Bruno

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4545-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 18, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2019-16738

It was discovered that the Special:Redirect functionality of MediaWiki,
a website engine for collaborative work, could expose suppressed user
names, resulting in an information leak.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:1.27.7-1~deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1:1.31.4-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4546-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 20, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 
                 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 
                 CVE-2019-2978 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 
                 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in cross-site scripting, denial of service,
information disclosure or Kerberos user impersonation.

For the stable distribution (buster), these problems have been fixed in
version 11_11.0.5+10-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4547-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tcpdump
CVE ID         : CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 
                 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 
                 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 
                 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882 
                 CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230 
                 CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial of
service or, potentially, execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.3-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 4.9.3-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4548-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 
                 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2978 
                 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 
                 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in cross-site scripting, denial of service, information
disclosure or Kerberos user impersonation.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u232-b09-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4549-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 24, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-11757 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 
                 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764 CVE-2019-15903

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, cross-site scripting or denial of service.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 60.x series has ended, so starting with this update we're now
following the 68.x releases.

For the oldstable distribution (stretch), some additional config changes
to the buildd network are needed (to provide the new Rust-based toolchain
needed by ESR68). Packages will be made available when those are sorted out.

For the stable distribution (buster), these problems have been fixed in
version 68.2.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4550-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
CVE ID         : CVE-2019-18218

A buffer overflow was found in file, a file type classification tool,
which may result in denial of service or potentially the execution of
arbitrary code if a malformed CDF (Composite Document File) file is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:5.30-1+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 1:5.35-4+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4551-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2019-17596

Daniel Mandragona discovered that invalid DSA public keys can cause a
panic in dsa.Verify(), resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.11.6-1+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4552-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation
in the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the oldstable distribution (stretch), this problem has been fixed
in version 7.0.33-0+deb9u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4553-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation
in the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the stable distribution (buster), this problem has been fixed in
version 7.3.11-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4554-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-loofah
CVE ID         : CVE-2019-15587
Debian Bug     : 942894

It was discovered that ruby-loofah, a general library for manipulating
and transforming HTML/XML documents and fragments, was susceptible to
cross-site scripting.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.0.3-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 2.2.3-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4555-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 29, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pam-python
CVE ID         : CVE-2019-16729

Malte Kraus discovered that libpam-python, a PAM module allowing PAM
modules to be written in Python, didn't sanitise environment variables
which could result in local privilege escalation if used with a
setuid binary.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.0.6-1.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.0.6-1.1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4556-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qtbase-opensource-src
CVE ID         : CVE-2019-18281

An out-of-bounds memory access was discovered in the Qt library, which
could result in denial of service through a text file containing many
directional characters.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in
version 5.11.3+dfsg1-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4557-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2019-18408

A use-after-free was found in libarchive, a multi-format archive and
compression library, which could result in denial of service and
potentially the execution of arbitrary code if a malformed archive
is processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.2.2-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 3.3.3-4+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4558-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 04, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8625 CVE-2019-8720 CVE-2019-8769 CVE-2019-8771

Several vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2019-8625

    Sergei Glazunov discovered that maliciously crafted web content
    may lead to universal cross site scripting.

CVE-2019-8720

    Wen Xu discovered that maliciously crafted web content may lead to
    arbitrary code execution.

CVE-2019-8769

    Pierre Reimertz discovered that visiting a maliciously crafted
    website may reveal browsing history.

CVE-2019-8771

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

For the stable distribution (buster), these problems have been fixed in
version 2.26.1-3~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4559-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : proftpd-dfsg
CVE ID         : CVE-2019-18217
Debian Bug     : 942831

Stephan Zeisberg discovered that missing input validation in ProFTPD, an
FTP/SFTP/FTPS server, could result in denial of service via an infinite
loop.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.5b-4+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.3.6-4+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4560-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
November 06, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : simplesamlphp
CVE ID         : CVE-2019-3465
Debian Bug     : 944107

It was discovered that in SimpleSAMLphp, an implementation of the
SAML 2.0 protocol, it was possible to circumvent XML signature
verification on SAML messages.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.14.11-1+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.16.3-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4561-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 08, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fribidi
CVE ID         : CVE-2019-18397
Debian Bug     : 944327

Alex Murray discovered a stack-based buffer overflow vulnerability in
fribidi, an implementation of the Unicode Bidirectional Algorithm,
which could result in denial of service or potentially the execution
of arbitrary code when processing a large number of Unicode isolate
directional characters.

For the stable distribution (buster), this problem has been fixed in
version 1.0.5-3.1+deb10u1.

- --------------------------------------------------------------------------
Debian Security Advisory DSA-4562-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 10, 2019                     https://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872
                 CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877
                 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659
                 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663
                 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667
                 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671
                 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676
                 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680
                 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685
                 CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691
                 CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695
                 CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700
                 CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704
                 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708
                 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713
                 CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717
                 CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 CVE-2019-13721

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5869

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5870

    Guang Gong discovered a use-after-free issue.

CVE-2019-5871

    A buffer overflow issue was discovered in the skia library.

CVE-2019-5872

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5874

    James Lee discovered an issue with external Uniform Resource Identifiers.

CVE-2019-5875

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-5876

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-5877

    Guang Gong discovered an out-of-bounds read issue.

CVE-2019-5878

    Guang Gong discovered a use-after-free issue in the v8 javascript
    library.

CVE-2019-5879

    Jinseo Kim discovered that extensions could read files on the local
    system.

CVE-2019-5880

    Jun Kokatsu discovered a way to bypass the SameSite cookie feature.

CVE-2019-13659

    Lnyas Zhang discovered a URL spoofing issue.

CVE-2019-13660

    Wenxu Wu discovered a user interface error in full screen mode.

CVE-2019-13661

    Wenxu Wu discovered a user interface spoofing issue in full screen mode.

CVE-2019-13662

    David Erceg discovered a way to bypass the Content Security Policy.

CVE-2019-13663

    Lnyas Zhang discovered a way to spoof Internationalized Domain Names.

CVE-2019-13664

    Thomas Shadwell discovered a way to bypass the SameSite cookie feature.

CVE-2019-13665

    Jun Kokatsu discovered a way to bypass the multiple file download
    protection feature.

CVE-2019-13666

    Tom Van Goethem discovered an information leak.

CVE-2019-13667

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-13668

    David Erceg discovered an information leak.

CVE-2019-13669

    Khalil Zhani discovered an authentication spoofing issue.

CVE-2019-13670

    Guang Gong discovered a memory corruption issue in the v8 javascript
    library.

CVE-2019-13671

    xisigr discovered a user interface error.

CVE-2019-13673

    David Erceg discovered an information leak.

CVE-2019-13674

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

CVE-2019-13675

    Jun Kokatsu discovered a way to disable extensions.

CVE-2019-13676

    Wenxu Wu discovered an error in a certificate warning.

CVE-2019-13677

    Jun Kokatsu discovered an error in the chrome web store.

CVE-2019-13678

    Ronni Skansing discovered a spoofing issue in the download dialog window.

CVE-2019-13679

    Conrad Irwin discovered that user activation was not required for
    printing.

CVE-2019-13680

    Thijs Alkamade discovered an IP address spoofing issue.

CVE-2019-13681

    David Erceg discovered a way to bypass download restrictions.

CVE-2019-13682

    Jun Kokatsu discovered a way to bypass the site isolation feature.

CVE-2019-13683

    David Erceg discovered an information leak.

CVE-2019-13685

    Khalil Zhani discovered a use-after-free issue.

CVE-2019-13686

    Brendon discovered a use-after-free issue.

CVE-2019-13687

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13688

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13691

    David Erceg discovered a user interface spoofing issue.

CVE-2019-13692

    Jun Kokatsu discovered a way to bypass the Same Origin Policy.

CVE-2019-13693

    Guang Gong discovered a use-after-free issue.

CVE-2019-13694

    banananapenguin discovered a use-after-free issue.

CVE-2019-13695

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13696

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

CVE-2019-13697

    Luan Herrera discovered an information leak.

CVE-2019-13699

    Man Yue Mo discovered a use-after-free issue.

CVE-2019-13700

    Man Yue Mo discovered a buffer overflow issue.

CVE-2019-13701

    David Erceg discovered a URL spoofing issue.

CVE-2019-13702

    Phillip Langlois and Edward Torkington discovered a privilege escalation
    issue in the installer.

CVE-2019-13703

    Khalil Zhani discovered a URL spoofing issue.

CVE-2019-13704

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

CVE-2019-13705

    Luan Herrera discovered a way to bypass extension permissions.

CVE-2019-13706

    pdknsk discovered an out-of-bounds read issue in the pdfium library.

CVE-2019-13707

    Andrea Palazzo discovered an information leak.

CVE-2019-13708

    Khalil Zhani discovered an authentication spoofing issue.

CVE-2019-13709

    Zhong Zhaochen discovered a way to bypass download restrictions.

CVE-2019-13710

    bernardo.mrod discovered a way to bypass download restrictions.

CVE-2019-13711

    David Erceg discovered an information leak.

CVE-2019-13713

    David Erceg discovered an information leak.

CVE-2019-13714

    Jun Kokatsu discovered an issue with Cascading Style Sheets.

CVE-2019-13715

    xisigr discovered a URL spoofing issue.

CVE-2019-13716

    Barron Hagerman discovered an error in the service worker implementation.

CVE-2019-13717

    xisigr discovered a user interface spoofing issue.

CVE-2019-13718

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

CVE-2019-13719

    Khalil Zhani discovered a user interface spoofing issue.

CVE-2019-13720

    Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.

CVE-2019-13721

    banananapenguin discovered a use-after-free issue in the pdfium library.

For the oldstable distribution (stretch), support for chromium has been
discontinued.  Please upgrade to the stable release (buster) to continue
receiving chromium updates or switch to firefox, which continues to be
supported in the oldstable release.

For the stable distribution (buster), these problems have been fixed in
version 78.0.3904.97-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4564-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2018-12207

    It was discovered that on Intel CPUs supporting hardware
    virtualisation with Extended Page Tables (EPT), a guest VM may
    manipulate the memory management hardware to cause a Machine Check
    Error (MCE) and denial of service (hang or crash).

    The guest triggers this error by changing page tables without a
    TLB flush, so that both 4 KB and 2 MB entries for the same virtual
    address are loaded into the instruction TLB (iTLB).  This update
    implements a mitigation in KVM that prevents guest VMs from
    loading 2 MB entries into the iTLB.  This will reduce performance
    of guest VMs.

    Further information on the mitigation can be found at
    <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html>
    or in the linux-doc-4.9 or linux-doc-4.19 package.

    A qemu update adding support for the PSCHANGE_MC_NO feature, which
    allows iTLB Multihit mitigations to be disabled in nested hypervisors,
    will be provided via DSA 4566-1.

    Intel's explanation of the issue can be found at
    <https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0>.

CVE-2019-0154

    Intel discovered that on their 8th and 9th generation GPUs,
    reading certain registers while the GPU is in a low-power state
    can cause a system hang.  A local user permitted to use the GPU
    can use this for denial of service.

    This update mitigates the issue through changes to the i915
    driver.

    The affected chips (gen8 and gen9) are listed at
    <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen8>.

CVE-2019-0155

    Intel discovered that their 9th generation and newer GPUs are
    missing a security check in the Blitter Command Streamer (BCS).  A
    local user permitted to use the GPU could use this to access any
    memory that the GPU has access to, which could result in a denial
    of service (memory corruption or crash), a leak of sensitive
    information, or privilege escalation.

    This update mitigates the issue by adding the security check to
    the i915 driver.

    The affected chips (gen9 onward) are listed at
    <https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units#Gen9>.

CVE-2019-11135

    It was discovered that on Intel CPUs supporting transactional
    memory (TSX), a transaction that is going to be aborted may
    continue to execute speculatively, reading sensitive data from
    internal buffers and leaking it through dependent operations.
    Intel calls this "TSX Asynchronous Abort" (TAA).

    For CPUs affected by the previously published Microarchitectural
    Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127,
    CVE-2018-12130, CVE-2019-11091), the existing mitigation also
    mitigates this issue.

    For processors that are vulnerable to TAA but not MDS, this update
    disables TSX by default.  This mitigation requires updated CPU
    microcode.  An updated intel-microcode package (only available in
    Debian non-free) will be provided via DSA 4565-1.  The updated CPU
    microcode may also be available as part of a system firmware
    ("BIOS") update.

    Further information on the mitigation can be found at
    <https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html>
    or in the linux-doc-4.9 or linux-doc-4.19 package.

    Intel's explanation of the issue can be found at
    <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4563-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8812 CVE-2019-8814

These vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2019-8812

    An anonymous researcher discovered that maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2019-8814

    Cheolung Lee discovered that maliciously crafted web content may
    lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.26.2-1~deb10+1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4567-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dpdk
CVE ID         : CVE-2019-14818

It was discovered that the vhost PMD in DPDK, a set of libraries for
fast packet processing, was affected by memory and file descriptor leaks
which could result in denial of service.

For the oldstable distribution (stretch), this problem has been fixed
in version 16.11.9-1+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 18.11.2-2+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4566-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 12, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
Debian Bug     : 944623

This update for QEMU, a fast processor emulator, backports support for
passing through the pschange-mc-no CPU flag. The virtualised MSR seen by a
guest is set to show the bug as fixed, allowing iTLB Multihit mitigations
to be disabled in nested hypervisors (cf. DSA 4564-1).

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4565-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2019-11135 CVE-2019-11139

This update ships updated CPU microcode for some types of Intel CPUs. In
particular it provides mitigations for the TAA (TSX Asynchronous Abort)
vulnerability. For affected CPUs, to fully mitigate the vulnerability it
is also necessary to update the Linux kernel packages as released in DSA
4564-1.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.20191112.1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.20191112.1~deb10u1.
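The kernel advisory (DSA-4564-1) and the microcode advisory (DSA-4565-1) above describe a two-part mitigation for TAA: the kernel disables TSX, but only once the CPU carries the updated microcode, and iTLB Multihit is mitigated inside KVM only. Whether a given host has actually reached that state is visible in the sysfs files the two linked kernel documents describe. The script below is an added example, not part of either advisory; it reads /sys/devices/system/cpu/vulnerabilities/itlb_multihit and tsx_async_abort and maps the documented status strings to the action still owed on that host (nothing, kernel update, or microcode update). The status strings and file names come from the kernel's multihit and tsx_async_abort documentation; the sample readings in SAMPLE_HOSTS are constructed, not captured from real machines, and the DSA numbers in the action text are simply those of the two advisories.

```python
"""Reduce the kernel's sysfs status for iTLB Multihit and TSX Asynchronous
Abort to the action still required on a host.

Added example, not Debian's code. Status strings follow
Documentation/admin-guide/hw-vuln/{multihit,tsx_async_abort}.rst; the sample
readings are constructed.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FILES = ("itlb_multihit", "tsx_async_abort")

# Constructed readings for four hypothetical hosts (not real captures).
SAMPLE_HOSTS = {
    # Kernel from DSA-4564-1 plus microcode from DSA-4565-1: TSX is off.
    "patched": {
        "itlb_multihit": "KVM: Mitigation: Split huge pages",
        "tsx_async_abort": "Mitigation: TSX disabled",
    },
    # Kernel updated, intel-microcode not: the kernel says so explicitly.
    "kernel_only": {
        "itlb_multihit": "KVM: Mitigation: Split huge pages",
        "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode",
    },
    # Kernel predating the advisory: the status files do not exist yet.
    "old_kernel": {"itlb_multihit": None, "tsx_async_abort": None},
    # CPU without the affected features.
    "unaffected": {"itlb_multihit": "Not affected", "tsx_async_abort": "Not affected"},
}


def read_status(directory=SYSFS_DIR):
    """Read the two status files from a running kernel. A missing file is
    reported as None: that kernel cannot even report the state."""
    status = {}
    for name in FILES:
        try:
            with open(os.path.join(directory, name)) as f:
                status[name] = f.read().strip()
        except OSError:
            status[name] = None
    return status


def _split_smt(text):
    """'Mitigation: Clear CPU buffers; SMT vulnerable' ->
    ('Mitigation: Clear CPU buffers', 'SMT vulnerable')."""
    main, sep, smt = text.partition(";")
    return main.strip(), (smt.strip() if sep else "")


def assess(status):
    """Map each status string to a (state, action) pair."""
    out = {}

    mh = status.get("itlb_multihit")
    if mh is None:
        out["itlb_multihit"] = ("unknown", "update kernel (DSA-4564-1)")
    elif mh == "Not affected":
        out["itlb_multihit"] = ("not affected", "none")
    elif mh.startswith("KVM: Mitigation"):
        # Prefix match: newer kernels add further 'KVM: Mitigation: ...' states.
        out["itlb_multihit"] = ("mitigated", "none (guests limited to 4 KB iTLB entries)")
    else:  # "KVM: Vulnerable" or "Processor vulnerable"
        out["itlb_multihit"] = ("vulnerable", "update kernel (DSA-4564-1)")

    taa = status.get("tsx_async_abort")
    if taa is None:
        out["tsx_async_abort"] = ("unknown", "update kernel (DSA-4564-1)")
    else:
        main, smt = _split_smt(taa)
        if main == "Not affected":
            out["tsx_async_abort"] = ("not affected", "none")
        elif main.startswith("Mitigation"):
            # Either TSX is disabled or the MDS buffer clearing covers TAA.
            note = "none"
            if smt == "SMT vulnerable":
                note = "none for TAA itself; SMT still exposes sibling threads"
            out["tsx_async_abort"] = ("mitigated", note)
        elif "no microcode" in main:
            # Kernel patched, CPU microcode not: the DSA-4565-1 half is missing.
            out["tsx_async_abort"] = ("partially mitigated",
                                      "update intel-microcode (DSA-4565-1) or system firmware")
        else:  # plain "Vulnerable"
            out["tsx_async_abort"] = ("vulnerable",
                                      "update kernel (DSA-4564-1) and intel-microcode (DSA-4565-1)")
    return out


if __name__ == "__main__":
    hosts = dict(SAMPLE_HOSTS)
    hosts["this host"] = read_status()
    for host, status in hosts.items():
        for vuln, (state, action) in assess(status).items():
            print(f"{host:12} {vuln:16} {state:20} {action}")
```

The "no microcode" branch is the case the microcode advisory warns about: the kernel half of the fix is in place but the CPU still runs old microcode, so TSX cannot be turned off and the host stays exposed until intel-microcode (or a BIOS update carrying the same microcode) is installed.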

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4568-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-common
CVE ID         : CVE-2019-3466

Rich Mirch discovered that the pg_ctlcluster script didn't drop
privileges when creating socket/statistics temporary directories, which
could result in local privilege escalation.

For the oldstable distribution (stretch), this problem has been fixed
in version 181+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 200+deb10u3.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4569-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2019-14869

Manfred Paul and Lukas Schauer reported that the .charkeys procedure in
Ghostscript, the GPL PostScript/PDF interpreter, does not properly
restrict privileged calls, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the oldstable distribution (stretch), this problem has been fixed
in version 9.26a~dfsg-0+deb9u6.

For the stable distribution (buster), this problem has been fixed in
version 9.27~dfsg-2+deb10u3.

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.2 released                        press@debian.org
November 16th, 2019            https://www.debian.org/News/2019/20191116
------------------------------------------------------------------------


The Debian project is pleased to announce the second update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| aegisub [1]               | Fix crash when selecting a language     |
|                           | from the bottom of the  "Spell checker  |
|                           | language"  list; fix crash when right-  |
|                           | clicking in the subtitles text box      |
|                           |                                         |
| akonadi [2]               | Fix various crashes / deadlock issues   |
|                           |                                         |
| base-files [3]            | Update /etc/debian_version for the      |
|                           | point release                           |
|                           |                                         |
| capistrano [4]            | Fix failure to remove old releases when |
|                           | there were too many                     |
|                           |                                         |
| cron [5]                  | Stop using obsolete SELinux API         |
|                           |                                         |
| cyrus-imapd [6]           | Fix data loss on upgrade from version   |
|                           | 3.0.0 or earlier                        |
|                           |                                         |
| debian-edu-config [7]     | Handle newer Firefox ESR configuration  |
|                           | files; add post-up stanza to /etc/      |
|                           | network/interfaces eth0 entry           |
|                           | conditionally                           |
|                           |                                         |
| debian-installer [8]      | Fix unreadable fonts on hidpi displays  |
|                           | in netboot images booted with EFI       |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [9]                |                                         |
|                           |                                         |
| distro-info-data [10]     | Add Ubuntu 20.04 LTS, Focal Fossa       |
|                           |                                         |
| dkimpy-milter [11]        | New upstream stable release; fix        |
|                           | sysvinit support; catch more ASCII      |
|                           | encoding errors to improve resilience   |
|                           | against bad data; fix message           |
|                           | extraction so that signing in the same  |
|                           | pass through the milter as verifying    |
|                           | works correctly                         |
|                           |                                         |
| emacs [12]                | Update the EPLA packaging key           |
|                           |                                         |
| fence-agents [13]         | Fix incomplete removal of fence_amt_ws  |
|                           |                                         |
| flatpak [14]              | New upstream stable release             |
|                           |                                         |
| flightcrew [15]           | Security fixes [CVE-2019-13032          |
|                           | CVE-2019-13241]                         |
|                           |                                         |
| fonts-noto-cjk [16]       | Fix over-aggressive font selection of   |
|                           | Noto CJK fonts in modern web browsers   |
|                           | under Chinese locale                    |
|                           |                                         |
| freetype [17]             | Properly handle phantom points for      |
|                           | variable hinted fonts                   |
|                           |                                         |
| gdb [18]                  | Rebuild against new libbabeltrace, with |
|                           | higher version number to avoid conflict |
|                           | with earlier upload                     |
|                           |                                         |
| glib2.0 [19]              | Ensure libdbus clients can authenticate |
|                           | with a GDBusServer like the one in ibus |
|                           |                                         |
| gnome-shell [20]          | New upstream stable release; fix        |
|                           | truncation of long messages in Shell-   |
|                           | modal dialogs; avoid crash on           |
|                           | reallocation of dead actors             |
|                           |                                         |
| gnome-sound-recorder [21] | Fix crash when selecting a recording    |
|                           |                                         |
| gnustep-base [22]         | Disable gdomap daemon that was          |
|                           | accidentally enabled on upgrades from   |
|                           | stretch                                 |
|                           |                                         |
| graphite-web [23]         | Remove unused  "send_email"  function   |
|                           | [CVE-2017-18638]; avoid hourly error in |
|                           | cron when there is no whisper database  |
|                           |                                         |
| inn2 [24]                 | Fix negotiation of DHE ciphersuites     |
|                           |                                         |
| libapache-mod-auth-       | Fix use after free bug leading to crash |
| kerb [25]                 |                                         |
|                           |                                         |
| libdate-holidays-de-      | Mark International Children's Day (Sep  |
| perl [26]                 | 20th) as a holiday in Thuringia from    |
|                           | 2019 onwards                            |
|                           |                                         |
| libdatetime-timezone-     | Update included data                    |
| perl [27]                 |                                         |
|                           |                                         |
| libofx [28]               | Fix null pointer dereference issue      |
|                           | [CVE-2019-9656]                         |
|                           |                                         |
| libreoffice [29]          | Fix the postgresql driver with          |
|                           | PostgreSQL 12                           |
|                           |                                         |
| libsixel [30]             | Fix several security issues [CVE-2018-  |
|                           | 19756 CVE-2018-19757 CVE-2018-19759     |
|                           | CVE-2018-19761 CVE-2018-19762 CVE-2018- |
|                           | 19763 CVE-2019-3573 CVE-2019-3574]      |
|                           |                                         |
| libxslt [31]              | Fix dangling pointer in xsltCopyText    |
|                           | [CVE-2019-18197]                        |
|                           |                                         |
| lucene-solr [32]          | Disable obsolete call to ContextHandler |
|                           | in solr-jetty9.xml; fix Jetty           |
|                           | permissions on SOLR index               |
|                           |                                         |
| mariadb-10.3 [33]         | New upstream stable release             |
|                           |                                         |
| modsecurity-crs [34]      | Fix PHP script upload rules [CVE-2019-  |
|                           | 13464]                                  |
|                           |                                         |
| mutter [35]               | New upstream stable release             |
|                           |                                         |
| ncurses [36]              | Fix several security issues [CVE-2019-  |
|                           | 17594 CVE-2019-17595] and other issues  |
|                           | in tic                                  |
|                           |                                         |
| ndppd [37]                | Avoid world writable PID file, that was |
|                           | breaking daemon init scripts            |
|                           |                                         |
| network-manager [38]      | Fix file permissions for  "/var/lib/    |
|                           | NetworkManager/secret_key"  and /var/   |
|                           | lib/NetworkManager                      |
|                           |                                         |
| node-fstream [39]         | Fix arbitrary file overwrite issue      |
|                           | [CVE-2019-13173]                        |
|                           |                                         |
| node-set-value [40]       | Fix prototype pollution [CVE-2019-      |
|                           | 10747]                                  |
|                           |                                         |
| node-yarnpkg [41]         | Force using HTTPS for regular           |
|                           | registries                              |
|                           |                                         |
| nx-libs [42]              | Fix regressions introduced in previous  |
|                           | upload, affecting x2go                  |
|                           |                                         |
| open-vm-tools [43]        | Fix memory leaks and error handling     |
|                           |                                         |
| openvswitch [44]          | Update debian/ifupdown.sh to allow      |
|                           | setting-up the MTU; fix Python          |
|                           | dependencies to use Python 3            |
|                           |                                         |
| picard [45]               | Update translations to fix crash with   |
|                           | Spanish locale                          |
|                           |                                         |
| plasma-applet-redshift-   | Fix manual mode when used with redshift |
| control [46]              | versions above 1.12                     |
|                           |                                         |
| postfix [47]              | New upstream stable release; work       |
|                           | around poor TCP loopback performance    |
|                           |                                         |
| python-cryptography [48]  | Fix test suite failures when built      |
|                           | against newer OpenSSL versions; fix a   |
|                           | memory leak triggerable when parsing    |
|                           | x509 certificate extensions like AIA    |
|                           |                                         |
| python-flask-rdf [49]     | Add Depends on python{3,}-rdflib        |
|                           |                                         |
| python-                   | New upstream stable release; fix switch |
| oslo.messaging [50]       | connection destination when a rabbitmq  |
|                           | cluster node disappears                 |
|                           |                                         |
| python-werkzeug [51]      | Ensure Docker containers have unique    |
|                           | debugger PINs [CVE-2019-14806]          |
|                           |                                         |
| python2.7 [52]            | Fix several security issues [CVE-2018-  |
|                           | 20852 CVE-2019-10160 CVE-2019-16056     |
|                           | CVE-2019-16935 CVE-2019-9740 CVE-2019-  |
|                           | 9947]                                   |
|                           |                                         |
| quota [53]                | Fix rpc.rquotad spinning at 100% CPU    |
|                           |                                         |
| rpcbind [54]              | Allow remote calls to be enabled at     |
|                           | run-time                                |
|                           |                                         |
| shelldap [55]             | Repair SASL authentications, add a      |
|                           | 'sasluser' option                       |
|                           |                                         |
| sogo [56]                 | Fix display of PGP-signed e-mails       |
|                           |                                         |
| spf-engine [57]           | New upstream stable release; fix        |
|                           | sysvinit support                        |
|                           |                                         |
| standardskriver [58]      | Fix deprecation warning from            |
|                           | config.RawConfigParser; use external    |
|                           | "ip"  command rather than deprecated    |
|                           | "ifconfig"  command                     |
|                           |                                         |
| swi-prolog [59]           | Use HTTPS when contacting upstream pack |
|                           | servers                                 |
|                           |                                         |
| systemd [60]              | core: never propagate reload failure to |
|                           | service result; fix sync_file_range     |
|                           | failures in nspawn containers on arm,   |
|                           | ppc; fix RootDirectory not working when |
|                           | used in combination with User; ensure   |
|                           | that access controls on systemd-        |
|                           | resolved's D-Bus interface are enforced |
|                           | correctly [CVE-2019-15718]; fix         |
|                           | StopWhenUnneeded=true for mount units;  |
|                           | make MountFlags=shared work again       |
|                           |                                         |
| tmpreaper [61]            | Prevent breaking of systemd services    |
|                           | that use PrivateTmp=true                |
|                           |                                         |
| trapperkeeper-webserver-  | Restore SSL compatibility with newer    |
| jetty9-clojure [62]       | Jetty versions                          |
|                           |                                         |
| tzdata [63]               | New upstream release                    |
|                           |                                         |
| ublock-origin [64]        | New upstream version, compatible with   |
|                           | Firefox ESR68                           |
|                           |                                         |
| uim [65]                  | Resurrect libuim-data as a transitional |
|                           | package, fixing some issues after       |
|                           | upgrades to buster                      |
|                           |                                         |
| vanguards [66]            | New upstream stable release; prevent a  |
|                           | reload of tor's configuration via       |
|                           | SIGHUP causing a denial-of-service for  |
|                           | vanguards protections                   |
|                           |                                         |
+---------------------------+-----------------------------------------+
Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4509 [67]  | apache2 [68]                |
|                |                             |
| DSA-4511 [69]  | nghttp2 [70]                |
|                |                             |
| DSA-4512 [71]  | qemu [72]                   |
|                |                             |
| DSA-4514 [73]  | varnish [74]                |
|                |                             |
| DSA-4515 [75]  | webkit2gtk [76]             |
|                |                             |
| DSA-4516 [77]  | firefox-esr [78]            |
|                |                             |
| DSA-4517 [79]  | exim4 [80]                  |
|                |                             |
| DSA-4518 [81]  | ghostscript [82]            |
|                |                             |
| DSA-4519 [83]  | libreoffice [84]            |
|                |                             |
| DSA-4520 [85]  | trafficserver [86]          |
|                |                             |
| DSA-4521 [87]  | docker.io [88]              |
|                |                             |
| DSA-4523 [89]  | thunderbird [90]            |
|                |                             |
| DSA-4524 [91]  | dino-im [92]                |
|                |                             |
| DSA-4525 [93]  | ibus [94]                   |
|                |                             |
| DSA-4526 [95]  | opendmarc [96]              |
|                |                             |
| DSA-4527 [97]  | php7.3 [98]                 |
|                |                             |
| DSA-4528 [99]  | bird [100]                  |
|                |                             |
| DSA-4530 [101] | expat [102]                 |
|                |                             |
| DSA-4531 [103] | linux-signed-amd64 [104]    |
|                |                             |
| DSA-4531 [105] | linux-signed-i386 [106]     |
|                |                             |
| DSA-4531 [107] | linux [108]                 |
|                |                             |
| DSA-4531 [109] | linux-signed-arm64 [110]    |
|                |                             |
| DSA-4532 [111] | spip [112]                  |
|                |                             |
| DSA-4533 [113] | lemonldap-ng [114]          |
|                |                             |
| DSA-4534 [115] | golang-1.11 [116]           |
|                |                             |
| DSA-4535 [117] | e2fsprogs [118]             |
|                |                             |
| DSA-4536 [119] | exim4 [120]                 |
|                |                             |
| DSA-4538 [121] | wpa [122]                   |
|                |                             |
| DSA-4539 [123] | openssl [124]               |
|                |                             |
| DSA-4539 [125] | openssh [126]               |
|                |                             |
| DSA-4541 [127] | libapreq2 [128]             |
|                |                             |
| DSA-4542 [129] | jackson-databind [130]      |
|                |                             |
| DSA-4543 [131] | sudo [132]                  |
|                |                             |
| DSA-4544 [133] | unbound [134]               |
|                |                             |
| DSA-4545 [135] | mediawiki [136]             |
|                |                             |
| DSA-4547 [137] | tcpdump [138]               |
|                |                             |
| DSA-4549 [139] | firefox-esr [140]           |
|                |                             |
| DSA-4550 [141] | file [142]                  |
|                |                             |
| DSA-4551 [143] | golang-1.11 [144]           |
|                |                             |
| DSA-4553 [145] | php7.3 [146]                |
|                |                             |
| DSA-4554 [147] | ruby-loofah [148]           |
|                |                             |
| DSA-4555 [149] | pam-python [150]            |
|                |                             |
| DSA-4556 [151] | qtbase-opensource-src [152] |
|                |                             |
| DSA-4557 [153] | libarchive [154]            |
|                |                             |
| DSA-4558 [155] | webkit2gtk [156]            |
|                |                             |
| DSA-4559 [157] | proftpd-dfsg [158]          |
|                |                             |
| DSA-4560 [159] | simplesamlphp [160]         |
|                |                             |
| DSA-4561 [161] | fribidi [162]               |
|                |                             |
| DSA-4562 [163] | chromium [164]              |
|                |                             |
+----------------+-----------------------------+
Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------------+--------------------------------------------------+
| Package           | Reason                                           |
+-------------------+--------------------------------------------------+
| firefox-esr [165] | [armel] No longer supportable due to nodejs      |
|                   | build-dependency                                 |
|                   |                                                  |
+-------------------+--------------------------------------------------+
Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4570-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mosquitto
CVE ID         : CVE-2019-11779
Debian Bug     : 940654

A vulnerability was discovered in mosquitto, an MQTT version 3.1/3.1.1
compatible message broker, allowing a malicious MQTT client to cause a
denial of service (stack overflow and daemon crash), by sending a
specially crafted SUBSCRIBE packet containing a topic with an extremely
deep hierarchy.

For the stable distribution (buster), this problem has been fixed in
version 1.5.7-1+deb10u1.
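The advisory above describes a broker that recurses once per topic level while handling a SUBSCRIBE, so an absurdly deep topic hierarchy exhausts the stack. The following is an added example, not mosquitto's code, that shows the fragile recursive subscription-trie insert beside a hardened version that bounds the depth before touching the trie and walks it with a loop; the limit of 200 levels is an assumption for this example, and the trie layout, function names and matching helper are this example's own.

```python
from typing import Dict, List, Tuple

# Assumed depth bound for this example; a real broker's limit may differ.
MAX_TOPIC_LEVELS = 200

# Subscription trie: each dict maps a topic level to a child dict. The key
# None marks a node where a subscription ends (levels are str, so no clash).


def insert_recursive(node: dict, levels: List[str], idx: int = 0) -> None:
    """Fragile pattern: one stack frame per topic level and no depth bound,
    so a SUBSCRIBE with tens of thousands of levels exhausts the stack."""
    if idx == len(levels):
        node[None] = True
        return
    child = node.setdefault(levels[idx], {})
    insert_recursive(child, levels, idx + 1)


def recursive_insert_overflows(topic_filter: str) -> bool:
    """Return True if the recursive insert blows the interpreter stack.
    (In C the same pattern ends in a crash instead of an exception.)"""
    try:
        insert_recursive({}, topic_filter.split("/"))
        return False
    except RecursionError:
        return True


def insert_bounded(root: dict, topic_filter: str,
                   max_levels: int = MAX_TOPIC_LEVELS) -> bool:
    """Hardened SUBSCRIBE handling: refuse over-deep filters up front and
    descend the trie with a loop, so depth costs no stack at all."""
    if not topic_filter:
        return False
    levels = topic_filter.split("/")
    if len(levels) > max_levels:
        return False  # the broker would reject this subscription
    node = root
    for lvl in levels:
        node = node.setdefault(lvl, {})
    node[None] = True
    return True


def matches(root: dict, topic: str) -> bool:
    """Iterative match of a published topic against the trie, honouring the
    MQTT '+' (exactly one level) and '#' (all remaining levels) wildcards."""
    levels = topic.split("/")
    stack: List[Tuple[dict, int]] = [(root, 0)]
    while stack:
        node, i = stack.pop()
        if "#" in node and None in node["#"]:
            return True  # "a/#" matches "a", "a/b", "a/b/c", ...
        if i == len(levels):
            if None in node:
                return True
            continue
        for key in (levels[i], "+"):
            child = node.get(key)
            if child is not None:
                stack.append((child, i + 1))
    return False


if __name__ == "__main__":
    trie: Dict = {}
    insert_bounded(trie, "sensors/+/temp")
    insert_bounded(trie, "alerts/#")
    print(matches(trie, "sensors/1/temp"), matches(trie, "sensors/1/hum"))
    deep_filter = "/".join(["l"] * 20000)  # constructed over-deep SUBSCRIBE
    print(insert_bounded({}, deep_filter), recursive_insert_overflows(deep_filter))
```

The depth check runs before any allocation or trie traversal, which is the order that matters: validating after the recursive descent would be too late.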


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4571-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-15903 CVE-2019-11764 CVE-2019-11763
                 CVE-2019-11762 CVE-2019-11761 CVE-2019-11760
                 CVE-2019-11759 CVE-2019-11757 CVE-2019-11755

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code or denial of
service.

Debian follows the Thunderbird upstream releases. Support for the 60.x
series has ended, so starting with this update we're now following the
68.x releases.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:68.2.2-1~deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1:68.2.2-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4572-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2019-12838

It was discovered that the Simple Linux Utility for Resource Management
(SLURM), a cluster resource management and job scheduling system, did
not escape strings when importing an archive file into the
accounting_storage/mysql backend, resulting in SQL injection.

For the stable distribution (buster), this problem has been fixed in
version 18.08.5.2-1+deb10u1.
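The advisory describes strings from an archive file being placed unescaped into SQL statements. The following is an added example, not SLURM's code, contrasting that pattern with bound parameters; it uses Python's sqlite3 module as a stand-in for the MySQL backend, and the table layout, record format and function names are constructed for the example. A job name containing a quote is enough to break the interpolated statement, while the parameterised import stores it verbatim.

```python
import sqlite3
from typing import Dict, Iterable, List

# Constructed stand-in for records read out of an accounting archive file.
# The second and third job names carry quote and comment characters that
# must be stored as data, never interpreted as SQL.
ARCHIVE_RECORDS: List[Dict[str, object]] = [
    {"job_id": 101, "user": "alice", "job_name": "nightly-build"},
    {"job_id": 102, "user": "bob", "job_name": "O'Brien's run"},
    {"job_id": 103, "user": "carol", "job_name": "odd'name; -- note"},
]


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with a minimal jobs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jobs (job_id INTEGER PRIMARY KEY, user TEXT, job_name TEXT)"
    )
    return conn


def import_archive_unsafe(conn: sqlite3.Connection,
                          records: Iterable[Dict[str, object]]) -> None:
    """The pattern the advisory describes: archive strings pasted into the
    SQL text, so any quote in the data changes the statement's structure."""
    for r in records:
        conn.execute(
            f"INSERT INTO jobs (job_id, user, job_name) "
            f"VALUES ({r['job_id']}, '{r['user']}', '{r['job_name']}')"
        )


def import_archive_safe(conn: sqlite3.Connection,
                        records: Iterable[Dict[str, object]]) -> int:
    """Bound parameters: the driver sends values separately from the SQL
    text, so quotes or comment markers in a job name stay data."""
    conn.executemany(
        "INSERT INTO jobs (job_id, user, job_name) VALUES (?, ?, ?)",
        [(r["job_id"], r["user"], r["job_name"]) for r in records],
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM jobs").fetchone()[0]


def unsafe_import_breaks(records=ARCHIVE_RECORDS) -> bool:
    """True if interpolating the archive strings makes the import fail;
    a lone apostrophe in a job name is already enough."""
    conn = open_db()
    try:
        import_archive_unsafe(conn, records)
        return False
    except sqlite3.DatabaseError:
        return True
    finally:
        conn.close()


def stored_job_name(job_id: int, records=ARCHIVE_RECORDS) -> str:
    """Import safely and read one job name back to show it survived intact."""
    conn = open_db()
    import_archive_safe(conn, records)
    row = conn.execute(
        "SELECT job_name FROM jobs WHERE job_id = ?", (job_id,)
    ).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    print("interpolated import fails:", unsafe_import_breaks())
    print("parameterised import keeps:", stored_job_name(102))
```

The failure mode shown here is the benign one (a syntax error that aborts the import); the same unescaped interpolation is what lets crafted archive content alter the statement, which is the injection the advisory refers to.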


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4573-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : symfony
CVE ID         : CVE-2019-18887 CVE-2019-18888 CVE-2019-18889

Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to a timing attack/information leak, argument injection
and code execution via unserialization.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.8.7+dfsg-1.3+deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 3.4.22+dfsg-2+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4574-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 19, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
CVE ID         : CVE-2019-17427 CVE-2019-18890

Holger Just discovered an SQL injection in Redmine, a project management
web application. In addition, a cross-site scripting issue was found in
Textile formatting.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.3.1-4+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4571-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : enigmail

DSA 4571-1 updated Thunderbird to the 68.x series, which is incompatible
with the Enigmail release shipped in Debian Buster.

For the stable distribution (buster), this problem has been fixed in
version 2:2.1.3+ds1-4~deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4575-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
November 24, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-13723 CVE-2019-13724

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-13723

    Yuxiang Li discovered a use-after-free issue in the bluetooth service.

CVE-2019-13724

    Yuxiang Li discovered an out-of-bounds read issue in the bluetooth
    service.

For the oldstable distribution (stretch), security support for the chromium
package has been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 78.0.3904.108-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4576-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 25, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-imagick
CVE ID         : CVE-2019-11037
Debian Bug     : 928420

An out-of-bounds write vulnerability was discovered in php-imagick, a
PHP extension to create and modify images using the ImageMagick API,
which could result in denial of service, or potentially the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.4.3~rc2-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4577-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 28, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2019-19330

Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, did
not properly sanitize HTTP headers when converting from HTTP/2 to
HTTP/1. This would allow a remote user to perform CRLF injections.

For the stable distribution (buster), this problem has been fixed in
version 1.8.19-1+deb10u1.


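The conversion problem DSA-4577-1 describes, as an added example that is not HAProxy's code and does not reproduce its internals: HTTP/2 carries header values as length-prefixed strings, so a value containing CR LF is representable there, but once the proxy re-serialises the request as HTTP/1 those bytes become a line delimiter and the remainder of the value is parsed as a separate header. The header names, values and host below are constructed for the demonstration; the naive and hardened converters are illustrative implementations, not a description of how HAProxy handles the conversion.

```python
# Added example, not HAProxy code: why a raw CR/LF in an HTTP/2 header value
# becomes header injection once the request is re-serialised as HTTP/1, and
# the check a hardened converter applies first. Names and values are
# constructed for the demonstration.
from typing import List, Tuple

Header = Tuple[str, str]

# Characters that must never appear inside an HTTP/1 header name or value:
# CR and LF are the HTTP/1 line delimiters, NUL is a common parser stopper.
FORBIDDEN = frozenset("\r\n\x00")


def h2_to_h1_naive(method: str, path: str, authority: str,
                   headers: List[Header]) -> bytes:
    """Serialise HTTP/2 pseudo-headers and headers as an HTTP/1.1 request,
    copying every value verbatim. HTTP/2 (HPACK) carries values as
    length-prefixed strings, so a value containing CR LF is perfectly
    representable there but reads as a new header line once written out."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {authority}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def check_field(name: str, value: str) -> None:
    """Reject any name/value that would break HTTP/1 framing."""
    if not name or any(c in FORBIDDEN or c in ": " for c in name):
        raise ValueError(f"invalid header name {name!r}")
    if any(c in FORBIDDEN for c in value):
        raise ValueError(f"CR/LF/NUL in value of header {name!r}")


def h2_to_h1_hardened(method: str, path: str, authority: str,
                      headers: List[Header]) -> bytes:
    """Same conversion, but every field is validated before serialisation."""
    for token in (method, path):
        if not token or any(c in FORBIDDEN or c == " " for c in token):
            raise ValueError(f"invalid request-line token {token!r}")
    check_field("host", authority)
    for name, value in headers:
        check_field(name, value)
    return h2_to_h1_naive(method, path, authority, headers)


def parse_h1_headers(raw: bytes) -> List[Header]:
    """What an HTTP/1 backend sees: the header block split on CR LF.
    Used here only to show how the injected line is interpreted."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    out: List[Header] = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


# Constructed attacker-controlled HTTP/2 header: the value smuggles a second
# header that a backend might trust as having been set by the proxy.
EVIL_HEADERS: List[Header] = [
    ("user-agent", "curl/7.0\r\nx-forwarded-for: 127.0.0.1"),
]
CLEAN_HEADERS: List[Header] = [("user-agent", "curl/7.0")]


if __name__ == "__main__":
    seen = parse_h1_headers(
        h2_to_h1_naive("GET", "/", "app.example.test", EVIL_HEADERS))
    print("backend sees:", seen)
    try:
        h2_to_h1_hardened("GET", "/", "app.example.test", EVIL_HEADERS)
    except ValueError as e:
        print("hardened converter rejected it:", e)
```

The point of the check is that validation has to happen on the HTTP/2 side, before the bytes are joined with CR LF; once the request is a byte string the backend has no way to tell an injected line from a legitimate one.
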
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4578-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 28, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvpx
CVE ID         : CVE-2019-9232 CVE-2019-9325 CVE-2019-9433 CVE-2019-9371

Multiple security issues were found in libvpx multimedia library which
could result in denial of service and potentially the execution of
arbitrary code if malformed WebM files are processed.
      
For the oldstable distribution (stretch), these problems have been fixed
in version 1.6.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 1.7.0-3+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4579-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 06, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2019-11745 CVE-2019-17007

Two vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in denial of service and potentially the
execution of arbitrary code.
    
For the stable distribution (buster), these problems have been fixed in
version 2:3.42.1-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4580-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 09, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 
                 CVE-2019-17011 CVE-2019-17012

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.3.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.3.0esr-1~deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4581-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 10, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353
                 CVE-2019-1387 CVE-2019-19604

Several vulnerabilities have been discovered in git, a fast, scalable,
distributed revision control system.

CVE-2019-1348

    It was reported that the --export-marks option of git fast-import is
    exposed also via the in-stream command feature export-marks=...,
    allowing arbitrary paths to be overwritten.

CVE-2019-1387

    It was discovered that submodule names are not validated strictly
    enough, allowing very targeted attacks via remote code execution
    when performing recursive clones.

CVE-2019-19604

    Joern Schneeweisz reported a vulnerability, where a recursive clone
    followed by a submodule update could execute code contained within
    the repository without the user explicitly having asked for that. It
    is now disallowed for `.gitmodules` to have entries that set
    `submodule.<name>.update=!command`.

In addition this update addresses a number of security issues which are
only an issue if git is operating on an NTFS filesystem (CVE-2019-1349,
CVE-2019-1352 and CVE-2019-1353).

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.11.0-3+deb9u5.

For the stable distribution (buster), these problems have been fixed in
version 1:2.20.1-2+deb10u1.


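An added example for the two .gitmodules problems in DSA-4581-1 (submodule names that are not validated strictly enough, and `submodule.<name>.update=!command` entries that run code on `git submodule update`): a small audit script to run over a repository's .gitmodules before a recursive clone or submodule update. This is not git's own code and the rejection rules are a simplified policy rather than git's exact checks; the .gitmodules content is constructed for the demonstration.

```python
# Added example, not git's own code: audit a .gitmodules file for the two
# classes of entry DSA-4581-1 describes before `git clone --recursive` or
# `git submodule update` acts on it. The file content below is constructed;
# the rejection rules are a simplified policy, not git's exact checks.
import re
from typing import Dict, List

# Constructed .gitmodules: one benign module, one with a name that escapes
# .git/modules/, one carrying an update=!command hook.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.test/libfoo.git
[submodule "../../.git/hooks"]
\tpath = vendor/hooks
\turl = https://example.test/hooks.git
[submodule "tool"]
\tpath = vendor/tool
\turl = https://example.test/tool.git
\tupdate = !sh -c 'id > /tmp/pwned'
"""

_SECTION = re.compile(r'^\[submodule\s+"(.*)"\]$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for git-config syntax: [submodule "name"] sections
    with key = value lines. Escapes inside quoted names are not handled."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return modules


def unsafe_name(name: str) -> bool:
    """Submodule state lives under .git/modules/<name>; a name with ".."
    components or an absolute prefix escapes that directory (assumed policy,
    applied to checkout paths as well)."""
    parts = name.replace("\\", "/").split("/")
    return name == "" or ".." in parts or name.startswith("/")


def audit_gitmodules(text: str) -> List[str]:
    """Return one finding per entry that must not be acted on."""
    findings: List[str] = []
    for name, cfg in parse_gitmodules(text).items():
        if unsafe_name(name):
            findings.append(f"{name}: submodule name escapes .git/modules/")
        update = cfg.get("update", "")
        if update.startswith("!"):
            # submodule.<name>.update=!command is executed by
            # `git submodule update`; coming from .gitmodules it is
            # attacker-controlled and must be refused outright.
            findings.append(f"{name}: update=!command would run {update[1:]!r}")
        path = cfg.get("path", "")
        if unsafe_name(path):
            findings.append(f"{name}: checkout path {path!r} leaves the worktree")
    return findings


if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE_GITMODULES):
        print("REFUSE:", finding)
```

The `update = !...` check is the one the advisory's fix makes git itself enforce; the name and path checks cover the class of traversal CVE-2019-1387 belongs to. Run it against the cloned repository's .gitmodules before `git submodule update --init --recursive`, and treat any finding as a reason not to proceed.
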
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4582-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : davical
CVE ID         : CVE-2019-18345 CVE-2019-18346 CVE-2019-18347
Debian Bug     : 946343

Multiple cross-site scripting and cross-site request forgery issues were
discovered in the DAViCal CalDAV Server.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.1.5-1+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.1.8-1+deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4583-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : not yet available

A vulnerability was discovered in the SPIP publishing system, which
could result in unauthorised writes to the database by authors.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in
version 3.2.4-1+deb10u2.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4565-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 13, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2019-11135 CVE-2019-11139
Debian Bug     : 946515

This update ships updated CPU microcode for CFL-S (Coffee Lake Desktop)
models of Intel CPUs which were not yet included in the Intel microcode
update released as DSA 4565-1. For details please refer to
https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/IPU-2019.2-microcode-update-guidance-v1.01.pdf

Additionally this update rolls back CPU microcode for HEDT and Xeon
processors with signature 0x50654 which were affected by a regression
causing hangs on warm reboots (Cf. #946515).

For the oldstable distribution (stretch), these problems have been fixed
in version 3.20191115.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.20191115.2~deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4584-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 14, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2018-11805 CVE-2019-12420
Debian Bug     : 946652 946653

Two vulnerabilities were discovered in spamassassin, a Perl-based spam
filter using text analysis.

CVE-2018-11805

    Malicious rule or configuration files, possibly downloaded from an
    updates server, could execute arbitrary commands under multiple
    scenarios.

CVE-2019-12420

    Specially crafted multipart messages can cause spamassassin to use
    excessive resources, resulting in a denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.4.2-1~deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 3.4.2-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4585-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 15, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010
                 CVE-2019-17011 CVE-2019-17012
Debian Bug     : 946588

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.3.0-2~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.3.0-2~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4586-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u1.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4587-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.3.3-1+deb9u7.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-4588-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
December 17, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-ecdsa
CVE ID         : CVE-2019-14853 CVE-2019-14859

It was discovered that python-ecdsa, a cryptographic signature library
for Python, incorrectly handled certain signatures. A remote attacker
could use this issue to cause python-ecdsa to either not warn about
incorrect signatures, or generate exceptions resulting in a
denial-of-service.

For the oldstable distribution (stretch), these problems have been fixed
in version 0.13-2+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 0.13-3+deb10u1.

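DSA-4588-1 describes two failure modes of a signature library's handling of "certain signatures": accepting a malformed encoding without complaint, and letting an unexpected exception escape. The added example below is not python-ecdsa's code and does not reproduce its specific bugs; it shows the defensive shape a DER decoder for ECDSA signatures (SEQUENCE of two INTEGERs) should have: one well-defined exception type for every malformed input, and strict rejection of non-canonical encodings so that each (r, s) pair has exactly one accepted byte string. The test vectors are constructed; the only real constant is the P-256 group order, used for the range check. No signature verification is performed.

```python
# Added example, not python-ecdsa's code: a strict DER decoder for ECDSA
# signatures (SEQUENCE { INTEGER r, INTEGER s }) that (a) raises exactly one
# exception type on any malformed input instead of leaking IndexError and
# friends, and (b) refuses non-canonical encodings, so the same (r, s) has
# exactly one accepted byte string. Test vectors are constructed; the P-256
# group order is the real one, used only for the range check.
from typing import Tuple

P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


class MalformedSignature(ValueError):
    """The single failure mode callers have to handle."""


# --- encoder, used to build canonical test vectors --------------------------
def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    raise ValueError("encoder only handles lengths below 256")


def _encode_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                 # keep the INTEGER non-negative
        body = b"\x00" + body
    return b"\x02" + _encode_len(len(body)) + body


def der_encode(r: int, s: int) -> bytes:
    body = _encode_int(r) + _encode_int(s)
    return b"\x30" + _encode_len(len(body)) + body


# --- strict decoder ---------------------------------------------------------
def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    if i >= len(buf):
        raise MalformedSignature("truncated length")
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    if first == 0x81:
        if i + 1 >= len(buf):
            raise MalformedSignature("truncated long-form length")
        n = buf[i + 1]
        if n < 0x80:
            raise MalformedSignature("non-minimal length encoding")
        return n, i + 2
    raise MalformedSignature("unsupported length form")


def _read_int(buf: bytes, i: int) -> Tuple[int, int]:
    if i >= len(buf) or buf[i] != 0x02:
        raise MalformedSignature("expected INTEGER tag")
    n, i = _read_len(buf, i + 1)
    body = buf[i:i + n]
    if n == 0 or len(body) != n:
        raise MalformedSignature("bad INTEGER length")
    if body[0] & 0x80:
        raise MalformedSignature("negative INTEGER")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise MalformedSignature("non-minimal INTEGER (padding zero)")
    return int.from_bytes(body, "big"), i + n


def der_decode_strict(sig: bytes, order: int) -> Tuple[int, int]:
    """Return (r, s) or raise MalformedSignature. Never raises anything else."""
    if not sig or sig[0] != 0x30:
        raise MalformedSignature("expected SEQUENCE tag")
    n, i = _read_len(sig, 1)
    if i + n != len(sig):
        raise MalformedSignature("SEQUENCE length does not cover input exactly")
    r, i = _read_int(sig, i)
    s, i = _read_int(sig, i)
    if i != len(sig):
        raise MalformedSignature("extra element inside SEQUENCE")
    if not (1 <= r < order and 1 <= s < order):
        raise MalformedSignature("r or s outside [1, n-1]")
    return r, s


def accepts(sig: bytes, order: int = P256_ORDER) -> bool:
    """Convenience predicate: True only for canonical, in-range signatures."""
    try:
        der_decode_strict(sig, order)
        return True
    except MalformedSignature:
        return False


# Constructed vectors: one canonical signature and several mutations that a
# lenient decoder might accept or crash on.
GOOD = der_encode(0xABCD, 0x1234)                   # 30 09 02 03 00 ab cd 02 02 12 34
TRAILING = GOOD + b"\x00"                           # bytes after the SEQUENCE
PADDED_R = b"\x30\x09\x02\x03\x00\x12\x34\x02\x02\x12\x34"   # needless 00 prefix
NEGATIVE_R = b"\x30\x08\x02\x02\xab\xcd\x02\x02\x12\x34"     # high bit set
TRUNCATED = GOOD[:-1]
ZERO_R = der_encode(0, 0x1234)                      # r = 0 is never valid
```

Two design points matter for a verifier built on this: every byte-level access is guarded and funnels into `MalformedSignature`, so a caller wrapping verification in a single `except` cannot be crashed by a stray `IndexError`; and the canonical-encoding rules mean a third party cannot produce a second, differently encoded signature for the same message that the verifier also accepts.
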
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4589-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 18, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : debian-edu-config
CVE ID         : CVE-2019-3467
Debian Bug     : 946797

It was discovered that debian-edu-config, a set of configuration files
used for the Debian Edu blend, configured too permissive ACLs for the
Kerberos admin server, which allowed password changes for other user
principals.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.929+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 2.10.65+deb10u3.

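DSA-4589-1 is a permissions-configuration bug rather than a code bug: an ACL for the Kerberos admin server that was broad enough to let one user principal change another's password. The added example below is not debian-edu-config's code and the ACL texts are constructed, not the file the advisory fixed. It is a small evaluator for kadm5.acl-style rules (whole-component `*` wildcards in the principal column, `*N` back-references in the target column, lowercase grant letters) that shows why a wildcard principal line with no target column grants "c" over every principal, and how a `*1` target narrows the grant to the caller's own principal. Simplifications, stated as assumptions: negative (upper-case) permissions and the restrictions column are not modelled, and the first line matching both principal and target decides; consult kadm5.acl(5) for the authoritative rules.

```python
# Added example, not debian-edu-config's own code or its real ACL: a small
# evaluator for kadm5.acl-style rules, used to show how a wildcard principal
# line with no target restriction grants "c" (change password) over every
# principal, and how a *1 back-reference in the target column narrows it.
# Simplifications (assumptions): whole-component wildcards only, lowercase
# grant letters only (no negative/upper-case permissions), first matching
# line wins. Both ACL texts and all principal names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    comps: Tuple[str, ...]   # name/instance components, e.g. ("root", "admin")
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not name:
            raise ValueError(f"principal {text!r} must look like name[/inst]@REALM")
        return cls(tuple(name.split("/")), realm)


Rule = Tuple[Principal, str, Optional[Principal]]   # (who-pattern, perms, target-pattern)


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"bad ACL line: {raw!r}")
        target = Principal.parse(fields[2]) if len(fields) > 2 else None
        rules.append((Principal.parse(fields[0]), fields[1], target))
    return rules


def match_principal(pattern: Principal, p: Principal) -> Optional[List[str]]:
    """Return the components captured by '*' wildcards, or None on mismatch."""
    if len(pattern.comps) != len(p.comps) or pattern.realm not in ("*", p.realm):
        return None
    captured: List[str] = []
    for pc, c in zip(pattern.comps, p.comps):
        if pc == "*":
            captured.append(c)
        elif pc != c:
            return None
    return captured


def match_target(pattern: Principal, t: Principal, captured: List[str]) -> bool:
    """Like match_principal, plus '*N' back-references to the N-th capture."""
    if len(pattern.comps) != len(t.comps) or pattern.realm not in ("*", t.realm):
        return False
    for pc, c in zip(pattern.comps, t.comps):
        if pc == "*":
            continue
        if pc.startswith("*") and pc[1:].isdigit():
            idx = int(pc[1:]) - 1
            if idx < 0 or idx >= len(captured) or captured[idx] != c:
                return False
        elif pc != c:
            return False
    return True


def allowed(rules: List[Rule], who: str, op: str, target: str) -> bool:
    """First line matching both caller and target decides (assumed semantics)."""
    w, t = Principal.parse(who), Principal.parse(target)
    for who_pat, perms, target_pat in rules:
        captured = match_principal(who_pat, w)
        if captured is None:
            continue
        if target_pat is not None and not match_target(target_pat, t, captured):
            continue
        return perms in ("*", "x") or op in perms
    return False


# Constructed: the second line grants c/i/l to every principal in the realm
# with no target column, so any user may change any other user's password.
PERMISSIVE_ACL = """\
*/admin@EXAMPLE.TEST   *
*@EXAMPLE.TEST         cil
"""

# Constructed fix: the target column limits the grant to the caller's own
# principal (*1 is the component captured by the * in the first column).
RESTRICTED_ACL = """\
*/admin@EXAMPLE.TEST   *
*@EXAMPLE.TEST         cil   *1@EXAMPLE.TEST
"""


if __name__ == "__main__":
    for label, acl in (("permissive", PERMISSIVE_ACL), ("restricted", RESTRICTED_ACL)):
        rules = parse_acl(acl)
        print(label, "alice -> bob cpw:",
              allowed(rules, "alice@EXAMPLE.TEST", "c", "bob@EXAMPLE.TEST"))
```

The check to apply to a real kadm5.acl is the same one the evaluator encodes: for every line whose principal column contains a wildcard, ask what the target column restricts it to; a grant line with no target column is a grant over the whole realm.
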