NEW UPDATES Debian


#1501 sunrat

Posted 22 November 2018 - 06:21 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4339-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 21, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ceph
Debian Bug     : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for
the i386 builds. Updated packages are now available to address this
issue. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 10.2.11-2.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#1502 sunrat

Posted 24 November 2018 - 10:02 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4343-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : liblivemedia
CVE ID         : CVE-2018-4013

It was discovered that a buffer overflow in liveMedia, a set of C++
libraries for multimedia streaming could result in the execution of
arbitrary code when parsing a malformed RTSP stream.

For the stable distribution (stretch), this problem has been fixed in
version 2016.11.28-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4344-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2018-19206

Aidan Marlin discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling invalid style tag content.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u3.

#1503 sunrat

Posted 27 November 2018 - 06:29 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4345-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2018-14629

    Florian Stuelpner discovered that Samba is vulnerable to
    infinite query recursion caused by CNAME loops, resulting in
    denial of service.

    https://www.samba.or...2018-14629.html

CVE-2018-16841

    Alex MacCuish discovered that a user with a valid certificate or
    smart card can crash the Samba AD DC's KDC when configured to accept
    smart-card authentication.

    https://www.samba.or...2018-16841.html

CVE-2018-16851

    Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
    dereference vulnerability in the Samba AD DC LDAP server allowing a
    user able to read more than 256MB of LDAP entries to crash the Samba
    AD DC's LDAP server.

    https://www.samba.or...2018-16851.html

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u4.

#1504 sunrat

Posted 29 November 2018 - 06:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed PostScript file is processed
(despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26
which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.26~dfsg-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4347-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 29, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-18311

    Jayakrishna Menon and Christophe Hauser discovered an integer
    overflow vulnerability in Perl_my_setenv leading to a heap-based
    buffer overflow with attacker-controlled input.

CVE-2018-18312

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow write during compilation,
    potentially allowing arbitrary code execution.

CVE-2018-18313

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow read during compilation which
    leads to information leak.

CVE-2018-18314

    Jakub Wilk discovered that a specially crafted regular expression
    could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

#1505 sunrat

Posted 01 December 2018 - 09:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4348-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 30, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2018-0732 CVE-2018-0734 CVE-2018-0735 CVE-2018-0737
                 CVE-2018-5407

Several local side channel attacks and a denial of service via large
Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets
Layer toolkit.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0j-1~deb9u1. Going forward, openssl security updates for
stretch will be based on the 1.1.0x upstream releases.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4349-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 30, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2017-11613 CVE-2017-17095 CVE-2018-5784
                 CVE-2018-7456  CVE-2018-8905  CVE-2018-10963
                 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209
                 CVE-2018-16335

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code if malformed image files are processed.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u4.

#1506 sunrat

Posted 08 December 2018 - 06:40 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4350-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 06, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : policykit-1
CVE ID         : CVE-2018-19788
Debian Bug     : 915332

It was discovered that incorrect processing of very high UIDs in
Policykit, a framework for managing administrative policies and
privileges, could result in authentication bypass.

For the stable distribution (stretch), this problem has been fixed in
version 0.105-18+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4351-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2018-19296
Debian Bug     : 913912

It was discovered that PHPMailer, a library to send email from PHP
applications, is prone to a PHP object injection vulnerability,
potentially allowing a remote attacker to execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 5.2.14+dfsg-2.3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4352-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
December 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336
                 CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340
                 CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
                 CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348
                 CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352
                 CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
                 CVE-2018-18357 CVE-2018-18358 CVE-2018-18359

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17480

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-17481

    Several use-after-free issues were discovered in the pdfium library.

CVE-2018-18335

    A buffer overflow issue was discovered in the skia library.

CVE-2018-18336

    Huyna discovered a use-after-free issue in the pdfium library.

CVE-2018-18337

    cloudfuzzer discovered a use-after-free issue in blink/webkit.

CVE-2018-18338

    Zhe Jin discovered a buffer overflow issue in the canvas renderer.

CVE-2018-18339

    cloudfuzzer discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2018-18340

    A use-after-free issue was discovered in the MediaRecorder implementation.

CVE-2018-18341

    cloudfuzzer discovered a buffer overflow issue in blink/webkit.

CVE-2018-18342

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-18343

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18344

    Jann Horn discovered an error in the Extensions implementation.

CVE-2018-18345

    Masato Kinugawa and Jun Kokatsu discovered an error in the Site Isolation
    feature.

CVE-2018-18346

    Luan Herrera discovered an error in the user interface.

CVE-2018-18347

    Luan Herrera discovered an error in the Navigation implementation.

CVE-2018-18348

    Ahmed Elsobky discovered an error in the omnibox implementation.

CVE-2018-18349

    David Erceg discovered a policy enforcement error.

CVE-2018-18350

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18351

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18352

    Jun Kokatsu discovered an error in Media handling.

CVE-2018-18353

    Wenxu Wu discovered an error in the network authentication implementation.

CVE-2018-18354

    Wenxu Wu discovered an error related to integration with GNOME Shell.

CVE-2018-18355

    evil1m0 discovered a policy enforcement error.

CVE-2018-18356

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18357

    evil1m0 discovered a policy enforcement error.

CVE-2018-18358

    Jann Horn discovered a policy enforcement error.

CVE-2018-18359

    cyrilliu discovered an out-of-bounds read issue in the v8 javascript
    library.

Several additional security relevant issues are also fixed in this update
that have not yet received CVE identifiers.

For the stable distribution (stretch), these problems have been fixed in
version 71.0.3578.80-1~deb9u1.

#1507 sunrat

Posted 11 December 2018 - 06:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4353-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 10, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2018-14851 CVE-2018-14883 CVE-2018-17082
                 CVE-2018-19518 CVE-2018-19935

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: The EXIF module was susceptible to
denial of service/information disclosure when parsing malformed images,
the Apache module allowed cross-site scripting via the body of a
"Transfer-Encoding: chunked" request and the IMAP extension performed
insufficient input validation which can result in the execution of
arbitrary shell commands in the imap_open() function and denial of
service in the imap_mail() function.

For the stable distribution (stretch), these problems have been fixed in
version 7.0.33-0+deb9u1.

#1508 sunrat

Posted 15 December 2018 - 06:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4354-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 12, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-12405 CVE-2018-17466 CVE-2018-18492
                 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or bypass of the same-origin policy.

For the stable distribution (stretch), these problems have been fixed in
version 60.4.0esr-1~deb9u1.

#1509 sunrat

Posted 19 December 2018 - 11:25 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4355-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 19, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-5407

Several local side channel attacks and a denial of service via large
Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets
Layer toolkit.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2q-1~deb9u1. Going forward, openssl1.0 security updates for
stretch will be based on the 1.0.2x upstream releases.

#1510 sunrat

Posted 20 December 2018 - 10:06 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4356-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netatalk
CVE ID         : CVE-2018-1160
Debian Bug     : 916930

Jacob Baines discovered a flaw in the handling of the DSI Opensession
command in Netatalk, an implementation of the AppleTalk Protocol Suite,
allowing an unauthenticated user to execute arbitrary code with root
privileges.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache-mod-jk
CVE ID         : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java
servlet engine. The vulnerability is addressed by upgrading mod_jk to
the new upstream version 1.2.46, which includes additional changes.

https://tomcat.apach...2.42_and_1.2.43
https://tomcat.apach...2.43_and_1.2.44
https://tomcat.apach...2.44_and_1.2.45
https://tomcat.apach...2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.

#1511 sunrat

Posted 23 December 2018 - 05:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
Debian Bug     : 915832

The update for ghostscript issued as DSA-4346-1 caused a regression when
used with certain options (cf. Debian bug #915832). Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 9.26~dfsg-0+deb9u2.

#1512 sunrat

Posted 29 December 2018 - 01:33 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4358-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2018-3740
Debian Bug     : 893610

The Shopify Application Security Team discovered that ruby-sanitize, a
whitelist-based HTML sanitizer, is prone to an HTML injection
vulnerability. A specially crafted HTML fragment can allow non-whitelisted
attributes to be used on a whitelisted HTML element.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.0-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4359-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-12086 CVE-2018-18225 CVE-2018-18226
                 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623
                 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626
                 CVE-2018-19627 CVE-2018-19628

Multiple vulnerabilities have been discovered in Wireshark, a network
protocol analyzer, which could result in denial of service or the
execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.5-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4360-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2016-10209 CVE-2016-10349 CVE-2016-10350
                 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502
                 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878
                 CVE-2018-1000880

Multiple security issues were found in libarchive, a multi-format archive
and compression library: Processing malformed RAR archives could result
in denial of service or the execution of arbitrary code and malformed
WARC, LHarc, ISO, Xar or CAB archives could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 3.2.2-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4361-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 28, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libextractor
CVE ID         : CVE-2018-20430 CVE-2018-20431

Several vulnerabilities were discovered in libextractor, a library to
extract arbitrary meta-data from files, which may lead to denial of
service or memory disclosure if a malformed OLE file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.3-4+deb9u3.

#1513 sunrat

Posted 02 January 2019 - 07:37 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4362-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 01, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : not yet available

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 1:60.4.0-1~deb9u1.

#1514 sunrat

Posted 08 January 2019 - 07:06 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4363-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2019-3498

It was discovered that malformed URLs could spoof the content of the
default 404 page of Django, a Python web development framework.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.7-2+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4364-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-loofah
CVE ID         : CVE-2018-16468

It was discovered that ruby-loofah, a general library for manipulating
and transforming HTML/XML documents and fragments, performed insufficient
sanitising of SVG elements.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.3-2+deb9u2.

#1515 sunrat

Posted 12 January 2019 - 11:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4365-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 10, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tmpreaper
CVE ID         : CVE-2019-3461

Stephen Roettger discovered a race condition in tmpreaper, a program that
cleans up files in directories based on their age, which could result in
local privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.13+nmu1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4366-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 12, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2018-19857

An integer underflow was discovered in the CAF demuxer of the VLC
media player.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.6-0+deb9u1.

#1516 sunrat

Posted 13 January 2019 - 08:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4367-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 13, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
Debian Bug     : 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in
systemd-journald. Two memory corruption flaws, via attacker-controlled
alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw
leading to an information leak (CVE-2018-16866), could allow an attacker to
cause a denial of service or the execution of arbitrary code.

Further details are in the Qualys Security Advisory at
https://www.qualys.c...system-down.txt

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u7.

#1517 sunrat (Forum Moderators)

Posted 15 January 2019 - 04:56 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4368-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 14, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zeromq3
CVE ID         : CVE-2019-6250

Guido Vranken discovered that an incorrect bounds check in ZeroMQ, a
lightweight messaging kernel, could result in the execution of arbitrary
code.

For the stable distribution (stretch), this problem has been fixed in
version 4.2.1-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4369-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 14, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-19961 CVE-2018-19962 CVE-2018-19965
                 CVE-2018-19966 CVE-2018-19967

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-19961 / CVE-2018-19962

    Paul Durrant discovered that incorrect TLB handling could result in
    denial of service, privilege escalation or information leaks.

CVE-2018-19965

    Matthew Daley discovered that incorrect handling of the INVPCID
    instruction could result in denial of service by PV guests.

CVE-2018-19966

    It was discovered that a regression in the fix to address
    CVE-2017-15595 could result in denial of service, privilege
    escalation or information leaks by a PV guest.

CVE-2018-19967

    It was discovered that an error in some Intel CPUs could result in
    denial of service by a guest instance.
    
For the stable distribution (stretch), these problems have been fixed in
version 4.8.5+shim4.10.2+xsa282-1+deb9u11.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 15, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that, as the systemd-journald service is not restarted automatically,
a restart of the service or, more safely, a reboot is advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

#1518 sunrat (Forum Moderators)

Posted 18 January 2019 - 07:29 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4370-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 17, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

Two vulnerabilities were found in Drupal, a fully-featured content
management framework, which could result in arbitrary code execution.

For additional information, please refer to the upstream advisories
at https://www.drupal.o...a-core-2019-001 and
https://www.drupal.o...a-core-2019-002

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u6.

#1519 sunrat (Forum Moderators)

Posted 22 January 2019 - 08:49 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4371-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 22, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apt
CVE ID         : CVE-2019-3462

Max Justicz discovered a vulnerability in APT, the high level package manager.
The code handling HTTP redirects in the HTTP transport method doesn't properly
sanitize fields transmitted over the wire. This vulnerability could be used by
an attacker located as a man-in-the-middle between APT and a mirror to inject
malicious content in the HTTP connection. This content could then be recognized
as a valid package by APT and used later for code execution with root
privileges on the target machine.

Since the vulnerability is present in the package manager itself, it is
recommended to disable redirects in order to prevent exploitation during this
upgrade only, using:

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If
that happens, people can switch their security APT source to use:

deb http://cdn-fastly.de...debian-security stable/updates main

For the stable distribution (stretch), this problem has been fixed in
version 1.4.9.

#1520 sunrat (Forum Moderators)

Posted 23 January 2019 - 06:13 PM

- ------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.7 released                          press@debian.org
January 23rd, 2019             https://www.debian.o...s/2019/20190123
- ------------------------------------------------------------------------


The Debian project is pleased to announce the seventh update of its
stable distribution Debian 9 (codename "stretch"). This point release
incorporates the recent security update for APT [1], in order to help
ensure that new installations of stretch are not vulnerable. No other
updates are included.

    1: https://packages.debian.org/src:APT

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. Due to the nature of the included updates, in this case it is
recommended to follow the instructions listed in DSA-4371 [2].

    2: https://www.debian.o...y/2019/dsa-4371

A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
- ----------------------

This stable update adds a few important corrections to the following
packages:

+----------------+------------------------------+
| Package        | Reason                       |
+----------------+------------------------------+
| base-files [3] | Update for the point release |
|                |                              |
+----------------+------------------------------+

    3: https://packages.deb.../src:base-files

Security Updates
- ----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+--------------+---------+
| Advisory ID  | Package |
+--------------+---------+
| DSA-4371 [4] | apt [5] |
|              |         |
+--------------+---------+

    4: https://www.debian.o...y/2019/dsa-4371
    5: https://packages.debian.org/src:apt

URLs
- ----

The complete lists of packages that have changed with this revision:

http://ftp.debian.or...retch/ChangeLog


The current stable distribution:

http://ftp.debian.or...n/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.or...roposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.o...eleases/stable/


Security announcements and information:

https://security.debian.org/ [6]

    6: https://www.debian.org/security/


About Debian
- ------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
- -------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.

#1521 securitybreach (Forum Admins)

Posted 23 January 2019 - 06:55 PM

Nice. :thumbsup:

#1522 sunrat (Forum Moderators)

Posted 27 January 2019 - 07:03 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4372-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 26, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2019-6116

Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

For the stable distribution (stretch), this problem has been fixed in
version 9.26a~dfsg-0+deb9u1.

#1523 sunrat (Forum Moderators)

Posted 28 January 2019 - 09:01 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4373-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
January 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : coturn
CVE ID         : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for
VoIP.

CVE-2018-4056

    An SQL injection vulnerability was discovered in the coTURN administrator
    web portal. As the administration web interface is shared with the
    production, it is unfortunately not possible to easily filter outside
    access and this security update completely disables the web interface. Users
    should use the local, command line interface instead.

CVE-2018-4058

    Default configuration enables unsafe loopback forwarding. A remote attacker
    with access to the TURN interface can use this vulnerability to gain access
    to services that should be local only.

CVE-2018-4059

    Default configuration uses an empty password for the local command line
    administration interface. An attacker with access to the local console
    (either a local attacker or a remote attacker taking advantage of
    CVE-2018-4058) could escalate privileges to administrator of the coTURN
    server.

For the stable distribution (stretch), these problems have been fixed in
version 4.5.0.5-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4374-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
January 28, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qtbase-opensource-src
CVE ID         : CVE-2018-15518 CVE-2018-19870 CVE-2018-19873
Debian Bug     : 907139

Several issues were discovered in qtbase-opensource-src, a
cross-platform C++ application framework, which could lead to
denial-of-service via application crash. Additionally, this update
fixes a problem affecting vlc, where it would start without a GUI.

For the stable distribution (stretch), these problems have been fixed in
version 5.7.1+dfsg-3+deb9u1.

#1524 sunrat (Forum Moderators)

Posted 29 January 2019 - 07:36 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4375-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 29, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2019-3813
Debian Bug     : 920762

Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might result in
denial of service (spice server crash), or possibly, execution of
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u3.

#1525 sunrat (Forum Moderators)

Posted 30 January 2019 - 06:57 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4376-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 30, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 60.5.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4377-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 30, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rssh
CVE ID         : CVE-2019-1000018
Debian Bug     : 919623

The ESnet security team discovered a vulnerability in rssh, a restricted
shell that allows users to perform only scp, sftp, cvs, svnserve
(Subversion), rdist and/or rsync operations. Missing validation in the
scp support could result in the bypass of this restriction, allowing the
execution of arbitrary shell commands.

Please note that with the update applied, the "-3" option of scp can no
longer be used.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4378-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 30, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-pear
CVE ID         : CVE-2018-1000888
Debian Bug     : 919147

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for
handling tar files in PHP is prone to a PHP object injection
vulnerability, potentially allowing a remote attacker to execute
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.1+submodules+notgz-9+deb9u1.
