Jump to content


NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

  • Please log in to reply
1564 replies to this topic

#1551 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 24 March 2019 - 12:51 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4414-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
March 23, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-mellon
CVE ID         : CVE-2019-3877 CVE-2019-3878
Debian Bug     : 925197

Several issues have been discovered in Apache module auth_mellon, which
provides SAML 2.0 authentication.

CVE-2019-3877

    It was possible to bypass the redirect URL checking on logout, so
    the module could be used as an open redirect facility.

CVE-2019-3878

    When mod_auth_mellon is used in an Apache configuration which
    serves as a remote proxy with the http_proxy module, it was
    possible to bypass authentication by sending SAML ECP headers.

For the stable distribution (stretch), these problems have been fixed in
version 0.12.0-2+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1552 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 24 March 2019 - 06:07 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4415-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : passenger
CVE ID         : CVE-2017-16355
Debian Bug     : 884463

An arbitrary file read vulnerability was discovered in passenger, a web
application server. A local user allowed to deploy an application to
passenger, can take advantage of this flaw by creating a symlink from
the REVISION file to an arbitrary file on the system and have its
content displayed through passenger-status.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.30-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4416-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719
                 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug     : 923611

It was discovered that Wireshark, a network traffic analyzer, contained
several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,
ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.7-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4417-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-9810 CVE-2019-9813

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.6.1esr-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1553 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 29 March 2019 - 01:02 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4418-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2019-7524

A vulnerability was discovered in the Dovecot email server. When reading
FTS or POP3-UIDL headers from the Dovecot index, the input buffer size
is not bounds-checked. An attacker with the ability to modify dovecot
indexes, can take advantage of this flaw for privilege escalation or the
execution of arbitrary code with the permissions of the dovecot user.
Only installations using the FTS or pop3 migration plugins are affected.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.2.27-3+deb9u4.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1554 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 30 March 2019 - 08:10 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4419-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : twig
CVE ID         : CVE-2019-9942

Fabien Potencier discovered that twig, a template engine for PHP, did
not correctly enforce sandboxing. This could result in potential
information disclosure.

For the stable distribution (stretch), this problem has been fixed in
version 1.24.0-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4420-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 30, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791
                 CVE-2019-9792 CVE-2019-9793  CVE-2019-9795 CVE-2019-9796

Multiple security issues have been found in the Thunderbird mail client,
which could lead to the execution of arbitrary code or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.6.1-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1555 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 31 March 2019 - 07:27 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4421-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 31, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790
                 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794
                 CVE-2019-5795 CVE-2019-5796 CVE-2019-5797 CVE-2019-5798
                 CVE-2019-5799 CVE-2019-5800 CVE-2019-5802 CVE-2019-5803

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5787

    Zhe Jin discovered a use-after-free issue.

CVE-2019-5788

    Mark Brand discovered a use-after-free issue in the in the FileAPI
    implementation.

CVE-2019-5789

    Mark Brand discovered a use-after-free issue in the in the WebMIDI
    implementation.

CVE-2019-5790

    Dimitri Fourny discovered a buffer overflow issue in the v8 javascript
    library.

CVE-2019-5791

    Choongwoo Han discovered a type confusion issue in the v8 javascript
    library.

CVE-2019-5792

    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5793

    Jun Kokatsu discovered a permissions issue in the Extensions
    implementation.

CVE-2019-5794

    Juno Im of Theori discovered a user interface spoofing issue.

CVE-2019-5795

    pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5796

    Mark Brand discovered a race condition in the Extensions implementation.

CVE-2019-5797

    Mark Brand discovered a race condition in the DOMStorage implementation.

CVE-2019-5798

    Tran Tien Hung disoceved an out-of-bounds read issue in the skia library.

CVE-2019-5799

    sohalt discovered a way to bypass the Content Security Policy.

CVE-2019-5800

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

CVE-2019-5802

    Ronni Skansing discovered a user interface spoofing issue.

CVE-2019-5803

    Andrew Comminos discovered a way to bypass the Content Security Policy.

For the stable distribution (stretch), these problems have been fixed in
version 73.0.3683.75-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1556 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 04 April 2019 - 01:09 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4422-1                   security@debian.org
https://www.debian.org/security/                           Stefan Fritsch
April 03, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0211
                 CVE-2019-0217 CVE-2019-0220
Debian Bug     : 920302 920303

Several vulnerabilities have been found in the Apache HTTP server.

CVE-2018-17189

    Gal Goldshtein of F5 Networks discovered a denial of service
    vulnerability in mod_http2. By sending malformed requests, the
    http/2 stream for that request unnecessarily occupied a server
    thread cleaning up incoming data, resulting in denial of service.

CVE-2018-17199

    Diego Angulo from ImExHS discovered that mod_session_cookie does not
    respect expiry time.

CVE-2019-0196

    Craig Young discovered that the http/2 request handling in mod_http2
    could be made to access freed memory in string comparison when
    determining the method of a request and thus process the request
    incorrectly.

CVE-2019-0211

    Charles Fol discovered a privilege escalation from the
    less-privileged child process to the parent process running as root.

CVE-2019-0217

    A race condition in mod_auth_digest when running in a threaded
    server could allow a user with valid credentials to authenticate
    using another username, bypassing configured access control
    restrictions. The issue was discovered by Simon Kappel.

CVE-2019-0220

    Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL
    normalizations were inconsistently handled. When the path component
    of a request URL contains multiple consecutive slashes ('/'),
    directives such as LocationMatch and RewriteRule must account for
    duplicates in regular expressions while other aspects of the servers
    processing will implicitly collapse them.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u7.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4423-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 03, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : putty
CVE ID         : CVE-2019-9894 CVE-2019-9895 CVE-2019-9897 CVE-2019-9898

Multiple vulnerabilities were found in the PuTTY SSH client, which could
result in denial of service and potentially the execution of arbitrary
code. In addition, in some situations random numbers could potentially be
re-used.

For the stable distribution (stretch), these problems have been fixed in
version 0.67-3+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1557 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 04 April 2019 - 05:22 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4424-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 04, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2019-3871
Debian Bug     : 924966

Adam Dobrawy, Frederico Silva and Gregory Brzeski from HyperOne.com
discovered that pdns, an authoritative DNS server, did not properly
validate user-supplied data when building a HTTP request from a DNS
query in the HTTP Connector of the Remote backend. This would allow a
remote user to cause either a denial-of-service, or information
disclosure.

For the stable distribution (stretch), this problem has been fixed in
version 4.0.3-1+deb9u4.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1558 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 05 April 2019 - 08:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4425-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 05, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wget
CVE ID         : CVE-2019-5953
Debian Bug     : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the
handling of Internationalized Resource Identifiers (IRI) in wget, a
network utility to retrieve files from the web, which could result in
the execution of arbitrary code or denial of service when recursively
downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in
version 1.18-5+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1559 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 07 April 2019 - 06:40 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4426-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 07, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tryton-server
CVE ID         : CVE-2019-10868

Cedric Krier discovered that missing access validation in Tryton could
result in information disclosure .

For the stable distribution (stretch), this problem has been fixed in
version 4.2.1-2+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1560 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 09 April 2019 - 02:24 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4427-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 08, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2019-3880

Michael Hanselmann discovered that Samba, a SMB/CIFS file, print, and
login server for Unix, was vulnerable to a symlink traversal
attack. It would allow remote authenticated users with write
permission to either write or detect files outside of Samba shares.

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.16+dfsg-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4428-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 08, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the
environment and lacks seat verification permitting spoofing an active
session to PolicyKit. A remote attacker with SSH access can take
advantage of this issue to gain PolicyKit privileges that are normally
only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u11.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1561 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 10 April 2019 - 05:36 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4429-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 10, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
Debian Bug     : 926764

It was discovered that SPIP, a website engine for publishing, did not
properly sanitize its user input. This would allow an authenticated
user to perform arbitrary command execution.

For the stable distribution (stretch), this problem has been fixed in
version 3.1.4-4~deb9u2.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1562 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 12 April 2019 - 09:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4430-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
April 10, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
Debian Bug     : 926801

Mathy Vanhoef (NYUAD) and Eyal Ronen (Tel Aviv University & KU Leuven) found
multiple vulnerabilities in the WPA implementation found in wpa_supplication
(station) and hostapd (access point). These vulnerability are also collectively
known as "Dragonblood".

CVE-2019-9495

    Cache-based side-channel attack against the EAP-pwd implementation: an
    attacker able to run unprivileged code on the target machine (including for
    example javascript code in a browser on a smartphone) during the handshake
    could deduce enough information to discover the password in a dictionary
    attack.

CVE-2019-9497

    Reflection attack against EAP-pwd server implementation: a lack of
    validation of received scalar and elements value in the EAP-pwd-Commit
    messages could result in attacks that would be able to complete EAP-pwd
    authentication exchange without the attacker having to know the password.
    This does not result in the attacker being able to derive the session key,
    complete the following key exchange and access the network.

CVE-2019-9498

    EAP-pwd server missing commit validation for scalar/element: hostapd
    doesn't validate values received in the EAP-pwd-Commit message, so an
    attacker could use a specially crafted commit message to manipulate the
    exchange in order for hostapd to derive a session key from a limited set of
    possible values. This could result in an attacker being able to complete
    authentication and gain access to the network.

CVE-2019-9499

    EAP-pwd peer missing commit validation for scalar/element: wpa_supplicant
    doesn't validate values received in the EAP-pwd-Commit message, so an
    attacker could use a specially crafted commit message to manipulate the
    exchange in order for wpa_supplicant to derive a session key from a limited
    set of possible values. This could result in an attacker being able to
    complete authentication and operate as a rogue AP.

Note that the Dragonblood moniker also applies to CVE-2019-9494 and
CVE-2014-9496 which are vulnerabilities in the SAE protocol in WPA3. SAE is not
enabled in Debian stretch builds of wpa, which is thus not vulnerable by default.

Due to the complexity of the backporting process, the fix for these
vulnerabilities are partial. Users are advised to use strong passwords to
prevent dictionary attacks or use a 2.7-based version from stretch-backports
(version above 2:2.7+git20190128+0c1e29f-4).

For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u3.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1563 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 13 April 2019 - 07:27 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4431-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 13, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh2
CVE ID         : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
                 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
                 CVE-2019-3863
Debian Bug     : 924965

Chris Coulson discovered several vulnerabilities in libssh2, a SSH2
client-side library, which could result in denial of service,
information leaks or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.0-1+deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1564 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 16 April 2019 - 08:46 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4432-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 16, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2019-3835 CVE-2019-3838
Debian Bug     : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the stable distribution (stretch), these problems have been fixed in
version 9.26a~dfsg-0+deb9u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4433-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 16, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323
                 CVE-2019-8324 CVE-2019-8325

Several vulnerabilities have been discovered in the Rubygems included in
the interpreter for the Ruby language, which may result in denial of
service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u6.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1565 OFFLINE   sunrat

sunrat

    Thread Kahuna

  • Forum Moderators
  • 5,846 posts

Posted 22 April 2019 - 01:34 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4434-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 20, 2019                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2019-11358
Debian Bug     : 927330

A cross-site scripting vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.o...a-core-2019-006 .

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u8.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.





Also tagged with one or more of these keywords: debian, updates, sunrat, bruno, v.t. eric layton

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users