[SECURITY] [DLA 2040-1] harfbuzz security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: harfbuzz Version: 0.9.35-2+deb8u1 CVE ID : CVE-2015-8947 An issue has been found in harfbuzz, an OpenType text shaping engine. Due to a buffer over-read, remote attackers are able to cause a denial of service or possibly have other impact via crafted data. For Debian 8 "Jessie", this problem has been fixed in version 0.9.35-2+deb8u1. We recommend that you upgrade your harfbuzz packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl35HuhfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7 WEfaZg/+PPCNmzFWJjcl+OqLENdArtezv8OB7GQ1PA8F0X9RDyV7idftbX+jlzh1 dR7nPK5+mECmrimDzX2ZadxCmBMfjITZrT9ZsH1V5leEigdi33rUBHKiQT0wlpgn BGmLjcMwjxTqiS6YWYdWblT2gACb49cQFdT3HOEbCoDbccoOAD8lfRrOF769Dg67 G346jO8W+W21wUUgWZhvp6DqIL+K7P6zNedoyMo+HlXPNDoHPDtPHYGfkEWQZEpM B67PUYw3wERbLQVxpp54hQK6/CbXG75YOVtCDz8jAspXTjTWTaNp7ea6V7K2Il1/ //CQFBgVbW5gEp86qkbiB7clkmsZ2uLNE+2P4tnwhTfFpZaS0Qny8L9K3KGYeaef S3d9ZVXSlT6fNf7ZcqQMFZlFAthT+K6ciBctDf9ONLaK6BjaEqBfcnCYW73WQDBc qAupEolbcZxYUJ+E+wHcS9LdqHNcpRxAGqnubWCJ+f7wH8x5a/vFAe0IFeDWjA1L ksvujLlB55u+WMWQ/nFuYLJWRLaa4/Z9oycyR2c9jmKb062cpXA/2JtPuIZXH7zr tv26YNV39/xOaM2HejCs5q9JgPOFHZMmGzhYnN5X13ObYJ2IxnOQsvQY/LT+sLFh puW22zQiSk2hFxhyyo+hswQzcLE/lgz0E8e1+HBmqedJPnCsAPM= =Wpo4 -END PGP SIGNATURE-
[SECURITY] [DLA 2039-1] libvorbis security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libvorbis Version: 1.3.4-2+deb8u3 CVE ID : CVE-2017-11333 CVE-2017-14633 Two issues have been found in libvorbis, a decoder library for Vorbis General Audio Compression Codec. 2017-14633 In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 2017-11333 The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (OOM) via a crafted wav file. For Debian 8 "Jessie", these problems have been fixed in version 1.3.4-2+deb8u3. We recommend that you upgrade your libvorbis packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl35HflfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7 WEdbkBAAknZTSvwoaUD6ITtS9v9lnauD2s33Y/pSI3dxcSY/Nulbc3xNyMspve0T 08pbTSWKb1b0SZWw08vr7cAFdu7xusmq2h978AdiAhwtf/htPn2rRZ3mMJNzkBOe Ltmbllq5R2OFqlOmyelsIyozoyAmayYVJUirR7MwkNv40Fb1/J8r1c9G2M+2lbJZ NKtjPyxnFq1WMgOCLXo8gFf4l/mvf0eAM8+ScbaSZkeYNJsauQH+RNwkx0W1S0Jx bZgIZYsrsXku7UlZJpMu0TKLJX1quTHwOlqQOidvaP5Z7j5e28r2Jyjq8OyVE/JY JvX9YHHvIEFRTFRevarRfbgz3W76GCle5PSFvcqILe+pS9KEGxFDdjMOHg4aBvQG LoJSoon1T/VOHzUhHRu8/FDWlkes80m6QHikX2Mw+LshpS8vuO6r97yr15UZ7Z6m fgqYScumxGKIH6l3J6GNM+zolaVNz9/m2FYqrnVDoDAszYDIvJlOg8iHARPF96f0 mkymp1CZpWtFL6etGQdXkx3TbA6CzQfY38idSI+aHsbCcvadMOPDKnm5MXMoV/Th T/ou0lmePEiaQvR2549EFLSwChJxbmNkSZttyXBqKGi35F1dXVATz9Ll+E0jt8wJ c2d6LEzbVVh4A7S9nzCvA/JchxLY38c6SZ2AMTW1L+rjOMLqgRM= =V+B7 -END PGP SIGNATURE-
[SECURITY] [DLA 2038-1] libssh security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: libssh Version: 0.6.3-4+deb8u4 CVE ID : CVE-2019-14889 Debian Bug : 946548 It was found that libssh, a tiny C SSH library, does not sufficiently sanitize path parameters provided to the server, allowing an attacker with only SCP file access to execute arbitrary commands on the server. For Debian 8 "Jessie", this problem has been fixed in version 0.6.3-4+deb8u4. We recommend that you upgrade your libssh packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAl34zT4ACgkQnUbEiOQ2 gwJIUA/+PXXlcXZb5KgXPkz3vc2C9ZgvXsZAJXGI/+T+mbjeYeVhK80U/QSfaGQ+ wSMdfvXvw/yBOqhql6acRlYdvvxYrHF2jGUuaf0YD39hFCfoGKLDsrzi7qUtYMN5 vaP1XttiXKz3+/iMatVKD0VGZ+HueBz2ovDwlC9bNS06DfzknIszRI+KS3OlHPc+ BGjtJ9psMxiXkloF7b9+3SkZqqJ+J6XnaHBzcVh/vfsC8kxmfn/Yy8jkc1Ul0s+o 74H+uQJftJZL2doVljOteDNj7h2ljGbY63W5ZPm4mUBk5vy8Bj+P0sY2h9v+Yuey +bx6P+YNojtlwU89n3elpHhudB+zqHOa9accDqSyAvw7FsB7M0E9PM9oEjDdswI1 pd4FBkIEWdIpcoXBWPplKESt+Cz9Y4DiV0mPgYpp73jfH37B7C1afxbOxSn+/J8o 7QLg11NbcoLEnMbnjRa9jyYZG6c5PBPPXksaQP2LrqLuCBQDtSHcsEHkXmG8KGf2 5/Y/n+SwQf/HMozyoybAzhO6Q9K8qL64fz5gONxLZBakS6qKFE1RD9+sCHZBr/dM AKBUIp+8n0F/aNo6zRL+NVtSN7VShc25gxk80pfH/LjzGVeMgWkyQZ9Etb6Fbv6+ LfLvqKbjLC9kkQTr3sYH/Nv2aABtu2MAIB3D5EGpb2HpzKN0yec= =LgUv -END PGP SIGNATURE-
