[SECURITY] [DSA 4031-1] ruby2.3 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4031-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 11, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033
Debian Bug     : 875928 875931 875936 879231

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2017-0898

    aerodudrizzt reported a buffer underrun vulnerability in the sprintf method of the Kernel module resulting in heap memory corruption or information disclosure from the heap.

CVE-2017-0903

    Max Justicz reported that RubyGems is prone to an unsafe object deserialization vulnerability. When parsed by an application which processes gems, a specially crafted YAML formatted gem specification can lead to remote code execution.

CVE-2017-10784

    Yusuke Endoh discovered an escape sequence injection vulnerability in the Basic authentication of WEBrick. An attacker can take advantage of this flaw to inject malicious escape sequences to the WEBrick log and potentially execute control characters on the victim's terminal emulator when reading logs.

CVE-2017-14033

    asac reported a buffer underrun vulnerability in the OpenSSL extension. A remote attacker can take advantage of this flaw to cause the Ruby interpreter to crash leading to a denial of service.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u2.

We recommend that you upgrade your ruby2.3 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
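The WEBrick issue (CVE-2017-10784) is a log injection bug: untrusted text reaches the log file unchanged and a terminal emulator later interprets the embedded escape sequences. The sanitiser below is an added example, not code from the advisory or from WEBrick; the log line layout and the helper names are this example's own assumptions.

```python
# Added example (not from the Debian advisory or from WEBrick): a defensive
# log-field sanitiser for the failure mode described under CVE-2017-10784,
# where attacker-controlled text (e.g. a Basic-auth user name) is written to
# a log file verbatim and a terminal emulator later interprets any embedded
# escape sequences when an operator views the log.
import re

# Every C0 control character, DEL, and the C1 range. ESC (0x1b) and CSI (0x9b)
# are the bytes that start terminal escape sequences; CR and LF are covered
# too so that an attacker cannot forge additional log lines either.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def sanitize_log_field(value: str) -> str:
    """Return *value* with every control character replaced by a visible
    \\xNN escape, so a log line can never carry a live escape sequence."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def contains_escape_sequence(value: str) -> bool:
    """True if the text holds an ESC or CSI byte, the signature of an ANSI
    escape sequence. Usable as a detection trigger, not only as a filter."""
    return "\x1b" in value or "\x9b" in value


def format_access_line(client: str, user: str, request_line: str, status: int) -> str:
    """Build a log line in which every untrusted field is sanitised.
    (Constructed common-log-style layout; the field order is this example's.)"""
    return "%s %s \"%s\" %d" % (
        sanitize_log_field(client),
        sanitize_log_field(user),
        sanitize_log_field(request_line),
        status,
    )


if __name__ == "__main__":
    # Constructed sample: a Basic-auth user name carrying a CSI sequence that
    # would clear the viewer's screen and a CRLF that would forge a second line.
    hostile_user = "alice\x1b[2J\r\nforged line"
    print(format_access_line("198.51.100.7", hostile_user, "GET / HTTP/1.1", 401))
```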
[SECURITY] [DSA 4016-1] irssi security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4016-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 03, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : irssi
CVE ID         : CVE-2017-10965 CVE-2017-10966 CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722 CVE-2017-15723
Debian Bug     : 867598 879521

Multiple vulnerabilities have been discovered in Irssi, a terminal based IRC client. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2017-10965

    Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi does not properly handle receiving messages with invalid time stamps. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-10966

    Brian 'geeknik' Carpenter of Geeknik Labs discovered that Irssi is susceptible to a use-after-free flaw triggered while updating the internal nick list. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15227

    Joseph Bisch discovered that while waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15228

    Hanno Boeck reported that Irssi does not properly handle installing themes with unterminated colour formatting sequences, leading to a denial of service if a user is tricked into installing a specially crafted theme.

CVE-2017-15721

    Joseph Bisch discovered that Irssi does not properly handle incorrectly formatted DCC CTCP messages. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15722

    Joseph Bisch discovered that Irssi does not properly verify Safe channel IDs. A malicious IRC server can take advantage of this flaw to cause Irssi to crash, resulting in a denial of service.

CVE-2017-15723

    Joseph Bisch reported that Irssi does not properly handle overlong nicks or targets resulting in a NULL pointer dereference when splitting the message and leading to a denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 0.8.17-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in version 1.0.2-1+deb9u3. CVE-2017-10965 and CVE-2017-10966 were already fixed in an earlier point release.

We recommend that you upgrade your irssi packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4059-1] libxcursor security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4059-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
December 08, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libxcursor
CVE ID         : CVE-2017-16612
Debian Bug     : 883792

It was discovered that libXcursor, an X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file.

For the oldstable distribution (jessie), these problems have been fixed in version 1:1.1.14-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1:1.1.14-1+deb9u1.

We recommend that you upgrade your libxcursor packages.

For the detailed security status of libxcursor please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxcursor

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4058-1] optipng security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4058-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
December 08, 2017                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : optipng
CVE ID         : CVE-2017-16938 CVE-2017-1000229
Debian Bug     : 878839 882032

Two vulnerabilities were discovered in optipng, an advanced PNG optimizer, which may result in denial of service or the execution of arbitrary code if a malformed file is processed.

For the oldstable distribution (jessie), these problems have been fixed in version 0.7.5-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in version 0.7.6-1+deb9u1.

We recommend that you upgrade your optipng packages.

For the detailed security status of optipng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/optipng

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4193-1] wordpress security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4193-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 05, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2018-10100 CVE-2018-10101 CVE-2018-10102
Debian Bug     : 895034

Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects.

More information can be found in the upstream advisory at https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/

For the oldstable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u17.

For the stable distribution (stretch), these problems have been fixed in version 4.7.5+dfsg-2+deb9u3.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4196-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4196-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 08, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-1087 CVE-2018-8897
Debian Bug     : 897427 897599 898067 898100

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

CVE-2018-1087

    Andy Lutomirski discovered that the KVM implementation did not properly handle #DB exceptions while deferred by MOV SS/POP SS, allowing an unprivileged KVM guest user to crash the guest or potentially escalate their privileges.

CVE-2018-8897

    Nick Peterson of Everdox Tech LLC discovered that #DB exceptions that are deferred by MOV SS or POP SS are not properly handled, allowing an unprivileged user to crash the kernel and cause a denial of service.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.56-1+deb8u1. This update includes various fixes for regressions from 3.16.56-1 as released in DSA-4187-1 (Cf. #897427, #898067 and #898100).

For the stable distribution (stretch), these problems have been fixed in version 4.9.88-1+deb9u1. The fix for CVE-2018-1108 applied in DSA-4188-1 is temporarily reverted due to various regressions, cf. #897599.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4195-1] wget security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4195-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 08, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wget
CVE ID         : CVE-2018-0494
Debian Bug     : 898076

Harry Sintonen discovered that wget, a network utility to retrieve files from the web, does not properly handle '\r\n' from continuation lines while parsing the Set-Cookie HTTP header. A malicious web server could use this flaw to inject arbitrary cookies to the cookie jar file, adding new or replacing existing cookie values.

For the oldstable distribution (jessie), this problem has been fixed in version 1.16-1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in version 1.18-5+deb9u2.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wget

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
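The wget flaw above is a line-injection problem: a cookie jar is a line-oriented, tab-separated text file, so any CR, LF or TAB that survives from a folded Set-Cookie header into a cookie name or value lets the server append lines of its own to the jar. The parser and jar writer below are an added example, not wget's code; the header sample is constructed and the function names are this example's own.

```python
# Added example (not wget's code): proper unfolding of header continuation
# lines plus validation of cookie fields before anything is written to a
# Netscape-format cookie jar, the check whose absence CVE-2018-0494 describes.
import re
from typing import Dict, List, Optional

# RFC 6265: a cookie-name is an HTTP token; a cookie-value may not contain
# CTLs, whitespace, double quote, comma, semicolon or backslash.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_VALUE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")

# Constructed sample response: one well-formed cookie, then a Set-Cookie
# whose continuation line carries a ready-made cookie-jar record.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Set-Cookie: evil=x\r\n"
    "\t.example.org\tTRUE\t/\tFALSE\t0\tinjected\tline\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def unfold_header_lines(raw: str) -> List[str]:
    """Split a raw header block into logical lines, joining obs-fold
    continuation lines (leading SP/HTAB) onto the preceding header with a
    single space. CRLF and bare LF terminate lines; any other CR stays in
    the field and is rejected by the value check below."""
    logical: List[str] = []
    for line in re.split(r"\r\n|\n", raw):
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line:
            logical.append(line)
    return logical


def parse_set_cookie(header_value: str) -> Optional[Dict[str, str]]:
    """Return {'name': ..., 'value': ...} or None when the name/value pair
    is not well-formed, which includes any embedded control character."""
    pair = header_value.split(";", 1)[0]
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)
    name, value = name.strip(), value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    if not _TOKEN.match(name) or not _COOKIE_VALUE.match(value):
        return None
    return {"name": name, "value": value}


def cookie_jar_line(domain: str, path: str, secure: bool,
                    expires: int, name: str, value: str) -> str:
    """Serialise one Netscape-format jar record (tab-separated). Every field
    is re-checked here so the writer itself can never emit a line break."""
    fields = [domain, "TRUE" if domain.startswith(".") else "FALSE", path,
              "TRUE" if secure else "FALSE", str(expires), name, value]
    for field in fields:
        if any(c in field for c in "\r\n\t"):
            raise ValueError("control character in cookie field: %r" % field)
    return "\t".join(fields)


def cookies_from_response_headers(raw_headers: str) -> List[Dict[str, str]]:
    """Collect the Set-Cookie cookies that pass validation; rejected ones
    are dropped instead of being written to the jar."""
    out = []
    for line in unfold_header_lines(raw_headers):
        hname, _, hvalue = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if cookie is not None:
            out.append(cookie)
    return out
```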
[SECURITY] [DSA 4208-1] procps security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4208-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : procps
CVE ID         : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
Debian Bug     : 899170

The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-1122

    top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

CVE-2018-1123

    Denial of service against the ps invocation of another user.

CVE-2018-1124

    An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

CVE-2018-1125

    A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

CVE-2018-1126

    Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.

For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

We recommend that you upgrade your procps packages.

For the detailed security status of procps please refer to its security tracker page at: https://security-tracker.debian.org/tracker/procps

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4207-1] packagekit security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4207-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 22, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : packagekit
CVE ID         : CVE-2018-1106
Debian Bug     : 896703

Matthias Gerstner discovered that PackageKit, a DBus abstraction layer for simple software management tasks, contains an authentication bypass flaw allowing users without privileges to install local packages.

For the stable distribution (stretch), this problem has been fixed in version 1.1.5-2+deb9u1.

We recommend that you upgrade your packagekit packages.

For the detailed security status of packagekit please refer to its security tracker page at: https://security-tracker.debian.org/tracker/packagekit

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4226-1] perl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4226-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-12015
Debian Bug     : 900834

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For the oldstable distribution (jessie), this problem has been fixed in version 5.20.2-3+deb8u11.

For the stable distribution (stretch), this problem has been fixed in version 5.24.1-3+deb9u4.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4227-1] plexus-archiver security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4227-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 12, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : plexus-archiver
CVE ID         : CVE-2018-1002200
Debian Bug     : 900953

Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive.

For the oldstable distribution (jessie), this problem has been fixed in version 1.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.2-1+deb9u1.

We recommend that you upgrade your plexus-archiver packages.

For the detailed security status of plexus-archiver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/plexus-archiver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
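DSA-4226-1 (Archive::Tar) and DSA-4227-1 (plexus-archiver) describe the same class of bug: archive member names are attacker-controlled, and an extractor that joins them onto the destination without checking where the resulting path lands can be made to write outside it. The check below is an added example in Python, not code from Debian, Archive::Tar or plexus-archiver; the sample archives are constructed in memory and the helper names are this example's own.

```python
# Added example (not from Debian, Archive::Tar or plexus-archiver): the
# member-path check whose absence both advisories describe. Each entry name
# is resolved against the destination and the whole archive is refused if
# any entry would land outside it, before a single file is written.
import io
import os
import tarfile
import zipfile
from typing import Iterable, List


def is_within_directory(base: str, target: str) -> bool:
    """True if *target* (after lexical normalisation) stays inside *base*."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def unsafe_member_names(names: Iterable[str], dest: str) -> List[str]:
    """Return the member names that would escape *dest*: absolute paths,
    '..' traversal, and normalisation tricks such as 'a/../../x'."""
    rejected = []
    for name in names:
        if os.path.isabs(name) or name.startswith(("/", "\\")):
            rejected.append(name)
        elif not is_within_directory(dest, os.path.join(dest, name)):
            rejected.append(name)
    return rejected


def safe_extract_tar(tar: tarfile.TarFile, dest: str) -> None:
    """Extract only after every member has passed the check. Link members
    are refused too: a symlink pointing outside *dest* would let a later
    member write through it even though its own name looks harmless."""
    members = tar.getmembers()
    bad = unsafe_member_names([m.name for m in members], dest)
    bad += [m.name for m in members if m.issym() or m.islnk()]
    if bad:
        raise ValueError("refusing archive with unsafe members: %r" % bad)
    tar.extractall(dest)


def safe_extract_zip(zf: zipfile.ZipFile, dest: str) -> None:
    bad = unsafe_member_names(zf.namelist(), dest)
    if bad:
        raise ValueError("refusing archive with unsafe members: %r" % bad)
    zf.extractall(dest)


def archive_is_rejected(extract, archive, dest: str) -> bool:
    """True if *extract* refuses *archive* for *dest* (nothing is written)."""
    try:
        extract(archive, dest)
    except ValueError:
        return True
    return False


def build_hostile_tar() -> tarfile.TarFile:
    """Constructed sample: one benign entry and one '..' traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("ok.txt", "../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def build_hostile_zip() -> zipfile.ZipFile:
    """Constructed sample: the zip equivalent, two levels of traversal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok.txt", "")
        zf.writestr("../../outside.txt", "")
    buf.seek(0)
    return zipfile.ZipFile(buf, "r")
```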
[SECURITY] [DSA 4231-1] libgcrypt20 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4231-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 17, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libgcrypt20

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4223-1] gnupg1 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4224-1] gnupg security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4222-1] gnupg2 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation
of file names displayed in status messages, which could be abused to fake
the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in
version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+MZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sj/Q//S9O9UEDpOL16FPrsYWFohmcoDPspWHyACdFxoGOxJTZxDjDS6IsLuLu7
uSsSNyW1nQt1ghxuKO+XGEHfxMiPh54BdGf1w4PtUUw/1m9uQrlMsuyYGo2O4lMx
NvpxN+IVKbKhDYHknH4f59KBv4cVZuLK6R2vuAidUmEoY0H+IEWmwdQxqRommUNh
HYziSdcQgFEqWZ6HThqWPqJbvTHk3rX4viezex6TxfXBX88RgfHgxSLEV7xkJkHi
X2oM3kEylacb53p3wlXrtpvTwXheIPvquIgOF8LIRGlMk2Hjz+I0jVYPZQL9Pz87
+PmJ2pmTtYFK6FI3LZcxs2JOuUKKEOSv7U7WkRb40tSDlY0mD1DgGghiYuL7tPid
NbBRIKsrkvDGfvb1nL54QJ4Ej1J7yeYglxIoF7DW9l7bWgyIZfaIU0VesU9UpQUq
YX/iQi1Pt/y6ZCuRlAF2Xg9VLKW/94HWYdD8KKOc8113JeJnlcEOmYDBjbsIdSuK
R3hHVoKhZD+oDA2Hww/pDKeow0/9F6Zd/pxSZXxVcVvcT59y7T9XW18f0efZcBHf
T2V019/YkYN2RasgDjjw1r1OOjitQn5ktvbdZfNW9BXq8NJiwLd99A3coLZx1GTv
+Fl4up+v2d/zUKSXtvLfUyWjqem/keT6PKSBN4g9a5VyKLOj3Js=
=2Ci/
-----END PGP SIGNATURE-----
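The two advisories above (DSA-4224-1 for gnupg and DSA-4222-1 for gnupg2) cover the same flaw, CVE-2018-12020. The upstream advisory they link to explains the mechanism: the file name stored inside the signed or encrypted data was written to gpg's log output unescaped, so a name containing line feeds followed by "[GNUPG:] ..." text produced lines that look exactly like status lines. Any application that read status and log output from one descriptor (--status-fd 2 combined with --verbose) could not tell the fake lines from real ones. The Python below is an added example, not code from GnuPG or Debian. It shows the naive parse being fooled on a constructed merged stream, the strict parse rejecting that stream, and the invocation that keeps status on its own pipe; the gpg output strings, key ID, fingerprint and file name are all made up for the example, and the gpg binary is assumed to be on PATH.

```python
"""Added example (not GnuPG's or Debian's code): consuming gpg status
output without being fooled by injected status lines (CVE-2018-12020).
All gpg output below is constructed; the key ID, fingerprint and file
name are invented."""
import os
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "
FAKE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # made up


@dataclass
class VerifyResult:
    good: bool = False                      # saw GOODSIG
    fingerprint: Optional[str] = None       # first argument of VALIDSIG
    keywords: List[str] = field(default_factory=list)


def parse_status(stream: str, strict: bool = False) -> VerifyResult:
    """Interpret --status-fd output.

    strict=True treats any line without the status prefix as a protocol
    violation: on a dedicated status descriptor gpg writes nothing else,
    so such a line means the descriptors were merged (or text is being
    injected) and the result must not be trusted."""
    result = VerifyResult()
    for line in stream.splitlines():
        if not line.startswith(STATUS_PREFIX):
            if strict:
                raise ValueError(f"non-status line on status fd: {line!r}")
            continue
        words = line[len(STATUS_PREFIX):].split()
        if not words:
            continue
        result.keywords.append(words[0])
        if words[0] == "GOODSIG":
            result.good = True
        elif words[0] == "VALIDSIG" and len(words) > 1:
            result.fingerprint = words[1]
    return result


def accept(result: VerifyResult, allowed_fprs: Set[str]) -> bool:
    """Policy on top of the parse: GOODSIG plus an allow-listed VALIDSIG
    fingerprint. This cannot rescue a merged stream, because the attacker
    chooses the injected fingerprint as well."""
    return result.good and result.fingerprint in allowed_fprs


def gpg_verify_argv(status_fd: int) -> List[str]:
    """Argument vector that keeps status output off stderr: dedicated
    --status-fd, no --verbose, batch mode."""
    return ["gpg", "--batch", "--no-tty", "--no-verbose",
            "--status-fd", str(status_fd), "--verify"]


def run_verify(sig_path: str, data_path: str, allowed_fprs: Set[str]) -> bool:
    """Verify a detached signature with status on its own pipe. Needs gpg;
    not exercised by the offline checks."""
    r, w = os.pipe()
    proc = subprocess.Popen(gpg_verify_argv(w) + [sig_path, data_path],
                            pass_fds=(w,), stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.close(w)                              # parent keeps only the read end
    with os.fdopen(r, encoding="utf-8", errors="replace") as status:
        text = status.read()
    proc.wait()
    return accept(parse_status(text, strict=True), allowed_fprs)


def percent_escape(s: str) -> str:
    """gpg percent-escapes CR, LF and '%' inside status-line arguments."""
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


# Constructed: a file name carrying fake status lines, ending in "gpg: " so
# the closing quote of the log line looks like a harmless new log line.
INJECTED_NAME = (
    "report.txt\n"
    f"{STATUS_PREFIX}GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
    f"{STATUS_PREFIX}VALIDSIG {FAKE_FPR} 2018-06-08 1528454400 0 4 0 1 10 01 {FAKE_FPR}\n"
    f"{STATUS_PREFIX}TRUST_FULLY 0 classic\n"
    "gpg: "
)

# Constructed: stderr before the fix with --status-fd 2 --verbose, genuine
# status lines interleaved with the log line that prints the raw name.
MERGED_STREAM = (
    f"{STATUS_PREFIX}BEGIN_DECRYPTION\n"
    f"gpg: original file name='{INJECTED_NAME}'\n"
    f"{STATUS_PREFIX}PLAINTEXT 62 1528454400 {percent_escape(INJECTED_NAME)}\n"
    f"{STATUS_PREFIX}DECRYPTION_OKAY\n"
    f"{STATUS_PREFIX}END_DECRYPTION\n"
)

# Constructed: the same run with status on a dedicated descriptor. The log
# line never reaches the parser and the name in PLAINTEXT is escaped.
DEDICATED_STREAM = (
    f"{STATUS_PREFIX}BEGIN_DECRYPTION\n"
    f"{STATUS_PREFIX}PLAINTEXT 62 1528454400 {percent_escape(INJECTED_NAME)}\n"
    f"{STATUS_PREFIX}DECRYPTION_OKAY\n"
    f"{STATUS_PREFIX}END_DECRYPTION\n"
)
```

The strict mode is the part worth copying: a consumer that owns the status pipe should never see a line without the prefix, so turning that condition into a hard failure converts a misconfigured pipeline (or an injection attempt) into a refused verification instead of a silently accepted one.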
[SECURITY] [DSA 4191-2] redmine regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4191-2                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
Debian Bug     : 900283

The redmine security update announced as DSA-4191-1 caused regressions
with multi-value fields while doing queries on project issues due to a
bug in the patch to address CVE-2017-15569. Updated packages are now
available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 3.3.1-4+deb9u2.

We recommend that you upgrade your redmine packages.

For the detailed security status of redmine please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redmine

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsTpTxfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TXOg/9GNJ9+29acRbuozEZZyqzK56a5kCyKws69Td+TYNMMYWKgDtNARHVhs31
yH/eGID7Er3MfxkME85OQrfwCLYSaJOHBnOglIicf2dqUi6F2/pee/nfnAGad7th
7L58ohdGuOfH/vZn0BEXzsbpWiAiX03jxwZll1vbTVjNrjaejO/H8dbo10IiQ40B
QJUeSPVzvOrZQ916H9p7gaQj8QUwc1UwT4ZgXTYICX1Md/rxn7WLCNV8tkxBYOqZ
8TCEIx1XQlGc4nkOe05vB09rLQGI9tPSk3o6gsJser15Kc3SqFZ4IfUvROBrwOOS
cAKp8FoyVs4jsLsIedUA7GkN3jai+tvhahLWTH0ap8ayhnF5KIVQxllrE1g0UklH
QNv7BytSRyb0hyvwkZpN9cXMC5H5tEbEKrCC36v8tbt4Nkf/Q72nHfowRuIOwTV7
TZrza15NEJLKtStLfzF5c2plWxs0ULBmDQ9cNiFHC+d54MqBr2PCYb3386dnwP3y
5Us+pBhDsHQ2/cWe2Vj0RsDt70k8TSWNBdxnsvoZZtYE3h0i2gAD00mR5wMJWa1y
3sG6I+D1cnBBPQW5GqrvFm9mx28PdgSGi8NipLJeeTOr3HXLlGOPIp9mWQAxqg//
oNV5IZkJahG0KSXCPJ7l/k7yXw2hdVdLIns9DhaG4b/d1keTBSc=
=6iKm
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4216-1] prosody security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4216-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 02, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2018-10847
Debian Bug     : 900524

It was discovered that Prosody, a lightweight Jabber/XMPP server, does
not properly validate client-provided parameters during XMPP stream
restarts, allowing authenticated users to override the realm associated
with their session, potentially bypassing security policies and allowing
impersonation.

Details can be found in the upstream advisory at
https://prosody.im/security/advisory_20180531/

For the oldstable distribution (jessie), this problem has been fixed in
version 0.9.7-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u2.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsS59lfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q2xA//cqTm2GZYDmK4TI03zJ2n5km2o7IbHXvclgabl82I3XlhyAhf2pG/b5NS
L/B3anqledd8+mJbgIBbJ6UoBi9TUMYTDBItbKXEE+GUEnp0avEPEbi5ukoAogWI
F4Z8ourLACU7nNYHQPfxw2UatKdDcCDM2NPgRvN2/tHiTlPbJhm+E5q6byNPMavC
naz0fzYnJhYagl13sy2cdWTt7F2H1+Cn45766iwcnR4vYO7uRVKB/siT7fgtbwPB
2DbTuuYujk3pfkrofS0T0Onff5PHKm4T3/mTRFbbJQySQHNZv5tz1vSqz7P1G6L4
169QQfa/5DNn5HkkT3dNAZvrunEdcZrERxPTMLthe2JM6NKUHP7eG3figWsvFoHM
3AK7jdiwHHXIzgURLR1igwcATRoDCZ3RnaMQqhXMF5ZvettrJmhMNjgKOAd934DE
gQs7MLISzzjqfO/DXZoGHClbl7R6gsAgwWnOnm+15V2yMJVmoTWNWRmNs0/Ho/0T
LvkIyd4uhMlk+SaKW6l+c2BblTkUZ5F7Dtt1l2qPQiZ3/VjCCQXQKoBh29yuxTn7
GccU3HvKkCCtMsZF6nJPr0Gu5ygWMb2R32MkFvRDnSpW8s2ITKBXunSs3+Y/B8JB
XtWCCUBTAagrOh/elgZ+ZdFAqNCsHyFzt6yL1ihKK3oCN95QcOE=
=aITq
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4218-1] memcached security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4218-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
CVE ID         : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
Debian Bug     : 868701 894404

Several vulnerabilities were discovered in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-9951

    Daniel Shapira reported a heap-based buffer over-read in memcached
    (resulting from an incomplete fix for CVE-2016-8705) triggered by
    specially crafted requests to add/set a key and allowing a remote
    attacker to cause a denial of service.

CVE-2018-1000115

    It was reported that memcached listens to UDP by default. A remote
    attacker can take advantage of it to use the memcached service as a
    DDoS amplifier.

    Default installations of memcached in Debian are not affected by this
    issue as the installation defaults to listen only on localhost. This
    update disables the UDP port by default. Listening on UDP can be
    re-enabled in /etc/memcached.conf (cf.
    /usr/share/doc/memcached/NEWS.Debian.gz).

CVE-2018-1000127

    An integer overflow was reported in memcached, resulting in resource
    leaks, data corruption, deadlocks or crashes.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.4.21-1.1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.33-1+deb9u1.

We recommend that you upgrade your memcached packages.

For the detailed security status of memcached please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/memcached

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsYLGtfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q+HhAAoEuUicW14NzDTX0yGH8ZluMAK4Woha1rODMJdchudHtMfTiqIhTfZhUk
Gs8mOrR67F7XNKJx78DmIp7s1LNclwxbAt/UlUV3m+TaV3udK2Ai16kIaNms3soj
JEkJI9W0w7EyG4q0oyvAaEDDRPP25m3LiO05mW2qDOZUpKYdGLxnONTFngMJ/3Ov
bTNo8cUR203wyCSxyPv1Ye1Lr7anM61OzmUTg7pnE5a4e5D4ojrVx8Fjox43ppfa
KIcdqtJCZ3jTZaBqgKc2XhuhbDoOv8/apWDqefqxWI+S0GiQHvS2PuWY5q5b79AW
Xkppog9Q0NGj1Z6BX/G+LOwDGsp/kLtD+59rYdThBW2J5cKMrNOtgHlP6QjRfDYY
TWQPTWJzbWvOLiNBqtmN+Ryvcwvi11dSl8OsY/7Kh430zwE4q2/I9IMvZ0emRFXx
zw2QzlrpI5v753geHrV1UktPU8Wb/UWZbPZBCqmhTF5awLWY8NgcYZ5VowMuUqOG
ODLQ+dN0MKlV/qQPC3VyGMruY8zLt7X8a2UPINI6R1qL0bJ6CVwGCAgIFVo1OyTp
Yo6VXgYb0cIxmimh0q4up25FSXqXCh9ppbgZsvdFdAw4+zy1m9B0TprWJf+SRoms
LYwT76G0a8yuBnzMF616PQsi1yR6eKTRGKXxY9Si9Ai5JfYtJZM=
=HIAh
-----END PGP SIGNATURE-----
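The CVE-2018-1000115 text above describes two conditions that together make a memcached instance an amplifier: UDP enabled and a listen address reachable from outside. The Python below is an added example, not memcached's or Debian's code. It parses a Debian-style /etc/memcached.conf (one command-line option per line), works out the effective UDP port and listen addresses, and reports exposure; it also builds the 8-byte-header UDP datagram an external check would send to confirm the service no longer answers. The configuration texts are constructed for the example; the switch for turning UDP off, -U 0, is memcached's own.

```python
"""Added example (not memcached's or Debian's code): auditing a Debian-style
/etc/memcached.conf for the UDP amplification exposure in CVE-2018-1000115
and building the datagram an external probe sends. The configuration
texts below are constructed for this example."""
import ipaddress
import socket
import struct
from typing import Dict, List

DEFAULT_PORT = 11211


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Debian's memcached.conf holds one option per line ('-U 0',
    '-l 127.0.0.1'); '#' starts a comment. Non-option lines such as
    'logfile /var/log/memcached.log' are ignored here."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def udp_port(opts: Dict[str, List[str]]) -> int:
    """Effective UDP port; '-U 0' disables UDP. For the 1.4.x releases in
    this advisory UDP is on by default and, when only -p is given, follows
    the TCP port (upstream 1.5.6 later changed the default to off)."""
    if "-U" in opts:
        return int(opts["-U"][-1])
    return int(opts["-p"][-1]) if "-p" in opts else DEFAULT_PORT


def listen_addrs(opts: Dict[str, List[str]]) -> List[str]:
    """All -l values; memcached accepts repeated -l options and
    comma-separated lists. An empty result means 'every interface'."""
    addrs: List[str] = []
    for value in opts.get("-l", []):
        addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def is_loopback(addr: str) -> bool:
    host = addr
    if host.startswith("["):                 # [::1]:11211
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # 127.0.0.1:11211
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # a hostname: assume reachable
        return False


def audit(conf_text: str) -> dict:
    """Exposed means: UDP enabled and at least one non-loopback (or
    unrestricted) listen address."""
    opts = parse_conf(conf_text)
    port = udp_port(opts)
    addrs = listen_addrs(opts)
    reachable = not addrs or any(not is_loopback(a) for a in addrs)
    return {"udp_port": port, "listen": addrs,
            "udp_exposed": port != 0 and reachable}


def udp_frame(payload: bytes, request_id: int = 0) -> bytes:
    """memcached's UDP framing: four big-endian 16-bit fields (request id,
    sequence number, datagram count, reserved) then the text command."""
    return struct.pack("!HHHH", request_id, 0, 1, 0) + payload


def probe_udp(host: str, port: int = DEFAULT_PORT, timeout: float = 2.0) -> bool:
    """True if the host answers 'stats' over UDP, i.e. it can still be used
    as an amplifier. Sends network traffic; not exercised by the checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(udp_frame(b"stats\r\n", request_id=1), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return len(data) > 8 and data[:2] == b"\x00\x01"   # reply echoes the id


# Constructed configurations: Debian's pre-update default (UDP on, but
# bound to localhost), the same opened to all interfaces, and the latter
# with the update's UDP-off setting added.
CONF_DEBIAN_DEFAULT = """# memcached default config file
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
"""
CONF_PUBLIC_NO_U = CONF_DEBIAN_DEFAULT.replace("-l 127.0.0.1", "-l 0.0.0.0")
CONF_PUBLIC_FIXED = CONF_PUBLIC_NO_U + "-U 0   # UDP off\n"
```

Run audit() against the real file on a host and, from a second host, probe_udp() against its address: a box that is "not exposed" by the config audit but still answers the probe is running a different configuration than the file suggests (for instance an override in the init script), which is exactly the kind of drift this check is meant to catch.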
[SECURITY] [DSA 4188-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4188-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 01, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193
                 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224
                 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066
                 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108
                 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740
                 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781
                 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes running
    on the system.

    This specific attack has been named Spectre variant 2 (branch target
    injection) and is mitigated for the x86 architecture (amd64 and i386)
    by using the "retpoline" compiler feature which allows indirect
    branches to be isolated from speculative execution.

CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes running
    on the system.

    This specific attack has been named Spectre variant 1 (bounds-check
    bypass) and is mitigated by identifying vulnerable code sections
    (array bounds checking followed by array access) and replacing the
    array access with the speculation-safe array_index_nospec() function.
    More use sites will be added over time.

CVE-2017-17975

    Tuba Yavuz reported a use-after-free flaw in the USBTV007 audio-video
    grabber driver. A local user could use this for denial of service by
    triggering failure of audio registration.

CVE-2017-18193

    Yunlei He reported that the f2fs implementation does not properly
    handle extent trees, allowing a local user to cause a denial of
    service via an application with multiple threads.

CVE-2017-18216

    Alex Chen reported that the OCFS2 filesystem failed to hold a
    necessary lock during nodemanager sysfs file operations, potentially
    leading to a null pointer dereference. A local user could use this
    for denial of service.

CVE-2017-18218

    Jun He reported a use-after-free flaw in the Hisilicon HNS ethernet
    driver. A local user could use this for denial of service.

CVE-2017-18222

    It was reported that the Hisilicon Network Subsystem (HNS) driver
    implementation does not properly handle ethtool private flags. A
    local user could use this for denial of service or possibly have
    other impact.

CVE-2017-18224

    Alex Chen reported that the OCFS2 filesystem omits the use of a
    semaphore and consequently has a race condition for access to the
    extent tree during read operations in DIRECT mode. A local user could
    use this for denial of service.

CVE-2017-18241

    Yunlei He reported that the f2fs implementation does not properly
    initialise its state if the "noflush_merge" mount option is used. A
    local user with access to a filesystem mounted with this option could
    use this to cause a denial of service.

CVE-2017-18257

    It was reported that the f2fs implementation is prone to an infinite
    loop caused by an integer overflow in the __get_data_block()
    function. A local user can use this for denial of service via crafted
    use of the open and fallocate system calls with an FS_IOC_FIEMAP
    ioctl.

CVE-2018-1065

    The syzkaller tool found a NULL pointer dereference flaw in the
    netfilter subsystem when handling certain malformed iptables
    rulesets. A local user with the CAP_NET_RAW or CAP_NET_ADMIN
    capability (in any user namespace) could use this to cause a denial
    of service. Debian disables unprivileged user namespaces by default.

CVE-2018-1066

    Dan Aloni reported to Red Hat that the CIFS client implementation
    would dereference a null pointer if the server sent an invalid
    response during NTLMSSP setup negotiation. This could be used by a
    malicious server for denial of service.

CVE-2018-1068

    The syzkaller tool found that the 32-bit compatibility layer
[SECURITY] [DSA 4180-1] drupal7 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4180-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 25, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2018-7602
Debian Bug     : 896701

A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.org/sa-core-2018-004

For the oldstable distribution (jessie), this problem has been fixed in
version 7.32-1+deb8u12.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u4.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrg1NVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qsaw/+MUBRyJRiMPeFg5wk+1wjZcZAf55OIkeJb9QgJoI4rshAQf7aB+gi7O0z
3r/0Q+IOTXh3VtCLWKOCg4kSDd03OZhVGVYwlkaZ3GyvVSD5WFhphtWV7p6ePzcm
DbR4B1gOiDGR5MsWXw6PWxBuhgsppTVFXmyrA6hloEebIKXKwDU3HY5h2ZpBoAR8
GYjk3SQZbuODkjRZitPKxiu0fBriN5qz/tIhvMGjNFZHmJ3UVF877gou6kD2cV36
WjgUWhzg+JxZ/9gQ5aKzuO4yMBlaXuNCsIxvuEU3Gw3FeJIA/Sos0iGgvXR7p7iE
PBtKWisc0z1f0Vt48jxR22C6sfvoxzrVjRD3ylwYMZPR2CkFoklKPGNC9Plfj5mG
KcKOSAIfIv/1dXCDsddjY8zIrvTaJGokHmdkeNDTNFVfcEcDT5/vDwstWwBVheq6
7uFoJvHkWp+/oL4ysZT7pAk5Z+Lg1dkZ2IBxI7nJILPx81SIGzK0yGrrmTOVwtfZ
L7xlFSQMDIhu9941GOZu8OC/gLQGqdsnNr28Bl2rMcZfAHwgCVkzof61kAi3eddG
X/WC1EufxfLgJodRPuOuBsoxBDa76uli0vV2oh0DECD2oehMVEuDckr3q2npWWJ/
UNEOzBuxkWWO+HI2lwaNuKXkJQYlFoeHJKQvaHe97Ofsyvmut/Q=
=Xddc
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4181-1] roundcube security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4181-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2018-9846
Debian Bug     : 895184

Andrea Basile discovered that the 'archive' plugin in roundcube, a
skinnable AJAX based webmail solution for IMAP servers, does not properly
sanitize a user-controlled parameter, allowing a remote attacker to
inject arbitrary IMAP commands and perform malicious actions.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u2.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrkD/VfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TqIg/+J7QKaTDGTrtXrd0PcOLYZnuag7l5Wj+QXispJDNQ9v6Plxp4x0lFW5EC
HC110TE1lg9cXHH6SV0EVrY1kPDao0dUiemL3BNRW+7RxEMF3J0Hw7qBjt8YxQtV
+Ef9c7FXJ5IcSBvDFs6wz0WKjzaHzvY7WrGt20lujKf+2BhWapTp7sv4tBhGkdEv
piJZlkL5jXzAurvKfw9YKFUEQ0xJg/8VUwEyaHbUNFX3SKgHwM+yB5woz+hoPNCm
8yNvOjfl006rStfQcxLMk3G+d6mGLin6BF/Tx7sTh2QQnMKSfR2Ym/WZvYJyDZd+
M3ekHlIQcaAM+Up5Za1uUSIB5X0aErroMTW8WSYE8wTC920xmgFMmoFVMa0EI/aY
dGQrFu2JfA2rZw3pLX7TjkHPAg0aL50paAJ63G0zabehYSMQE6Pt603RrHA+8Dkb
EvnfgCZlGXUrUAGrhHuGYJiKK4lD33/4NWEi1JdPLwlxkUZMqEXn2k5cDGdZmhlK
utn2TtlKKyTD2AgOyp6/b6mi6FJr3VtX/lWOksfODwaL/BElWL1T+gc8Ldz4Qit3
+TRRQGPRtlJrGOnqBxrxU8l+ImLTxpvvFPlA48vdA1yPjT9xzTpx+Ig2KGBuaFer
JIo6n5RcPsLFtac9ym+pwlWHQNcBqebG8SFoZ5KgnbP/ENtbTcw=
=xeJP
-----END PGP SIGNATURE-----
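The roundcube advisory above describes the classic shape of IMAP command injection: a request parameter copied into a command string, so a CRLF inside it terminates the command and whatever follows is executed as a second one. The Python below is an added example, not Roundcube's code. The advisory does not name the parameter or the command, so the example assumes the two values an archiving action typically sends, a message UID set and a target mailbox name, and shows the unsafe interpolation next to a strict sequence-set validator for the first and an IMAP astring encoder for the second, plus a small model of how a server splits the byte stream into commands so the difference is visible. All inputs are constructed.

```python
"""Added example (not Roundcube's code): keeping user-controlled values
out of the IMAP command grammar. The parameter in the advisory is not
named; a UID set and a mailbox name are assumed here. Inputs are
constructed."""
import re
from typing import List

# RFC 3501 sequence-set: nz-number or '*', optional ':' range, comma list.
_SEQ_NUMBER = r"(?:\*|[1-9][0-9]*)"
_SEQ_SET = re.compile(
    rf"{_SEQ_NUMBER}(?::{_SEQ_NUMBER})?(?:,{_SEQ_NUMBER}(?::{_SEQ_NUMBER})?)*")
_LITERAL_TAIL = re.compile(rb"\{(\d+)\}\r\n\Z")


def validate_uid_set(value: str) -> str:
    """Accept only a syntactically valid sequence-set. fullmatch, not
    match with '$': '$' would let a trailing newline through."""
    if not _SEQ_SET.fullmatch(value):
        raise ValueError(f"not an IMAP sequence-set: {value!r}")
    return value


def imap_astring(value: str) -> bytes:
    """Encode arbitrary text as an IMAP astring: a conservative atom when
    possible, a quoted string (escaping '\\' and '"') for other printable
    ASCII, otherwise a synchronizing literal {n}, the only form that can
    carry CR, LF or 8-bit bytes. A client must wait for the server's '+'
    before sending a literal's data (or use {n+} with LITERAL+)."""
    data = value.encode("utf-8")
    if b"\x00" in data:
        raise ValueError("NUL is not allowed in IMAP strings")
    if re.fullmatch(rb"[A-Za-z0-9._-]+", data):
        return data
    if all(0x20 <= b <= 0x7E for b in data):
        return b'"' + data.replace(b"\\", b"\\\\").replace(b'"', b'\\"') + b'"'
    return b"{%d}\r\n%s" % (len(data), data)


def build_uid_move_unsafe(tag: str, uid_set: str, mailbox: str) -> bytes:
    """The vulnerable shape: parameters dropped straight into the command,
    so CRLF in either one ends the command and starts another."""
    return f"{tag} UID MOVE {uid_set} {mailbox}\r\n".encode("utf-8")


def build_uid_move(tag: str, uid_set: str, mailbox: str) -> bytes:
    """UID MOVE (RFC 6851) with both parameters made inert."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError("bad tag")
    return b"%s UID MOVE %s %s\r\n" % (
        tag.encode("ascii"),
        validate_uid_set(uid_set).encode("ascii"),
        imap_astring(mailbox))


def split_commands(wire: bytes) -> List[bytes]:
    """Model of a server's tokeniser: a command ends at CRLF unless the
    line ends with a literal header {n}, in which case the next n bytes
    are data and the same command continues."""
    commands: List[bytes] = []
    current, pos = b"", 0
    while pos < len(wire):
        end = wire.index(b"\r\n", pos) + 2
        current += wire[pos:end]
        pos = end
        m = _LITERAL_TAIL.search(current)
        if m:
            n = int(m.group(1))
            current += wire[pos:pos + n]
            pos += n
            continue
        commands.append(current)
        current = b""
    return commands
```

The validator is deliberately a whitelist of the grammar rather than a blacklist of CR and LF: a UID set has no business containing spaces, quotes or parentheses either, and rejecting everything outside the grammar is what makes the command string boring again.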
[SECURITY] [DSA 4183-1] tor security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4183-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2018-0490

It has been discovered that Tor, a connection-based low-latency
anonymous communication system, contains a protocol-list handling bug
that could be used to remotely crash directory authorities with a
null-pointer exception (TROVE-2018-001).

For the stable distribution (stretch), this problem has been fixed in
version 0.2.9.15-1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrkGXFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TpCA//fKRGHY+MMVk7QAkWJZgxSovG7R9J1mcq5c29kvzaYJRFxmRH5/ru91t1
/Hr4UCSTKfVwyVhb6soV9hvgTf+Zr6/fJSa1cX3zIqKrlEnZfwby6ssE4vO22YYQ
8pJKucGqPcuE3SmzxX+zuEFhrbINzru3vfB0NXeZRnrGrbUUdyBIcL/gllXMdFIF
jVREw3Ma74/DpsMrzft6kdXwEyYyFckBScYkhmU0b2d8u/qp0LyKpiOrx6dIWBlX
s4LX8H+JLEcvjuCub/uiy8CiZFGwW/6L/zIAx8j1ozhbYleGychN8U3GL4Mp0NWe
hxu+7gZME+KMPubR5PcMECcB+JTz2kUKGb3zwkoZRVKeuBr70/7Pl0h+upBLOKcB
rEr3ucuTl+57edh2uHWaPtzFg26KNX6ZmMCR+j7OAo01j0btfybmJ1TtxLqVCAaz
cAkT1gPE5xUoGoXJv/JaAj2yubmBf1pU7YYOxAf+XD+6weN8zfb+sPFv2RwZ6llj
GNPNavaK48bG8Gdb3tTwa/xyov51vSyurvaEQkTtnrmsZTRQrYU3enb7hqoTYIM8
tN2wl8BnseQMhKc2XSRvqTpel0fyJngMy5cyEgsSiFvNrnXxLkQo8/t8EMvb96lY
q7xM9X67thDv90FR7SmjJvdykEkgKefuL/tw4Ls5NoIgzNpVyzA=
=3Nub
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4184-1] sdl-image1.2 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4184-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sdl-image1.2
CVE ID         : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
                 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3837
                 CVE-2018-3838 CVE-2018-3839
Debian Bug     : 878267

Multiple vulnerabilities have been discovered in the image loading
library for Simple DirectMedia Layer 1.2, which could result in denial
of service or the execution of arbitrary code if malformed image files
are opened.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.2.12-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 1.2.12-5+deb9u1.

We recommend that you upgrade your sdl-image1.2 packages.

For the detailed security status of sdl-image1.2 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/sdl-image1.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrkyb1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TZog//ayJ8Vts0SVEvs7XESknn5WiaV5vVQrXolV/TtAgE/P44dIsSWc69KF9H
Ekow/khSG+IAWmDsvTPNQhuzaukmdANGwSmr5zBU0mrnAI8k+yGzsGEGcN6WntUx
O2hVSxN1VwpuPwFKll0Xcl4gESFwGE9b/67frQVj7ESoAzJ+Ox7Z6Y7I24DOvSbr
86Sxw6cD3X6gm33qKsvwq2cQX/ra1VLQGNiMvxgt0m5c0Nfru4kjwLIOu2dJtaJG
WBqag5uwJxYxQJg9tll3Fb5oSqcTRAeLjkK3ucNbiMqmOotGekMY139wKkUJikrD
ZQNAdm1pmRwBJUy37eKIU9ZdF0pYAiOVDozrlGHVdxuijwLpMOAgE7AAmnFw86pS
TOIBekAZghasNIt+fUhgV5clg2FE+g4sz34QYu8d4tavnQstcTJB2mn/LqVKvB7T
asX+WbxjtNTZ7tqhGYYNlfGFC6LfVzULowK0ESDttuuKajUqLWqvWh/16E5LpP8L
GIQYqq21jDTtKNiCjiqpgYOD4oQKxpvxG9htbIzEznjZwvpnuUlcf+MQiXirYTzM
fXBRGAmo1Bsh9fQDZJqiuG7SZ7cMpvgXdiV1cAHqgFrskqJJd85FsCgyVqbDa1fv
amJNEe+EkEsKitITbzKsty2CxeseEauTJtui0TGqtOL9Uhj8xFo=
=oVng
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4003-1] libvirt security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4003-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 19, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libvirt
CVE ID         : CVE-2017-1000256
Debian Bug     : 878799

Daniel P. Berrange reported that Libvirt, a virtualisation abstraction
library, does not properly handle the default_tls_x509_verify (and
related) parameters in qemu.conf when setting up TLS clients and servers
in QEMU, resulting in TLS clients for character devices and disk devices
having verification turned off and ignoring any errors while validating
the server certificate.

More information at https://security.libvirt.org/2017/0002.html

For the stable distribution (stretch), this problem has been fixed in
version 3.0.0-4+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.8.0-3.

We recommend that you upgrade your libvirt packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlno9OVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QRyw/6A2XRsNCEoahfEg5jb1CwR7zi3kTQ4sb5jcgXXQqPReLJmAjoa3cwt9lJ
h7TYzcoggNV70DcqMkhjAM+KpQtuAdedxARLgto/uirFrDbvt+JODlvwccJ9eXBp
PNqi4WX8KqrwOONTvl9kFeyqm+b44LL4cuv0pJ3jBknt48d0rWy44OhjGQ/Yn2mH
J90gRbKPel1GRGG+/aypMCP1Waplr7g126GSvu7hXaLBxQjp5Y7AKXcbIE7EpX2S
DM4R+4oTaqhfumTlP+2f9eqw7pJveqplANQZF0wWq5bWeCVIcuMLNDqmXxXef/PY
+0oiBMmjNq0Bj8RUXRdQUCv+EqQoIsGRPDPg2+fmR24jYNTgjufAm3Qkix/R6/6U
nwz6zQsJ3TqKLYFfdisjr9o3AVFzLg8/UNX/ypTEGv9J7ZPx3q29sG7FGPW4pyGI
Iet1o3kqJ2eA/hCnCXbGJIXFoQibZKFHCtDUC+HM84XQs+XB96cI1D0BxHbXur11
VZQ9SZ4627v4XyS3ROCWr57RYin9lCRcCAMgASQHuEmFS25xy1THEph53QT8ynvL
Yann1IhOgqzjHHXMdgcH1Rq5jARseiHTrOq+Gt1LHMvbpGvhqdYRXLCVSGTp4vAH
e/jP2M46z82K2jiv7XcQ3Tq6wp2OaTrAjHFWni/+xCX21qyVYZQ=
=A8fk
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4002-1] mysql-5.5 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4002-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 19, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
Debian Bug     : 878402

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.58, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible changes.
Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update
advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.58-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlno3SRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q+HQ/+P/0IcQyp2tYhAgi5TcF7XrjLEfVJkfD+35CGH1BbGtABE8fPSM6+tFgd
bp7rGXF2xLThokC91auLudPwgMeZ93nrc0P2pHMwyfGlPECAXa7803eVQF34S24H
UkVWND3xKFKLfYsLiJU7PDo9pBCfePqivu5RT7/GrogrDTkmYK9RCc9WNdFcJlaZ
eAqZWI6FznDjNf6uU3YJ5kHWIhxvURPoBXggrpZVQ8xcK1PxzG1327Fq+dxnYGi8
30iIDZ0i2hV1tTjioP8C2UfLZXtTo/BewW+OSkIw9gh+syk18a932v3kLEhAOj20
Hg8asnklrqimM5CdKM1C5FCqJCVUWgp/KmlTI9a0HM1XIcAHwfxwi4QGGR1nBuTl
2t4LIVsw7UMqIgcrmaXYffcDHRhBqMl5a2LdPu6ku/kzkXzMet9zWnFD2lbyWwaM
EC6IWTNFltU/QyQ4Rz5/s/Q+TEpZX68t+oUXtipx+UthRVm0QJJ+4savicbmtxzY
LEC42BhkIylJHizH4f91qzuVROffGzG5/UEV/t81zEnnBHV5MR6bA9QjAvS5NMO7
D4E0Vy0uYmehMS+ne+PwriDkKLGRrkvBZzIl/joHrBgqDrjk3HSBO1PtR5EGtL8O
HXktLgF69LiYTgNU5XMtSF80letbz2HrXYpMkNoO9cR4odyuDSo=
=4QVw
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4082-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4082-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 09, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2017-5754 CVE-2017-8824 CVE-2017-15868 CVE-2017-16538
                 CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450
                 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806
                 CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-5754

    Multiple researchers have discovered a vulnerability in Intel
    processors, enabling an attacker controlling an unprivileged process
    to read memory from arbitrary addresses, including from the kernel
    and all other processes running on the system.

    This specific attack has been named Meltdown and is addressed in the
    Linux kernel for the Intel x86-64 architecture by a patch set named
    Kernel Page Table Isolation, enforcing a near complete separation of
    the kernel and userspace address maps and preventing the attack.
    This solution might have a performance impact, and can be disabled
    at boot time by passing `pti=off' to the kernel command line.

CVE-2017-8824

    Mohamed Ghannam discovered that the DCCP implementation did not
    correctly manage resources when a socket is disconnected and
    reconnected, potentially leading to a use-after-free. A local user
    could use this for denial of service (crash or data corruption) or
    possibly for privilege escalation. On systems that do not already
    have the dccp module loaded, this can be mitigated by disabling it:

    echo >> /etc/modprobe.d/disable-dccp.conf install dccp false

CVE-2017-15868

    Al Viro found that the Bluetooth Network Encapsulation Protocol
    (BNEP) implementation did not validate the type of the second socket
    passed to the BNEPCONNADD ioctl(), which could lead to memory
    corruption. A local user with the CAP_NET_ADMIN capability can use
    this for denial of service (crash or data corruption) or possibly for
    privilege escalation.

CVE-2017-16538

    Andrey Konovalov reported that the dvb-usb-lmedm04 media driver did
    not correctly handle some error conditions during initialisation. A
    physically present user with a specially designed USB device can use
    this to cause a denial of service (crash).

CVE-2017-16939

    Mohamed Ghannam reported (through Beyond Security's SecuriTeam Secure
    Disclosure program) that the IPsec (xfrm) implementation did not
    correctly handle some failure cases when dumping policy information
    through netlink. A local user with the CAP_NET_ADMIN capability can
    use this for denial of service (crash or data corruption) or possibly
    for privilege escalation.

CVE-2017-17448

    Kevin Cernekee discovered that the netfilter subsystem allowed users
    with the CAP_NET_ADMIN capability in any user namespace, not just the
    root namespace, to enable and disable connection tracking helpers.
    This could lead to denial of service, violation of network security
    policy, or have other impact.

CVE-2017-17449

    Kevin Cernekee discovered that the netlink subsystem allowed users
    with the CAP_NET_ADMIN capability in any user namespace to monitor
    netlink traffic in all net namespaces, not just those owned by that
    user namespace. This could lead to exposure of sensitive information.

CVE-2017-17450

    Kevin Cernekee discovered that the xt_osf module allowed users with
    the CAP_NET_ADMIN capability in any user namespace to modify the
    global OS fingerprint list.

CVE-2017-17558

    Andrey Konovalov reported that the USB core did not correctly handle
    some error conditions during initialisation. A physically present
    user with a specially designed USB device can use this to cause a
    denial of service (crash or memory corruption), or possibly for
    privilege escalation.

CVE-2017-17741

    Dmitry Vyukov reported that the KVM implementation for x86 would
    over-read data from memory when emulating an MMIO write if the
    kvm_mmio tracepoint was enabled. A guest virtual machine might be
    able to use this to cause a denial of service (crash).

CVE-2017-17805

    It was discovered that the Salsa20 block cipher implementation did
    not correctly handle zero-length input. A local user could use this
    to cause a denial of service (crash) or possibly have other security
    impact.

CVE-2017-17806

    It was discovered that the HMAC implementation
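The DCCP mitigation quoted under CVE-2017-8824 above has two conditions attached to it that are easy to miss: it only helps on systems where the module is not already loaded, and it works because an install line makes modprobe run a command (false) instead of loading the module, which a plain blacklist line does not do. The Python below is an added example, not Debian's or the kernel's code. It reads a /proc/modules listing and a set of modprobe.d fragments and says whether a named module is actually blocked; the listings and fragments are constructed for the example, the one for the advisory's own one-liner being the line that command appends.

```python
"""Added example (not Debian's or the kernel's code): checking whether the
modprobe.d mitigation for a kernel module really blocks it. The
/proc/modules and modprobe.d texts below are constructed."""
from typing import Iterable, Tuple

# Commands an install line can run that load nothing; the advisory's
# one-liner uses the bare 'false', resolved through PATH by modprobe's shell.
_NOOP_COMMANDS = {"false", "true", "/bin/false", "/bin/true",
                  "/usr/bin/false", "/usr/bin/true"}


def _canon(name: str) -> str:
    """'-' and '_' are interchangeable in module names."""
    return name.replace("-", "_")


def module_loaded(proc_modules: str, name: str) -> bool:
    """/proc/modules lists one loaded module per line, name first."""
    return any(_canon(line.split()[0]) == _canon(name)
               for line in proc_modules.splitlines() if line.strip())


def modprobe_policy(conf_texts: Iterable[str], name: str) -> str:
    """Classify what the modprobe.d fragments say about a module:
      'install-blocked': an 'install <mod> <cmd>' whose cmd loads nothing,
                         so neither 'modprobe <mod>' nor a kernel request
                         (e.g. socket() asking for a protocol) loads it;
      'install-other'  : an install line running some other command;
      'blacklisted'    : only 'blacklist <mod>', which hides the module's
                         own aliases but leaves 'modprobe <mod>' and
                         dependency loads working;
      'loadable'       : nothing mentions it."""
    blacklisted = False
    for text in conf_texts:
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if len(parts) < 2 or _canon(parts[1]) != _canon(name):
                continue
            if parts[0] == "install":
                cmd = " ".join(parts[2:])
                return "install-blocked" if cmd in _NOOP_COMMANDS else "install-other"
            if parts[0] == "blacklist":
                blacklisted = True
    return "blacklisted" if blacklisted else "loadable"


def assess(proc_modules: str, conf_texts: Iterable[str], name: str) -> Tuple[bool, str]:
    """(mitigated, reason) in the sense the advisory uses: the install line
    prevents future loads and does nothing for a module already loaded."""
    if module_loaded(proc_modules, name):
        return False, f"{name} is already loaded; the install line only prevents future loads"
    policy = modprobe_policy(conf_texts, name)
    if policy == "install-blocked":
        return True, f"{name} cannot be loaded on demand or by modprobe"
    if policy == "blacklisted":
        return False, f"{name} is blacklisted but 'modprobe {name}' still loads it"
    if policy == "install-other":
        return False, f"{name} has an install line that may still load it"
    return False, f"{name} can be loaded on demand"


# Constructed /proc/modules listings (name size refcount users state addr).
PROC_MODULES_CLEAN = (
    "ipv6 450560 30 - Live 0x0000000000000000\n"
    "nf_conntrack 131072 2 nf_nat,xt_conntrack, Live 0x0000000000000000\n"
)
PROC_MODULES_DCCP = PROC_MODULES_CLEAN + (
    "dccp_ipv4 24576 0 - Live 0x0000000000000000\n"
    "dccp 98304 1 dccp_ipv4, Live 0x0000000000000000\n"
)

# What the advisory's echo one-liner appends, and the weaker alternative.
MODPROBE_FROM_ADVISORY = "install dccp false\n"
MODPROBE_BLACKLIST_ONLY = "blacklist dccp\n"
```

On a real host feed it the contents of /proc/modules and of every /etc/modprobe.d/*.conf; a result of "already loaded" means the mitigation is not in effect until the module is unloaded or the machine is rebooted, which is the case the advisory's wording ("do not already have the dccp module loaded") is warning about.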
[SECURITY] [DSA 4086-1] libxml2 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4086-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 13, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml2
CVE ID         : CVE-2017-15412
Debian Bug     : 883790

Nick Wellnhofer discovered that certain function calls inside XPath
predicates can lead to use-after-free and double-free errors when
executed by libxml2's XPath engine via an XSLT transformation.

For the oldstable distribution (jessie), this problem has been fixed in
version 2.9.1+dfsg1-5+deb8u6.

For the stable distribution (stretch), this problem has been fixed in
version 2.9.4+dfsg1-2.2+deb9u2.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpaNZ1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0T36Q/9FndoMjDnq0FHYDjDu1P3HdQnsbCsDDIRMVx7xPhaPgAYjXaCIGCkw5vQ
ib0QddenfirPEtX46xER/QoreBGe8HhzjUNzOYgmWYgpnSLvW+GIlBUeRrebX6c0
zWBvsWxjxNbgEqllAR2DD6OKvXz7y1ZIV7vDHVTmSIDc7hxMgf/Ypb3kURpdq9HH
6JnM9aIeRJFaw/MB6jwBShHEp5tUaIx5j4JYX1oI4mqdqhImH1wXiERp72TrYhPV
4NzB1ANwCwQTQhPQGKCe5ecdNfGOGhhmtS9U5CrdqjWL0lc2ryXdBh1Aitdty+dx
EbK5K+A15syFtVpCLCf8IOnpIPR+bgkDlnTflXoCEfczrOZ2vXKb5GDV+fWYZ1Hr
OTpDakt40H0KSPg2dOOHynpcuuIkFrd70Bhsb6svvlrlB/45ZjuiUXrSH9fYIsxX
phbFtPglrKKAK5i+mmLR5vyERJnFp4zL9N2XV6BBvoeMF99+vj5COWFyX3FSFpvI
izVYX/uPmHJ4DhSsxWs0xkIL+sLRCIMvTWWjQj308eBAqqpQtK2M8ai86+XfhG/8
jN94aZVEk24FNalifHWmecK5Nul7Q0jfxKFHQlQfDZhhNXUuvaW/mHWAkNPoB0UG
mFQCoFn6m/9p56/P+N3mu1B7PjmrIZntCMhFHXtFoo8WdjJITso=
=TV2m
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4089-1] bind9 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4089-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 16, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2017-3145

Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server
implementation, was improperly sequencing cleanup operations, leading
in some cases to a use-after-free error, triggering an assertion
failure and crash in named.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:9.9.5.dfsg-9+deb8u15.

For the stable distribution (stretch), this problem has been fixed in
version 1:9.10.3.dfsg.P4-12.3+deb9u4.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpedglfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QpmhAAi8d529DGMZOzcaRyvyWEa+Hth+CLca5y/4Wugv/BrRjTn+tDzYriNatW
wtLQLWZOiyxtPvcQjU+lwxRzSh4r++JorSbTdq6SNSKK1VTe67yCst0n7O5k9jhb
G31FXHeXyYjp7JMGPxQ1T6xwvbjpOnI3wwE7LkxZY69Lo/bOLoeiY9BDojdkuexd
KK4vPQFkMwrARszjEb3QriCJbkhv8uiCA0vg15cD4zFJJ3yYiB/+sVJScc7jnSwo
pxdSSIQrYzRNNN5vqkTV6JHta+fwX3taN4U5Ov7QD3v5NkL/yR53Wv3V2O7jlfLs
0AV2Lhm3CyB2VGp0XzTSIGvUvlROGDmsSvwM+QT+zbg5+7JVu3UI25YpL7faJ5oy
MPmj/w+tZkFepxFuRjV8LwSdcP1JtNd9UIN/5ugbOk6R95vse5WXwQKa1eZ6a7X2
3sTwlFC2aN9kLfD51ROzYKb0sJbgu9tEscJYJ6kz77pSA0LZ22K37XHq80z3wuLh
xCCS3YEjxVl/Zh+qLmAekZgKih2lWGt5inTstRzcVqzJlJoz1xoLBR7LoEW9sp1R
4XcGxh38QGdpxTs6sr71cRIPr6DpA1tpDt5EOaIw+nIC/t0JxVvbX6V15UYTd6++
X4hS2czq3HAR8J52MlMSjyXrdvp4u6Drta0D/axxa/YAHI5KXWA=
=84Lf
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4095-1] gcab security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4095-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 24, 2018                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gcab
CVE ID         : CVE-2018-5345
Debian Bug     : 887776

It was discovered that gcab, a Microsoft Cabinet file manipulation tool,
is prone to a stack-based buffer overflow vulnerability when extracting
.cab files. An attacker can take advantage of this flaw to cause a
denial of service or, potentially, the execution of arbitrary code with
the privileges of the user running gcab, if a specially crafted .cab
file is processed.

For the stable distribution (stretch), this problem has been fixed in
version 0.7-2+deb9u1.

We recommend that you upgrade your gcab packages.

For the detailed security status of gcab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gcab

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpo6kRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TLGQ//SlIEWkG2FFPQN+Qnl5kUX1wJLfs/u7P/kzwlqjFjSgQAPqre+llu27I/
Hxt8y2xBS8BiFTKXsxDAKJ5AH22lSfx7GP5zxNH60vyTPuKETj6EVIpw99VtRI1k
p8S7qteakBKCRbBrsFWpNUYgnxx6iI9dxD6SZZX5p+vsgL33nSrJvNkEvyQzAEjf
dmw2R7ozXZNerChPL3tVObsNfq2FSoHI0hm5TdM4C+aAj0Bg9kY/DQoApl7lt4m1
gbN8JSMu5QJkTbCKWDhrGM4O5uH7/ASKDQFP27VHCsGhfhsKq36i6fWUXAOMIdxN
+YQQgcAVXKVFA4esi1oCf+b0NFvQ0kcDUJRo0xgcfFtug7e0ZJX7SzIIwD0smMTu
tILCQMWPd0y93gsdOflJqW5H7uYHWzLBQVAC8XvJ7i+WX+itBU88k6Kis4oCK4it
FBbfd8ma6yDYwHSOc3Ceq3+XYdDBu3wXRjAh4ZyjgTqjyXxW0iXalm3WMWxh11j2
YomV8N6CTel8MBXZcLlNz+G/M1qt3UHzTTpufgQEo8ud5+NDeUh+CgMpKyvUBDaP
xD65XPhB71jzI1/yeSCc84exSCdLuj1o4+uyhsA/GRaR1WMueZhnZjJyFll/4oJh
fuFJGDaTfpk3r1+6Rpdk+3ln6f8bYN8lbxjYQVNho7ykbgayId8=
=RwBy
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4104-1] p7zip security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4104-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 04, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : p7zip
CVE ID         : CVE-2017-17969
Debian Bug     : 888297

'landave' discovered a heap-based buffer overflow vulnerability in the
NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file
archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial of service or, potentially,
the execution of arbitrary code with the privileges of the user running
p7zip, if a specially crafted ZIP archive compressed with the Shrink
method is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 9.20.1~dfsg.1-4.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 16.02+dfsg-3+deb9u1.

We recommend that you upgrade your p7zip packages.

For the detailed security status of p7zip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp3b2tfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TrkA//VNLdog0TJNf4fHBagj2qd9UFUInov6I6r4Bc0nfuyL66LY57riC8yLnF
jiqq3+q86aXqokRO6/enP2v8d4OCS/jcZhMFmg86CE+1em+jBFdUcNijZUzIZjpA
pEEbfNCYZ+aOrhDHAZn4HvjCnxRk5zseGmvfCNPtbJOxbeUh5tVcbXy/2768t/v0
s9n9cAI1BsvE/4M6/6PH/HEemJbHQpYUi+cE2WR0GEAszQd4U988Vf4LG/1ZhuN9
/rpfbvDw/OwTYlWFQyvzPl+lnyWrUXgY5EYrhllNXBUFfIzQg+NqlapWj37AR54+
1UI4FVTjmcio6DYvtCfG704oL2yviKjxPddOSg+nJBuQTOcpskJtQPXHq3k0ELRE
vWRehSemSj+XhZI9NV7TQ0n2UQfUQTIK04l2LOxN7Uozf7S6rRe653TFnk4VGsLi
1CQr1ek7YwepfSuaLl2eyUZl6xe3tFIeDtDbTLU9g1Cv8RIlMOU1KiVaSPhfjO/3
Gnx29JzqwM216gQl/8N9SUA7vtZJDbwAwzo/bMDHEpvvoqR4jVEKK4pLRm9UsQyX
EKT26ZJqEuegV792xcowNpvn3s2H0TM+3u6DLGHUq2xC2TgsgHYy5zWeDnnx/5R2
yr0F9qPl9kefqabDCM4Tqvu32YYym5UUIqiq+iYQaDwDorDx7Bo=
=T7ze
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4106-1] libtasn1-6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4106-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libtasn1-6
CVE ID         : CVE-2017-10790 CVE-2018-6003
Debian Bug     : 867398

Two vulnerabilities were discovered in Libtasn1, a library to manage
ASN.1 structures, allowing a remote attacker to cause a denial of
service against an application using the Libtasn1 library.

For the stable distribution (stretch), these problems have been fixed in
version 4.10-1.1+deb9u1.

We recommend that you upgrade your libtasn1-6 packages.

For the detailed security status of libtasn1-6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libtasn1-6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp7TPxfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QbRBAAnPEkX4R68VOr/kwZz4u61IrGctvG5lA8JkLTy25i48uwyVpWxpDHFVO3
8WHArjVtiSP2M0PpeOA6sz1nbmgwDOuIcMnEEeTX1dncL42MXUY1vhB9OcMs48LN
LC8DUhF7LXQh7F3P27ipe9/4UecO6xd+wq70lScwLI0EFscrtqNi5Gap4Jyj7IMl
fUUOMEBPafBPtDRHY+Pu4pwq5QrIqhppn5cPpJFuBmFhcHCBj3uH+9eg58leHP6J
05t26TTDcNR8ZDPB0SxmCHgrr6vVG/48ANoCJWjkHxjxyUkM7HI38uSZIk0TZ0IR
JxiUdqMIgB6Z9wJWjzXuclZmF6jnpG5O7WMQW2S3b+ADyqRl7o/+Kq6nH6p5BeKA
WNdI82MPpZz1VohH1ShJ9DHHOOqIBJu1NmTle92O62I++/soJ3GRO4ppxMsgrNLk
b9J9V790SPeW0OcI1CyEVdoxK8xZlPA22lR+3ywhTTcrmvQQaeFtuVKGjE4gQCKY
CfTZ4J+qxf+1yJSi4iVAv85bbi3/GonwYb2c+xAPvkQkczaxpkeM1yATKC64HjK5
IKHurF8uj+0yuE5H8lv6zp6kUcYD7iSNncvmTZd5AzLHo/Ly2+rjs//RjomZjP6a
/2opnm4uV1BoQbF4tPCEhQ1zHyVW9xDqFQ4/ndIYOPk5abIy4Yg=
=LK24
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4107-1] django-anymail security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4107-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : django-anymail
CVE ID         : CVE-2018-6596
Debian Bug     : 889450

It was discovered that the webhook validation of Anymail, a Django email
backend for multiple ESPs, is prone to a timing attack. A remote
attacker can take advantage of this flaw to obtain a
WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.

For the stable distribution (stretch), this problem has been fixed in
version 0.8-2+deb9u1.

We recommend that you upgrade your django-anymail packages.

For the detailed security status of django-anymail please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/django-anymail

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp7dTRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QXHQ//Wg7cVA6F4jaTXbWJOWh7misVrTlw16sHiyF+qsc0oAmtOpqVuTMgtYXa
ClJKpme7TMsy8rVkb//cJCFrkz2KQ2YF2Rj7keH2QZqzYG8aU2aDOT8H6l8R7iS9
Fvwx37Pzf2O+NTOhWwuw3EPFoWnNmkfKDNwYIw3gW2pRxuTUuAR7DjEP1qjVsO83
o81VLnrjFVmyBEkfKpFGhfddYx3RnIK/XZiwJ+VAdx+J0F29x9+lmUqB7d7XeU2p
5NOWa6r14xnAQOgfEFU/edv6v6Dd4wo0tUT6k05MBTgex+yOuxaCiuiHKnvVIzhO
dGrHUpD/DG8b0//WPg4f39MeSHRr8bBuPs/lcqel5OpmyaIJf/1mekEA9jMZ+HEl
7+uOWbkLoNPo9IBLIqsDQ3L4FxP4rtJcmOr8oKcEjhhI8fda5Se/GTxAJCZax8WU
1cSOJRlEPX1CyryF9WPQuF+o4xrgAO92wa5MeLVK3HcCEQDAGpcpqyLnawp8eHoF
ZDoXzBFmUi7Qn8oxBjkjVGhdAinP6oPIRRmtCOSRn25/dQtPhZwAKA+F3E1IW+ZT
BOd3dUyoD8IdqASCvPd89RKUFItJ3cydtYPM0E0LVyum9LAzjY2mLCWiY3abNald
ATvIdVyPCBg4oCSgeO9WcK/44woT5r1sE7wBTDKmIcfjfrGPgiw=
=36tg
-----END PGP SIGNATURE-----
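Added example (not part of the advisory or of the Anymail project) showing why the comparison matters. Anymail checks webhook requests with HTTP Basic authentication against the configured "user:password" secret; the example assumes that layout. `naive_equal` counts how many characters an early-exit comparison examines before it answers, which is the quantity a remote attacker measures through response times; `verify_webhook_auth` is the constant-time replacement. Function names, the secret values and the header strings are all constructed for the example.

```python
import base64
import hmac


def make_basic_header(user, password):
    """Build the 'Authorization: Basic ...' value an ESP webhook client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header_value):
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def naive_equal(expected, presented):
    """Early-exit comparison, the shape of a plain `==` on two strings.

    Returns (equal, steps): `steps` is how many characters were examined
    before the answer was known. Because the loop stops at the first
    mismatch, a remote attacker who can time responses learns how long a
    correct prefix is and recovers the secret one character at a time."""
    if len(expected) != len(presented):
        return False, 0
    steps = 0
    for a, b in zip(expected, presented):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def verify_webhook_auth(authorization_header, allowed_secrets):
    """Constant-time check of the presented 'user:password' against every
    configured secret (the setting may hold several, so a rotation can
    overlap).

    hmac.compare_digest takes time independent of where the inputs differ;
    looping over all secrets without an early `return True` also avoids
    leaking which entry matched. Different lengths simply compare unequal."""
    parsed = parse_basic_auth(authorization_header)
    if parsed is None:
        return False
    presented = f"{parsed[0]}:{parsed[1]}".encode("utf-8")
    ok = False
    for secret in allowed_secrets:
        ok |= hmac.compare_digest(secret.encode("utf-8"), presented)
    return ok
```

The step count from `naive_equal` is the signal the advisory is about: "hunter2" versus "xunter2" stops after one comparison, versus "hunter3" after seven. `hmac.compare_digest` gives no such count, which is why it, and not `==`, belongs in any webhook or API-key check.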
[SECURITY] [DSA 4110-1] exim4 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4110-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 10, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2018-6789
Debian Bug     : 890000

Meh Chang discovered a buffer overflow flaw in a utility function used
in the SMTP listener of Exim, a mail transport agent. A remote attacker
can take advantage of this flaw to cause a denial of service, or
potentially the execution of arbitrary code via a specially crafted
message.

For the oldstable distribution (jessie), this problem has been fixed
in version 4.84.2-2+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u3.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp/OdZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QGYw/8CEODJxVLvPJU1f6DhBJIaTaQrEt4EjXqTn8RbVI/DqzjWKE7tXuPxRO0
7e0x1MeAIqHWZasXJjuNQOdKdlyd3F9/foOP0uA8cImrv+0Tq62zYf/v85V3y6/O
l7I2SFvDtM5Jg2l562jpctjKY/wgGJ1DZ2K6bB4A1d8SUXZbTB801l2yzTOyk/R4
ESE2xpUhZaD37192mp5oNIi4SWnq+riORPgqwnrU47GR7xNhAL9XpsBZIqK/B0Yc
jSiiIdoto70tHpAukWH/Hf62cnq+kvFp1i8FlK3cO+VZTxCcE42HnOLpAjom1zHS
Psf33gOACPmOd+P/cTuB6w2isCZT2MpQiJwgvVCgePpPJUrRXjBBCurnU8XaHJFZ
Z0LX/Gj22clgOrI2NkeB6vHJC1bcoOxmbSZD7QDOMbX8sn9jeW7iiTf4E55GSXfr
o0pevsE5tbwsLwDz0j+gGIofaiDCPwA3hw4R6srTqvvq5r9UQSOkO5x+i/tIvZls
rzb78Ye9j322S3dVKOK0f8eQ/vbWdWPr6oPJhFQI13YbeQs1bixo36RF2GXwjz6w
z9VzJBhOaDNC2iGHirFv/ru2bR7sSCuN3lqpI+INwYtXI0YLIlACt05YDBufe+vW
srEJIc6V/iBGFsH1TcOp8iC9+Jb6RT7hsBZnDYDwO8Nb29TUwIY=
=adqv
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4115-1] quagga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4115-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 15, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
CVE ID         : CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381

Several vulnerabilities have been discovered in Quagga, a routing
daemon. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2018-5378

    It was discovered that the Quagga BGP daemon, bgpd, does not
    properly bounds check data sent with a NOTIFY to a peer, if an
    attribute length is invalid. A configured BGP peer can take
    advantage of this bug to read memory from the bgpd process or cause
    a denial of service (daemon crash).

    https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379

    It was discovered that the Quagga BGP daemon, bgpd, can double-free
    memory when processing certain forms of UPDATE message, containing
    cluster-list and/or unknown attributes, resulting in a denial of
    service (bgpd daemon crash).

    https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380

    It was discovered that the Quagga BGP daemon, bgpd, does not
    properly handle internal BGP code-to-string conversion tables.

    https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381

    It was discovered that the Quagga BGP daemon, bgpd, can enter an
    infinite loop if sent an invalid OPEN message by a configured peer.
    A configured peer can take advantage of this flaw to cause a denial
    of service (bgpd daemon not responding to any other events; BGP
    sessions will drop and not be reestablished; unresponsive CLI
    interface).

    https://www.quagga.net/security/Quagga-2018-1975.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 0.99.23.1-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.1-3+deb9u2.

We recommend that you upgrade your quagga packages.

For the detailed security status of quagga please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/quagga

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqGBaVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RpyRAAhVpntFw+LSUUzL2/cx7m+s4fHijhOkU/AjKKmW4a9rAi0iJYW4HNv5BU
cKfz6yhngFUzCa+Glhmiwzt77eAoeksJSvxkKio5CTqjV3OxCWbDPPz/iRRHcKvK
MGhnqyShMCF8boQU0plmqNbfhnSWNAObbaI2fPmjLOU4A4jPY1T/fbzu4Sd3k5qY
ETeHq9+HlVdGnyNEoYnoO0XQH56ueNHy3VlChJ0S2OPtFtoKXkjM/er+yG6413+G
3e90tcbm2xlitmrTyZm9K/Q08UWLJx510n1rxehaO1DTEz+bqSNezySOhyNb8sTA
fuadDpgs2ozwgSmxyuWFj0RL3fKvgycw1ZeNiS5nUmRJTobrPlnjyX+A8FEJhPuI
9xyVa8j6wUeBVZdgd9b/EWLQ1Z9oDRiXmHRJeVOtz4JRNPP1KLtBcsPxFW9eCp83
9gFMqk/vMYQSpRqtQdnl5OawEpeurMtusBsnlEV5y9afiHU9jKB8N7RPwxCJgtjP
/jmhS4lOvn3F5lNILahaL3lrk/b0EsECajBltbN9YVU0yabWWRWSMrJ3ujamhaXE
aUQKmVj1alwDyg90vToiUftdr3R0hPPFuzA0BAK55SJVzjwJ2XInzItr+2y1tMPn
dSpd32tzrxpDm86rvmRIiAJbj28n7QnX9I9BlKZqWq2fUUhTkNg=
=Gy8j
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4118-1] tomcat-native security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4118-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 17, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat-native
CVE ID         : CVE-2017-15698

Jonas Klempel reported that tomcat-native, a library giving Tomcat
access to the Apache Portable Runtime (APR) library's network
connection (socket) implementation and random-number generator, does
not properly handle fields longer than 127 bytes when parsing the
AIA-Extension field of a client certificate. If OCSP checks are used,
this could result in client certificates that should have been rejected
to be accepted.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.1.32~repack-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-2+deb9u1.

We recommend that you upgrade your tomcat-native packages.

For the detailed security status of tomcat-native please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat-native

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqINN9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QCFA/+NIKcWWK9+5NHMyYJumS9DE317Lxg/7xo2c46YxFIWX+WbYu7NX+H/YqP
0AhRYNVO5cQJCymGl2LAWuIITMOtvE+cybI5q9Ayjy3fj02LqUHsawKwGtIj8166
X6PH/R08HlMm2rPJdcQzQ+RsALAyToNwABxLdWgDAdBSy1mWoAS3XzCGj46rha0K
1yQay4vG+FszZz9aJA7/E9SOFBdljzeATbrAcdtutsK4ebRvASabJEon2XzDkzJy
2RClV8+qMp9qppPB8Y0dmisLVuIsoVWp1VGmx8ZVEKaj0G9hVvpc1lrNkS6hwJVC
0eTuYvp2d5VJ2tXPAqjqU3KnvEHvKx3VPNDlUVcHkgET/+G3W6AUjR+U10TzRL52
A+aNELQg8FqlE2NPIB3+1dNxSedFhLl5w7kLYvJFTAd27hZaqK66qt28UyRkuS2x
YX5g0UvYPbsIO6FshvCOC/ASvqZIrrUHrWZWr5i+9JWvbQYJOb0pCWAQ1jMYZbTp
10b+CSrcKY/FiCrpNFmuAwBiatGBPr9O5y4ybxsVLeQ/VvhIqSuRZF4Q1LMHFa79
S4iquPbTTBBgqPAtybbTjUNgEHvRep2IXa1qRLMDPH3SyEa87mb3XRVIgW2mSG/e
rQalkoijLqb7DPAgXn+2Zuaw/Ld97lj+0i9N5IesMfhX9XmE194=
=KKIX
-----END PGP SIGNATURE-----
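Added example, not code from the advisory or from tomcat-native. The 127-byte threshold in the advisory is the boundary between the two DER length encodings: a length below 128 is a single octet, anything larger is 0x80|k followed by k big-endian length octets. Whether that is precisely the defect in tomcat-native is not stated in the advisory and is assumed here only as the natural reading of "longer than 127 bytes". The block below is a minimal DER TLV reader that handles both forms (and rejects the encodings DER forbids), next to a deliberately wrong reader that only understands the short form, run over a constructed OCSP AccessDescription of the kind found in an AIA extension. The URIs and the helper names are constructed for the example.

```python
ID_AD_OCSP = bytes.fromhex("2b06010505073001")       # OID 1.3.6.1.5.5.7.48.1
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86    # [6] uniformResourceIdentifier


def encode_length(n):
    """DER length octets: one byte for n < 128, otherwise 0x80|k followed by
    the k-byte big-endian value with k minimal."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf, offset):
    """Return (length, offset_of_value). Handles both forms and rejects what
    DER forbids: indefinite length, the reserved octet 0xFF, and non-minimal
    encodings (leading zero octets, or long form for a value below 128)."""
    first = buf[offset]
    pos = offset + 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    nbytes = first & 0x7F
    if nbytes == 0x7F:
        raise ValueError("reserved length octet 0xFF")
    if nbytes > len(buf) - pos:
        raise ValueError("truncated length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if buf[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal DER length")
    return length, pos + nbytes


def decode_length_short_only(buf, offset):
    """The mistake under discussion (constructed for illustration): take the
    first length octet as the length itself, which is only right below 128.
    For 0x81 0x86 (134) it yields 129 and leaves the second length octet
    inside the value, so every later field is read from the wrong offset."""
    return buf[offset], offset + 1


def encode_tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value


def decode_tlv(buf, offset=0, length_reader=decode_length):
    """Read one TLV (single-octet tags only) and return (tag, value, next_offset)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated TLV")
    tag = buf[offset]
    length, pos = length_reader(buf, offset + 1)
    if length > len(buf) - pos:
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def access_description(uri):
    """AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation [6] IA5String }"""
    inner = encode_tlv(TAG_OID, ID_AD_OCSP) + encode_tlv(TAG_URI, uri.encode("ascii"))
    return encode_tlv(TAG_SEQUENCE, inner)


def extract_ocsp_uri(der, length_reader=decode_length):
    """Pull the OCSP responder URI out of an AccessDescription."""
    tag, body, _ = decode_tlv(der, 0, length_reader)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    tag, method, pos = decode_tlv(body, 0, length_reader)
    if tag != TAG_OID or method != ID_AD_OCSP:
        raise ValueError("accessMethod is not id-ad-ocsp")
    tag, location, _ = decode_tlv(body, pos, length_reader)
    if tag != TAG_URI:
        raise ValueError("accessLocation is not a URI")
    return location.decode("ascii")


def is_rejected(length_octets):
    """True when decode_length refuses the given length encoding."""
    try:
        decode_length(length_octets, 0)
    except ValueError:
        return True
    return False


def short_reader_fails(der):
    """True when the short-form-only reader cannot make sense of der."""
    try:
        extract_ocsp_uri(der, decode_length_short_only)
    except ValueError:
        return True
    return False


SHORT_URI = "http://ocsp.example.net/"              # 24 bytes: short form suffices
LONG_URI = SHORT_URI + "responder/" + "a" * 100     # 134 bytes: long form required
```

Both readers agree on the 24-byte URI; only the 134-byte one separates them. A certificate parser that stops at the short form is exactly the kind of code that works for every test certificate and fails on the first real one with a long responder URL, which is why a DER reader should be checked against values on both sides of 128 bytes.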
[SECURITY] [DSA 4122-1] squid3 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4122-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid3
CVE ID         : CVE-2018-1000024 CVE-2018-1000027
Debian Bug     : 888719 888720

Several vulnerabilities have been discovered in Squid3, a fully featured
web proxy cache. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2018-1000024

    Louis Dion-Marcil discovered that Squid does not properly handle
    processing of certain ESI responses. A remote server delivering
    certain ESI response syntax can take advantage of this flaw to cause
    a denial of service for all clients accessing the Squid service.
    This problem is limited to the Squid custom ESI parser.

    http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

CVE-2018-1000027

    Louis Dion-Marcil discovered that Squid is prone to a denial of
    service vulnerability when processing ESI responses or downloading
    intermediate CA certificates. A remote attacker can take advantage
    of this flaw to cause a denial of service for all clients accessing
    the Squid service.

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 3.4.8-6+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 3.5.23-5+deb9u1.

We recommend that you upgrade your squid3 packages.

For the detailed security status of squid3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqPVb9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RGOw//Yr5/j5S5xNQEM7HI+6mBcPEczGMFgUxYas9lQpaNlcD8Rxx+5sozlya7
pCr+SB0IcPfKzdB+1DhpmHUBr+AsAA6OHyf7xtgG0dPAq5SX+sHz1CbO3110k8j+
rdUotCf+xhLQ+2q8Cbi9YfQd5EPpdtzx/8cXVQomTcXt2nmHIlk91rNOZs0/gg2D
WAAaeV3SEcR8mzLfWRqUSqSutdCGboOSbhHl7zeTdm9cPAYXrbRBmjjAisxcMSdy
1PeHmaoqlp1/dwMWUWu4qXeT2yT92BFjhj1dHvUlpbdJtvvRohD3WjORBIBe9Gc+
eWxKrpVR4d9lyb8ipsf2nt+/b+v5jkvrg9W3yL0HEKjPa54wr92kGArb948A3vPJ
YWbomuwhhKW0DIqI1nES9R2XzZZgFo1DZpXmchYqM+sC2e8+rUBmfn9MUVOWG/9U
X5JMhKiNHpIYTf9bKSqc4OSbtL+nJ5uY2g6+HrElwI/319CPxxdfr9iplP10ITVX
ofjZecqjT24Nfra5ZvN6Pscpg9E34xgpd9fzOPgB7bq3BemYDT2GDaB/o3TXsVTO
4j84gg+9b68PICJgqsRdFAuiseycRZbXnzdvbBWB0mcKileFUIyZn+o9v4TQzWt+
+6Ebi7CpnEAttJ2Cyhw32B3XUuLQoBy/CWdruaFrEJu/EMr/ZxU=
=mMK9
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4260-1] libmspack security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4260-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 02, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libmspack
CVE ID         : CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682
Debian Bug     : 904799 904800 904801 904802

Several vulnerabilities were discovered in libmspack, a library used to
handle Microsoft compression formats. A remote attacker could craft
malicious CAB, CHM or KWAJ files and use these flaws to cause a denial
of service via application crash, or potentially execute arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 0.5-1+deb9u2.

We recommend that you upgrade your libmspack packages.

For the detailed security status of libmspack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmspack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltjchxfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SH7w//aMohH/3ymPCXrXB3RR+NmXpAFeVWO6EbKW2g3J/YEZAWe/nssupxK6Ws
3s8eHYhFxbffpzonkyVQ7E8nfBtp3osUmd9Ir+T2ftzpuSfsCWYFhERpep8c5eAP
4l43UOB118A3fWmVc6i/44/gc0XCRVfWF/SfEofx20x4CQSCliuTHRrQVqudFkgF
SsqVwbcpKhiMvUH9eq8Csi0LRywLdz7rX6dEKJ131bxcUmPIP02/wwmHDJQcjbg/
EEyCVbEYYIrIJiUh58OF/OmBFTT1im6rCYmfeyrPiotacSBT5K1dorjvnUytFuO/
Yf/2I1tSEb325hoqx+958pGj0Y+4ubjIpRuvhV/rM4r9kKmQbW344dft2FTqKOp/
a6K+LuaobcqXf9qZC1E/EytJuZNl57pdRAiOTVt3szNSfT3WCHrLWf6ZwF6PwTII
HKmfvNPrmfSJI7KEKpmra9FW21jwAcYJL6Xt6LWPKoPVR52rJv1WMd84edsg2mGI
J0P62TOKv3ZaJvpBrQ+bkuFoBrQE10RN43iAzOWVqBnw1LxMqq2WOnxHpcYduOBr
VduZWPiA8sN9Ee1WrVUn/ct81yie9RxJ21SZZEnoFR3wpMqBsIzeNsB9ISMVtalv
TeCi0ZETyCgdFPs7jEIA8F2q0Gg9DgXtcjnc4aIkOSA5IOj0G1w=
=fFmf
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4257-1] fuse security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4257-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 28, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fuse
CVE ID         : CVE-2018-10906
Debian Bug     : 904439

Jann Horn discovered that FUSE, a Filesystem in USErspace, allows the
bypass of the 'user_allow_other' restriction when SELinux is active
(including in permissive mode). A local user can take advantage of this
flaw in the fusermount utility to bypass the system configuration and
mount a FUSE filesystem with the 'allow_other' mount option.

For the stable distribution (stretch), this problem has been fixed in
version 2.9.7-1+deb9u1.

We recommend that you upgrade your fuse packages.

For the detailed security status of fuse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fuse

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltcenNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QvRg//W3kUaO9PE7ctcY3CxCa5uej51kqun1Jy7JAw0fjQK84pTH//J8GCJnAs
vbcONxyvrkxlLMRamvR rKU0EfH0vLHkvjcfVY2l5ECPBEISkpVff/MPWCwTplzF9
GMUFdrF+qJNC7EW2y5BfMwkBFn7FYTyEoroSm1AmQjjqncSuzvxIjK8p+P/NVq20
RawwRsEJIquVQQ3ZYE9mnJ9QixYI1+le33bg/FI9eIUy44W43m+OPqmf7kvwH7Qh
SamYcFMvl8uc8reijl2cSoZ1ocCJAr4etJ3M/C0Br/wtQxedk4+bAtYjxxolR101
VBZqh9bnTsBpVnQaMjcBsGsT77IupfCY4nraZQJqcDF9N4712W6MUKckaP933HQa
VKWjlSUqNlIUh2UocONgPWU8yvxtkSHiQIkEEQnuNchNPGGcu+zrdTR3BY/oBIHc
yDgBqk1SV0CNLTzZj/fzDmwaVgzYrE8Dc2+TPok1O8UgnifSlRBmQrLJNxaQE4FL
TDhBB3O+H3laHAFeMPMi92tvr66r/QI5EEhNXBCpauOwYLg32DhL9RJ64FY+mOr6
/YrQMyfX5fI1v/WaqRB4rNgaQROYFaC9uOtSp6UTRa8w2R98JSEUrKuaE/ndVJM+
HtFaaKkequ/hcIARHdiCeya3jZVCOhMgeIJZEcw0G2LntY1z46M=
=MTqc
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4254-1] slurm-llnl security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4254-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 24, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2018-7033 CVE-2018-10995
Debian Bug     : 893044 900548

Several vulnerabilities were discovered in the Simple Linux Utility for
Resource Management (SLURM), a cluster resource management and job
scheduling system. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-7033

    Incomplete sanitization of user-provided text strings could lead to
    SQL injection attacks against slurmdbd.

CVE-2018-10995

    Insecure handling of user_name and gid fields leading to improper
    authentication handling.

For the stable distribution (stretch), these problems have been fixed in
version 16.05.9-1+deb9u2.

We recommend that you upgrade your slurm-llnl packages.

For the detailed security status of slurm-llnl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/slurm-llnl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltXfe1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RnFw//VfeqZuQodnCLjYWSBEP3XytVOtzF03e0fAW44M0jruAxYcoQ3uy6knwc
EKK8Nbjjfg23kWygJO7pPmmpbqkYlhBXAin2/NCXa6svCtxeXY9zGZWlo94hsxva
239bhOAy20crSRX3oITbsxPs+x46ZEDriLR2C2GpMFNzTRyBWeDuy6/UIlBZtkXf
IeyKThCrPECg5I8gqkSTKua+or9VBwMjMwp6Y7GAfA60I0Fws4JYe2ZEIWRRa8SU
NalUGUduVJ+OHWiwGj8tpFPzwcpIHAC7oZp5EQbe2vMSpcsRcaKusEsc9cXU8ILD
UTl/ZFbeO3+9WlXf62aXZ1g8Obb3T6kq+MbxpiEom0fbyHCKgxjE+OI7Soivsvjz
p/HS7jmBoRZiUIJ4GcF8wr8RoXrr41PCIU74NsiZvIFlJ9HlvqyIO+SNg+BBaLVy
ttOPJsFcfbJf/qHlLu4ut0xeP1PvrlqJYPXo19e94g6fmIKuJ38WW2tKAa+KHGuK
v+e4eYa4qpem593KslJM5TE+OGJTf189bZQzsnhUQ2a0zAgasUYngdRvk/i2HEMA
DeOdSdj00L3z1VlIgPDFBhcX33d1Rpr/pjM3ZqZl7Fc3F9AjpfffUWPRJ4MiKyZf
Tp0gVTfSsAH6xVlnkVlSN/18UW4WPrbJn8mS6DhYbvPnU6OUYM0=
=VIY2
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4255-1] ant security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4255-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 24, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ant
CVE ID         : CVE-2018-10886

Danny Grander reported that the unzip and untar tasks in ant, a Java
based build tool like make, allow the extraction of files outside a
target directory. An attacker can take advantage of this flaw by
submitting a specially crafted Zip or Tar archive to an ant build to
overwrite any file writable by the user running ant.

For the stable distribution (stretch), this problem has been fixed in
version 1.9.9-1+deb9u1.

We recommend that you upgrade your ant packages.

For the detailed security status of ant please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ant

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltXhnhfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0S5jw/+LdWQYYhHov+fFxJJiowkO/aAhi+whhvcw3scGVij+fZjoHOuCcdQ+koP
/ja+01SUeQ74Sa3G2AuBnL97qzg0C1oxwIa55FbIoIpsJhqFD+kt4jdirEAHr4qG
c9PLzUXBOIAyHJAjwbO33mTlj8TP/0XAUYqriierRKWtFOKGSi7tF40nZwyhfOc8
+dZ8WwGwsO3BdshQfvUzntWMwzvGhuwiNbrPc/Kd8PKXWTPGeDkLWuVuGH8x/07i
3vgdYslK8/QrVbbIYKdSidUSOeJFgHeENd10YHYyyQIfLGBOz+o2gOuLrRTXHCU4
V7yWPbllN2CzcQjBJ/GSxGSJ+JpvjgX7boOBUQQuEf7Cic8fhqMJgEGStjk+NakK
lXhpJlm2exf4+Q0GuZig4RaBY/N7pUJmqu5qNulyjjgSK5sx72Eldg44hto4iuKt
aB3o37YWIwavG0POi9uQ//dZ7m7KGmTE8y2LSmUAaB3DpXErrWBbB3TW0ap5Ui5j
jex795cyUOIDtCgkVqgOHRWYYNOM4F4g5AzxT6cxfB7YR1j4rh52OayvTcvl97Qb
5uhBu8OgYHF0lCGPJS2GJ0J+LZhn9NDsnAB4PBmYNvOiIxz+W1rvLmI5PLMeTAFD
EfyqNWMUKEDMSofOF+HIhD9wYmoCcxMvjBa8cxlwyV0/5viGXTE=
=c/tN
-----END PGP SIGNATURE-----
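Added example, not code from the advisory or from Apache Ant, of the check an archive extractor needs so that an entry name such as `../../.bashrc` cannot land outside the target directory. Each member name is joined to the destination, resolved with `realpath`, and accepted only if the result is still under the destination; absolute names are refused, tar link members are refused outright (a symlink pointing outside would turn later writes into an escape), and backslashes are treated as separators as well. The sample zip and tar archives are constructed in memory for the example; the file names and contents in them are made up.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def safe_target(dest, member_name):
    """Map an archive member name to a path under dest, or None when it would
    escape: absolute names, '..' traversal, or a path that resolves through an
    existing symlink to somewhere outside dest."""
    name = member_name.replace("\\", "/")  # treat backslash as a separator too
    if not name or name.startswith("/") or os.path.isabs(name):
        return None
    base = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def _write(target, data):
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)


def extract_zip_safely(zip_bytes, dest):
    """Extract files and directories from a zip; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                _write(target, zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def extract_tar_safely(tar_bytes, dest):
    """Same for tar; anything that is not a regular file or directory is rejected."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            target = safe_target(dest, member.name)
            if target is None or not (member.isfile() or member.isdir()):
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                _write(target, tf.extractfile(member).read())
            extracted.append(member.name)
    return extracted, rejected


def build_sample_zip():
    """Constructed input: two honest entries and three escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build.xml", b"<project/>")
        zf.writestr("lib/util.jar", b"PK")
        zf.writestr("../../.bashrc", b"evil")           # classic traversal
        zf.writestr("..\\..\\win.ini", b"evil")          # backslash variant
        zf.writestr("/etc/cron.d/backdoor", b"evil")    # absolute name
    return buf.getvalue()


def build_sample_tar():
    """Constructed input: one honest file, one traversal, one symlink to outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("src/Main.java", b"class Main {}"),
                           ("../../../root/.ssh/authorized_keys", b"ssh-ed25519 AAAA x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("lib")
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/lib"
        tf.addfile(link)
    return buf.getvalue()


def demo():
    """Extract both sample archives into a fresh temp dir and report the decisions."""
    dest = tempfile.mkdtemp(prefix="ant-unzip-")
    z_ok, z_bad = extract_zip_safely(build_sample_zip(), dest)
    t_ok, t_bad = extract_tar_safely(build_sample_tar(), dest)
    return {"dest": dest, "zip_extracted": z_ok, "zip_rejected": z_bad,
            "tar_extracted": t_ok, "tar_rejected": t_bad,
            "build_xml_exists": os.path.isfile(os.path.join(dest, "build.xml"))}
```

Resolving with `realpath` before the prefix check is what makes the symlink case safe as well: if an earlier accepted entry had created `dest/lib` as a link elsewhere, every later name under `lib/` would resolve outside `dest` and be refused. Checking the raw string for `..` alone does not give that.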
[SECURITY] [DSA 4267-1] kamailio security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4267-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 08, 2018                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kamailio
CVE ID         : CVE-2018-14767

Henning Westerholt discovered a flaw related to the To header processing
in kamailio, a very fast, dynamic and configurable SIP server. Missing
input validation in the build_res_buf_from_sip_req function could result
in denial of service and potentially the execution of arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 4.4.4-2+deb9u2.

We recommend that you upgrade your kamailio packages.

For the detailed security status of kamailio please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kamailio

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltrTaBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TNXBAAgXAYyk+Y9DCSh/VL5dIs/4JUHMI66xnZSH9k7haETlMT+6ZhTMm/06wY
Q6O0nvAdP7RaG4/j3CiHgTnp3Z1k4zK1S8NNEbsg6AY+vfappu/6bECY7nSB7ljr
N/ATqLg8Vn5LuLegiGtzC8jvdMn4cDW9bmYCAYWznX/As/23F8ye3v9mlLCwcl28
XIxPBG/1ZC8aqdAveInm2LqRIWpSAIBxOp8S7eICPtYEAOjxZmxytTvrmMAhDvkS
L9IhP/BVV3Td9FTNlLVHkGGuE3aym0uGRHC8WmrbBzALMAIV1Bpu9Cgvy1F/RMaB
qLNsWASjgt/ULwsVo+ZtldA3uN2y6Z1NeGJRSZaQ3EK5qvKgViTpULCqW+CrQl7w
63uUtGOXMVPMc4oCNbHbf8hP0kPHKNPBXuiU09txvgQSNJ07XUg8/cmVUy3whp9C
sRX6o9VEmxfqZJpvX+7l9VzL584DuptOTdH4Y1rcL//7BoJvioqwd2iUh9t2p+in
zysbgwicx8AnQy65iH0AhViJimlktT/g0ygvj3Vxsa49w4MGjB8cEH2CMQCCT7Cy
Q0oiG6hBPePEcb4a1p8BfhwHYmRpx87sxFEdPAjsWB/bz/P5465dWyWAoB1iA/er
2xkQur1NV5A0Vwza2Cy5PdfsM5zKkpiEpHqUhO7DNBd6L5zZ5iU=
=UQT1
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4266-1] linux security update
Debian Security Advisory DSA-4266-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 06, 2018                       https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2018-5390 CVE-2018-13405

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation or denial of service.

CVE-2018-5390

    Juha-Matti Tilli discovered that a remote attacker can trigger the worst case code paths for TCP stream reassembly with low rates of specially crafted packets, leading to remote denial of service.

CVE-2018-13405

    Jann Horn discovered that the inode_init_owner function in fs/inode.c in the Linux kernel allows local users to create files with an unintended group ownership, allowing attackers to escalate privileges by making a plain file executable and SGID.

For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u1. This update includes fixes for several regressions in the latest point release.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4272-1] linux security update
Debian Security Advisory DSA-4272-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 14, 2018                       https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2018-5391

CVE-2018-5391 (FragmentSmack)

    Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can take advantage of this flaw to trigger time-consuming and computationally expensive fragment reassembly algorithms by sending specially crafted packets, leading to remote denial of service.

    This is mitigated by reducing the default limits on memory usage for incomplete fragmented packets. The same mitigation can be achieved without the need to reboot, by setting the sysctls:

        net.ipv4.ipfrag_high_thresh = 262144
        net.ipv6.ip6frag_high_thresh = 262144
        net.ipv4.ipfrag_low_thresh = 196608
        net.ipv6.ip6frag_low_thresh = 196608

    The default values may still be increased by local configuration if necessary.

For the stable distribution (stretch), this problem has been fixed in version 4.9.110-3+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
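The four sysctls in this advisory are a setting a practitioner will want to audit as well as apply. The following is an added example, not part of the advisory or of any Debian tooling: it parses sysctl-style "key = value" output, flags any threshold still above the DSA-4272-1 limits (and a low_thresh that is not below its high_thresh), and renders a sysctl.d fragment with the recommended values. The sample sysctl output is constructed (4 MiB / 3 MiB, well above the limits) and the /etc/sysctl.d file name is illustrative.

```python
"""Audit and render the IP fragment reassembly limits from DSA-4272-1.

Added example, not part of the Debian advisory: parses `sysctl`-style
"key = value" output, reports which of the four ipfrag/ip6frag thresholds
still exceed the mitigated limits, and renders a sysctl.d fragment with the
recommended values. The sample output below is constructed.
"""
from __future__ import annotations

import re

# Limits recommended in DSA-4272-1 (bytes of memory for incomplete fragments).
RECOMMENDED = {
    "net.ipv4.ipfrag_high_thresh": 262144,
    "net.ipv6.ip6frag_high_thresh": 262144,
    "net.ipv4.ipfrag_low_thresh": 196608,
    "net.ipv6.ip6frag_low_thresh": 196608,
}

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(-?\d+)\s*$")


def parse_sysctl(text: str) -> dict[str, int]:
    """Parse `sysctl` / sysctl.conf style "key = value" lines into a dict.

    Comment lines (#, ;) and blank lines are skipped; malformed lines and
    non-integer values are ignored rather than guessed at.
    """
    settings: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def audit_frag_limits(settings: dict[str, int]) -> dict[str, str]:
    """Return one finding per recommended key: "ok", "too high: N" or "missing".

    A high_thresh above the limit lets a remote peer tie up more memory (and
    more reassembly work) than the mitigation intends. A low_thresh that is
    not below its high_thresh would defeat eviction, so that is checked too.
    """
    findings: dict[str, str] = {}
    for key, limit in RECOMMENDED.items():
        if key not in settings:
            findings[key] = "missing"
        elif settings[key] > limit:
            findings[key] = f"too high: {settings[key]}"
        else:
            findings[key] = "ok"
    for fam in ("net.ipv4.ipfrag", "net.ipv6.ip6frag"):
        high = settings.get(f"{fam}_high_thresh")
        low = settings.get(f"{fam}_low_thresh")
        if high is not None and low is not None and low >= high:
            findings[f"{fam}_low_thresh"] = f"not below high_thresh: {low} >= {high}"
    return findings


def render_sysctl_conf() -> str:
    """Render the mitigation as a sysctl.d fragment (e.g. /etc/sysctl.d/99-fragsmack.conf)."""
    lines = ["# CVE-2018-5391 (FragmentSmack) mitigation, values from DSA-4272-1"]
    lines += [f"{key} = {value}" for key, value in RECOMMENDED.items()]
    return "\n".join(lines) + "\n"


# Constructed sample, as `sysctl net.ipv4.ipfrag_high_thresh ...` would print it,
# with 4 MiB / 3 MiB values far above the recommended limits.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv6.ip6frag_high_thresh = 4194304
net.ipv6.ip6frag_low_thresh = 3145728
"""

if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL_OUTPUT)
    for key, finding in audit_frag_limits(current).items():
        print(f"{key:32} {finding}")
    print("\nRecommended /etc/sysctl.d fragment:\n" + render_sysctl_conf())
```

On a live host, feed the function the output of `sysctl net.ipv4.ipfrag_high_thresh net.ipv4.ipfrag_low_thresh net.ipv6.ip6frag_high_thresh net.ipv6.ip6frag_low_thresh` instead of the constructed sample.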
[SECURITY] [DSA 4271-1] samba security update
Debian Security Advisory DSA-4271-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 14, 2018                       https://www.debian.org/security/faq

Package        : samba
CVE ID         : CVE-2018-10858 CVE-2018-10919

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2018-10858

    Svyatoslav Phirsov discovered that insufficient input validation in libsmbclient allowed a malicious Samba server to write to the client's heap memory.

CVE-2018-10919

    Phillip Kuhrt discovered that Samba when acting as an Active Domain controller disclosed some sensitive attributes.

For the stable distribution (stretch), these problems have been fixed in version 2:4.5.12+dfsg-2+deb9u3.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4277-1] mutt security update
Debian Security Advisory DSA-4277-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 17, 2018                       https://www.debian.org/security/faq

Package        : mutt
CVE ID         : CVE-2018-14349 CVE-2018-14350 CVE-2018-14351 CVE-2018-14352 CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356 CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14360 CVE-2018-14361 CVE-2018-14362 CVE-2018-14363
Debian Bug     : 904051

Several vulnerabilities were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, potentially leading to code execution, denial of service or information disclosure when connecting to a malicious mail/NNTP server.

For the stable distribution (stretch), these problems have been fixed in version 1.7.2-1+deb9u1.

We recommend that you upgrade your mutt packages.

For the detailed security status of mutt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mutt

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4279-2] linux regression update
Debian Security Advisory DSA-4279-2                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 22, 2018                       https://www.debian.org/security/faq

Package        : linux
Debian Bug     : 906769

The security update announced as DSA 4279-1 caused regressions on the ARM architectures (boot failures on some systems). Updated packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in version 4.9.110-3+deb9u4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4279-1] linux security update
Debian Security Advisory DSA-4279-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 20, 2018                       https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system, or cross guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4246-1] mailman security update
Debian Security Advisory DSA-4246-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 15, 2018                         https://www.debian.org/security/faq

Package        : mailman
CVE ID         : CVE-2018-0618

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. discovered that mailman, a web-based mailing list manager, is prone to a cross-site scripting flaw allowing a malicious listowner to inject scripts into the listinfo page, due to unvalidated input in the host_name field.

For the stable distribution (stretch), this problem has been fixed in version 1:2.1.23-1+deb9u3.

We recommend that you upgrade your mailman packages.

For the detailed security status of mailman please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mailman

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4253-1] network-manager-vpnc security update
Debian Security Advisory DSA-4253-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 23, 2018                         https://www.debian.org/security/faq

Package        : network-manager-vpnc
CVE ID         : CVE-2018-10900
Debian Bug     : 904255

Denis Andzakovic discovered that network-manager-vpnc, a plugin to provide VPNC support for NetworkManager, is prone to a privilege escalation vulnerability. A newline character can be used to inject a Password helper parameter into the configuration data passed to vpnc, allowing a local user with privileges to modify a system connection to execute arbitrary commands as root.

For the stable distribution (stretch), this problem has been fixed in version 1.2.4-4+deb9u1.

We recommend that you upgrade your network-manager-vpnc packages.

For the detailed security status of network-manager-vpnc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/network-manager-vpnc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
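The network-manager-vpnc flaw is an instance of a general bug class: a user-controlled value containing a line break becomes a new directive in a line-oriented configuration handed to a privileged program. The following added example (not code from network-manager-vpnc, vpnc or Debian) shows the naive serializer beside a hardened one that allow-lists directives and rejects control characters in values; the vpnc-style directive names, the gateway host name and the helper path are illustrative placeholders.

```python
"""Safe serialization of a line-oriented config from untrusted values.

Added example (not code from network-manager-vpnc or vpnc) for the bug
class behind CVE-2018-10900: a line break inside a value handed to a
privileged helper becomes a second directive. Directive names, host names
and paths below are illustrative only.
"""
from __future__ import annotations

# Directives the caller may set. Options that name a program to run are
# deliberately absent, so they cannot be set even through a legitimate key.
ALLOWED_KEYS = frozenset({"IPSec gateway", "IPSec ID", "Xauth username"})


class UnsafeConfigValue(ValueError):
    """A key or value would alter the line structure of the config."""


def naive_config(options: dict[str, str]) -> str:
    """The vulnerable pattern: values are pasted into "Key Value" lines as-is.

    A value containing a newline ends its own line, and whatever follows is
    read by the consumer as a new directive.
    """
    return "".join(f"{key} {value}\n" for key, value in options.items())


def safe_config(options: dict[str, str]) -> str:
    """Hardened serializer: allow-list the directive, reject control chars.

    The control-character check is what stops a value from starting a new
    line; the allow-list is a second layer that keeps callers from setting
    sensitive directives even under their legitimate name.
    """
    out = []
    for key, value in options.items():
        if key not in ALLOWED_KEYS:
            raise UnsafeConfigValue(f"directive not permitted: {key!r}")
        # CR, LF, every other ASCII control character, and DEL are refused.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise UnsafeConfigValue(f"control character in value for {key!r}")
        out.append(f"{key} {value}\n")
    return "".join(out)


def directive_lines(config_text: str) -> list[str]:
    """Non-empty lines, i.e. what a line-by-line config reader would process."""
    return [line for line in config_text.splitlines() if line.strip()]


def is_rejected(options: dict[str, str]) -> bool:
    """True if the hardened serializer refuses these options."""
    try:
        safe_config(options)
    except UnsafeConfigValue:
        return True
    return False


# Constructed inputs: one gateway value carrying a line break followed by a
# second directive, and one clean set of options.
INJECTED = {"IPSec gateway": "vpn.example.net\nPassword helper /path/to/helper"}
CLEAN = {"IPSec gateway": "vpn.example.net", "Xauth username": "alice"}

if __name__ == "__main__":
    naive_lines = directive_lines(naive_config(INJECTED))
    print(f"naive serializer: one option became {len(naive_lines)} directives")
    print(f"hardened serializer rejects it: {is_rejected(INJECTED)}")
    print(safe_config(CLEAN), end="")
```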
[SECURITY] [DSA 4285-1] sympa security update
Debian Security Advisory DSA-4285-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 05, 2018                    https://www.debian.org/security/faq

Package        : sympa
CVE ID         : CVE-2018-1000550

Michael Kaczmarczik discovered a vulnerability in the web interface template editing function of Sympa, a mailing list manager. List owners and listmasters could use this flaw to create or modify arbitrary files on the server with the privileges of the sympa user, or to view list config files even if edit_list.conf prohibits it.

For the stable distribution (stretch), this problem has been fixed in version 6.2.16~dfsg-3+deb9u1.

We recommend that you upgrade your sympa packages.

For the detailed security status of sympa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sympa

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4290-1] libextractor security update
Debian Security Advisory DSA-4290-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 10, 2018                    https://www.debian.org/security/faq

Package        : libextractor
CVE ID         : CVE-2018-14346 CVE-2018-14347 CVE-2018-16430
Debian Bug     : 904903 904905 907987

Several vulnerabilities were discovered in libextractor, a library to extract arbitrary meta-data from files, which may lead to denial of service or the execution of arbitrary code if a specially crafted file is opened.

For the stable distribution (stretch), these problems have been fixed in version 1:1.3-4+deb9u2.

We recommend that you upgrade your libextractor packages.

For the detailed security status of libextractor please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libextractor

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4242-1] ruby-sprockets security update
Debian Security Advisory DSA-4242-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 09, 2018                         https://www.debian.org/security/faq

Package        : ruby-sprockets
CVE ID         : CVE-2018-3760
Debian Bug     : 901913

Orange Tsai discovered a path traversal flaw in ruby-sprockets, a Rack-based asset packaging system. A remote attacker can take advantage of this flaw to read arbitrary files outside an application's root directory via specially crafted requests, when the Sprockets server is used in production.

For the stable distribution (stretch), this problem has been fixed in version 3.7.0-1+deb9u1.

We recommend that you upgrade your ruby-sprockets packages.

For the detailed security status of ruby-sprockets please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-sprockets

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4133-1] isc-dhcp security update
Debian Security Advisory DSA-4133-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 07, 2018                        https://www.debian.org/security/faq

Package        : isc-dhcp
CVE ID         : CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
Debian Bug     : 887413 891785 891786

Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3144

    It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaustion of the pool of socket descriptors available to the DHCP server, resulting in denial of service.

CVE-2018-5732

    Felix Wilhelm of the Google Security Team discovered that the DHCP client is prone to an out-of-bounds memory access vulnerability when processing specially constructed DHCP options responses, resulting in potential execution of arbitrary code by a malicious DHCP server.

CVE-2018-5733

    Felix Wilhelm of the Google Security Team discovered that the DHCP server does not properly handle reference counting when processing client requests. A malicious client can take advantage of this flaw to cause a denial of service (dhcpd crash) by sending large amounts of traffic.

For the oldstable distribution (jessie), these problems have been fixed in version 4.3.1-6+deb8u3.

For the stable distribution (stretch), these problems have been fixed in version 4.3.5-3+deb9u1.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/isc-dhcp

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4134-1] util-linux security update
Debian Security Advisory DSA-4134-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 10, 2018                        https://www.debian.org/security/faq

Package        : util-linux
CVE ID         : CVE-2018-7738
Debian Bug     : 892179

Bjorn Bosselmann discovered that the umount bash completion from util-linux does not properly handle embedded shell commands in a mountpoint name. An attacker with rights to mount filesystems can take advantage of this flaw for privilege escalation if a user (in particular root) is tricked into using the umount completion while a specially crafted mount is present.

For the stable distribution (stretch), this problem has been fixed in version 2.29.2-1+deb9u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4135-1] samba security update
Debian Security Advisory DSA-4135-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 13, 2018                        https://www.debian.org/security/faq

Package        : samba
CVE ID         : CVE-2018-1050 CVE-2018-1057

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2018-1050

    It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon.
    https://www.samba.org/samba/security/CVE-2018-1050.html

CVE-2018-1057

    Bjoern Baumbach from Sernet discovered that on Samba 4 AD DC the LDAP server incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other user's password, including those of administrative users.
    https://www.samba.org/samba/security/CVE-2018-1057.html
    https://wiki.samba.org/index.php/CVE-2018-1057

For the oldstable distribution (jessie), CVE-2018-1050 will be addressed in a later update. Unfortunately the changes required to fix CVE-2018-1057 for Debian oldstable are too invasive to be backported. Users using Samba as an AD-compatible domain controller are encouraged to apply the workaround described in the Samba wiki and upgrade to Debian stretch.

For the stable distribution (stretch), these problems have been fixed in version 2:4.5.12+dfsg-2+deb9u2.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4168-1] squirrelmail security update
Debian Security Advisory DSA-4168-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
April 08, 2018                        https://www.debian.org/security/faq

Package        : squirrelmail
CVE ID         : CVE-2018-8741
Debian Bug     : 893202

Florian Grunow and Birk Kauer of ERNW discovered a path traversal
vulnerability in SquirrelMail, a webmail application, allowing an
authenticated remote attacker to retrieve or delete arbitrary files via
a mail attachment.

For the oldstable distribution (jessie), this problem has been fixed in
version 2:1.4.23~svn20120406-2+deb8u2.

We recommend that you upgrade your squirrelmail packages.

For the detailed security status of squirrelmail please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/squirrelmail
[SECURITY] [DSA 4079-2] poppler regression update
Debian Security Advisory DSA-4079-2                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
April 12, 2018                        https://www.debian.org/security/faq

Package        : poppler
CVE ID         : CVE-2017-9776
Debian Bug     : 890826

It was discovered that the poppler upload for the oldstable distribution
(jessie), released as DSA-4079-1, did not correctly address
CVE-2017-9776 and additionally caused regressions when rendering PDFs
embedding JBIG2 streams. Updated packages are now available to correct
this issue.

For the oldstable distribution (jessie), this problem has been fixed in
version 0.26.5-2+deb8u4.

We recommend that you upgrade your poppler packages.

For the detailed security status of poppler please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/poppler
[SECURITY] [DSA 4176-1] mysql-5.5 security update
Debian Security Advisory DSA-4176-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
April 20, 2018                        https://www.debian.org/security/faq

Package        : mysql-5.5
CVE ID         : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773
                 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818
                 CVE-2018-2819

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.60, which includes additional changes. Please see the MySQL
5.5 Release Notes and Oracle's Critical Patch Update advisory for
further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.60-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

For the detailed security status of mysql-5.5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mysql-5.5
[SECURITY] [DSA 4175-1] freeplane security update
Debian Security Advisory DSA-4175-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
April 18, 2018                        https://www.debian.org/security/faq

Package        : freeplane
CVE ID         : CVE-2018-169
Debian Bug     : 893663

Wojciech Regula discovered an XML External Entity vulnerability in the
XML parser of the mindmap loader in freeplane, a Java program for
working with mind maps, resulting in potential information disclosure
if a malicious mind map file is opened.

For the oldstable distribution (jessie), this problem has been fixed in
version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.5.18-1+deb9u1.

We recommend that you upgrade your freeplane packages.

For the detailed security status of freeplane please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/freeplane
[SECURITY] [DSA 4179-1] linux-tools security update
Debian Security Advisory DSA-4179-1                   secur...@debian.org
https://www.debian.org/security/                             Ben Hutchings
April 24, 2018                        https://www.debian.org/security/faq

Package        : linux-tools

This update doesn't fix a vulnerability in linux-tools, but provides
support for building Linux kernel modules with the "retpoline"
mitigation for CVE-2017-5715 (Spectre variant 2).

This update also includes bug fixes from the upstream Linux 3.16 stable
branch up to and including 3.16.56.

For the oldstable distribution (jessie), this problem has been fixed in
version 3.16.56-1.

We recommend that you upgrade your linux-tools packages.

For the detailed security status of linux-tools please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/linux-tools
[SECURITY] [DSA 4151-1] librelp security update
Debian Security Advisory DSA-4151-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 26, 2018                        https://www.debian.org/security/faq

Package        : librelp
CVE ID         : CVE-2018-1000140

Bas van Schaik and Kevin Backhouse discovered a stack-based buffer
overflow vulnerability in librelp, a library providing reliable event
logging over the network, triggered while checking x509 certificates
from a peer. A remote attacker able to connect to rsyslog can take
advantage of this flaw for remote code execution by sending a specially
crafted x509 certificate.

Details can be found in the upstream advisory:
http://www.rsyslog.com/cve-2018-1000140/

For the oldstable distribution (jessie), this problem has been fixed in
version 1.2.7-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.12-1+deb9u1.

We recommend that you upgrade your librelp packages.

For the detailed security status of librelp please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librelp
[SECURITY] [DSA 4154-1] net-snmp security update
Debian Security Advisory DSA-4154-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 28, 2018                        https://www.debian.org/security/faq

Package        : net-snmp
CVE ID         : CVE-2015-5621 CVE-2018-1000116
Debian Bug     : 788964 894110

A heap corruption vulnerability was discovered in net-snmp, a suite of
Simple Network Management Protocol applications, triggered when parsing
the PDU prior to the authentication process. A remote, unauthenticated
attacker can take advantage of this flaw to crash the snmpd process
(causing a denial of service) or, potentially, execute arbitrary code
with the privileges of the user running snmpd.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.7.2.1+dfsg-1+deb8u1.

For the stable distribution (stretch), these problems have been fixed
before the initial release.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp
[SECURITY] [DSA 4156-1] drupal7 security update
Debian Security Advisory DSA-4156-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq

Package        : drupal7
CVE ID         : CVE-2018-7600
Debian Bug     : 894259

A remote code execution vulnerability has been found in Drupal, a
fully-featured content management framework. For additional
information, please refer to the upstream advisory at
https://www.drupal.org/sa-core-2018-002

For the oldstable distribution (jessie), this problem has been fixed in
version 7.32-1+deb8u11.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u3.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/drupal7
[SECURITY] [DSA 4164-1] apache2 security update
Debian Security Advisory DSA-4164-1                   secur...@debian.org
https://www.debian.org/security/                            Stefan Fritsch
April 03, 2018                        https://www.debian.org/security/faq

Package        : apache2
CVE ID         : CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301
                 CVE-2018-1303 CVE-2018-1312

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-15710

    Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
    configured with AuthLDAPCharsetConfig, could cause an out-of-bounds
    write if supplied with a crafted Accept-Language header. This could
    potentially be used for a denial of service attack.

CVE-2017-15715

    Elar Lang discovered that the expression specified in <FilesMatch>
    could match '$' to a newline character in a malicious filename,
    rather than matching only the end of the filename. This could be
    exploited in environments where uploads of some files are
    externally blocked, but only by matching the trailing portion of
    the filename.

CVE-2018-1283

    When mod_session is configured to forward its session data to CGI
    applications (SessionEnv on, not the default), a remote user could
    influence their content by using a "Session" header.

CVE-2018-1301

    Robert Swiecki reported that a specially crafted request could have
    crashed the Apache HTTP Server, due to an out-of-bounds access after
    a size limit is reached by reading the HTTP header.

CVE-2018-1303

    Robert Swiecki reported that a specially crafted HTTP request header
    could have crashed the Apache HTTP Server if using
    mod_cache_socache, due to an out-of-bounds read while preparing data
    to be cached in shared memory.

CVE-2018-1312

    Nicolas Daniels discovered that when generating an HTTP Digest
    authentication challenge, the nonce sent by mod_auth_digest to
    prevent replay attacks was not correctly generated using a
    pseudo-random seed. In a cluster of servers using a common Digest
    authentication configuration, HTTP requests could be replayed across
    servers by an attacker without detection.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.10-10+deb8u12.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u4.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2
[SECURITY] [DSA 4157-1] openssl security update
Debian Security Advisory DSA-4157-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq

Package        : openssl
CVE ID         : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3738

    David Benjamin of Google reported an overflow bug in the AVX2
    Montgomery multiplication procedure used in exponentiation with
    1024-bit moduli.

CVE-2018-0739

    It was discovered that constructed ASN.1 types with a recursive
    definition could exceed the stack, potentially leading to a denial
    of service.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected
by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl
[SECURITY] [DSA 4158-1] openssl1.0 security update
Debian Security Advisory DSA-4158-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq

Package        : openssl1.0
CVE ID         : CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial of
service.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20180327.txt

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2l-2+deb9u3.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0
[SECURITY] [DSA 4141-1] libvorbisidec security update
Debian Security Advisory DSA-4141-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 16, 2018                        https://www.debian.org/security/faq

Package        : libvorbisidec
CVE ID         : CVE-2018-5147
Debian Bug     : 893132

Huzaifa Sidhpurwala discovered that an out-of-bounds memory write in the
codebook parsing code of the Libtremor multimedia library could result
in the execution of arbitrary code if a malformed Vorbis file is opened.

For the oldstable distribution (jessie), this problem has been fixed in
version 1.0.2+svn18153-1~deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2+svn18153-1+deb9u1.

We recommend that you upgrade your libvorbisidec packages.

For the detailed security status of libvorbisidec please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvorbisidec
[SECURITY] [DSA 4140-1] libvorbis security update
Debian Security Advisory DSA-4140-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 16, 2018                        https://www.debian.org/security/faq

Package        : libvorbis
CVE ID         : CVE-2018-5146
Debian Bug     : 893130

Richard Zhu discovered that an out-of-bounds memory write in the
codebook parsing code of the Libvorbis multimedia library could result
in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed in
version 1.3.4-2+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.3.5-4+deb9u2.

We recommend that you upgrade your libvorbis packages.

For the detailed security status of libvorbis please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvorbis
[SECURITY] [DSA 4142-1] uwsgi security update
Debian Security Advisory DSA-4142-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 17, 2018                        https://www.debian.org/security/faq

Package        : uwsgi
CVE ID         : CVE-2018-7490
Debian Bug     : 891639

Marios Nicolaides discovered that the PHP plugin in uWSGI, a fast,
self-healing application container server, does not properly handle a
DOCUMENT_ROOT check during use of the --php-docroot option, allowing a
remote attacker to mount a directory traversal attack and gain
unauthorized read access to sensitive files located outside of the web
root directory.

For the oldstable distribution (jessie), this problem has been fixed in
version 2.0.7-1+deb8u2. This update additionally includes the fix for
CVE-2018-6758, which was intended to be addressed in the upcoming jessie
point release.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.14+20161117-3+deb9u2.

We recommend that you upgrade your uwsgi packages.

For the detailed security status of uwsgi please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/uwsgi
[SECURITY] [DSA 4120-2] linux regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4120-2                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 03, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
Debian Bug     : 891249

The security update announced as DSA-4120-1 caused regressions on the
powerpc kernel architecture (random programs segfault, data corruption).
Updated packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 4.9.82-1+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4130-1] dovecot security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4130-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
March 02, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
Debian Bug     : 888432 891819 891820

Several vulnerabilities have been discovered in the Dovecot email
server. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2017-14461

    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that
    Dovecot does not properly parse invalid email addresses, which may
    cause a crash or leak memory contents to an attacker.

CVE-2017-15130

    It was discovered that TLS SNI config lookups may lead to excessive
    memory usage, causing imap-login/pop3-login VSZ limit to be reached
    and the process restarted, resulting in a denial of service. Only
    Dovecot configurations containing local_name { } or local { }
    configuration blocks are affected.

CVE-2017-15132

    It was discovered that Dovecot contains a memory leak flaw in the
    login process on aborted SASL authentication.

For the oldstable distribution (jessie), these problems have been fixed
in version 1:2.2.13-12~deb8u4.

For the stable distribution (stretch), these problems have been fixed in
version 1:2.2.27-3+deb9u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4311-1] git security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4311-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 05, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2018-17456

joernchen of Phenoelit discovered that git, a fast, scalable,
distributed revision control system, is prone to an arbitrary code
execution vulnerability via a specially crafted .gitmodules file in a
project cloned with --recurse-submodules.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u4.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/git

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4332-1] ruby2.3 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4332-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 03, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby2.3
CVE ID         : CVE-2018-16395 CVE-2018-16396

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-16395

    Tyler Eckstein reported that the equality check of
    OpenSSL::X509::Name could return true for non-equal objects. If a
    malicious X.509 certificate is passed to compare with an existing
    certificate, there is a possibility to be judged incorrectly that
    they are equal.

CVE-2018-16396

    Chris Seaton discovered that tainted flags are not propagated in
    Array#pack and String#unpack with some directives.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u4.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4336-1] ghostscript security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4336-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 10, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-11645 CVE-2018-17961 CVE-2018-18073 CVE-2018-18284
Debian Bug     : 910678 910758 911175

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service,
disclosure of existence and size of arbitrary files, or the execution of
arbitrary code if a malformed Postscript file is processed (despite the
dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.25
which includes additional non-security related changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.25~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4312-1] tinc security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4312-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 08, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tinc
CVE ID         : CVE-2018-16738 CVE-2018-16758

Several vulnerabilities were discovered in tinc, a Virtual Private
Network (VPN) daemon. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-16738

    Michael Yonli discovered a flaw in the implementation of the
    authentication protocol that could allow a remote attacker to
    establish an authenticated, one-way connection with another node.

CVE-2018-16758

    Michael Yonli discovered that a man-in-the-middle that has
    intercepted a TCP connection might be able to disable encryption of
    UDP packets sent by a node.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.31-1+deb9u1.

We recommend that you upgrade your tinc packages.

For the detailed security status of tinc please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/tinc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4313-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4313-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 08, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-15471 CVE-2018-18021

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-15471 (XSA-270)

    Felix Wilhelm of Google Project Zero discovered a flaw in the hash
    handling of the xen-netback Linux kernel module. A malicious or
    buggy frontend may cause the (usually privileged) backend to make
    out of bounds memory accesses, potentially resulting in privilege
    escalation, denial of service, or information leaks.

    https://xenbits.xen.org/xsa/advisory-270.html

CVE-2018-18021

    It was discovered that the KVM subsystem on the arm64 platform does
    not properly handle the KVM_SET_ON_REG ioctl. An attacker who can
    create KVM based virtual machines can take advantage of this flaw
    for denial of service (hypervisor panic) or privilege escalation
    (arbitrarily redirect the hypervisor flow of control with full
    register control).

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u6.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4308-1] linux security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4308-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 01, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363
                 CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099
                 CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678
                 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                 CVE-2018-16658 CVE-2018-17182

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-6554

    A memory leak in the irda_bind function in the irda subsystem was
    discovered. A local user can take advantage of this flaw to cause a
    denial of service (memory consumption).

CVE-2018-6555

    A flaw was discovered in the irda_setsockopt function in the irda
    subsystem, allowing a local user to cause a denial of service
    (use-after-free and system crash).

CVE-2018-7755

    Brian Belleville discovered a flaw in the fd_locked_ioctl function
    in the floppy driver in the Linux kernel. The floppy driver copies a
    kernel pointer to user memory in response to the FDGETPRM ioctl. A
    local user with access to a floppy drive device can take advantage
    of this flaw to discover the location of kernel code and data.

CVE-2018-9363

    It was discovered that the Bluetooth HIDP implementation did not
    correctly check the length of received report messages. A paired
    HIDP device could use this to cause a buffer overflow, leading to
    denial of service (memory corruption or crash) or potentially remote
    code execution.

CVE-2018-9516

    It was discovered that the HID events interface in debugfs did not
    correctly limit the length of copies to user buffers. A local user
    with access to these files could use this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation. However, by default debugfs is only accessible by the
    root user.

CVE-2018-10902

    It was discovered that the rawmidi kernel driver does not protect
    against concurrent access which leads to a double-realloc (double
    free) flaw. A local attacker can take advantage of this issue for
    privilege escalation.

CVE-2018-10938

    Yves Younan from Cisco reported that the Cipso IPv4 module did not
    correctly check the length of IPv4 options. On custom kernels with
    CONFIG_NETLABEL enabled, a remote attacker could use this to cause a
    denial of service (hang).

CVE-2018-13099

    Wen Xu from SSLab at Gatech reported a use-after-free bug in the
    F2FS implementation. An attacker able to mount a crafted F2FS volume
    could use this to cause a denial of service (crash or memory
    corruption) or possibly for privilege escalation.

CVE-2018-14609

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the F2FS implementation. An attacker able to mount a
    crafted F2FS volume could use this to cause a denial of service
    (crash).

CVE-2018-14617

    Wen Xu from SSLab at Gatech reported a potential null pointer
    dereference in the HFS+ implementation. An attacker able to mount a
    crafted HFS+ volume could use this to cause a denial of service
    (crash).

CVE-2018-14633

    Vincent Pelletier discovered a stack-based buffer overflow flaw in
    the chap_server_compute_md5() function in the iSCSI target code. An
    unauthenticated remote attacker can take advantage of this flaw to
    cause a denial of service or possibly to get non-authorized access
    to data exported by an iSCSI target.

CVE-2018-14678

    M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel
    exit code used on amd64 systems running as Xen PV guests. A local
    user could use this to cause a denial of service (crash).

CVE-2018-14734

    A use-after-free bug was discovered in the InfiniBand communication
    manager. A local user could use this to cause a denial of service
    (crash or memory corruption) or possibly for privilege escalation.

CVE-2018-15572

    Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and
    Nael Abu-Ghazaleh, from University of California, Riverside,
    reported a variant of Spectre variant 2, dubbed SpectreRSB. A local
    user may be able to use this to read sensitive information from
    processes owned by other users.

CVE-2018-15594

    Nadav Amit reported that some indirect function calls used in
    paravirtualised guests were vulnerable to Spectre variant 2. A local
    user may be able to use this to read sensitive
[SECURITY] [DSA 4310-1] firefox-esr security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4310-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 03, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2018-12386 CVE-2018-12387

Two security issues have been found in the Mozilla Firefox web browser,
which could potentially result in the execution of arbitrary code inside
the sandboxed content process.

For the stable distribution (stretch), these problems have been fixed in
version 60.2.2esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4300-1] libarchive-zip-perl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4300-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
September 22, 2018                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libarchive-zip-perl
CVE ID         : CVE-2018-10860
Debian Bug     : 902882

It was discovered that Archive::Zip, a perl module for manipulation of
ZIP archives, is prone to a directory traversal vulnerability. An
attacker able to provide a specially crafted archive for processing can
take advantage of this flaw to overwrite arbitrary files during archive
extraction.

For the stable distribution (stretch), this problem has been fixed in
version 1.59-1+deb9u1.

We recommend that you upgrade your libarchive-zip-perl packages.

For the detailed security status of libarchive-zip-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive-zip-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4302-1] openafs security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4302-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
September 23, 2018                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openafs
CVE ID         : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug     : 908616

Several vulnerabilities were discovered in openafs, an implementation of
the distributed filesystem AFS. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-16947

    Jeffrey Altman reported that the backup tape controller (butc)
    process does accept incoming RPCs but does not require (or allow
    for) authentication of those RPCs, allowing an unauthenticated
    attacker to perform volume operations with administrator
    credentials.

    https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt

CVE-2018-16948

    Mark Vitale reported that several RPC server routines do not fully
    initialize output variables, leaking memory contents (from both the
    stack and the heap) to the remote caller for otherwise-successful
    RPCs.

    https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt

CVE-2018-16949

    Mark Vitale reported that an unauthenticated attacker can consume
    large amounts of server memory and network bandwidth via specially
    crafted requests, resulting in denial of service to legitimate
    clients.

    https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

For the stable distribution (stretch), these problems have been fixed in
version 1.6.20-2+deb9u2.

We recommend that you upgrade your openafs packages.

For the detailed security status of openafs please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/openafs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4358-1] ruby-sanitize security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4358-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
December 27, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2018-3740
Debian Bug     : 893610

The Shopify Application Security Team discovered that ruby-sanitize, a
whitelist-based HTML sanitizer, is prone to a HTML injection
vulnerability. A specially crafted HTML fragment can allow
non-whitelisted attributes to be used on a whitelisted HTML element.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.0-2+deb9u1.

We recommend that you upgrade your ruby-sanitize packages.

For the detailed security status of ruby-sanitize please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sanitize

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4367-2] systemd regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
January 15, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that, as the systemd-journald service is not restarted
automatically, a restart of the service or, more safely, a reboot is
advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4357-1] libapache-mod-jk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libapache-mod-jk
CVE ID         : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java servlet
engine. The vulnerability is addressed by upgrading mod_jk to the new
upstream version 1.2.46, which includes additional changes.

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.42_and_1.2.43
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.43_and_1.2.44
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.44_and_1.2.45
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwcFXJfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qu7Q/6A6UGJsGJox6vlwjOso6/n0kSUW+Q/ojIL5O3BkDgxY4SkZ0Aw3OBWuj4
b4WimxndglxjA2/Lx5NPzthA82kSSYVJWkngjlhRCIX1eqFadpHrkXVPb1pBxvQ5
/JJsArO0X01qQQPlqsjSHtWQVDlRsELwycb48B+3u7Si9LUiyg5Z2kaBSanWvYNw
zDwludKjJpvMg8XoqR1dvrycXPK5NDkfqAud22cquog8XCNpc/jDNPMFLHwXQp1H
JJgLpIIJncHB9CPbi+7rMYpNsRBnAQNEcz6LGjsWY7fkgSfJfx/P8ezYjliDY7xf
EzxFDNXj+LHs1xH/7cTkf5+EX+rjU8lonPEAxqXpsZ9OKqGZfUBUAM7dyUWoMAMI
W0EB1Hr3ysa69V5EjGMdp2djH56OcMAAYB/uHu+R0p4YrE0Ivkx5XfUglnYLa9Wa
X9+jVf5Unp4qRNuCVwaI2k9P2u60UZezYx6hjMG81nxkZLDg6CAzDcVqGYR+dS4D
Z8wY0ya6NOMwnrkhuJfTX1LONbkwgzvNh/EvAZNduy6r8x62Sff7PVtaRWf2LjXq
sjjs9IT9Tc7Ta96GcR/nXkLc+VVdefvf2hZ29BDhEWovYhnb9X4k8Wsd2e/x4NFW
uz4nNmazB9Yyj1QD3G5DN7tfIoJ+iSuqIWtJqLIiOY7/VO+scPs=
=CyjI
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4356-1] netatalk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4356-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
December 20, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netatalk
CVE ID         : CVE-2018-1160
Debian Bug     : 916930

Jacob Baines discovered a flaw in the handling of the DSI Opensession
command in Netatalk, an implementation of the AppleTalk Protocol Suite,
allowing an unauthenticated user to execute arbitrary code with root
privileges.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.5-2+deb9u1.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netatalk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwb2aFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TaWA/7BLosSUP7w9QtHSSXqZcQQ2S2SzVNbANKjK0E1VFb+P8yZYXmQTQIBcLI
SvM8A8tewM7gil0d8Nl+5m1xPZeWZ9eLrwCkD9CvAbqS+6h1HiiIGAEyAFJ0wzL8
P49BUZtUmg/vFFecjhdwPW+D5ve31EKZlB/IJngGm4ETHnRUyGXvYtW6Y89KWKQL
Fl2t3quM1zq6nIi8ovtHUvEMkenHfziT3I0WcEjqZp/YJb8WlckpQOBs/oIH9Cem
m5FmQmYbQLFt40RPORjhsA+7vWOCofBFfW7caVY+9hkSL75USzhfZRHeIWS4LHrA
4tKmwS4ZDv/9FyT/KEOnA0qBjLltFUYoK3ZnWGvw0lGVVJE4ae9N5nsLYuVsbEey
6Q8MYn7H/Kks8/CXicb9Mg4pgCcRK8PdudY+BTo6BTZHE6oRT2fj1t8COYWJ7xWo
92CoIbuQ6E5fJwxyZ7aDOGbzQxUmuE1SL6QblK/xlIdUCdJ8qtyFBat8++KVNoAn
mtYah1/VFfqUA2XqzRdQIq3O45Hks48jhKWhqIPjJaK9kJQaiRLkSkqZr/SBI2Vy
ZIe4mHG/j5Ps4Y2Z9WiamvZCP2jlFRWFsaYKpS7Bj1auf9ekA3zOB7PH+3Lxq93N
KDl9HJLTrKym1v4p3hAeuHpkbMDOxH4Bpf5K9Qys7/ce6cPOhVA=
=VFiz
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4346-2] ghostscript regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-2                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
December 23, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
Debian Bug     : 915832

The update for ghostscript issued as DSA-4346-1 caused a regression when
used with certain options (cf. Debian bug #915832). Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 9.26~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwfiEdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TLxxAAoQGRHJ9Fpxo4Rx0EDn4Qi9f6+4qR6uoYIhOfrmA2S+gRGkIRfye7r07f
reJL6Ruo1WazlDk2M0qypIzZ6wXQXTXcTJN1XDo0k2cALKPSnse8G7tKQOqKUcgx
8Wj1Q9gBQv3HM7hcnIYPeALnveOGBIDlc0rChn1LnXtUZWpPJMlq0tbC45XJcBeU
puHcKsURn2HI8wsFM6D0Nlnju3alC/OfkHPKLCRhwRZ/EwVS0zuFnLeFgeiEYx2/
dFBwfuWrRgMT1szwj6b3hIUlAmbwtopJeZG6BGio/FWiJ/4qaGVHEqEh1Bhq3ZpK
yhrzqqTyFnQYXQaS94eUJXDnCWYX6Zd24FwUBeTa2C/Yob6nHg1rwAfzVo9vEyGO
yAFZuYzO/V3P3wIi4+hAAyLLFj3rsBdS+RHynvKdJz7ql3vyxItXI/UZx1TtfI8P
QQ4RIigY/IwAMCp71Eo/CHth7mflYOhOsFi4k1W+gc3GaqHsWb4iFKfMcDkqISkH
TJhy72/EFMG7D1st6Cgr7CO4R8R/UjBB4R3YbH5ae9MXjXLpDKlUkaEB2HMx2RFg
SWgk0wImCUnJiZRohbOd2Fe2KDGCBf7FdfQlCHi3DW+9SEFAiJxW9gzoH0082Cn+
0zLAycxNnKr7jrbMfnNRLqUJdVC3t++CCpwQMyCkR2AoTWkl6L8=
=T/3v
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4351-1] libphp-phpmailer security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4351-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
December 07, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libphp-phpmailer
CVE ID         : CVE-2018-19296
Debian Bug     : 913912

It was discovered that PHPMailer, a library to send email from PHP
applications, is prone to a PHP object injection vulnerability,
potentially allowing a remote attacker to execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 5.2.14+dfsg-2.3+deb9u1.

We recommend that you upgrade your libphp-phpmailer packages.

For the detailed security status of libphp-phpmailer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libphp-phpmailer

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwKh31fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0ThNg/+Id/B70l8gr5iLIvwYtVBiqRAD+ZZcjKGwqJxXkxjK3RU9za5BU4qRwMO
usInjwMDiry+MpLvXAyMnH4WQFBY8EcziNiNMVhRiNhXwxHiwGJkxL2cizyqsZ8o
U90RDQdspt351IUDN2pMa2FNirMPPoaCQ1Ix0Wmaesyep7zU/sQT+udtE97d7uUV
Hjpx5JE2v5CygOavqUeK9RS1nxJ1qsRsv1E1okoKoTuYQWglgDWyWHOpDDgM6vBL
Zlsm4S/SEEoU2iwY4JvJZVnUHNSmSjFtMj2V/z2S5pffyApwwz7L2N/L6ZkgI+9X
qjJvNe285WF/zu4aKqsFUsdmF8QUIK+AHyuZawT0zxfHJbduGCQgL8jzCUBe9i7C
7RGQAfTVKou7uscOAPrWnPpsqFM6CGVZo0x11vAThHoamAZ6DbqzyjmaslpR7+xn
/Sc1qveBLFo9vZ4nrZyguYm7bSjl5xLx4dHexYgIf6jwzc2WpAX1WthhF32hBu2k
kWKqaFPd8dX4IpVGtaQzN4D34sMmcRGC7PEYRUhvO8rOmPxUIPsPc5OgWA7nhETR
5rGCGj6wFmltIbJSmaPew1SV/NsIm6gWrXUyl02sE6KXO2W9bNkeAocsQE93pwAP
TLByPiua2O5TAFjPzu/QJeMkw23PseJOT1cgEArJdWH1mMxYSsg=
=BKSR
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4347-1] perl security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4347-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 29, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the Perl
programming language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-18311

    Jayakrishna Menon and Christophe Hauser discovered an integer overflow
    vulnerability in Perl_my_setenv leading to a heap-based buffer overflow
    with attacker-controlled input.

CVE-2018-18312

    Eiichi Tsukata discovered that a crafted regular expression could cause
    a heap-based buffer overflow write during compilation, potentially
    allowing arbitrary code execution.

CVE-2018-18313

    Eiichi Tsukata discovered that a crafted regular expression could cause
    a heap-based buffer overflow read during compilation which leads to
    information leak.

CVE-2018-18314

    Jakub Wilk discovered that a specially crafted regular expression could
    lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlwAY45fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SexQ/+OyRsCOK4ZPjoe/mZD6nYcTZskjNu6o0XbV0dUwqGLz3+ztWAitThvLqw
OdbVmhPD9OBPXEw/CEGG/AzCzy+TTuo4B6CEevTviEq2ACS6MHWpXYk98qSLE+4a
1S+MO+kmziz1NKDJ11/7mUcS+hAoeCSbKpwkcBztyMqgMrbNpzOnlsNcXwu7kiTc
TMrTrTh8a/AWYN/IZITUN742STKODbdb86Zmypl6ecdOCY0kQLlrVbSH9SaEUr0v
y0R8dvl0g87lq+ipxhU2IiDzBgymf5HagvCAKcnUKWylPg/Dgtj3f7VjaK1I9cr0
GMpTCFoxw6fHsi221JzTKCYLjRC+kd0eQ+XbJmT1Djw5MBnkToNAQrvne7otNu2r
VM+pV8Iizze/UiGD33VOYCA9ukzExtQVk1aqXd7jb+s0GC3bThHwApkI2pWIH422
u8fZ4nlc4TBFXzKznT7GHiPMCLL3VxxAeOD0KPrL87Z+XIZTd2ZnuAtbTt3gpDY7
rmlKsCq7ovGYOMqzmT7sNrBG0dTUogDK+pqfsDw780kmlric5/lhpTROBIj1l/Sn
XN3ja2TsEwQyyzHd+tjBVxyGygawsa662PeZoL9B6iWGdSeoOhGjDHFXgyNJR4/7
49pvIdcgt0AxftuwlfN4W0h+8rhRFxNggFpC2dtGLZPhXfYI++s=
=tA1+
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4341-1] mariadb-10.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4341-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 19, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.1
CVE ID         : CVE-2017-10268 CVE-2017-10378 CVE-2017-15365 CVE-2018-2562
                 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665
                 CVE-2018-2668 CVE-2018-2755 CVE-2018-2761 CVE-2018-2766
                 CVE-2018-2767 CVE-2018-2771 CVE-2018-2781 CVE-2018-2782
                 CVE-2018-2784 CVE-2018-2787 CVE-2018-2813 CVE-2018-2817
                 CVE-2018-2819 CVE-2018-3058 CVE-2018-3063 CVE-2018-3064
                 CVE-2018-3066 CVE-2018-3081 CVE-2018-3143 CVE-2018-3156
                 CVE-2018-3174 CVE-2018-3251 CVE-2018-3282
Debian Bug     : 885345 898444 898445 912848

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.1.37. Please see the MariaDB 10.1 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10128-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10129-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10130-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10131-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10132-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10133-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10134-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10135-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10136-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10137-release-notes/

For the stable distribution (stretch), these problems have been fixed in
version 10.1.37-0+deb9u1.

We recommend that you upgrade your mariadb-10.1 packages.

For the detailed security status of mariadb-10.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlvzLpVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0S3jA//U4w3WOfpHeLP54Hvw/N9/BhaJpBdG9zxTFSu1OJk2bjIY4vm5eGW7vVA
yYQcaZ8zgNlnDgsmLzjVqMWFlt9FnQpi2YYt35CsvVjNGdkv/yKwVs//S/Ul6Sw7
a7m2QnxjpJxRAUpmbkonOOGZZ42lMd/Usxt8hKqk/TXyjkFQPv/M36/Y7JqL4Qjt
UDRDEVbm196gMHtFU2qPBoT/XDI/Q+ymsNzQiNCUo4Y8Kl5Og0I7snXLmf2F7eeY
qcUiqGm0bI0c1Be7tLUpQCD14ipvETKSBaLL2i7ksPMv6+IJYelRXYq4kh297xZW
AOSdT9JkRWFODUHttA1wEuA8Rc7z6FbbOeh7/Aaf/E3VThziNnNnYSPh46PVNe3U
m+nsev+aEbTBi8KkEkCjoWzO0p/UggVoYfC4wQ5zC5dmvnVDHUS5A1g7x9AoS8jT
0LJ7H5c/BbsV+wL5fNMG5W6EcuHui+ONbeukJIr29IxB0/iE/SFS1JRnCHq2oYaS
z6/YhhsGgfsyjA6ZzCcLYRl/YI7g/w+0KXECJjgWRRfT2Xq66SWLRbccX/PAqJva
+AZK8XuiMZrvCnLHvGXPQddQ25YPtWZ1c1Xy5cnwX4DlaZUL8NSoVzNvWqlu6udR
8fs1gR/YKQBQ6AuN6MeB37Yb0Fh1CChHUBv1ABMsQTaTVSie81Y=
=YD7h
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4345-1] samba security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4345-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and Exposures
project identifies the following issues:

CVE-2018-14629

    Florian Stuelpner discovered that Samba is vulnerable to infinite
    query recursion caused by CNAME loops, resulting in denial of
    service.

    https://www.samba.org/samba/security/CVE-2018-14629.html

CVE-2018-16841

    Alex MacCuish discovered that a user with a valid certificate or
    smart card can crash the Samba AD DC's KDC when configured to accept
    smart-card authentication.

    https://www.samba.org/samba/security/CVE-2018-16841.html

CVE-2018-16851

    Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
    dereference vulnerability in the Samba AD DC LDAP server allowing a
    user able to read more than 256MB of LDAP entries to crash the Samba
    AD DC's LDAP server.

    https://www.samba.org/samba/security/CVE-2018-16851.html

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlv9KLpfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qw+xAAnLGnQAqs45jCSDuVeKzjOGDZcz2/PQOtRDINDJ1AoBJz9YeIP83hqVb4
gJ3ZW/efuciS670xqRGFEkGHIIt8Wh+YtCsfblbY6xatmG/z5iNK7C12H0SH3A9+
0k6GR9LHQ/uRTuBEtE+ggfx/uhhHw6zZWu+NIXHHIdK7c2j9/Wz1+CJjkfkbGfPa
G9lk0uxuK6Yy+p4PhUtcMVdBHW1zbeODYj/qcSNULm9OSXCXy/L0zDdbblS8qAql
OYAsNAnnVt3JMIG8eYfCaibX61xW//ViIRfbg0qLoe91Zn0rt3S2piY9003fkSD4
h+2PnmUSZ8EyBb5HUFTMuGdB6jSMVZBtmDH+A9dSVHKB663HlRGIP74Ro4T9yp8t
07+HCA15KRTisjCgHSeURUkRLKJYN1ceFitXhOFNa+Tg/EOxCh1uNLGqHIHL0g+5
w5VVf6HQNc+GoDy6xxTAAu3yI2HmiYwG3QWKvRTrzNNEWD4GMeKug3+RiP8Ipcc9
4PpCk9rsqzLl2LzFhfqEKC33pZ9go73zVkWzDkzhYA5pB+YWvJMWlDs6WD9L10qT
jbjC1txBVfgEoM5zJuXXDAM9eSiIaQeW2399B5QnUqImMMGQQc+ci3YtkPFoRMIm
pWTtSheRA/wnDQf4VU0o21Q8zOU0uc9EoIGZZiC1f5Q2ZPAkcEE=
=GZz7
-----END PGP SIGNATURE-----
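CVE-2018-14629 above is an unbounded recursion on a CNAME cycle. The block below is an added example, not Samba code: a minimal CNAME-chasing lookup over a constructed in-memory zone, written once without a guard (it recurses until Python's recursion limit stops it, which C code would not do) and once with the two guards a resolver needs, a visited set that detects any cycle and a hop limit that bounds the work on long chains crossing zones the resolver does not control. The zone contents, the names, the `MAX_CNAME_CHAIN` bound and all function names are assumptions made for the example.

```python
"""CNAME chasing with and without loop protection, over a constructed zone."""

# Constructed zone data for the example, not records from any real server.
ZONE = {
    "www.example.com.":    ("CNAME", "web.example.com."),
    "web.example.com.":    ("A", "192.0.2.10"),
    "loop-a.example.com.": ("CNAME", "loop-b.example.com."),
    "loop-b.example.com.": ("CNAME", "loop-a.example.com."),
    "self.example.com.":   ("CNAME", "self.example.com."),
}

# Hypothetical bound for the example; real resolvers use similar small limits.
MAX_CNAME_CHAIN = 8


class CnameLoopError(Exception):
    """Raised when a CNAME chain revisits a name or exceeds the hop bound."""


def resolve_unguarded(zone, name):
    """Follow CNAMEs until a terminal record is found.  On a CNAME cycle this
    recurses forever: Python raises RecursionError, C would exhaust the
    stack.  Kept here only to show the failure mode."""
    rtype, value = zone[name]
    if rtype == "CNAME":
        return resolve_unguarded(zone, value)
    return value


def resolve(zone, name, limit=MAX_CNAME_CHAIN):
    """Same lookup with a visited list (catches every cycle, including a
    name pointing at itself) and a hop limit (bounds work on long chains).
    Returns the terminal record's value, or None when the name is absent."""
    seen = []
    while True:
        if name in seen:
            raise CnameLoopError("CNAME cycle: " + " -> ".join(seen + [name]))
        if len(seen) >= limit:
            raise CnameLoopError("CNAME chain longer than %d hops" % limit)
        seen.append(name)
        record = zone.get(name)
        if record is None:
            return None  # NXDOMAIN, as far as this example is concerned
        rtype, value = record
        if rtype != "CNAME":
            return value
        name = value


def classify(zone, name):
    """Outcome of a guarded lookup as a short string: 'answer <value>',
    'nxdomain' or 'loop'.  Handy for logging and for tests."""
    try:
        value = resolve(zone, name)
    except CnameLoopError:
        return "loop"
    return "nxdomain" if value is None else "answer " + value


if __name__ == "__main__":
    for qname in ZONE:
        print(qname, classify(ZONE, qname))
```

The visited list alone would be enough for the cycle shown here, but it does not bound a chain that simply keeps pointing at fresh names; the hop limit covers that case, and a server answering recursive queries needs both.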
[SECURITY] [DSA 4346-1] ghostscript security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26
which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.26~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlv9yK5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sl8g/9GnHpR7PrP47xykdjn5kJnepTk3xCknUC9xSZol0MAJ+jfHf92BnxUhD2
kOQvFlFVoQGdxcoieQ8YFue+1k2MHSJyVi/oyngwRt41qxPj0Nua0UKk/eGfIlQ/
HsAWHcPgjJF1nMC84oiwFzEUPVoH+hY1yxIFATIAWFU9wdKD7IoUF4MTzbCpfuMp
nhK9eTJA0PQoHYH9c3VHSkHPtcV6nLvgR4RUC9UPkJtKKvp8zGIaXObjr9DkrlDI
pztcryAI/Hwoj99ZEpZXpuDGZArp4Ndm1FFqS0M+oPWezBFBd9Z4cWiLwjEeOtfR
nR43jcY/vElIn6qsIHQSI4RRfpu3WUCPGZDtZn17CIzIA1v0ODfKD16zIR+tau5b
j89frAABclSCFIAJn61OP8RqQE/fArG5EjL8uyEQDeiwdQh+ce717NKUX4YK9Z21
2pWSa022BxT490+pFKmKGPgdFdVEdz/uj/+qBaNKmt5YcWH3OyisyGv3Yn4QCcZf
fZAbGQ4y+4A9LbHtD5R6e6g7tipUQWyHcKxsTrD+AIfIZcKIB7BTpAJhcEZJCDk6
QX2DFA+g6AwIQqIC+/0JW5amjU0SZM1N3fVVFc9hoiOqEGtAUzjMQ9deBapkbPon
Nh7Z8HViCx6j1gfNjhPc2Wj+Fw1wkEC2fjG1Mrd00izIXtj7isI=
=xNXq
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4339-2] ceph regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4339-2                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 21, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ceph
Debian Bug     : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for the
i386 builds. Updated packages are now available to address this issue. For
reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage and
file system: The cephx authentication protocol was susceptible to replay
attacks and calculated signatures incorrectly, "ceph mon" did not validate
capabilities for pool operations (resulting in potential corruption or
deletion of snapshot images) and a format string vulnerability in
libradosstriper could result in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 10.2.11-2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlv10tNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TnSg/9EWpuEYFq8CqFXFKz0GQ7pvOvJXZzg8VRRdGtSqil/yOGLkia7X0C4aox
C8zF62JXyALlRjyR7ti2U9RD7E5D+r2jSWjaxHzbHTDYPMQI0U7bww1T2cdj9yze
zYl1pebLvWwhnhRF9c1mG1g2CcxHtjU8zxGRKjsjupjF0v/bFL+IN1OcyjEeCVG5
yDwjU8h9ux3FbLxxSGHLl8Yzk/Q0WAOo2KcxIva/0mTZ5zDxwJlltbkw0pC8gcKd
RQFU+J88oOUbNF4n2HxK3OATJhiOmrQ8xBy4E50AE7GuRDoJYcDfSmEkBVBwxOTN
QmTNxyd/vooUkF6eXhJHJ45cm8QWALoYH4MzPVrBTYLx985WVQ2Q4pa1vv7hPfz6
kllnsJO9ZjyT4POvGihfR3W0y2Cb8tTe/x0WHci/0uTEBvnhAIrUpjfTO30ajGXe
QitdTxZA955O/JtpdwyqRGywZXJyrtjJTqaZeQA1G2bKC9e6h19kwi2WX8qYXTdQ
N3gK//BeWkaE6EylB6c6aionmN5AuVEd5jmZ+GO1BfOq3/oRSKfQcDJly6JG7UaM
0jpT85eIYiNQc6JvZ+78NwxrqVgAnKq8F7ejsT4FQyQkZxcjljyyix+y6iAPhAut
bunmOl3Q/U8JE8FzDuJA/rKXhXdSGCUMytTwuXo1pLY+m5JBz/c=
=UHIj
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4344-1] roundcube security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4344-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
November 24, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2018-19206

Aidan Marlin discovered that roundcube, a skinnable AJAX-based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling invalid style tag content.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlv5uYVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SU1w//YkLqGUCLGeFqjofgYMTNxoMQtcUwtqmBgX6tXv5Uu6mjFw8VWMw7rZhT
F43NWzypKejgNRdpPhO9QUXskGXbXXwLHqfoNeOEhXpOD69kQ5uUPWTi0KCrtlRN
rQMt8tOgscPNuxbk8FPE47ZmvfFHE9ASBKf6NRY5eu2/p87GDjMV6JgjloOcFDCE
wCoosrXKxQO0AtiTJcWslIlBsxQtf1s7r+t4AIOUAxOZmyzKPcjQ5AtYviRWAdZM
TRAjc4XXBKYMp6wCZh7ibUzWy/q6QRtfYbtEUtKmyhhn69x6fhoWBMZ4wWohvfhN
ok+X6pd7djYA5wtFzj3n6jS9hxMGu5TNn5MgYh/gnX0ujPAfJvHaDprskdmyL0z0
gSzAmvQybkfWd9O2LSJVJ8+x9YM/CjchZ+8Q/jUmm8dykr8FnYwlA3ihB1zpYBdV
8BfzUL9MoTVZoBwtkiUBOVWnTzKyij+h/1WcQCADeTKoXIy5cO4X6vxAaies8b87
mGCJ2354UMPmr0RssIbTa3YikDeXVkbJbSD3V+jfuvs0/gDNsEopG6kHIiOV75/R
Q93vfSx0u5UvrUSQLlCGlDoUxEIzFllrJnoZ0c6o6JKeRezp4kKzFFDDzjsaAeQ1
EbpMx91AaF5L/Qs/ERwxFHglyljl6XYs/JZGAgrcUDw1DZcLoKs=
=qFzO
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4367-1] systemd security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4367-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
January 13, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
Debian Bug     : 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in
systemd-journald. Two memory corruption flaws, via attacker-controlled
alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw
leading to an information leak (CVE-2018-16866), could allow an attacker
to cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at
https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlw7suFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QXMw//Vb6Fylrn7Ue3gJZYnwiBe5evNAsy/XagW00ppFcYJ8E/cwW//ulVmUZw
DgKqboAy7BxZCA27rkcEwH4dnRldY6Y4Z3DU/dn1R5ujyKO67qnP/KfAPgm00ipy
OEz3Qz/knEwTt8qoORPJEU4PIuWYhezKM+6o5+/I6Kg60Bvcxi12WhnVorMxko3r
0nZWt1eIjLFVem+wi8IDw1f3xsFOapB5TUB7TP/vBq6fOkq5DfdYLEwX0yYyWu5v
OjCW6pXSekg7lJq8aNFZnkFu+JotOsYwyrhsqAnYQGZTgqFDpY0BEtdmgwZ6NcEj
gZKysX2PZ4ePcUJlRu3FUkXrM2ziIEFn/VVKGQAi1ccBuTM8R7MB33OakvKBAfaM
VeQBAuTLpJ32M5ryk2m2+Avs4/bZlXIALjc9ycMpVt8E/rcertLaBAFsAQZSJgKh
sGMT+bIPoEq0Td08qoHU3R9ypYdsDBwTYbaaJaq+rJcaiSblN/8D0Qdbg2dgpHqk
jl+nCePlyXI3nvQZQAGEeaz7fkwSzezYxuf+WZxbyVJZbvYk1IyD/DIb2utZ1RTz
+Q0Zo3kpfHlEN4Zi4+sgtXGheH9PjRF79UmTZ5PQerRRF7PECD6skEEomqIbLWPf
et70TC1a6l+N0iHChezmK6kAjmuwkFv+TAGWrZ58Se71MqHmD9s=
=Ihyf
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4292-1] kamailio security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4292-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 11, 2018                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kamailio
CVE ID         : CVE-2018-16657
Debian Bug     : 908324

Henning Westerholt discovered a flaw related to the Via header processing
in kamailio, a very fast, dynamic and configurable SIP server. An
unauthenticated attacker can take advantage of this flaw to mount a denial
of service attack via a specially crafted SIP message with an invalid Via
header.

For the stable distribution (stretch), this problem has been fixed in
version 4.4.4-2+deb9u3.

We recommend that you upgrade your kamailio packages.

For the detailed security status of kamailio please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kamailio

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAluYH5xfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QjPw/9HrB5M5SaEqLQCpYwT2HQBDezSFxq/VBx8dF61bbxfZxbbax0QsFKdq4V
+a40CqKG9vx5zQ0+lgNPo+wihxYNl50Up5eWYiHS5ROiQxH11vHUsz81VLjF1eXk
ayc3c8m1PtbMI1sssjQF54tZ+BBFTOrCXrn05OZCFejUSI686ApFdEBiRFUuwJV3
KpnIEcbZbcsjfoXJO5oq168Q8N4j9XCKyveL14ULinK5HlmVPOvmiWqgkJh3aroX
RnU4axrard6QzI+Bf7cAuKo/16MjkdN+stmhs+MwKO/XDQkeFp31vObzzgV955/A
eH9plGCpcamdkFKKclvnWXW4jrj4r0pAuXWmcPJQ9YcaaPEwbPXGOt8syFGaUToY
bzKu0ol3zZp/Xez08cooz2j5c5fVC+v+kdtLFbxwEnQGxOMBGSOSEO6SPNyd2dxa
t/3pCbXTVciAUtwFmKEKSP1LUG78PO67Dt6jMvqUrUXlb6WO1kWBodKSe0DnIzzz
Id3ixBLl0kn96Q0HKRegvuDtwYcyjIaDTkGvjq4DCXXlD8xeCUe1nIWAlTwGuo+X
z20dZ+0mhHizIex4uGXeCo/9Z4Nk+tJgm6errqqEpQjxw59uNud6gI8Fe5eZe7DH
XYlKXWVtezEZ71qptiZWyOs6XSkUUEmiGD1bp4AcwEP2aMbcoaY=
=obkn
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4372-1] ghostscript security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4372-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
January 26, 2019                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2019-6116

Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

For the stable distribution (stretch), this problem has been fixed in
version 9.26a~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlxMczFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q1MRAAlCetloIVfSnNj8TX8cRElftZYu8q1YY4XR8vH4Hv3gro2rvjdpy1j7qF
ruj3tqVvnVN14m3FUpV6g3OSgqacZBtteffMeDJEhHVsD2cfEisApWMog+F7Fc4o
rVz5kIXGC7tkLgGR2UVq+Tytdim/t7qZxdXgDavXJatiB7B53SHznFcEYfpUtOVe
ZyfBlQsdu46xsxYU+hx/6XIoRjCwtgvlXvUecnRDmEYbcqCqjCCcd5cqw8yt2Gmy
2f3WzxNxkXrVH0ClW9Fu3045IjEzru4o9T9yBBZMUA4XSllHrAjvQ0ObysEyltwd
2xCiJMRfHdjg18ugT4Qj3J56KrfUMHS8k3sPj7TORNo12doMO5zVdZxSLzVxD1Mx
xkKsGYomTUh0T93N9NGEres41FvRRgmq0lbzRXzn2QsvbMxGyxIMG05zgaehP93A
Zae2dLJ3abWXV5snuRPuvXVrscDlXvpaz5iebVEPWEIXaI3tzQeqDmy87AzaMVv1
70m59E8UTiu6YIpm2NdbqMMA4SH9b1U6ym549PSZMnrO248uku7fk1Jtx5Qn1cH5
Ot//Jg4AXMF8DU3MaPvVYQlg5xfcJTJaUYvMiYVMHuUf/oMSPyKoKvPKMHPtC6oO
u5lmXWV72u0q7nsgf8l+ONVQZUaaGQV3TYE12HM2sDWGv+y4qI4=
=gkMQ
-----END PGP SIGNATURE-----
[SECURITY] [DSA 4422-1] apache2 security update
-----------------------------------------------------------------------
Debian Security Advisory DSA-4422-1                  secur...@debian.org
https://www.debian.org/security/                         Stefan Fritsch
April 03, 2019                        https://www.debian.org/security/faq
-----------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0211
                 CVE-2019-0217 CVE-2019-0220
Debian Bug     : 920302 920303

Several vulnerabilities have been found in the Apache HTTP server.

CVE-2018-17189

    Gal Goldshtein of F5 Networks discovered a denial of service
    vulnerability in mod_http2. By sending malformed requests, the http/2
    stream for that request unnecessarily occupied a server thread
    cleaning up incoming data, resulting in denial of service.

CVE-2018-17199

    Diego Angulo from ImExHS discovered that mod_session_cookie does not
    respect expiry time.

CVE-2019-0196

    Craig Young discovered that the http/2 request handling in mod_http2
    could be made to access freed memory in string comparison when
    determining the method of a request and thus process the request
    incorrectly.

CVE-2019-0211

    Charles Fol discovered a privilege escalation from the
    less-privileged child process to the parent process running as root.

CVE-2019-0217

    A race condition in mod_auth_digest when running in a threaded server
    could allow a user with valid credentials to authenticate using
    another username, bypassing configured access control restrictions.
    The issue was discovered by Simon Kappel.

CVE-2019-0220

    Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL
    normalizations were inconsistently handled. When the path component
    of a request URL contains multiple consecutive slashes ('/'),
    directives such as LocationMatch and RewriteRule must account for
    duplicates in regular expressions while other aspects of the server's
    processing will implicitly collapse them.

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u7.

This update also contains bug fixes that were scheduled for inclusion in
the next stable point release. This includes a fix for a regression
caused by a security fix in version 2.4.25-3+deb9u6.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2
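The CVE-2019-0220 entry above describes a class of bug worth checking for in one's own configuration: a regular expression in LocationMatch or RewriteRule sees the request path as received, while later stages of the server collapse repeated slashes, so a rule written as "^/admin/" silently does not cover "//admin/". The following Python script is an added example, not code from the advisory or from the Apache project; it shows how to audit a set of path patterns for that inconsistency and how to rewrite them so that both the raw and the collapsed form match. The rule names, patterns and request paths are constructed for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample: access-control patterns written the way they might
# appear in LocationMatch directives (hypothetical paths, not from the advisory).
NAIVE_PATTERNS: Dict[str, str] = {
    "admin": r"^/admin/",
    "api-private": r"^/api/private/",
}

# Constructed sample request paths, including ones with duplicated slashes.
SAMPLE_PATHS: List[str] = [
    "/admin/users",
    "//admin/users",
    "/api//private/keys",
    "/public/index.html",
]


def collapse_slashes(path: str) -> str:
    """Collapse runs of '/' in a URL path, as later server processing stages
    (for example the mapping to a filesystem path) may do implicitly."""
    return re.sub(r"/{2,}", "/", path)


def harden_pattern(pattern: str) -> str:
    """Rewrite every literal '/' in a pattern as '/+' so the regex matches the
    path both before and after slash collapsing. A '/' that is already
    followed by '+' is left alone."""
    return re.sub(r"/(?!\+)", "/+", pattern)


def find_inconsistencies(patterns: Dict[str, str], paths: List[str]) -> List[dict]:
    """Report every (rule, path) pair where the collapsed path matches the rule
    but the raw path does not. Each finding is a request that reaches the
    protected resource without the regex-based rule ever seeing it."""
    findings = []
    for raw in paths:
        collapsed = collapse_slashes(raw)
        for name, pat in patterns.items():
            matches_raw = re.match(pat, raw) is not None
            matches_collapsed = re.match(pat, collapsed) is not None
            if matches_collapsed and not matches_raw:
                findings.append({"rule": name, "raw": raw, "collapsed": collapsed})
    return findings


def audit(patterns: Dict[str, str], paths: List[str]) -> Dict[str, List[dict]]:
    """Run the check twice: once on the patterns as written, once on the
    hardened rewrite, so the effect of the rewrite is visible side by side."""
    hardened = {name: harden_pattern(pat) for name, pat in patterns.items()}
    return {
        "before": find_inconsistencies(patterns, paths),
        "after": find_inconsistencies(hardened, paths),
    }


if __name__ == "__main__":
    for phase, findings in audit(NAIVE_PATTERNS, SAMPLE_PATHS).items():
        print(f"{phase}: {len(findings)} uncovered path(s)")
        for f in findings:
            print(f"  rule {f['rule']!r} misses {f['raw']!r} (collapses to {f['collapsed']!r})")
```

The rewrite is deliberately conservative: it only touches literal slashes, so a pattern that already uses "/+" is unchanged, and it does not attempt to reason about other normalization steps (percent-decoding, dot segments) that the advisory does not mention. The same script can be pointed at a list of paths pulled from access logs to see which real requests a given rule set would have missed.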
[SECURITY] [DSA 4416-1] wireshark security update
-----------------------------------------------------------------------
Debian Security Advisory DSA-4416-1                  secur...@debian.org
https://www.debian.org/security/                   Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
-----------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719
                 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug     : 923611

It was discovered that Wireshark, a network traffic analyzer, contained
several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,
ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.7-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/wireshark
[SECURITY] [DSA 4415-1] passenger security update
-----------------------------------------------------------------------
Debian Security Advisory DSA-4415-1                  secur...@debian.org
https://www.debian.org/security/                   Salvatore Bonaccorso
March 24, 2019                        https://www.debian.org/security/faq
-----------------------------------------------------------------------

Package        : passenger
CVE ID         : CVE-2017-16355
Debian Bug     : 884463

An arbitrary file read vulnerability was discovered in passenger, a web
application server. A local user allowed to deploy an application to
passenger can take advantage of this flaw by creating a symlink from the
REVISION file to an arbitrary file on the system and have its content
displayed through passenger-status.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.30-1+deb9u1.

We recommend that you upgrade your passenger packages.

For the detailed security status of passenger please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/passenger
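The passenger advisory above is an instance of a general pattern: a privileged component reads a file from a directory that a less-privileged user controls, and the user substitutes a symlink so the privileged reader discloses something else. The Python code below is an added example of the defensive side of that pattern, not passenger's own code or fix; it opens a deployment metadata file with O_NOFOLLOW, verifies on the already-open descriptor that it is a regular file (so there is no check-then-open race), and caps the amount read. The directory layout, file names and contents in the demo are constructed for the illustration.

```python
import os
import stat
import tempfile

# Assumption: a revision identifier is short, so anything larger is suspect.
MAX_REVISION_BYTES = 4096


def read_regular_file_nofollow(path: str, limit: int = MAX_REVISION_BYTES) -> str:
    """Read a small metadata file from a user-controlled directory safely.

    - O_NOFOLLOW makes the open fail (ELOOP on Linux) if the final path
      component is a symlink, so a planted link is never followed.
    - fstat on the open descriptor, not stat on the path, confirms the
      object is a regular file without a window in which it could change.
    - The read is capped at `limit` bytes so the caller never echoes a large
      file back to whoever views the status output.
    Raises ValueError for anything that is refused.
    """
    # O_NOFOLLOW is POSIX; the getattr fallback keeps the code importable on
    # platforms that lack it, but on such platforms the symlink check is lost.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise ValueError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"refusing {path}: not a regular file")
        data = os.read(fd, limit + 1)
    finally:
        os.close(fd)
    if len(data) > limit:
        raise ValueError(f"refusing {path}: larger than {limit} bytes")
    return data.decode("utf-8", errors="replace").strip()


def demo() -> tuple:
    """Constructed scenario: one deployment directory whose REVISION file is
    a real file, and one whose REVISION is a symlink pointing outside the
    deployment. Returns (content read from the good one, whether the bad
    one was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "w") as f:
            f.write("not for the status page\n")

        good = os.path.join(tmp, "good")
        os.makedirs(good)
        with open(os.path.join(good, "REVISION"), "w") as f:
            f.write("a1b2c3d\n")  # constructed revision id

        bad = os.path.join(tmp, "bad")
        os.makedirs(bad)
        os.symlink(outside, os.path.join(bad, "REVISION"))

        content = read_regular_file_nofollow(os.path.join(good, "REVISION"))
        try:
            read_regular_file_nofollow(os.path.join(bad, "REVISION"))
            refused = False
        except ValueError:
            refused = True
    return content, refused


if __name__ == "__main__":
    content, refused = demo()
    print(f"good REVISION -> {content!r}; symlinked REVISION refused: {refused}")
```

O_NOFOLLOW only protects the last path component; if the directory itself could be replaced by a symlink, the reader should additionally open the directory first and use os.open with dir_fd (openat semantics) for each component, or verify the directory's owner before trusting anything inside it.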
[SECURITY] [DSA 4418-1] dovecot security update
-----------------------------------------------------------------------
Debian Security Advisory DSA-4418-1                  secur...@debian.org
https://www.debian.org/security/                   Salvatore Bonaccorso
March 28, 2019                        https://www.debian.org/security/faq
-----------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2019-7524

A vulnerability was discovered in the Dovecot email server. When reading
FTS or POP3-UIDL headers from the Dovecot index, the input buffer size is
not bounds-checked. An attacker with the ability to modify dovecot
indexes can take advantage of this flaw for privilege escalation or the
execution of arbitrary code with the permissions of the dovecot user.
Only installations using the FTS or pop3 migration plugins are affected.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.2.27-3+deb9u4.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot
[SECURITY] [DSA 4425-1] wget security update
-----------------------------------------------------------------------
Debian Security Advisory DSA-4425-1                  secur...@debian.org
https://www.debian.org/security/                   Salvatore Bonaccorso
April 05, 2019                        https://www.debian.org/security/faq
-----------------------------------------------------------------------

Package        : wget
CVE ID         : CVE-2019-5953
Debian Bug     : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the
handling of Internationalized Resource Identifiers (IRI) in wget, a
network utility to retrieve files from the web, which could result in
the execution of arbitrary code or denial of service when recursively
downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in
version 1.18-5+deb9u3.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/wget