Jump to content
Bruno

NEW UPDATES Debian

Recommended Posts

sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4388-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 10, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mosquitto

CVE ID : CVE-2018-12546 CVE-2018-12550 CVE-2018-12551

 

Three vulnerabilities were discovered in the Mosquitto MQTT broker, which

could result in authentication bypass. Please refer to

https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for additional

information.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.4.10-3+deb9u3.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4389-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

February 11, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libu2f-host

CVE ID : CVE-2018-20340

Debian Bug : 921725

 

Christian Reitter discovered that libu2f-host, a library implementing

the host-side of the U2F protocol, failed to properly check for a

buffer overflow. This would allow an attacker with a custom made

malicious USB device masquerading as a security key, and physical

access to a computer where PAM U2F or an application with libu2f-host

integrated, to potentially execute arbitrary code on that computer.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.1.2-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4377-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 11, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rssh

Debian Bug : 921655

 

The update for rssh issued as DSA 4377-1 introduced a regression that

blocked scp of multiple files from a server using rssh. Updated packages

are now available to correct this issue.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.3.4-5+deb9u3.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4390-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 12, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : flatpak

CVE ID : not yet available

Debian Bug : 922059

 

It was discovered that Flatpak, an application deployment framework for

desktop apps, insufficiently restricted the execution of "apply_extra"

scripts which could potentially result in privilege escalation.

 

For the stable distribution (stretch), this problem has been fixed in

version 0.8.9-0+deb9u2.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4391-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 14, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2018-18356 CVE-2019-5785

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code.

 

For the stable distribution (stretch), these problems have been fixed in

version 60.5.1esr-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

------------------------------------------------------------------------

The Debian Project https://www.debian.org/

Updated Debian 9: 9.8 released press@debian.org

February 16th, 2019 https://www.debian.org/News/2019/20190216

------------------------------------------------------------------------

 

 

The Debian project is pleased to announce the eighth update of its

stable distribution Debian 9 (codename "stretch"). This point release

mainly adds corrections for security issues, along with a few

adjustments for serious problems. Security advisories have already been

published separately and are referenced where available.

 

Please note that the point release does not constitute a new version of

Debian 9 but only updates some of the packages included. There is no

need to throw away old "stretch" media. After installation, packages can

be upgraded to the current versions using an up-to-date Debian mirror.

 

Those who frequently install updates from security.debian.org won't have

to update many packages, and most such updates are included in the point

release.

 

New installation images will be available soon at the regular locations.

 

The complete lists of packages that have changed with this revision:

 

http://ftp.debian.org/debian/dists/stretch/ChangeLog

 

 

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4392-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 16, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : thunderbird

CVE ID : CVE-2018-18356 CVE-2018-18500 CVE-2018-18501

CVE-2018-18505 CVE-2018-18509 CVE-2019-5785

 

Multiple security issues have been found in the Thunderbird mail client,

which could lead to the execution of arbitrary code, denial of service

or spoofing of S/MIME signatures.

 

For the stable distribution (stretch), these problems have been fixed in

version 1:60.5.1-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4388-2 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 17, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mosquitto

Debian Bug : 922071

 

Kushal Kumaran reported that the update for mosquitto issued as DSA

4388-1 causes mosquitto to crash when reloading the persistent database.

Updated packages are now available to correct this issue.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.4.10-3+deb9u4.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4393-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 18, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : systemd

CVE ID : CVE-2019-6454

 

Chris Coulson discovered a flaw in systemd leading to denial of service.

An unprivileged user could take advantage of this issue to crash PID1 by

sending a specially crafted D-Bus message on the system bus.

 

For the stable distribution (stretch), this problem has been fixed in

version 232-25+deb9u9.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4394-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 18, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : rdesktop

CVE ID : CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794

CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798

CVE-2018-8799 CVE-2018-8800 CVE-2018-20174

CVE-2018-20175 CVE-2018-20176 CVE-2018-20177

CVE-2018-20178 CVE-2018-20179 CVE-2018-20180

CVE-2018-20181 CVE-2018-20182

 

Multiple security issues were found in the rdesktop RDP client, which

could result in denial of service, information disclosure and the

execution of arbitrary code.

 

For the stable distribution (stretch), these problems have been fixed in

version 1.8.4-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4395-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

February 18, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium

CVE ID : CVE-2018-17481 CVE-2019-5754 CVE-2019-5755 CVE-2019-5756

CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760

CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765

CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769

CVE-2019-5770 CVE-2019-5772 CVE-2019-5773 CVE-2019-5774

CVE-2019-5775 CVE-2019-5776 CVE-2019-5777 CVE-2019-5778

CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5782

CVE-2019-5783 CVE-2019-5784

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2018-17481

 

A use-after-free issue was discovered in the pdfium library.

 

CVE-2019-5754

 

Klzgrad discovered an error in the QUIC networking implementation.

 

CVE-2019-5755

 

Jay Bosamiya discovered an implementation error in the v8 javascript

library.

 

CVE-2019-5756

 

A use-after-free issue was discovered in the pdfium library.

 

CVE-2019-5757

 

Alexandru Pitis discovered a type confusion error in the SVG image

format implementation.

 

CVE-2019-5758

 

Zhe Jin discovered a use-after-free issue in blink/webkit.

 

CVE-2019-5759

 

Almog Benin discovered a use-after-free issue when handling HTML pages

containing select elements.

 

CVE-2019-5760

 

Zhe Jin discovered a use-after-free issue in the WebRTC implementation.

 

CVE-2019-5762

 

A use-after-free issue was discovered in the pdfium library.

 

CVE-2019-5763

 

Guang Gon discovered an input validation error in the v8 javascript

library.

 

CVE-2019-5764

 

Eyal Itkin discovered a use-after-free issue in the WebRTC implementation.

 

CVE-2019-5765

 

Sergey Toshin discovered a policy enforcement error.

 

CVE-2019-5766

 

David Erceg discovered a policy enforcement error.

 

CVE-2019-5767

 

Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error

in the WebAPKs user interface.

 

CVE-2019-5768

 

Rob Wu discovered a policy enforcement error in the developer tools.

 

CVE-2019-5769

 

Guy Eshel discovered an input validation error in blink/webkit.

 

CVE-2019-5770

 

hemidallt discovered a buffer overflow issue in the WebGL implementation.

 

CVE-2019-5772

 

Zhen Zhou discovered a use-after-free issue in the pdfium library.

 

CVE-2019-5773

 

Yongke Wong discovered an input validation error in the IndexDB

implementation.

 

CVE-2019-5774

 

Jnghwan Kang and Juno Im discovered an input validation error in the

SafeBrowsing implementation.

 

CVE-2019-5775

 

evil1m0 discovered a policy enforcement error.

 

CVE-2019-5776

 

Lnyas Zhang discovered a policy enforcement error.

 

CVE-2019-5777

 

Khalil Zhani discovered a policy enforcement error.

 

CVE-2019-5778

 

David Erceg discovered a policy enforcement error in the Extensions

implementation.

 

CVE-2019-5779

 

David Erceg discovered a policy enforcement error in the ServiceWorker

implementation.

 

CVE-2019-5780

 

Andreas Hegenberg discovered a policy enforcement error.

 

CVE-2019-5781

 

evil1m0 discovered a policy enforcement error.

 

CVE-2019-5782

 

Qixun Zhao discovered an implementation error in the v8 javascript library.

 

CVE-2019-5783

 

Shintaro Kobori discovered an input validation error in the developer

tools.

 

CVE-2019-5784

 

Lucas Pinheiro discovered an implementation error in the v8 javascript

library.

 

For the stable distribution (stretch), these problems have been fixed in

version 72.0.3626.96-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4396-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 19, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ansible

CVE ID : CVE-2018-10855 CVE-2018-10875 CVE-2018-16837 CVE-2018-16876

CVE-2019-3828

 

Several vulnerabilities have been found in Ansible, a configuration

management, deployment, and task execution system:

 

CVE-2018-10855 / CVE-2018-16876

 

The no_log task flag wasn't honored, resulting in an information leak.

 

CVE-2018-10875

 

ansible.cfg was read from the current working directory.

 

CVE-2018-16837

 

The user module leaked parameters passed to ssh-keygen to the process

environment.

 

CVE-2019-3828

 

The fetch module was susceptible to path traversal.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.2.1.0-2+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- - -------------------------------------------------------------------------

Debian Security Advisory DSA-4377-3 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 22, 2019 https://www.debian.org/security/faq

- - -------------------------------------------------------------------------

 

Package : rssh

CVE ID : CVE-2019-1000018

Debian Bug : 919623

 

The restrictions introduced in the security fix to address

CVE-2019-1000018 also disallowed the -pf and -pt options which are used

by the scp support in libssh2. This update restores support for those.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.3.4-5+deb9u4.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4395-2 security@debian.org

https://www.debian.org/security/ Michael Gilbert

February 26, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium

Debian Bug : 922794 923298

 

A regression was introduced in the previous chromium security update. The

browser would always crash when launched in headless mode. This update fixes

this problem.

 

A file conflict with the buster chromium packages is also fixed.

 

For the stable distribution (stretch), this problem has been fixed in

version 72.0.3626.96-1~deb9u2.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4397-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

February 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ldb

CVE ID : CVE-2019-3824

 

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()

function of ldb, a LDAP-like embedded database, resulting in denial of

service.

 

For the stable distribution (stretch), this problem has been fixed in

version 2:1.1.27-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4398-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php7.0

CVE ID : CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023

CVE-2019-9024

 

Multiple security issues were found in PHP, a widely-used open source

general purpose scripting language: Multiple out-of-bounds memory

accesses were found in the xmlrpc, mbstring and phar extensions and

the dns_get_record() function.

 

For the stable distribution (stretch), these problems have been fixed in

version 7.0.33-0+deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4399-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ikiwiki

CVE ID : CVE-2019-9187

 

Joey Hess discovered that the aggregate plugin of the Ikiwiki wiki

compiler was susceptible to server-side request forgery, resulting in

information disclosure or denial of service.

 

For the stable distribution (stretch), this problem has been fixed in

version 3.20170111.1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4400-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

February 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssl1.0

CVE ID : CVE-2019-1559

 

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding

oracle attack in OpenSSL.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.0.2r-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4401-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 01, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wordpress

CVE ID : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149 CVE-2018-20150

CVE-2018-20151 CVE-2018-20152 CVE-2018-20153 CVE-2019-8942

Debian Bug : 916403

 

Several vulnerabilities were discovered in Wordpress, a web blogging

tool. They allowed remote attackers to perform various Cross-Side

Scripting (XSS) and PHP injections attacks, delete files, leak

potentially sensitive data, create posts of unauthorized types, or

cause denial-of-service by application crash.

 

For the stable distribution (stretch), these problems have been fixed in

version 4.7.5+dfsg-2+deb9u5.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4387-2 security@debian.org

https://www.debian.org/security/ Yves-Alexis Perez

March 02, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openssh

CVE ID : CVE-2019-6111

Debian Bug : 923486

 

It was found that a security update (DSA-4387-1) of OpenSSH, an implementation

of the SSH protocol suite, was incomplete. This update did not completely fix

CVE-2019-6111, an arbitrary file overwrite vulnerability in the scp client

implementing the SCP protocol.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:7.4p1-10+deb9u6.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4402-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 05, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : mumble

CVE ID : CVE-2018-20743

 

It was discovered that insufficient restrictions in the connection

handling of Mumble, a low latency encrypted VoIP client, could result in

denial of service.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.2.18-1+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4403-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : php7.0

CVE ID : not yet available

 

Multiple security issues were found in PHP, a widely-used open source

general purpose scripting language: The EXIF extension had multiple cases

of invalid memory access and rename() was implemented insecurely.

 

For the stable distribution (stretch), this problem has been fixed in

version 7.0.33-0+deb9u3

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4404-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 09, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium

CVE ID : CVE-2019-5786

 

Clement Lecigne discovered a use-after-free issue in chromium's file

reader implementation. A maliciously crafted file could be used to

remotely execute arbitrary code because of this problem.

 

This update also fixes a regression introduced in a previous update. The

browser would always crash when launched in remote debugging mode.

 

For the stable distribution (stretch), this problem has been fixed in

version 72.0.3626.122-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4405-1 security@debian.org

https://www.debian.org/security/ Luciano Bello

March 10, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openjpeg2

CVE ID : CVE-2017-17480 CVE-2018-5785 CVE-2018-6616 CVE-2018-14423

CVE-2018-18088

Debian Bug : 884738 888533 889683 904873 910763

 

Multiple vulnerabilities have been discovered in openjpeg2, the

open-source JPEG 2000 codec, that could be leveraged to cause a denial

of service or possibly remote code execution.

 

CVE-2017-17480

 

Write stack buffer overflow in the jp3d and jpwl codecs can result

in a denial of service or remote code execution via a crafted jp3d

or jpwl file.

 

CVE-2018-5785

 

Integer overflow can result in a denial of service via a crafted bmp

file.

 

CVE-2018-6616

 

Excessive iteration can result in a denial of service via a crafted

bmp file.

 

CVE-2018-14423

 

Division-by-zero vulnerabilities can result in a denial of service via

a crafted j2k file.

 

CVE-2018-18088

 

Null pointer dereference can result in a denial of service via a

crafted bmp file.

 

 

For the stable distribution (stretch), these problems have been fixed in

version 2.1.2-1.1+deb9u3.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4406-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 12, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : waagent

CVE ID : CVE-2019-0804

 

Francis McBratney discovered that the Windows Azure Linux Agent created

swap files with world-readable permissions, resulting in information

disclosure.

 

For the stable distribution (stretch), this problem has been fixed in

version 2.2.18-3~deb9u2.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4407-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 12, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : xmltooling

CVE ID : CVE-2019-9628

 

Ross Geerlings discovered that the XMLTooling library didn't correctly

handle exceptions on malformed XML declarations, which could result in

denial of service against the application using XMLTooling.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.6.0-4+deb9u2.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4408-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 17, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : liblivemedia

CVE ID : CVE-2019-6256 CVE-2019-7314 CVE-2019-9215

 

Multiple security issues were discovered in liveMedia, a set of C++

libraries for multimedia streaming which could result in the execution

of arbitrary code or denial of service when parsing a malformed RTSP

stream.

 

For the stable distribution (stretch), these problems have been fixed in

version 2016.11.28-1+deb9u2.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4409-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 18, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : neutron

CVE ID : CVE-2019-9735

 

Erik Olof Gunnar Andersson discovered that incorrect validation of port

settings in the iptables security group driver of Neutron, the OpenStack

virtual network service, could result in denial of service in a multi

tenant setup.

 

For the stable distribution (stretch), this problem has been fixed in

version 2:9.1.1-3+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4410-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 20, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : openjdk-8

CVE ID : CVE-2019-2422

 

A memory disclosure vulnerability was discovered in OpenJDK, an

implementation of the Oracle Java platform, resulting in information

disclosure or bypass of sandbox restrictions.

 

For the stable distribution (stretch), this problem has been fixed in

version 8u212-b01-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4411-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 20, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791

CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code.

 

For the stable distribution (stretch), these problems have been fixed in

version 60.6.0esr-1~deb9u1.

 

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4412-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 20, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : drupal7

CVE ID : not yet available

 

It was discovered that missing input sanitising in the file module of

Drupal, a fully-featured content management framework, could result in

cross-site scripting.

 

For additional information, please refer to the upstream advisory

at https://www.drupal.org/sa-core-2019-004.

 

For the stable distribution (stretch), this problem has been fixed in

version 7.52-2+deb9u7.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4413-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 21, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : ntfs-3g

CVE ID : CVE-2019-9755

 

A heap-based buffer overflow was discovered in NTFS-3G, a read-write

NTFS driver for FUSE. A local user can take advantage of this flaw for

local root privilege escalation.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:2016.2.22AR.1+dfsg-1+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4414-1 security@debian.org

https://www.debian.org/security/ Thijs Kinkhorst

March 23, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : libapache2-mod-auth-mellon

CVE ID : CVE-2019-3877 CVE-2019-3878

Debian Bug : 925197

 

Several issues have been discovered in Apache module auth_mellon, which

provides SAML 2.0 authentication.

 

CVE-2019-3877

 

It was possible to bypass the redirect URL checking on logout, so

the module could be used as an open redirect facility.

 

CVE-2019-3878

 

When mod_auth_mellon is used in an Apache configuration which

serves as a remote proxy with the http_proxy module, it was

possible to bypass authentication by sending SAML ECP headers.

 

For the stable distribution (stretch), these problems have been fixed in

version 0.12.0-2+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4415-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 24, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : passenger

CVE ID : CVE-2017-16355

Debian Bug : 884463

 

An arbitrary file read vulnerability was discovered in passenger, a web

application server. A local user allowed to deploy an application to

passenger, can take advantage of this flaw by creating a symlink from

the REVISION file to an arbitrary file on the system and have its

content displayed through passenger-status.

 

For the stable distribution (stretch), this problem has been fixed in

version 5.0.30-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4416-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 24, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wireshark

CVE ID : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719

CVE-2019-9208 CVE-2019-9209 CVE-2019-9214

Debian Bug : 923611

 

It was discovered that Wireshark, a network traffic analyzer, contained

several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,

ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of

service.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.6.7-1~deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4417-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 24, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : firefox-esr

CVE ID : CVE-2019-9810 CVE-2019-9813

 

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code.

 

For the stable distribution (stretch), these problems have been fixed in

version 60.6.1esr-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4418-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

March 28, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : dovecot

CVE ID : CVE-2019-7524

 

A vulnerability was discovered in the Dovecot email server. When reading

FTS or POP3-UIDL headers from the Dovecot index, the input buffer size

is not bounds-checked. An attacker with the ability to modify dovecot

indexes, can take advantage of this flaw for privilege escalation or the

execution of arbitrary code with the permissions of the dovecot user.

Only installations using the FTS or pop3 migration plugins are affected.

 

For the stable distribution (stretch), this problem has been fixed in

version 1:2.2.27-3+deb9u4.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4419-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

March 29, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : twig

CVE ID : CVE-2019-9942

 

Fabien Potencier discovered that twig, a template engine for PHP, did

not correctly enforce sandboxing. This could result in potential

information disclosure.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.24.0-2+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4420-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

March 30, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : thunderbird

CVE ID : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791

CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796

 

Multiple security issues have been found in the Thunderbird mail client,

which could lead to the execution of arbitrary code or denial of service.

 

For the stable distribution (stretch), these problems have been fixed in

version 1:60.6.1-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4421-1 security@debian.org

https://www.debian.org/security/ Michael Gilbert

March 31, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : chromium

CVE ID : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790

CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794

CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798

CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803

 

Several vulnerabilities have been discovered in the chromium web browser.

 

CVE-2019-5787

 

Zhe Jin discovered a use-after-free issue.

 

CVE-2019-5788

 

Mark Brand discovered a use-after-free issue in the in the FileAPI

implementation.

 

CVE-2019-5789

 

Mark Brand discovered a use-after-free issue in the in the WebMIDI

implementation.

 

CVE-2019-5790

 

Dimitri Fourny discovered a buffer overflow issue in the v8 javascript

library.

 

CVE-2019-5791

 

Choongwoo Han discovered a type confusion issue in the v8 javascript

library.

 

CVE-2019-5792

 

pdknsk discovered an integer overflow issue in the pdfium library.

 

CVE-2019-5793

 

Jun Kokatsu discovered a permissions issue in the Extensions

implementation.

 

CVE-2019-5794

 

Juno Im of Theori discovered a user interface spoofing issue.

 

CVE-2019-5795

 

pdknsk discovered an integer overflow issue in the pdfium library.

 

CVE-2019-5796

 

Mark Brand discovered a race condition in the Extensions implementation.

 

CVE-2019-5797

 

Mark Brand discovered a race condition in the DOMStorage implementation.

 

CVE-2019-5798

 

Tran Tien Hung disoceved an out-of-bounds read issue in the skia library.

 

CVE-2019-5799

 

sohalt discovered a way to bypass the Content Security Policy.

 

CVE-2019-5800

 

Jun Kokatsu discovered a way to bypass the Content Security Policy.

 

CVE-2019-5802

 

Ronni Skansing discovered a user interface spoofing issue.

 

CVE-2019-5803

 

Andrew Comminos discovered a way to bypass the Content Security Policy.

 

For the stable distribution (stretch), these problems have been fixed in

version 73.0.3683.75-1~deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4422-1 security@debian.org

https://www.debian.org/security/ Stefan Fritsch

April 03, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : apache2

CVE ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0211

CVE-2019-0217 CVE-2019-0220

Debian Bug : 920302 920303

 

Several vulnerabilities have been found in the Apache HTTP server.

 

CVE-2018-17189

 

Gal Goldshtein of F5 Networks discovered a denial of service

vulnerability in mod_http2. By sending malformed requests, the

http/2 stream for that request unnecessarily occupied a server

thread cleaning up incoming data, resulting in denial of service.

 

CVE-2018-17199

 

Diego Angulo from ImExHS discovered that mod_session_cookie does not

respect expiry time.

 

CVE-2019-0196

 

Craig Young discovered that the http/2 request handling in mod_http2

could be made to access freed memory in string comparison when

determining the method of a request and thus process the request

incorrectly.

 

CVE-2019-0211

 

Charles Fol discovered a privilege escalation from the

less-privileged child process to the parent process running as root.

 

CVE-2019-0217

 

A race condition in mod_auth_digest when running in a threaded

server could allow a user with valid credentials to authenticate

using another username, bypassing configured access control

restrictions. The issue was discovered by Simon Kappel.

 

CVE-2019-0220

 

Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL

normalizations were inconsistently handled. When the path component

of a request URL contains multiple consecutive slashes ('/'),

directives such as LocationMatch and RewriteRule must account for

duplicates in regular expressions while other aspects of the servers

processing will implicitly collapse them.

 

For the stable distribution (stretch), these problems have been fixed in

version 2.4.25-3+deb9u7.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4423-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 03, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : putty

CVE ID : CVE-2019-9894 CVE-2019-9895 CVE-2019-9897 CVE-2019-9898

 

Multiple vulnerabilities were found in the PuTTY SSH client, which could

result in denial of service and potentially the execution of arbitrary

code. In addition, in some situations random numbers could potentially be

re-used.

 

For the stable distribution (stretch), these problems have been fixed in

version 0.67-3+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4424-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

April 04, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : pdns

CVE ID : CVE-2019-3871

Debian Bug : 924966

 

Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com

discovered that pdns, an authoritative DNS server, did not properly

validate user-supplied data when building a HTTP request from a DNS

query in the HTTP Connector of the Remote backend. This would allow a

remote user to cause either a denial-of-service, or information

disclosure.

 

For the stable distribution (stretch), this problem has been fixed in

version 4.0.3-1+deb9u4.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4425-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 05, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : wget

CVE ID : CVE-2019-5953

Debian Bug : 926389

 

Kusano Kazuhiko discovered a buffer overflow vulnerability in the

handling of Internationalized Resource Identifiers (IRI) in wget, a

network utility to retrieve files from the web, which could result in

the execution of arbitrary code or denial of service when recursively

downloading from an untrusted server.

 

For the stable distribution (stretch), this problem has been fixed in

version 1.18-5+deb9u3.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4426-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

April 07, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : tryton-server

CVE ID : CVE-2019-10868

 

Cedric Krier discovered that missing access validation in Tryton could

result in information disclosure .

 

For the stable distribution (stretch), this problem has been fixed in

version 4.2.1-2+deb9u1.

Share this post


Link to post
Share on other sites
sunrat

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4427-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

April 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : samba

CVE ID : CVE-2019-3880

 

Michael Hanselmann discovered that Samba, a SMB/CIFS file, print, and

login server for Unix, was vulnerable to a symlink traversal

attack. It would allow remote authenticated users with write

permission to either write or detect files outside of Samba shares.

 

For the stable distribution (stretch), this problem has been fixed in

version 2:4.5.16+dfsg-1+deb9u1.

 

- -------------------------------------------------------------------------

Debian Security Advisory DSA-4428-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

April 08, 2019 https://www.debian.org/security/faq

- -------------------------------------------------------------------------

 

Package : systemd

CVE ID : CVE-2019-3842

 

Jann Horn discovered that the PAM module in systemd insecurely uses the

environment and lacks seat verification permitting spoofing an active

session to PolicyKit. A remote attacker with SSH access can take

advantage of this issue to gain PolicyKit privileges that are normally

only granted to clients in an active session on the local console.

 

For the stable distribution (stretch), this problem has been fixed in

version 232-25+deb9u11.

Share this post


Link to post
Share on other sites

×
×
  • Create New...