VM.
    An attacker in control of a VM could use this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation on the host.

CVE-2019-15117

    Hui Peng and Mathias Payer reported a missing bounds check in the
    usb-audio driver's descriptor parsing code, leading to a buffer
    over-read.  An attacker able to add USB devices could possibly use
    this to cause a denial of service (crash).

CVE-2019-15118

    Hui Peng and Mathias Payer reported unbounded recursion in the
    usb-audio driver's descriptor parsing code, leading to a stack
    overflow.  An attacker able to add USB devices could use this to
    cause a denial of service (memory corruption or crash) or possibly
    for privilege escalation.  On the amd64 architecture, and on the
    arm64 architecture in buster, this is mitigated by a guard page
    on the kernel stack, so that it is only possible to cause a crash.

CVE-2019-15902

    Brad Spengler reported that a backporting error reintroduced a
    spectre-v1 vulnerability in the ptrace subsystem in the
    ptrace_get_debugreg() function.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4532-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
September 25, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2019-16391 CVE-2019-16392 CVE-2019-16393 CVE-2019-16394

It was discovered that SPIP, a website engine for publishing, would
allow unauthenticated users to modify published content and write to
the database, perform cross-site request forgeries, and enumerate
registered users.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.1.4-4~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 3.2.4-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4533-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 25, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lemonldap-ng
CVE ID         : CVE-2019-15941

It was discovered that the Lemonldap::NG web SSO system did not restrict
OIDC authorization codes to the relying party.

For the stable distribution (buster), this problem has been fixed in
version 2.0.2+ds-7+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4534-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 27, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2019-16276

It was discovered that the Go programming language did accept and
normalize invalid HTTP/1.1 headers with a space before the colon, which
could lead to filter bypasses or request smuggling in some setups.

For the stable distribution (buster), this problem has been fixed in
version 1.11.6-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4535-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 27, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : e2fsprogs
CVE ID         : CVE-2019-5094
Debian Bug     : 941139

Lilith of Cisco Talos discovered a buffer overflow flaw in the quota
code used by e2fsck from the ext2/ext3/ext4 file system utilities.
Running e2fsck on a malformed file system can result in the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.43.4-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.44.5-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4536-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 28, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2019-16928

A buffer overflow flaw was discovered in Exim, a mail transport agent. A
remote attacker can take advantage of this flaw to cause a denial of
service, or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4537-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 28, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file-roller
CVE ID         : CVE-2019-16680

It was discovered that file-roller, an archive manager for GNOME, does
not properly handle the extraction of archives with a single ./../ in a
file path. An attacker able to provide a specially crafted archive for
processing can take advantage of this flaw to overwrite files if a user
is dragging a specific file or map to a location to extract to.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.22.3-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4538-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
September 29, 2019                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2019-13377 CVE-2019-16275
Debian Bug     : 934180 940080

Two vulnerabilities were found in the WPA protocol implementation found in
wpa_supplicant (station) and hostapd (access point).

CVE-2019-13377

    A timing-based side-channel attack against WPA3's Dragonfly handshake when
    using Brainpool curves could be used by an attacker to retrieve the
    password.

CVE-2019-16275

    Insufficient source address validation for some received Management frames
    in hostapd could lead to a denial of service for stations associated to an
    access point. An attacker in radio range of the access point could inject a
    specially constructed unauthenticated IEEE 802.11 frame to the access point
    to cause associated stations to be disconnected and require a reconnection
    to the network.

For the oldstable distribution (stretch), these problems have been fixed
in version $stretch_VERSION.

For the stable distribution (buster), these problems have been fixed in
version 2:2.7+git20190128+0c1e29f-6+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563

Three security issues were discovered in OpenSSL: A timing attack against
ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey()
and it was discovered that a feature of the random number generator (RNG)
intended to protect against shared RNG state between parent and child
processes in the event of a fork() syscall was not used by default.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.1.0l-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.1.1d-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4540-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2019-1547 CVE-2019-1563

Two security issues were discovered in OpenSSL: A timing attack against
ECDSA and a padding oracle in PKCS7_dataDecode() and
CMS_decrypt_set1_pkey().

For the oldstable distribution (stretch), these problems have been fixed
in version 1.0.2t-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4509-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 2, 2019                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : subversion
Debian Bug     : 936034

The security fixes for the HTTP/2 code in Apache 2 shipped in DSA 4509
unveiled a bug in Subversion which caused a regression in mod_dav_svn
when used with HTTP/2.

For the oldstable distribution (stretch), this problem has been fixed in
version 1.9.5-1+deb9u5.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4541-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 04, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapreq2
CVE ID         : CVE-2019-12412
Debian Bug     : 939937

Max Kellermann reported a NULL pointer dereference flaw in libapreq2, a
generic Apache request library, allowing a remote attacker to cause a
denial of service against an application using the library (application
crash) if an invalid nested "multipart" body is processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.13-7~deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2.13-7~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4542-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 06, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jackson-databind
CVE ID         : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335 
                 CVE-2019-16942 CVE-2019-16943
Debian Bug     : 941530 940498 933393 930750

It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, did not properly validate user input
before attempting deserialization. This allowed an attacker providing
maliciously crafted input to perform code execution, or read arbitrary
files on the server.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.8.6-1+deb9u6.

For the stable distribution (buster), these problems have been fixed in
version 2.9.8-3+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 07, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssh
Debian Bug     : 941663

A change introduced in openssl 1.1.1d (which got released as DSA 4539-1)
requires sandboxing features which are not available in Linux kernels
before 3.19, resulting in OpenSSH rejecting connection attempts if
running on an old kernel. This does not affect Linux kernels shipped in
Debian oldstable/stable, but may affect buster systems which are running
on an older kernel.

For the stable distribution (buster), this problem has been fixed in
version 1:7.9p1-10+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4539-3                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 13, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
Debian Bug     : 941987

The update for openssl released as DSA 4539-1 introduced a regression
where AES-CBC-HMAC-SHA ciphers were not enabled. Updated openssl
packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4543-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 14, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
CVE ID         : CVE-2019-14287
Debian Bug     : 942322

Joe Vennix discovered that sudo, a program designed to provide limited
super user privileges to specific users, when configured to allow a user
to run commands as an arbitrary user via the ALL keyword in a Runas
specification, allows to run commands as root by specifying the user ID
-1 or 4294967295. This could allow a user with sufficient sudo
privileges to run commands as root even if the Runas specification
explicitly disallows root access.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/minus_1_uid.html .

For the oldstable distribution (stretch), this problem has been fixed
in version 1.8.19p1-2.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.8.27-1+deb10u1.
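A defensive check for the configuration described in the sudo advisory above, added here as an example and not part of the advisory or of sudo: it scans sudoers text for Runas user lists that grant ALL while excluding root. The sample sudoers lines, the function names and the simplified parsing (no aliases, no include directives) are assumptions.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
alice ALL = (ALL, !root) /usr/bin/vi
bob   ALL = (ALL : ALL) ALL
carol ALL = (www-data) /usr/bin/systemctl restart apache2
dave  ALL = (ALL, !#0 : adm) NOPASSWD: /usr/bin/id, \\
            (ALL) /usr/bin/less
%ops  ALL = (!root, ALL) /usr/bin/tail
"""

RUNAS = re.compile(r"\(([^)]*)\)")      # a "(users : groups)" Runas spec
COMMENT = re.compile(r"#(?![0-9]).*")   # '#' followed by digits is a uid, not a comment
ROOT_NAMES = {"root", "#0"}


def join_continuations(text):
    """Merge lines that end in a backslash into one logical entry."""
    return re.sub(r"\\\n\s*", " ", text)


def risky_runas(text):
    """Return (who, runas_users) for every Runas user list that contains ALL
    together with a negated root entry. On an unpatched sudo such an entry
    does not keep the user away from root, per CVE-2019-14287."""
    findings = []
    for line in join_continuations(text).splitlines():
        line = COMMENT.sub("", line).strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        left, sep, right = line.partition("=")
        if not sep or not left.split():
            continue
        who = left.split()[0]
        for spec in RUNAS.findall(right):
            users = [t.strip() for t in spec.split(":")[0].split(",") if t.strip()]
            grants_all = "ALL" in users
            negates_root = any(
                t.startswith("!") and t[1:].strip() in ROOT_NAMES for t in users
            )
            if grants_all and negates_root:
                findings.append((who, users))
    return findings


if __name__ == "__main__":
    for who, users in risky_runas(SAMPLE_SUDOERS):
        print(f"{who}: Runas list {users} relies on excluding root; verify sudo is patched")
```

Entries such as `(ALL : ALL)` are not reported because they already permit root, so the flaw grants nothing new there.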

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4509-3                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 15, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2019-10092
Debian Bug     : 941202

It was reported that the apache2 update released as DSA 4509-1
incorrectly fixed CVE-2019-10092. Updated apache2 packages are now
available to correct this issue. For reference, the relevant part of
the original advisory text follows.

CVE-2019-10092

    Matei "Mal" Badanoiu reported a limited cross-site scripting
    vulnerability in the mod_proxy error page.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.4.25-3+deb9u9.

For the stable distribution (buster), this problem has been fixed in
version 2.4.38-3+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4544-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 16, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : unbound
CVE ID         : CVE-2019-16866
Debian Bug     : 941692

X41 D-Sec discovered that unbound, a validating, recursive, and
caching DNS resolver, did not correctly process some NOTIFY
queries. This could lead to remote denial-of-service by application
crash.

For the stable distribution (buster), this problem has been fixed in
version 1.9.0-2+deb10u1.