sunrat Posted October 20, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4545-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 18, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2019-16738

It was discovered that the Special:Redirect functionality of MediaWiki,
a website engine for collaborative work, could expose suppressed user
names, resulting in an information leak.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:1.27.7-1~deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1:1.31.4-1~deb10u1.
sunrat Posted October 20, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4546-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 20, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962
                 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2977
                 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987
                 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in cross-site scripting, denial of service, information
disclosure or Kerberos user impersonation.

For the stable distribution (buster), these problems have been fixed in
version 11_11.0.5+10-1~deb10u1.
sunrat Posted October 22, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4547-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tcpdump
CVE ID         : CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462
                 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466
                 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470
                 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882
                 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230
                 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or, potentially, execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.3-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 4.9.3-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4548-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962
                 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2978
                 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988
                 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in cross-site scripting, denial of service, information
disclosure or Kerberos user impersonation.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u232-b09-1~deb9u1.
sunrat Posted October 24, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4549-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 24, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-11757 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761
                 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, cross-site scripting or denial of service.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 60.x series has ended, so starting with this update we're now
following the 68.x releases.

For the oldstable distribution (stretch), some additional config changes
to the buildd network are needed (to provide the new Rust-based toolchain
needed by ESR68). Packages will be made available when those are sorted
out.

For the stable distribution (buster), these problems have been fixed in
version 68.2.0esr-1~deb10u1.
sunrat Posted October 25, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4550-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
CVE ID         : CVE-2019-18218

A buffer overflow was found in file, a file type classification tool,
which may result in denial of service or potentially the execution of
arbitrary code if a malformed CDF (Composite Document File) file is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:5.30-1+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 1:5.35-4+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4551-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2019-17596

Daniel Mandragona discovered that invalid DSA public keys can cause a
panic in dsa.Verify(), resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.11.6-1+deb10u3.
sunrat Posted October 28, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4552-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation in
the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the oldstable distribution (stretch), this problem has been fixed
in version 7.0.33-0+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4553-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation in
the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the stable distribution (buster), this problem has been fixed in
version 7.3.11-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4554-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-loofah
CVE ID         : CVE-2019-15587
Debian Bug     : 942894

It was discovered that ruby-loofah, a general library for manipulating
and transforming HTML/XML documents and fragments, was susceptible to
cross-site scripting.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.0.3-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 2.2.3-1+deb10u1.
sunrat Posted October 30, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4555-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 29, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pam-python
CVE ID         : CVE-2019-16729

Malte Kraus discovered that libpam-python, a PAM module allowing PAM
modules to be written in Python, didn't sanitise environment variables,
which could result in local privilege escalation if used with a setuid
binary.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.0.6-1.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.0.6-1.1+deb10u1.
sunrat Posted November 1, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4556-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qtbase-opensource-src
CVE ID         : CVE-2019-18281

An out-of-bounds memory access was discovered in the Qt library, which
could result in denial of service through a text file containing many
directional characters.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in
version 5.11.3+dfsg1-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4557-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2019-18408

A use-after-free was found in libarchive, a multi-format archive and
compression library, which could result in denial of service and
potentially the execution of arbitrary code if a malformed archive is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.2.2-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 3.3.3-4+deb10u1.
sunrat Posted November 5, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4558-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 04, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8625 CVE-2019-8720 CVE-2019-8769 CVE-2019-8771

Several vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2019-8625
    Sergei Glazunov discovered that maliciously crafted web content may
    lead to universal cross site scripting.

CVE-2019-8720
    Wen Xu discovered that maliciously crafted web content may lead to
    arbitrary code execution.

CVE-2019-8769
    Pierre Reimertz discovered that visiting a maliciously crafted
    website may reveal browsing history.

CVE-2019-8771
    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

For the stable distribution (buster), these problems have been fixed in
version 2.26.1-3~deb10u1.
sunrat Posted November 6, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4559-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : proftpd-dfsg
CVE ID         : CVE-2019-18217
Debian Bug     : 942831

Stephan Zeisberg discovered that missing input validation in ProFTPD, an
FTP/SFTP/FTPS server, could result in denial of service via an infinite
loop.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.5b-4+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.3.6-4+deb10u2.
sunrat Posted November 7, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4560-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
November 06, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : simplesamlphp
CVE ID         : CVE-2019-3465
Debian Bug     : 944107

It was discovered that in SimpleSAMLphp, an implementation of the SAML
2.0 protocol, it was possible to circumvent XML signature verification
on SAML messages.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.14.11-1+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.16.3-1+deb10u1.
sunrat Posted November 8, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4561-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 08, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fribidi
CVE ID         : CVE-2019-18397
Debian Bug     : 944327

Alex Murray discovered a stack-based buffer overflow vulnerability in
fribidi, an implementation of the Unicode Bidirectional Algorithm, which
could result in denial of service or potentially the execution of
arbitrary code, when processing a large number of unicode isolate
directional characters.

For the stable distribution (buster), this problem has been fixed in
version 1.0.5-3.1+deb10u1.
sunrat Posted November 10, 2019

- --------------------------------------------------------------------------
Debian Security Advisory DSA-4562-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 10, 2019                     https://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872
                 CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877
                 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659
                 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663
                 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667
                 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671
                 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676
                 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680
                 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685
                 CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691
                 CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695
                 CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700
                 CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704
                 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708
                 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713
                 CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717
                 CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 CVE-2019-13721

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5869
    Zhe Jin discovered a use-after-free issue.
CVE-2019-5870
    Guang Gong discovered a use-after-free issue.
CVE-2019-5871
    A buffer overflow issue was discovered in the skia library.
CVE-2019-5872
    Zhe Jin discovered a use-after-free issue.
CVE-2019-5874
    James Lee discovered an issue with external Uniform Resource
    Identifiers.
CVE-2019-5875
    Khalil Zhani discovered a URL spoofing issue.
CVE-2019-5876
    Man Yue Mo discovered a use-after-free issue.
CVE-2019-5877
    Guang Gong discovered an out-of-bounds read issue.
CVE-2019-5878
    Guang Gong discovered a use-after-free issue in the v8 javascript
    library.
CVE-2019-5879
    Jinseo Kim discovered that extensions could read files on the local
    system.
CVE-2019-5880
    Jun Kokatsu discovered a way to bypass the SameSite cookie feature.
CVE-2019-13659
    Lnyas Zhang discovered a URL spoofing issue.
CVE-2019-13660
    Wenxu Wu discovered a user interface error in full screen mode.
CVE-2019-13661
    Wenxu Wu discovered a user interface spoofing issue in full screen
    mode.
CVE-2019-13662
    David Erceg discovered a way to bypass the Content Security Policy.
CVE-2019-13663
    Lnyas Zhang discovered a way to spoof Internationalized Domain Names.
CVE-2019-13664
    Thomas Shadwell discovered a way to bypass the SameSite cookie
    feature.
CVE-2019-13665
    Jun Kokatsu discovered a way to bypass the multiple file download
    protection feature.
CVE-2019-13666
    Tom Van Goethem discovered an information leak.
CVE-2019-13667
    Khalil Zhani discovered a URL spoofing issue.
CVE-2019-13668
    David Erceg discovered an information leak.
CVE-2019-13669
    Khalil Zhani discovered an authentication spoofing issue.
CVE-2019-13670
    Guang Gong discovered a memory corruption issue in the v8 javascript
    library.
CVE-2019-13671
    xisigr discovered a user interface error.
CVE-2019-13673
    David Erceg discovered an information leak.
CVE-2019-13674
    Khalil Zhani discovered a way to spoof Internationalized Domain
    Names.
CVE-2019-13675
    Jun Kokatsu discovered a way to disable extensions.
CVE-2019-13676
    Wenxu Wu discovered an error in a certificate warning.
CVE-2019-13677
    Jun Kokatsu discovered an error in the chrome web store.
CVE-2019-13678
    Ronni Skansing discovered a spoofing issue in the download dialog
    window.
CVE-2019-13679
    Conrad Irwin discovered that user activation was not required for
    printing.
CVE-2019-13680
    Thijs Alkamade discovered an IP address spoofing issue.
CVE-2019-13681
    David Erceg discovered a way to bypass download restrictions.
CVE-2019-13682
    Jun Kokatsu discovered a way to bypass the site isolation feature.
CVE-2019-13683
    David Erceg discovered an information leak.
CVE-2019-13685
    Khalil Zhani discovered a use-after-free issue.
CVE-2019-13686
    Brendon discovered a use-after-free issue.
CVE-2019-13687
    Man Yue Mo discovered a use-after-free issue.
CVE-2019-13688
    Man Yue Mo discovered a use-after-free issue.
CVE-2019-13691
    David Erceg discovered a user interface spoofing issue.
CVE-2019-13692
    Jun Kokatsu discovered a way to bypass the Same Origin Policy.
CVE-2019-13693
    Guang Gong discovered a use-after-free issue.
CVE-2019-13694
    banananapenguin discovered a use-after-free issue.
CVE-2019-13695
    Man Yue Mo discovered a use-after-free issue.
CVE-2019-13696
    Guang Gong discovered a use-after-free issue in the v8 javascript
    library.
CVE-2019-13697
    Luan Herrera discovered an information leak.
CVE-2019-13699
    Man Yue Mo discovered a use-after-free issue.
CVE-2019-13700
    Man Yue Mo discovered a buffer overflow issue.
CVE-2019-13701
    David Erceg discovered a URL spoofing issue.
CVE-2019-13702
    Phillip Langlois and Edward Torkington discovered a privilege
    escalation issue in the installer.
CVE-2019-13703
    Khalil Zhani discovered a URL spoofing issue.
CVE-2019-13704
    Jun Kokatsu discovered a way to bypass the Content Security Policy.
CVE-2019-13705
    Luan Herrera discovered a way to bypass extension permissions.
CVE-2019-13706
    pdknsk discovered an out-of-bounds read issue in the pdfium library.
CVE-2019-13707
    Andrea Palazzo discovered an information leak.
CVE-2019-13708
    Khalil Zhani discovered an authentication spoofing issue.
CVE-2019-13709
    Zhong Zhaochen discovered a way to bypass download restrictions.
CVE-2019-13710
    bernardo.mrod discovered a way to bypass download restrictions.
CVE-2019-13711
    David Erceg discovered an information leak.
CVE-2019-13713
    David Erceg discovered an information leak.
CVE-2019-13714
    Jun Kokatsu discovered an issue with Cascading Style Sheets.
CVE-2019-13715
    xisigr discovered a URL spoofing issue.
CVE-2019-13716
    Barron Hagerman discovered an error in the service worker
    implementation.
CVE-2019-13717
    xisigr discovered a user interface spoofing issue.
CVE-2019-13718
    Khalil Zhani discovered a way to spoof Internationalized Domain
    Names.
CVE-2019-13719
    Khalil Zhani discovered a user interface spoofing issue.
CVE-2019-13720
    Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.
CVE-2019-13721
    banananapenguin discovered a use-after-free issue in the pdfium
    library.

For the oldstable distribution (stretch), support for chromium has been
discontinued. Please upgrade to the stable release (buster) to continue
receiving chromium updates or switch to firefox, which continues to be
supported in the oldstable release.

For the stable distribution (buster), these problems have been fixed in
version 78.0.3904.97-1~deb10u1.
sunrat Posted November 12, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4564-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2018-12207

    It was discovered that on Intel CPUs supporting hardware
    virtualisation with Extended Page Tables (EPT), a guest VM may
    manipulate the memory management hardware to cause a Machine Check
    Error (MCE) and denial of service (hang or crash).

    The guest triggers this error by changing page tables without a TLB
    flush, so that both 4 KB and 2 MB entries for the same virtual
    address are loaded into the instruction TLB (iTLB). This update
    implements a mitigation in KVM that prevents guest VMs from loading
    2 MB entries into the iTLB. This will reduce performance of guest
    VMs.

    Further information on the mitigation can be found at
    <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html>
    or in the linux-doc-4.9 or linux-doc-4.19 package.

    A qemu update adding support for the PSCHANGE_MC_NO feature, which
    allows iTLB Multihit mitigations to be disabled in nested
    hypervisors, will be provided via DSA 4566-1.

    Intel's explanation of the issue can be found at
    <https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0>.

CVE-2019-0154

    Intel discovered that on their 8th and 9th generation GPUs, reading
    certain registers while the GPU is in a low-power state can cause a
    system hang. A local user permitted to use the GPU can use this for
    denial of service.

    This update mitigates the issue through changes to the i915 driver.

    The affected chips (gen8 and gen9) are listed at
    <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen8>.

CVE-2019-0155

    Intel discovered that their 9th generation and newer GPUs are
    missing a security check in the Blitter Command Streamer (BCS). A
    local user permitted to use the GPU could use this to access any
    memory that the GPU has access to, which could result in a denial of
    service (memory corruption or crash), a leak of sensitive
    information, or privilege escalation.

    This update mitigates the issue by adding the security check to the
    i915 driver.

    The affected chips (gen9 onward) are listed at
    <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen9>.

CVE-2019-11135

    It was discovered that on Intel CPUs supporting transactional memory
    (TSX), a transaction that is going to be aborted may continue to
    execute speculatively, reading sensitive data from internal buffers
    and leaking it through dependent operations. Intel calls this "TSX
    Asynchronous Abort" (TAA).

    For CPUs affected by the previously published Microarchitectural
    Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127,
    CVE-2018-12130, CVE-2019-11091), the existing mitigation also
    mitigates this issue.

    For processors that are vulnerable to TAA but not MDS, this update
    disables TSX by default. This mitigation requires updated CPU
    microcode. An updated intel-microcode package (only available in
    Debian non-free) will be provided via DSA 4565-1. The updated CPU
    microcode may also be available as part of a system firmware
    ("BIOS") update.

    Further information on the mitigation can be found at
    <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html>
    or in the linux-doc-4.9 or linux-doc-4.19 package.

    Intel's explanation of the issue can be found at
    <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u2.
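Added example, not part of the advisory or of Debian's packaging: a small POSIX shell check that reads the kernel's own mitigation status for the issues DSA-4564-1 covers (iTLB multihit / CVE-2018-12207, TAA / CVE-2019-11135 and the related MDS issues) from the sysfs files documented in the kernel admin-guide pages the advisory links to. It assumes the sysfs file names `itlb_multihit`, `tsx_async_abort` and `mds` under `/sys/devices/system/cpu/vulnerabilities`; the demo at the bottom runs on a constructed snapshot so it works offline.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the running kernel
# considers the iTLB multihit, TAA and MDS issues mitigated, using the
# per-issue files in /sys/devices/system/cpu/vulnerabilities.
# Pass a directory to check_cpu_mitigations to inspect a real host.

# Classify one sysfs vulnerability file.  Value formats seen in the kernel
# documentation: "Not affected", "Mitigation: ...",
# "KVM: Mitigation: Split huge pages", "KVM: Vulnerable",
# "Vulnerable: ...", "Processor vulnerable".
# Prints one word: mitigated | vulnerable | unknown
# $1 = directory holding the files, $2 = file name (e.g. tsx_async_abort)
mitigation_state() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        echo unknown          # kernel too old to report this issue at all
        return 0
    fi
    status=$(cat "$f")
    case "$status" in
        *"Not affected"*|*Mitigation*) echo mitigated ;;
        *Vulnerable*|*vulnerable*)     echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# Print one line per issue; return 0 if nothing is reported vulnerable,
# 1 otherwise.  An "unknown" entry means the file is missing: the kernel
# predates the mitigation, which is worth treating as a finding too.
check_cpu_mitigations() {
    dir="$1"
    rc=0
    for name in itlb_multihit tsx_async_abort mds; do
        state=$(mitigation_state "$dir" "$name")
        raw=$(cat "$dir/$name" 2>/dev/null || echo '(file missing)')
        printf '%-16s %-11s %s\n' "$name" "$state" "$raw"
        [ "$state" = vulnerable ] && rc=1
    done
    return $rc
}

# Stand-alone demo on a constructed sysfs snapshot.  The three values below
# are made up to show a host whose TSX microcode update is still missing.
demo_dir=$(mktemp -d)
printf 'KVM: Mitigation: Split huge pages\n' > "$demo_dir/itlb_multihit"
printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$demo_dir/tsx_async_abort"
printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$demo_dir/mds"
check_cpu_mitigations "$demo_dir" || echo "at least one issue still reported vulnerable"
rm -rf "$demo_dir"
```

On a real buster host, `check_cpu_mitigations /sys/devices/system/cpu/vulnerabilities` shows whether the kernel from this DSA and the microcode from DSA 4565-1 are both in effect.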
sunrat Posted November 13, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4563-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8812 CVE-2019-8814

These vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2019-8812
    An anonymous researcher discovered that maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2019-8814
    Cheolung Lee discovered that maliciously crafted web content may
    lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.26.2-1~deb10+1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4567-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dpdk
CVE ID         : CVE-2019-14818

It was discovered that the vhost PMD in DPDK, a set of libraries for
fast packet processing, was affected by memory and file descriptor
leaks which could result in denial of service.

For the oldstable distribution (stretch), this problem has been fixed
in version 16.11.9-1+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 18.11.2-2+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4566-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
Debian Bug     : 944623

This update for QEMU, a fast processor emulator, backports support to
passthrough the pschange-mc-no CPU flag. The virtualised MSR seen by a
guest is set to show the bug as fixed, allowing iTLB Multihit
mitigations to be disabled in nested hypervisors (cf. DSA 4564-1).

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u3.
sunrat Posted November 13, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4565-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2019-11135 CVE-2019-11139

This update ships updated CPU microcode for some types of Intel CPUs. In
particular it provides mitigations for the TAA (TSX Asynchronous Abort)
vulnerability. For affected CPUs, to fully mitigate the vulnerability it
is also necessary to update the Linux kernel packages as released in
DSA 4564-1.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.20191112.1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.20191112.1~deb10u1.
sunrat Posted November 15, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4568-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-common
CVE ID         : CVE-2019-3466

Rich Mirch discovered that the pg_ctlcluster script didn't drop
privileges when creating socket/statistics temporary directories, which
could result in local privilege escalation.

For the oldstable distribution (stretch), this problem has been fixed
in version 181+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 200+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4569-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2019-14869

Manfred Paul and Lukas Schauer reported that the .charkeys procedure in
Ghostscript, the GPL PostScript/PDF interpreter, does not properly
restrict privileged calls, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the oldstable distribution (stretch), this problem has been fixed
in version 9.26a~dfsg-0+deb9u6.

For the stable distribution (buster), this problem has been fixed in
version 9.27~dfsg-2+deb10u3.
sunrat Posted November 16, 2019

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.2 released                        press@debian.org
November 16th, 2019             https://www.debian.org/News/2019/20191116
------------------------------------------------------------------------

The Debian project is pleased to announce the second update of its stable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages (Package: Reason):

  aegisub [1]: Fix crash when selecting a language from the bottom of the "Spell checker language" list; fix crash when right-clicking in the subtitles text box
  akonadi [2]: Fix various crashes / deadlock issues
  base-files [3]: Update /etc/debian_version for the point release
  capistrano [4]: Fix failure to remove old releases when there were too many
  cron [5]: Stop using obsolete SELinux API
  cyrus-imapd [6]: Fix data loss on upgrade from version 3.0.0 or earlier
  debian-edu-config [7]: Handle newer Firefox ESR configuration files; add post-up stanza to /etc/network/interfaces eth0 entry conditionally
  debian-installer [8]: Fix unreadable fonts on hidpi displays in netboot images booted with EFI
  debian-installer-netboot-images [9]: Rebuild against proposed-updates
  distro-info-data [10]: Add Ubuntu 20.04 LTS, Focal Fossa
  dkimpy-milter [11]: New upstream stable release; fix sysvinit support; catch more ASCII encoding errors to improve resilience against bad data; fix message extraction so that signing in the same pass through the milter as verifying works correctly
  emacs [12]: Update the EPLA packaging key
  fence-agents [13]: Fix incomplete removal of fence_amt_ws
  flatpak [14]: New upstream stable release
  flightcrew [15]: Security fixes [CVE-2019-13032 CVE-2019-13241]
  fonts-noto-cjk [16]: Fix over-aggressive font selection of Noto CJK fonts in modern web browsers under Chinese locale
  freetype [17]: Properly handle phantom points for variable hinted fonts
  gdb [18]: Rebuild against new libbabeltrace, with higher version number to avoid conflict with earlier upload
  glib2.0 [19]: Ensure libdbus clients can authenticate with a GDBusServer like the one in ibus
  gnome-shell [20]: New upstream stable release; fix truncation of long messages in Shell-modal dialogs; avoid crash on reallocation of dead actors
  gnome-sound-recorder [21]: Fix crash when selecting a recording
  gnustep-base [22]: Disable gdomap daemon that was accidentally enabled on upgrades from stretch
  graphite-web [23]: Remove unused "send_email" function [CVE-2017-18638]; avoid hourly error in cron when there is no whisper database
  inn2 [24]: Fix negotiation of DHE ciphersuites
  libapache-mod-auth-kerb [25]: Fix use after free bug leading to crash
  libdate-holidays-de-perl [26]: Mark International Children's Day (Sep 20th) as a holiday in Thuringia from 2019 onwards
  libdatetime-timezone-perl [27]: Update included data
  libofx [28]: Fix null pointer dereference issue [CVE-2019-9656]
  libreoffice [29]: Fix the postgresql driver with PostgreSQL 12
  libsixel [30]: Fix several security issues [CVE-2018-19756 CVE-2018-19757 CVE-2018-19759 CVE-2018-19761 CVE-2018-19762 CVE-2018-19763 CVE-2019-3573 CVE-2019-3574]
  libxslt [31]: Fix dangling pointer in xsltCopyText [CVE-2019-18197]
  lucene-solr [32]: Disable obsolete call to ContextHandler in solr-jetty9.xml; fix Jetty permissions on SOLR index
  mariadb-10.3 [33]: New upstream stable release
  modsecurity-crs [34]: Fix PHP script upload rules [CVE-2019-13464]
  mutter [35]: New upstream stable release
  ncurses [36]: Fix several security issues [CVE-2019-17594 CVE-2019-17595] and other issues in tic
  ndppd [37]: Avoid world writable PID file, that was breaking daemon init scripts
  network-manager [38]: Fix file permissions for "/var/lib/NetworkManager/secret_key" and /var/lib/NetworkManager
  node-fstream [39]: Fix arbitrary file overwrite issue [CVE-2019-13173]
  node-set-value [40]: Fix prototype pollution [CVE-2019-10747]
  node-yarnpkg [41]: Force using HTTPS for regular registries
  nx-libs [42]: Fix regressions introduced in previous upload, affecting x2go
  open-vm-tools [43]: Fix memory leaks and error handling
  openvswitch [44]: Update debian/ifupdown.sh to allow setting-up the MTU; fix Python dependencies to use Python 3
  picard [45]: Update translations to fix crash with Spanish locale
  plasma-applet-redshift-control [46]: Fix manual mode when used with redshift versions above 1.12
  postfix [47]: New upstream stable release; work around poor TCP loopback performance
  python-cryptography [48]: Fix test suite failures when built against newer OpenSSL versions; fix a memory leak triggerable when parsing x509 certificate extensions like AIA
  python-flask-rdf [49]: Add Depends on python{3,}-rdflib
  python-oslo.messaging [50]: New upstream stable release; fix switch connection destination when a rabbitmq cluster node disappears
  python-werkzeug [51]: Ensure Docker containers have unique debugger PINs [CVE-2019-14806]
  python2.7 [52]: Fix several security issues [CVE-2018-20852 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-9740 CVE-2019-9947]
  quota [53]: Fix rpc.rquotad spinning at 100% CPU
  rpcbind [54]: Allow remote calls to be enabled at run-time
  shelldap [55]: Repair SASL authentications, add a 'sasluser' option
  sogo [56]: Fix display of PGP-signed e-mails
  spf-engine [57]: New upstream stable release; fix sysvinit support
  standardskriver [58]: Fix deprecation warning from config.RawConfigParser; use external "ip" command rather than deprecated "ifconfig" command
  swi-prolog [59]: Use HTTPS when contacting upstream pack servers
  systemd [60]: core: never propagate reload failure to service result; fix sync_file_range failures in nspawn containers on arm, ppc; fix RootDirectory not working when used in combination with User; ensure that access controls on systemd-resolved's D-Bus interface are enforced correctly [CVE-2019-15718]; fix StopWhenUnneeded=true for mount units; make MountFlags=shared work again
  tmpreaper [61]: Prevent breaking of systemd services that use PrivateTmp=true
  trapperkeeper-webserver-jetty9-clojure [62]: Restore SSL compatibility with newer Jetty versions
  tzdata [63]: New upstream release
  ublock-origin [64]: New upstream version, compatible with Firefox ESR68
  uim [65]: Resurrect libuim-data as a transitional package, fixing some issues after upgrades to buster
  vanguards [66]: New upstream stable release; prevent a reload of tor's configuration via SIGHUP causing a denial-of-service for vanguards protections

Security Updates
----------------

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

  Advisory ID       Package
  DSA-4509 [67]     apache2 [68]
  DSA-4511 [69]     nghttp2 [70]
  DSA-4512 [71]     qemu [72]
  DSA-4514 [73]     varnish [74]
  DSA-4515 [75]     webkit2gtk [76]
  DSA-4516 [77]     firefox-esr [78]
  DSA-4517 [79]     exim4 [80]
  DSA-4518 [81]     ghostscript [82]
  DSA-4519 [83]     libreoffice [84]
  DSA-4520 [85]     trafficserver [86]
  DSA-4521 [87]     docker.io [88]
  DSA-4523 [89]     thunderbird [90]
  DSA-4524 [91]     dino-im [92]
  DSA-4525 [93]     ibus [94]
  DSA-4526 [95]     opendmarc [96]
  DSA-4527 [97]     php7.3 [98]
  DSA-4528 [99]     bird [100]
  DSA-4530 [101]    expat [102]
  DSA-4531 [103]    linux-signed-amd64 [104]
  DSA-4531 [105]    linux-signed-i386 [106]
  DSA-4531 [107]    linux [108]
  DSA-4531 [109]    linux-signed-arm64 [110]
  DSA-4532 [111]    spip [112]
  DSA-4533 [113]    lemonldap-ng [114]
  DSA-4534 [115]    golang-1.11 [116]
  DSA-4535 [117]    e2fsprogs [118]
  DSA-4536 [119]    exim4 [120]
  DSA-4538 [121]    wpa [122]
  DSA-4539 [123]    openssl [124]
  DSA-4539 [125]    openssh [126]
  DSA-4541 [127]    libapreq2 [128]
  DSA-4542 [129]    jackson-databind [130]
  DSA-4543 [131]    sudo [132]
  DSA-4544 [133]    unbound [134]
  DSA-4545 [135]    mediawiki [136]
  DSA-4547 [137]    tcpdump [138]
  DSA-4549 [139]    firefox-esr [140]
  DSA-4550 [141]    file [142]
  DSA-4551 [143]    golang-1.11 [144]
  DSA-4553 [145]    php7.3 [146]
  DSA-4554 [147]    ruby-loofah [148]
  DSA-4555 [149]    pam-python [150]
  DSA-4556 [151]    qtbase-opensource-src [152]
  DSA-4557 [153]    libarchive [154]
  DSA-4558 [155]    webkit2gtk [156]
  DSA-4559 [157]    proftpd-dfsg [158]
  DSA-4560 [159]    simplesamlphp [160]
  DSA-4561 [161]    fribidi [162]
  DSA-4562 [163]    chromium [164]

Removed packages
----------------

The following packages were removed due to circumstances beyond our control (Package: Reason):

  firefox-esr [165]: [armel] No longer supportable due to nodejs build-dependency

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who volunteer their time and effort in order to produce the completely free operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at https://www.debian.org/, send mail to <press@debian.org>, or contact the stable release team at <debian-release@lists.debian.org>.
sunrat Posted November 18, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4570-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mosquitto
CVE ID         : CVE-2019-11779
Debian Bug     : 940654

A vulnerability was discovered in mosquitto, an MQTT version 3.1/3.1.1 compatible message broker, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash), by sending a specially crafted SUBSCRIBE packet containing a topic with an extremely deep hierarchy.

For the stable distribution (buster), this problem has been fixed in version 1.5.7-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4571-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-15903 CVE-2019-11764 CVE-2019-11763 CVE-2019-11762 CVE-2019-11761 CVE-2019-11760 CVE-2019-11759 CVE-2019-11757 CVE-2019-11755

Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code or denial of service.

Debian follows the Thunderbird upstream releases. Support for the 60.x series has ended, so starting with this update we're now following the 68.x releases.

For the oldstable distribution (stretch), this problem has been fixed in version 1:68.2.2-1~deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1:68.2.2-1~deb10u1.
sunrat Posted November 18, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4572-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2019-12838

It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, did not escape strings when importing an archive file into the accounting_storage/mysql backend, resulting in SQL injection.

For the stable distribution (buster), this problem has been fixed in version 18.08.5.2-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4573-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : symfony
CVE ID         : CVE-2019-18887 CVE-2019-18888 CVE-2019-18889

Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization.

For the oldstable distribution (stretch), these problems have been fixed in version 2.8.7+dfsg-1.3+deb9u3.

For the stable distribution (buster), these problems have been fixed in version 3.4.22+dfsg-2+deb10u1.
sunrat Posted November 19, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4574-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 19, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
CVE ID         : CVE-2019-17427 CVE-2019-18890

Holger Just discovered an SQL injection in Redmine, a project management web application. In addition, a cross-site scripting issue was found in Textile formatting.

For the oldstable distribution (stretch), these problems have been fixed in version 3.3.1-4+deb9u3.
sunrat Posted November 24, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4571-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : enigmail

DSA 4571-1 updated Thunderbird to the 68.x series, which is incompatible with the Enigmail release shipped in Debian Buster.

For the stable distribution (buster), this problem has been fixed in version 2:2.1.3+ds1-4~deb10u2.
sunrat Posted November 25, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4575-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 24, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-13723 CVE-2019-13724

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-13723

    Yuxiang Li discovered a use-after-free issue in the bluetooth service.

CVE-2019-13724

    Yuxiang Li discovered an out-of-bounds read issue in the bluetooth service.

For the oldstable distribution (stretch), security support for the chromium package has been discontinued.

For the stable distribution (buster), these problems have been fixed in version 78.0.3904.108-1~deb10u1.
sunrat Posted November 25, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4576-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 25, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-imagick
CVE ID         : CVE-2019-11037
Debian Bug     : 928420

An out-of-bounds write vulnerability was discovered in php-imagick, a PHP extension to create and modify images using the ImageMagick API, which could result in denial of service, or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed in version 3.4.3~rc2-2+deb9u1.
sunrat Posted November 29, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4577-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 28, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2019-19330

Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, did not properly sanitize HTTP headers when converting from HTTP/2 to HTTP/1. This would allow a remote user to perform CRLF injections.

For the stable distribution (buster), this problem has been fixed in version 1.8.19-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4578-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 28, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvpx
CVE ID         : CVE-2019-9232 CVE-2019-9325 CVE-2019-9433 CVE-2019-9371

Multiple security issues were found in libvpx multimedia library which could result in denial of service and potentially the execution of arbitrary code if malformed WebM files are processed.

For the oldstable distribution (stretch), these problems have been fixed in version 1.6.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 1.7.0-3+deb10u1.
sunrat Posted December 6, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4579-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 06, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2019-11745 CVE-2019-17007

Two vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 2:3.42.1-1+deb10u2.
sunrat Posted December 15, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4580-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 09, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 68.3.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 68.3.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4581-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 10, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353 CVE-2019-1387 CVE-2019-19604

Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system.

CVE-2019-1348

    It was reported that the --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=..., allowing arbitrary paths to be overwritten.

CVE-2019-1387

    It was discovered that submodule names are not validated strictly enough, allowing very targeted attacks via remote code execution when performing recursive clones.

CVE-2019-19604

    Joern Schneeweisz reported a vulnerability, where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that. It is now disallowed for `.gitmodules` to have entries that set `submodule.<name>.update=!command`.

In addition this update addresses a number of security issues which are only an issue if git is operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352 and CVE-2019-1353).

For the oldstable distribution (stretch), these problems have been fixed in version 1:2.11.0-3+deb9u5.

For the stable distribution (buster), these problems have been fixed in version 1:2.20.1-2+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4582-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : davical
CVE ID         : CVE-2019-18345 CVE-2019-18346 CVE-2019-18347
Debian Bug     : 946343

Multiple cross-site scripting and cross-site request forgery issues were discovered in the DAViCal CalDAV Server.

For the oldstable distribution (stretch), these problems have been fixed in version 1.1.5-1+deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1.1.8-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4583-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : not yet available

A vulnerability was discovered in the SPIP publishing system, which could result in unauthorised writes to the database by authors.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4565-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2019-11135 CVE-2019-11139
Debian Bug     : 946515

This update ships updated CPU microcode for CFL-S (Coffee Lake Desktop) models of Intel CPUs which were not yet included in the Intel microcode update released as DSA 4565-1. For details please refer to https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/IPU-2019.2-microcode-update-guidance-v1.01.pdf

Additionally this update rolls back CPU microcode for HEDT and Xeon processors with signature 0x50654 which were affected by a regression causing hangs on warm reboots (Cf. #946515).

For the oldstable distribution (stretch), these problems have been fixed in version 3.20191115.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 3.20191115.2~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4584-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2018-11805 CVE-2019-12420
Debian Bug     : 946652 946653

Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis.

CVE-2018-11805

    Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

CVE-2019-12420

    Specially crafted multipart messages can cause spamassassin to use excessive resources, resulting in a denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u2.

For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u1.
sunrat Posted December 15, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4585-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 15, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012
Debian Bug     : 946588

Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 1:68.3.0-2~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1:68.3.0-2~deb10u1.
sunrat Posted December 17, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4586-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4587-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4588-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-ecdsa
CVE ID         : CVE-2019-14853 CVE-2019-14859

It was discovered that python-ecdsa, a cryptographic signature library for Python, incorrectly handled certain signatures. A remote attacker could use this issue to cause python-ecdsa to either not warn about incorrect signatures, or generate exceptions resulting in a denial-of-service.

For the oldstable distribution (stretch), these problems have been fixed in version 0.13-2+deb9u1.

For the stable distribution (buster), these problems have been fixed in version 0.13-3+deb10u1.
sunrat Posted December 19, 2019

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4589-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : debian-edu-config
CVE ID         : CVE-2019-3467
Debian Bug     : 946797

It was discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.

For the oldstable distribution (stretch), this problem has been fixed in version 1.929+deb9u4.

For the stable distribution (buster), this problem has been fixed in version 2.10.65+deb10u3.