NEW UPDATES Debian

1592 replies to this topic

#1576 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 23 May 2019 - 09:48 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4448-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 22, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-18511 CVE-2019-5798  CVE-2019-7317  CVE-2019-9797
                 CVE-2019-9800  CVE-2019-9816  CVE-2019-9817  CVE-2019-9819
                 CVE-2019-9820  CVE-2019-11691 CVE-2019-11692 CVE-2019-11693
                 CVE-2019-11698

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 60.7.0esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4449-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 22, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2018-15822 CVE-2018-1999011 CVE-2019-9718
                 CVE-2019-11338

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.14-1~deb9u1.
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.
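
Every advisory in this thread repeats the same two machine-readable facts: the "Package :" line and the "fixed in version X." line. The POSIX shell script below is an added example, not part of sunrat's post and not Debian tooling: it extracts those pairs from advisory text pasted in the DSA layout above and, where dpkg is present, compares them with the installed version using dpkg's own version ordering. The embedded two-advisory sample is constructed from the text above.

```shell
#!/bin/sh
# Added example (not from the forum post or from Debian): pull the package
# name and fixed version out of advisory text in the DSA layout used in this
# thread, then compare against what dpkg has installed. dsa_fixed_versions is
# pure text processing; the comparison needs dpkg and is skipped elsewhere.

# dsa_fixed_versions: read DSA text on stdin, print "package fixed-version"
# per advisory. The version is the single-token "version X." line that
# follows the "have been fixed in" sentence; the trailing full stop is dropped.
# A line such as "version 1.10.28 which includes additional fixes." is not
# a fixed-version line and is ignored.
dsa_fixed_versions() {
    awk '
        /^Package[ \t]*:/ { pkg = $3 }
        /^version [^ ]+\.$/ && pkg != "" {
            ver = $2; sub(/\.$/, "", ver)
            print pkg, ver; pkg = ""
        }'
}

# installed_is_fixed PKG FIXED_VERSION: 0 if the installed version is at
# least FIXED_VERSION in dpkg's ordering, 1 if older, 2 if not installed.
installed_is_fixed() {
    inst=$(dpkg-query -W -f '${Version}' "$1" 2>/dev/null) || return 2
    [ -n "$inst" ] || return 2
    dpkg --compare-versions "$inst" ge "$2"
}

# audit_dsa_text: read DSA text on stdin and print one verdict per package.
audit_dsa_text() {
    dsa_fixed_versions | while read -r pkg ver; do
        if ! command -v dpkg-query >/dev/null 2>&1; then
            echo "$pkg: fixed in $ver (no dpkg here, cannot compare)"
            continue
        fi
        installed_is_fixed "$pkg" "$ver" && rc=0 || rc=$?
        case $rc in
            0) echo "$pkg: OK, installed version is at least $ver" ;;
            1) echo "$pkg: VULNERABLE, installed version is older than $ver" ;;
            *) echo "$pkg: not installed" ;;
        esac
    done
}

# Constructed sample: two advisories in the layout seen in this thread.
SAMPLE_DSA='Package        : firefox-esr
CVE ID         : CVE-2018-18511 CVE-2019-5798

For the stable distribution (stretch), these problems have been fixed in
version 60.7.0esr-1~deb9u1.
- -------------------------------------------------------------------------
Package        : ffmpeg
CVE ID         : CVE-2018-15822

For the stable distribution (stretch), these problems have been fixed in
version 7:3.2.14-1~deb9u1.'

printf '%s\n' "$SAMPLE_DSA" | audit_dsa_text
```

To audit a real advisory, pipe the saved mail through `audit_dsa_text` instead of the sample; `dpkg --compare-versions` handles epochs (the `7:` in the ffmpeg version) and the `~deb9u1` suffix correctly, which a plain string comparison would not.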

#1577 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 25 May 2019 - 10:19 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4450-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
May 24, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2019-11555
Debian Bug     : 927463

A vulnerability was found in the WPA protocol implementation found in
wpa_supplicant (station) and hostapd (access point).

The EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) doesn't properly validate fragmentation reassembly state when receiving
an unexpected fragment. This could lead to a process crash due to a NULL
pointer dereference.

An attacker in radio range of a station or access point with EAP-pwd support
could cause a crash of the relevant process (wpa_supplicant or hostapd),
ensuring a denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 2:2.4-1+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4451-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 24, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
                 CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819
                 CVE-2019-9820 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693
                 CVE-2019-11698

Multiple security issues have been found in Thunderbird: Multiple
vulnerabilities may lead to the execution of arbitrary code or denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.7.0-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4452-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 24, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jackson-databind
CVE ID         : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
                 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
                 CVE-2018-19361 CVE-2018-19362 CVE-2019-12086

Multiple security issues were found in jackson-databind, a Java library
to parse JSON and other data formats, which could result in information
disclosure or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.6-1+deb9u5.

#1578 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 29 May 2019 - 07:47 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4453-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 29, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2019-2602 CVE-2019-2684 CVE-2019-2698

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service or sandbox bypass.

For the stable distribution (stretch), these problems have been fixed in
version 8u212-b03-2~deb9u1.

#1579 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 31 May 2019 - 07:32 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4454-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 30, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2018-11806 CVE-2018-12617 CVE-2018-16872 CVE-2018-17958
                 CVE-2018-18849 CVE-2018-18954 CVE-2018-19364 CVE-2018-19489
                 CVE-2019-3812 CVE-2019-6778 CVE-2019-9824 CVE-2019-12155

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service, the execution of
arbitrary code or information disclosure.

In addition, this update backports support to pass through the new
md-clear CPU flag added in the intel-microcode update shipped in DSA 4447
to x86-based guests.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.8+dfsg-6+deb9u6.

#1580 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 04 June 2019 - 02:04 AM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4455-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : heimdal
CVE ID         : CVE-2018-16860 CVE-2019-12098
Debian Bug     : 928966 929064

Several vulnerabilities were discovered in Heimdal, an implementation of
Kerberos 5 that aims to be compatible with MIT Kerberos.

CVE-2018-16860

    Isaac Boukris and Andrew Bartlett discovered that Heimdal was
    susceptible to man-in-the-middle attacks caused by incomplete
    checksum validation. Details on the issue can be found in the Samba
    advisory at https://www.samba.or...2018-16860.html

CVE-2019-12098

    It was discovered that a failure to verify the PA-PKINIT-KX key
    exchange on the client side could permit a man-in-the-middle attack.

For the stable distribution (stretch), these problems have been fixed in
version 7.1.0+dfsg-13+deb9u3.

#1581 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 05 June 2019 - 08:07 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4456-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 05, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2019-10149

The Qualys Research Labs reported a flaw in Exim, a mail transport
agent. Improper validation of the recipient address in the
deliver_message() function may result in the execution of arbitrary
commands.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u4.

#1582 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 06 June 2019 - 07:24 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4454-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
Debian Bug     : 929067

Vincent Tondellier reported that the qemu update issued as DSA 4454-1
did not correctly backport the support to define the md-clear bit to
allow mitigation of the MDS vulnerabilities. Updated qemu packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.8+dfsg-6+deb9u7.

#1583 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 07 June 2019 - 08:13 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4457-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
June 07, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evolution
CVE ID         : CVE-2018-15587
Debian Bug     : 924616

Hanno Böck discovered that Evolution was vulnerable to OpenPGP
signatures being spoofed for arbitrary messages using a specially
crafted HTML email. This issue was mitigated by moving the security
bar with encryption and signature information above the message
headers.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.6-1+deb9u2.

#1584 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 08 June 2019 - 10:26 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4458-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : cyrus-imapd
CVE ID         : CVE-2019-11356

A flaw was discovered in the CalDAV feature in httpd of the Cyrus IMAP
server, leading to denial of service or potentially the execution of
arbitrary code via a crafted HTTP PUT operation for an event with a long
iCalendar property name.

For the stable distribution (stretch), this problem has been fixed in
version 2.5.10-3+deb9u1.

#1585 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 11 June 2019 - 07:05 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4459-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 12, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : not yet available

Multiple security issues were discovered in the VLC media player, which
could result in the execution of arbitrary code or denial of service if
a malformed file/stream is processed.

For the stable distribution (stretch), these problems have been fixed in
version 3.0.7-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4460-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 12, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2019-11358 CVE-2019-12466 CVE-2019-12467 CVE-2019-12468
                 CVE-2019-12469 CVE-2019-12470 CVE-2019-12471 CVE-2019-12472
                 CVE-2019-12473 CVE-2019-12474

Multiple security vulnerabilities have been discovered in MediaWiki, a
website engine for collaborative work, which may result in authentication
bypass, denial of service, cross-site scripting, information disclosure
and bypass of anti-spam measures.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.27.7-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4461-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 12, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zookeeper
CVE ID         : CVE-2019-0201

Harrison Neil discovered that the getACL() command in Zookeeper, a
service for maintaining configuration information, did not validate
permissions, which could result in information disclosure.

For the stable distribution (stretch), this problem has been fixed in
version 3.4.9-3+deb9u2.

#1586 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 13 June 2019 - 07:07 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4462-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 13, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dbus
CVE ID         : CVE-2019-12749
Debian Bug     : 930375

Joe Vennix discovered an authentication bypass vulnerability in dbus, an
asynchronous inter-process communication system. The implementation of
the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a
symbolic link attack. A local attacker could take advantage of this flaw
to bypass authentication and connect to a DBusServer with elevated
privileges.

The standard system and session dbus-daemons in their default
configuration are not affected by this vulnerability.

The vulnerability was addressed by upgrading dbus to a new upstream
version 1.10.28 which includes additional fixes.

For the stable distribution (stretch), this problem has been fixed in
version 1.10.28-0+deb9u1.

#1587 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 14 June 2019 - 07:31 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4463-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 14, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : znc
CVE ID         : CVE-2019-9917 CVE-2019-12816
Debian Bug     : 925285

Two vulnerabilities were discovered in the ZNC IRC bouncer which could
result in remote code execution (CVE-2019-12816) or denial of service
via invalid encoding (CVE-2019-9917).

For the stable distribution (stretch), these problems have been fixed in
version 1.6.5-1+deb9u2.

#1588 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 15 June 2019 - 08:55 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4464-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 15, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-11703 CVE-2019-11704 CVE-2019-11705 CVE-2019-11706

Multiple security issues have been found in Thunderbird which may lead
to the execution of arbitrary code if malformed email messages are read.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.7.1-1~deb9u1.

#1589 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 17 June 2019 - 10:39 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4465-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 17, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503
                 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
                 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833
                 CVE-2019-11884
Debian Bug     : 928989

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-3846, CVE-2019-10126

    huangwen reported multiple buffer overflows in the Marvell wifi
    (mwifiex) driver, which a local user could use to cause denial of
    service or the execution of arbitrary code.

CVE-2019-5489

    Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari
    Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh
    discovered that local users could use the mincore() system call to
    obtain sensitive information from other processes that access the
    same memory-mapped file.

CVE-2019-9500, CVE-2019-9503

    Hugues Anguelkov discovered a buffer overflow and missing access
    validation in the Broadcom FullMAC wifi driver (brcmfmac), which an
    attacker on the same wifi network could use to cause denial of
    service or the execution of arbitrary code.

CVE-2019-11477

    Jonathan Looney reported that a specially crafted sequence of TCP
    selective acknowledgements (SACKs) allows a remotely triggerable
    kernel panic.

CVE-2019-11478

    Jonathan Looney reported that a specially crafted sequence of TCP
    selective acknowledgements (SACKs) will fragment the TCP
    retransmission queue, allowing an attacker to cause excessive
    resource usage.

CVE-2019-11479

    Jonathan Looney reported that an attacker could force the Linux
    kernel to segment its responses into multiple TCP segments, each of
    which contains only 8 bytes of data, drastically increasing the
    bandwidth required to deliver the same amount of data.

    This update introduces a new sysctl value to control the minimal MSS
    (net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-
    coded value of 48.  We recommend raising this to 536 unless you know
    that your network requires a lower value.

CVE-2019-11486

    Jann Horn of Google reported numerous race conditions in the
    Siemens R3964 line discipline. A local user could use these to
    cause unspecified security impact. This module has therefore been
    disabled.

CVE-2019-11599

    Jann Horn of Google reported a race condition in the core dump
    implementation which could lead to a use-after-free.  A local
    user could use this to read sensitive information, to cause a
    denial of service (memory corruption), or for privilege
    escalation.

CVE-2019-11815

    It was discovered that a use-after-free in the Reliable Datagram
    Sockets protocol could result in denial of service and potentially
    privilege escalation.  This protocol module (rds) is not auto-
    loaded on Debian systems, so this issue only affects systems where
    it is explicitly loaded.

CVE-2019-11833

    It was discovered that the ext4 filesystem implementation writes
    uninitialised data from kernel memory to new extent blocks.  A
    local user able to write to an ext4 filesystem and then read the
    filesystem image, for example using a removable drive, might be
    able to use this to obtain sensitive information.

CVE-2019-11884

    It was discovered that the Bluetooth HIDP implementation did not
    ensure that new connection names were null-terminated.  A local
    user with CAP_NET_ADMIN capability might be able to use this to
    obtain sensitive information from the kernel stack.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u3.
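
The CVE-2019-11479 entry above names a new sysctl, its default of 48 and a recommended value of 536, but leaves the check and the persistent setting to the administrator. The POSIX shell script below is an added example, not part of the advisory or of Debian's kernel packaging: it reads the live value of net.ipv4.tcp_min_snd_mss, judges it against the recommendation, and shows the /etc/sysctl.d drop-in that makes the setting survive a reboot. The drop-in file name /etc/sysctl.d/60-tcp-min-snd-mss.conf is an assumed choice, not something the advisory prescribes.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Debian's kernel packaging):
# audit and, if wanted, persist the net.ipv4.tcp_min_snd_mss setting that the
# CVE-2019-11479 fix introduced. The drop-in file name below is an assumption.

RECOMMENDED_MIN_SND_MSS=536   # value the advisory recommends
OLD_HARDCODED_MIN_SND_MSS=48  # the default, formerly hard-coded in the kernel
SYSCTL_PATH=/proc/sys/net/ipv4/tcp_min_snd_mss

# tcp_min_snd_mss_ok VALUE: succeed when VALUE meets the recommendation.
tcp_min_snd_mss_ok() {
    [ "$1" -ge "$RECOMMENDED_MIN_SND_MSS" ] 2>/dev/null
}

# current_tcp_min_snd_mss: print the live value, or "missing" when the
# running kernel does not expose the sysctl (it predates the fix, or this
# is not Linux). An unpatched kernel is the case a defender most wants to
# notice, so "missing" is reported rather than treated as an error.
current_tcp_min_snd_mss() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo missing
    fi
}

# sysctl_conf_line: the line to put in a /etc/sysctl.d drop-in so the
# setting is reapplied at boot.
sysctl_conf_line() {
    printf 'net.ipv4.tcp_min_snd_mss = %s\n' "$RECOMMENDED_MIN_SND_MSS"
}

# apply_recommendation [CONF_FILE]: write the drop-in and load it into the
# running kernel. Needs root; the default file name is an assumed choice.
apply_recommendation() {
    conf=${1:-/etc/sysctl.d/60-tcp-min-snd-mss.conf}
    sysctl_conf_line > "$conf" && sysctl -p "$conf"
}

# assess_tcp_min_snd_mss VALUE: one-line verdict for a value as read from
# the sysctl (or the word "missing").
assess_tcp_min_snd_mss() {
    case "$1" in
        missing)
            echo "tcp_min_snd_mss absent: kernel lacks the CVE-2019-11479 fix (or not Linux)" ;;
        *)
            if tcp_min_snd_mss_ok "$1"; then
                echo "tcp_min_snd_mss=$1: meets the recommended $RECOMMENDED_MIN_SND_MSS"
            else
                echo "tcp_min_snd_mss=$1: below $RECOMMENDED_MIN_SND_MSS (kernel default is $OLD_HARDCODED_MIN_SND_MSS); run apply_recommendation as root"
            fi ;;
    esac
}

assess_tcp_min_snd_mss "$(current_tcp_min_snd_mss)"
```

Raising the value only matters on a kernel that already carries the fix; on an older kernel the sysctl does not exist, which is why the script treats its absence as the finding to report rather than silently defaulting. Keep the advisory's caveat in mind before applying it: a network that genuinely needs a smaller MSS should keep its lower value.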

#1590 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 18 June 2019 - 06:15 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4466-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 18, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-11707

Samuel Gross discovered a type confusion bug in the Javascript engine of
the Mozilla Firefox web browser, which could result in the execution of
arbitrary code when browsing a malicious website.

For the stable distribution (stretch), this problem has been fixed in
version 60.7.1esr-1~deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4467-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 18, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vim
CVE ID         : CVE-2019-12735

User "Arminius" discovered a vulnerability in Vim, an enhanced version of the
standard UNIX editor Vi (Vi IMproved). The "Common vulnerabilities and
exposures project" identifies the following problem:

Editors typically provide a way to embed editor configuration commands (aka
modelines) which are executed once a file is opened, while harmful commands
are filtered by a sandbox mechanism. It was discovered that the "source"
command (used to include and execute another file) was not filtered, allowing
shell command execution with a carefully crafted file opened in Vim.

For the stable distribution (stretch), this problem has been fixed in
version 8.0.0197-4+deb9u2.

#1591 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 20 June 2019 - 09:45 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4447-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
Jun 20, 2019                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
                 CVE-2019-11091

DSA 4447-1 shipped updated CPU microcode for most types of Intel CPUs as
mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware vulnerabilities.

This update provides additional support for some Sandybridge server
and Core-X CPUs which were not covered in the original May microcode
release. For a list of specific CPU models now supported please refer
to the entries listed under CPUID 206D6 and 206D7 at
https://www.intel.co...ce_05132019.pdf

For the stable distribution (stretch), these problems have been fixed in
version 3.20190618.1~deb9u1.

#1592 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted 23 June 2019 - 07:32 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4468-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 21, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-horde-form
CVE ID         : CVE-2019-9858
Debian Bug     : 930321

A path traversal vulnerability due to an unsanitized POST parameter was
discovered in php-horde-form, a package providing form rendering,
validation, and other functionality for the Horde Application Framework.
An attacker can take advantage of this flaw for remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.15-1+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4469-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 22, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2019-10161 CVE-2019-10167

Two vulnerabilities were discovered in Libvirt, a virtualisation
abstraction library, allowing an API client with read-only permissions
to execute arbitrary commands via the virConnectGetDomainCapabilities
API, or read or execute arbitrary files via the
virDomainSaveImageGetXMLDesc API.

Additionally, libvirt's cpu map was updated to make addressing
CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 easier by supporting
the md-clear, ssbd, spec-ctrl and ibpb CPU features when picking CPU
models without having to fall back to host-passthrough.

For the stable distribution (stretch), these problems have been fixed in
version 3.0.0-4+deb9u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4467-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 23, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vim
CVE ID         : CVE-2019-12735

The update for vim released as DSA 4467-1 introduced a regression which
broke syntax highlighting in some circumstances. Updated vim packages
are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 8.0.0197-4+deb9u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4470-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 23, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns
CVE ID         : CVE-2019-10162 CVE-2019-10163

Two vulnerabilities have been discovered in pdns, an authoritative DNS
server, which may result in denial of service via malformed zone records
and excessive NOTIFY packets in a master/slave setup.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.3-1+deb9u5.
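
Three advisories in this thread hinge on one CPU feature: DSA-4447-2 identifies the newly covered CPUs by CPUID signature (206D6 and 206D7), and the QEMU (DSA-4454-1/-2) and libvirt (DSA-4469-1) updates exist so that the md-clear feature reaches guests. The POSIX shell script below is an added example, not from any of these advisories nor from Debian, Intel, QEMU or libvirt: it derives the CPUID signature from the family/model/stepping fields of /proc/cpuinfo (so a host can be matched against the microcode release notes), checks whether the md_clear flag is visible (the kernel's spelling of what libvirt calls md-clear), and prints the kernel's own MDS verdict from sysfs. Run on a guest after the QEMU/libvirt updates, the flag check tells you whether the passthrough actually took effect. The embedded /proc/cpuinfo text is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the advisories or from Debian/Intel/QEMU/libvirt):
# derive the CPUID signature from /proc/cpuinfo, check for the md_clear flag
# the MDS mitigations rely on, and report the kernel's MDS status.

# cpuid_signature FAMILY MODEL STEPPING: print the signature in lowercase hex.
# Reverses the display rules: for family 6 or 15 the model's high nibble is the
# extended model field; family values above 15 carry an extended family field.
cpuid_signature() {
    family=$1; model=$2; stepping=$3
    if [ "$family" -ge 15 ]; then
        ext_family=$((family - 15)); base_family=15
    else
        ext_family=0; base_family=$family
    fi
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        ext_model=$((model >> 4)); base_model=$((model & 15))
    else
        ext_model=0; base_model=$model
    fi
    printf '%x\n' $(( (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | stepping ))
}

# cpuinfo_signature: read /proc/cpuinfo-style text on stdin and print the
# signature of the first CPU listed ("model name" is deliberately skipped).
cpuinfo_signature() {
    set -- $(awk -F': *' '
        $1 ~ /^cpu family/   && f == "" { f = $2 }
        $1 ~ /^model[ \t]*$/ && m == "" { m = $2 }
        $1 ~ /^stepping/     && s == "" { s = $2 }
        END { print f, m, s }')
    [ $# -eq 3 ] || { echo unknown; return 1; }
    cpuid_signature "$1" "$2" "$3"
}

# has_cpu_flag FLAG: succeed when FLAG appears in the flags line of the
# /proc/cpuinfo-style text on stdin.
has_cpu_flag() {
    awk -v want="$1" '
        $1 == "flags" { for (i = 3; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# mds_status: the kernel's own MDS verdict, when the sysfs file exists.
mds_status() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then cat "$f"; else echo "unknown (no $f)"; fi
}

# report_cpu: read cpuinfo text on stdin (buffered so it can be scanned twice)
# and print signature, md_clear presence and the kernel's MDS status.
report_cpu() {
    info=$(cat)
    sig=$(printf '%s\n' "$info" | cpuinfo_signature)
    if printf '%s\n' "$info" | has_cpu_flag md_clear; then mc=present; else mc=absent; fi
    printf 'CPUID signature: %s\nmd_clear flag: %s\nMDS status: %s\n' "$sig" "$mc" "$(mds_status)"
}

# Constructed sample in /proc/cpuinfo format: family 6, model 45, stepping 6
# (signature 206D6, one of the models DSA-4447-2 adds), with md_clear present.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 45
model name	: Intel(R) Xeon(R) CPU (constructed sample)
stepping	: 6
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep ssbd md_clear'

if [ -r /proc/cpuinfo ]; then
    report_cpu < /proc/cpuinfo
else
    echo "no /proc/cpuinfo; using the constructed sample"
    printf '%s\n' "$SAMPLE_CPUINFO" | report_cpu
fi
```

A host whose signature is listed in the microcode release notes but whose sysfs MDS status still reports it as vulnerable has usually not reloaded microcode since the update (a reboot is needed); a guest that lacks md_clear while its host has it is the situation DSA-4454-2 and the libvirt cpu map change address.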

#1593 sunrat (Thread Kahuna, Forum Moderators, 5,898 posts)

Posted Yesterday, 07:34 PM

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4471-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 24, 2019                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-11707 CVE-2019-11708

Multiple security issues have been found in Thunderbird which may lead
to the execution of arbitrary code if malformed email messages are read.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.7.2-1~deb9u1.