NEW UPDATES Debian

debian updates sunrat bruno v.t. eric layton

1517 replies to this topic

#1501 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 22 November 2018 - 06:21 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4339-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 21, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ceph
Debian Bug     : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for
the i386 builds. Updated packages are now available to address this
issue. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 10.2.11-2.

registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#1502 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 24 November 2018 - 10:02 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4343-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : liblivemedia
CVE ID         : CVE-2018-4013

It was discovered that a buffer overflow in liveMedia, a set of C++
libraries for multimedia streaming could result in the execution of
arbitrary code when parsing a malformed RTSP stream.

For the stable distribution (stretch), this problem has been fixed in
version 2016.11.28-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4344-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2018-19206

Aidan Marlin discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling invalid style tag content.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u3.

#1503 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 27 November 2018 - 06:29 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4345-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2018-14629

    Florian Stuelpner discovered that Samba is vulnerable to
    infinite query recursion caused by CNAME loops, resulting in
    denial of service.

    https://www.samba.or...2018-14629.html

CVE-2018-16841

    Alex MacCuish discovered that a user with a valid certificate or
    smart card can crash the Samba AD DC's KDC when configured to accept
    smart-card authentication.

    https://www.samba.or...2018-16841.html

CVE-2018-16851

    Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
    dereference vulnerability in the Samba AD DC LDAP server allowing a
    user able to read more than 256MB of LDAP entries to crash the Samba
    AD DC's LDAP server.

    https://www.samba.or...2018-16851.html

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u4.

#1504 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 29 November 2018 - 06:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed PostScript file is processed
(despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26
which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.26~dfsg-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4347-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 29, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-18311

    Jayakrishna Menon and Christophe Hauser discovered an integer
    overflow vulnerability in Perl_my_setenv leading to a heap-based
    buffer overflow with attacker-controlled input.

CVE-2018-18312

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow write during compilation,
    potentially allowing arbitrary code execution.

CVE-2018-18313

    Eiichi Tsukata discovered that a crafted regular expression could
    cause a heap-based buffer overflow read during compilation which
    leads to information leak.

CVE-2018-18314

    Jakub Wilk discovered that a specially crafted regular expression
    could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

#1505 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 01 December 2018 - 09:58 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4348-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 30, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2018-0732 CVE-2018-0734 CVE-2018-0735 CVE-2018-0737
                 CVE-2018-5407

Several local side channel attacks and a denial of service via large
Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets
Layer toolkit.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0j-1~deb9u1. Going forward, openssl security updates for
stretch will be based on the 1.1.0x upstream releases.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4349-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 30, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2017-11613 CVE-2017-17095 CVE-2018-5784
                 CVE-2018-7456  CVE-2018-8905  CVE-2018-10963
                 CVE-2018-17101 CVE-2018-18557 CVE-2018-15209
                 CVE-2018-16335

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code if malformed image files are processed.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u4.

#1506 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 08 December 2018 - 06:40 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4350-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 06, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : policykit-1
CVE ID         : CVE-2018-19788
Debian Bug     : 915332

It was discovered that incorrect processing of very high UIDs in
Policykit, a framework for managing administrative policies and
privileges, could result in authentication bypass.

For the stable distribution (stretch), this problem has been fixed in
version 0.105-18+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4351-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2018-19296
Debian Bug     : 913912

It was discovered that PHPMailer, a library to send email from PHP
applications, is prone to a PHP object injection vulnerability,
potentially allowing a remote attacker to execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 5.2.14+dfsg-2.3+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4352-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
December 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-17480 CVE-2018-17481 CVE-2018-18335 CVE-2018-18336
                 CVE-2018-18337 CVE-2018-18338 CVE-2018-18339 CVE-2018-18340
                 CVE-2018-18341 CVE-2018-18342 CVE-2018-18343 CVE-2018-18344
                 CVE-2018-18345 CVE-2018-18346 CVE-2018-18347 CVE-2018-18348
                 CVE-2018-18349 CVE-2018-18350 CVE-2018-18351 CVE-2018-18352
                 CVE-2018-18353 CVE-2018-18354 CVE-2018-18355 CVE-2018-18356
                 CVE-2018-18357 CVE-2018-18358 CVE-2018-18359

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17480

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-17481

    Several use-after-free issues were discovered in the pdfium library.

CVE-2018-18335

    A buffer overflow issue was discovered in the skia library.

CVE-2018-18336

    Huyna discovered a use-after-free issue in the pdfium library.

CVE-2018-18337

    cloudfuzzer discovered a use-after-free issue in blink/webkit.

CVE-2018-18338

    Zhe Jin discovered a buffer overflow issue in the canvas renderer.

CVE-2018-18339

    cloudfuzzer discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2018-18340

    A use-after-free issue was discovered in the MediaRecorder implementation.

CVE-2018-18341

    cloudfuzzer discovered a buffer overflow issue in blink/webkit.

CVE-2018-18342

    Guang Gong discovered an out-of-bounds write issue in the v8 javascript
    library.

CVE-2018-18343

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18344

    Jann Horn discovered an error in the Extensions implementation.

CVE-2018-18345

    Masato Kinugawa and Jun Kokatsu discovered an error in the Site Isolation
    feature.

CVE-2018-18346

    Luan Herrera discovered an error in the user interface.

CVE-2018-18347

    Luan Herrera discovered an error in the Navigation implementation.

CVE-2018-18348

    Ahmed Elsobky discovered an error in the omnibox implementation.

CVE-2018-18349

    David Erceg discovered a policy enforcement error.

CVE-2018-18350

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18351

    Jun Kokatsu discovered a policy enforcement error.

CVE-2018-18352

    Jun Kokatsu discovered an error in Media handling.

CVE-2018-18353

    Wenxu Wu discovered an error in the network authentication implementation.

CVE-2018-18354

    Wenxu Wu discovered an error related to integration with GNOME Shell.

CVE-2018-18355

    evil1m0 discovered a policy enforcement error.

CVE-2018-18356

    Tran Tien Hung discovered a use-after-free issue in the skia library.

CVE-2018-18357

    evil1m0 discovered a policy enforcement error.

CVE-2018-18358

    Jann Horn discovered a policy enforcement error.

CVE-2018-18359

    cyrilliu discovered an out-of-bounds read issue in the v8 javascript
    library.

Several additional security relevant issues are also fixed in this update
that have not yet received CVE identifiers.

For the stable distribution (stretch), these problems have been fixed in
version 71.0.3578.80-1~deb9u1.

#1507 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 11 December 2018 - 06:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4353-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 10, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2018-14851 CVE-2018-14883 CVE-2018-17082
                 CVE-2018-19518 CVE-2018-19935

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: The EXIF module was susceptible to
denial of service/information disclosure when parsing malformed images,
the Apache module allowed cross-site scripting via the body of a
"Transfer-Encoding: chunked" request and the IMAP extension performed
insufficient input validation which can result in the execution of
arbitrary shell commands in the imap_open() function and denial of
service in the imap_mail() function.

For the stable distribution (stretch), these problems have been fixed in
version 7.0.33-0+deb9u1.

#1508 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 15 December 2018 - 06:33 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4354-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 12, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-12405 CVE-2018-17466 CVE-2018-18492
                 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or bypass of the same-origin policy.

For the stable distribution (stretch), these problems have been fixed in
version 60.4.0esr-1~deb9u1.

#1509 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 19 December 2018 - 11:25 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4355-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 19, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2018-0732 CVE-2018-0734 CVE-2018-0737 CVE-2018-5407

Several local side channel attacks and a denial of service via large
Diffie-Hellman parameters were discovered in OpenSSL, a Secure Sockets
Layer toolkit.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.2q-1~deb9u1. Going forward, openssl1.0 security updates for
stretch will be based on the 1.0.2x upstream releases.

#1510 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 20 December 2018 - 10:06 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4356-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netatalk
CVE ID         : CVE-2018-1160
Debian Bug     : 916930

Jacob Baines discovered a flaw in the handling of the DSI Opensession
command in Netatalk, an implementation of the AppleTalk Protocol Suite,
allowing an unauthenticated user to execute arbitrary code with root
privileges.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.5-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache-mod-jk
CVE ID         : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java
servlet engine. The vulnerability is addressed by upgrading mod_jk to
the new upstream version 1.2.46, which includes additional changes.

https://tomcat.apach...2.42_and_1.2.43
https://tomcat.apach...2.43_and_1.2.44
https://tomcat.apach...2.44_and_1.2.45
https://tomcat.apach...2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.
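
Each advisory in this thread names a source package and the version that fixes it for stretch (DSA-4348-1 for openssl and DSA-4357-1 for libapache-mod-jk in the posts above, for example). A practical check is to turn a pasted advisory into a yes/no answer per host by comparing the fixed version against what dpkg reports. The Python below is an added example, not code from the thread or from Debian: it extracts the "Package :" and "fixed in version" lines from advisory text and orders versions with a from-scratch port of dpkg's comparison rules (epoch, then upstream, then Debian revision; a "~" sorts before anything, including the end of the string, which is why 1.1.0j-1~deb9u1 counts as older than 1.1.0j-1). The advisory excerpts are copied from the two posts named above; the installed-version map is a constructed sample. On a real host you would build that map from `dpkg-query -W -f='${source:Package} ${source:Version}\n'`, because a DSA names the source package, not the binary packages built from it.

```python
import re

_DIGITS = set("0123456789")

def _char(s, k):
    return s[k] if k < len(s) else ""   # "" once we run off the end of a fragment

def _order(c):
    """Weight of one character inside a non-digit run (mirrors dpkg's order())."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1              # '~' sorts before everything, even end of string
    return ord(c) + 256        # other punctuation sorts after letters

def _verrevcmp(a, b):
    """dpkg fragment comparison: alternate non-digit runs (compared via _order)
    and digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i) in _DIGITS and _char(b, j) in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _char(a, i) in _DIGITS:
            return 1           # a's number has more digits, so it is larger
        if _char(b, j) in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """<0 if a is older than b, 0 if equal, >0 if newer (dpkg semantics)."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

_DSA_HEADER = re.compile(r"Debian Security Advisory (DSA-\d+-\d+)")
_PACKAGE = re.compile(r"^Package\s*:\s*(\S+)", re.M)
_FIXED = re.compile(r"fixed in\s+version\s+([0-9A-Za-z.+~:-]+?)\.(?=\s|$)")

def parse_advisories(text):
    """Return [(dsa_id, source_package, fixed_version)] for each advisory block."""
    heads = list(_DSA_HEADER.finditer(text))
    found = []
    for n, h in enumerate(heads):
        end = heads[n + 1].start() if n + 1 < len(heads) else len(text)
        block = text[h.start():end]
        pkg, fixed = _PACKAGE.search(block), _FIXED.search(block)
        if pkg and fixed:
            found.append((h.group(1), pkg.group(1), fixed.group(1)))
    return found

def check(text, installed):
    """Map dsa_id -> (source package, 'vulnerable' | 'patched' | 'not installed');
    `installed` maps source package name -> installed version."""
    report = {}
    for dsa, pkg, fixed in parse_advisories(text):
        if pkg not in installed:
            report[dsa] = (pkg, "not installed")
        else:
            older = compare_versions(installed[pkg], fixed) < 0
            report[dsa] = (pkg, "vulnerable" if older else "patched")
    return report

# Advisory text copied from the thread above (DSA-4348-1 and DSA-4357-1 excerpts).
SAMPLE_DSAS = """\
Debian Security Advisory DSA-4348-1                   security@debian.org
Package        : openssl
For the stable distribution (stretch), these problems have been fixed in
version 1.1.0j-1~deb9u1. Going forward, openssl security updates for
stretch will be based on the 1.1.0x upstream releases.
Debian Security Advisory DSA-4357-1                   security@debian.org
Package        : libapache-mod-jk
For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.
"""

# Constructed sample of installed source-package versions (not a real host).
SAMPLE_INSTALLED = {"openssl": "1.1.0f-3+deb9u2", "libapache-mod-jk": "1:1.2.46-0+deb9u1"}

if __name__ == "__main__":
    for dsa, (pkg, status) in sorted(check(SAMPLE_DSAS, SAMPLE_INSTALLED).items()):
        print(f"{dsa}: {pkg} {status}")
```

With the sample data the openssl host version 1.1.0f-3+deb9u2 is reported as vulnerable against 1.1.0j-1~deb9u1, while libapache-mod-jk at exactly 1:1.2.46-0+deb9u1 is reported as patched. On a live system `dpkg --compare-versions` is the authoritative ordering and can be used to cross-check any verdict this script gives.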

#1511 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 23 December 2018 - 05:41 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
Debian Bug     : 915832

The update for ghostscript issued as DSA-4346-1 caused a regression when
used with certain options (cf. Debian bug #915832). Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 9.26~dfsg-0+deb9u2.

#1512 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 29 December 2018 - 01:33 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4358-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2018-3740
Debian Bug     : 893610

The Shopify Application Security Team discovered that ruby-sanitize, a
whitelist-based HTML sanitizer, is prone to an HTML injection
vulnerability. A specially crafted HTML fragment can allow non-whitelisted
attributes to be used on a whitelisted HTML element.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.0-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4359-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2018-12086 CVE-2018-18225 CVE-2018-18226
                 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623
                 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626
                 CVE-2018-19627 CVE-2018-19628

Multiple vulnerabilities have been discovered in Wireshark, a network
protocol analyzer, which could result in denial of service or the
execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.5-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4360-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2016-10209 CVE-2016-10349   CVE-2016-10350
                 CVE-2017-14166 CVE-2017-14501   CVE-2017-14502
                 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878
                 CVE-2018-1000880

Multiple security issues were found in libarchive, a multi-format archive
and compression library: Processing malformed RAR archives could result
in denial of service or the execution of arbitrary code and malformed
WARC, LHarc, ISO, Xar or CAB archives could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 3.2.2-2+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4361-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 28, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libextractor
CVE ID         : CVE-2018-20430 CVE-2018-20431

Several vulnerabilities were discovered in libextractor, a library to
extract arbitrary meta-data from files, which may lead to denial of
service or memory disclosure if a malformed OLE file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.3-4+deb9u3.

#1513 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 02 January 2019 - 07:37 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4362-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 01, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : not yet available

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 1:60.4.0-1~deb9u1.

#1514 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 08 January 2019 - 07:06 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4363-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2019-3498

It was discovered that malformed URLs could spoof the content of the
default 404 page of Django, a Python web development framework.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.7-2+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4364-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 08, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-loofah
CVE ID         : CVE-2018-16468

It was discovered that ruby-loofah, a general library for manipulating
and transforming HTML/XML documents and fragments, performed insufficient
sanitising of SVG elements.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.3-2+deb9u2.

#1515 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 12 January 2019 - 11:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4365-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 10, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tmpreaper
CVE ID         : CVE-2019-3461

Stephen Roettger discovered a race condition in tmpreaper, a program that
cleans up files in directories based on their age, which could result in
local privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.13+nmu1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4366-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 12, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2018-19857

An integer underflow was discovered in the CAF demuxer of the VLC
media player.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.6-0+deb9u1.

#1516 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 13 January 2019 - 08:30 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4367-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 13, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
Debian Bug     : 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in
systemd-journald. Two memory corruption flaws, via attacker-controlled
alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw
leading to an information leak (CVE-2018-16866), could allow an attacker to
cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at
https://www.qualys.c...system-down.txt

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u7.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
Posted ImagePosted ImagePosted ImagePosted Image
For the things we have to learn before we can do them, we learn by doing them.

#1517 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 15 January 2019 - 04:56 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4368-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 14, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zeromq3
CVE ID         : CVE-2019-6250

Guido Vranken discovered that an incorrect bounds check in ZeroMQ, a
lightweight messaging kernel, could result in the execution of arbitrary
code.

For the stable distribution (stretch), this problem has been fixed in
version 4.2.1-4+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4369-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 14, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-19961 CVE-2018-19962 CVE-2018-19965
                 CVE-2018-19966 CVE-2018-19967

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-19961 / CVE-2018-19962

    Paul Durrant discovered that incorrect TLB handling could result in
    denial of service, privilege escalation or information leaks.

CVE-2018-19965

    Matthew Daley discovered that incorrect handling of the INVPCID
    instruction could result in denial of service by PV guests.

CVE-2018-19966

    It was discovered that a regression in the fix to address
    CVE-2017-15595 could result in denial of service, privilege
    escalation or information leaks by a PV guest.

CVE-2018-19967

    It was discovered that an error in some Intel CPUs could result in
    denial of service by a guest instance.
For the stable distribution (stretch), these problems have been fixed in
version 4.8.5+shim4.10.2+xsa282-1+deb9u11.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 15, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that, as the systemd-journald service is not restarted automatically,
a restart of the service or, more safely, a reboot is advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

#1518 sunrat (Thread Kahuna, Forum Moderators, 5,743 posts)

Posted 18 January 2019 - 07:29 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4370-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 17, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

Two vulnerabilities were found in Drupal, a fully-featured content
management framework, which could result in arbitrary code execution.

For additional information, please refer to the upstream advisories
at https://www.drupal.o...a-core-2019-001 and
https://www.drupal.o...a-core-2019-002

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u6.
