[SECURITY] [DLA 2424-1] tzdata new upstream version
Debian LTS Advisory DLA-2424-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                              https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : tzdata
Version        : 2020d-0+deb9u1

tzdata, the time zone and daylight-saving time data, has been updated to
the latest version.

- Revised predictions for Morocco's changes starting in 2023.
- Macquarie Island has stayed in sync with Tasmania since 2011.
- Casey, Antarctica is at +08 in winter and +11 in summer since 2018.
- Palestine ends DST earlier than predicted, on 2020-10-24.
- Fiji starts DST later than usual, on 2020-12-20.

For Debian 9 stretch, this problem has been fixed in version
2020d-0+deb9u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2423-1] wireshark security update
Debian LTS Advisory DLA-2423-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                              https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : wireshark
Version        : 2.6.8-1.1~deb9u1
CVE ID         : CVE-2019-10894 CVE-2019-10895 CVE-2019-10896 CVE-2019-10899
                 CVE-2019-10901 CVE-2019-10903 CVE-2019-12295
Debian Bug     : 926718 929446

Several vulnerabilities were fixed in the Wireshark network protocol
analyzer.

CVE-2019-10894
    GSS-API dissector crash

CVE-2019-10895
    NetScaler file parser crash

CVE-2019-10896
    DOF dissector crash

CVE-2019-10899
    SRVLOC dissector crash

CVE-2019-10901
    LDSS dissector crash

CVE-2019-10903
    DCERPC SPOOLSS dissector crash

CVE-2019-12295
    Dissection engine could crash

For Debian 9 stretch, these problems have been fixed in version
2.6.8-1.1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2422-1] qtsvg-opensource-src security update
Debian LTS Advisory DLA-2422-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                              https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : qtsvg-opensource-src
Version        : 5.7.1~20161021-2.1
CVE ID         : CVE-2018-19869
Debian Bug     :

Malformed SVG images were able to cause a segmentation fault in
qtsvg-opensource-src, the QtSvg module for displaying the contents of
SVG files in Qt.

For Debian 9 stretch, this problem has been fixed in version
5.7.1~20161021-2.1.

We recommend that you upgrade your qtsvg-opensource-src packages.

For the detailed security status of qtsvg-opensource-src please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/qtsvg-opensource-src

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
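A check worth running after reading these advisories is whether each installed package is at or above the fixed version they state (tzdata 2020d-0+deb9u1, wireshark 2.6.8-1.1~deb9u1, qtsvg-opensource-src 5.7.1~20161021-2.1, and linux 4.9.240-2 from the advisory that follows). The example below is added here and is not Debian's tooling: it re-implements dpkg's version ordering in Python, including the "~" rule that makes 1.1~deb9u1 sort below 1.1, and the installed inventory is constructed sample data.

```python
import re
from itertools import zip_longest
# Added example, not Debian's code: dpkg's version ordering (see dpkg(1)) in Python.
def _weight(c: str) -> int:
    # End of string weighs 0; '~' sorts before even that; letters before non-letters.
    return 0 if c == "" else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
def _cmp_nondigit(a: str, b: str) -> int:
    for x, y in zip_longest(a, b, fillvalue=""):
        if _weight(x) != _weight(y):
            return -1 if _weight(x) < _weight(y) else 1
    return 0
def _run(s: str, i: int, digits: bool):
    m = re.compile(r"\d*" if digits else r"\D*").match(s, i)
    return m.group(0), m.end()
def _cmp_fragment(a: str, b: str) -> int:
    # Alternate non-digit runs (compared per character) and digit runs (numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        sa, i = _run(a, i, False)
        sb, j = _run(b, j, False)
        r = _cmp_nondigit(sa, sb)
        if r:
            return r
        na, i = _run(a, i, True)
        nb, j = _run(b, j, True)
        if int(na or "0") != int(nb or "0"):
            return -1 if int(na or "0") < int(nb or "0") else 1
    return 0
def split_version(v: str):
    # [epoch:]upstream[-revision]; the last '-' separates the Debian revision.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision
def compare_versions(a: str, b: str) -> int:
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Fixed versions as stated in the advisories on this page.
FIXED = {"tzdata": "2020d-0+deb9u1", "wireshark": "2.6.8-1.1~deb9u1",
         "qtsvg-opensource-src": "5.7.1~20161021-2.1", "linux": "4.9.240-2"}
def unpatched(installed: dict, fixed: dict = FIXED) -> list:
    # Packages whose installed version sorts below the advisory's fixed version.
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
# Constructed sample inventory (a real one: dpkg-query -W -f '${Package} ${Version}\n').
SAMPLE_INSTALLED = {"tzdata": "2020a-0+deb9u1", "wireshark": "2.6.8-1.1~deb9u1",
                    "qtsvg-opensource-src": "5.7.1~20161021-2", "linux": "4.9.240-1"}
```

For the sample inventory, unpatched() reports linux, qtsvg-opensource-src and tzdata; wireshark is already at the fixed version.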
[SECURITY] [DLA 2420-2] linux regression update
Debian LTS Advisory DLA-2420-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
October 31, 2020                              https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : linux
Version        : 4.9.240-2
CVE ID         : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448
                 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771
                 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331
                 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393
                 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212
                 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641
                 CVE-2020-25643 CVE-2020-26088

This update corrects a regression in some Xen virtual machine
environments. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to the execution of arbitrary code, privilege escalation,
denial of service or information leaks.

CVE-2019-9445

    A potential out-of-bounds read was discovered in the F2FS
    implementation. A user permitted to mount and access arbitrary
    filesystems could potentially use this to cause a denial of service
    (crash) or to read sensitive information.

CVE-2019-19073, CVE-2019-19074

    Navid Emamdoost discovered potential memory leaks in the ath9k and
    ath9k_htc drivers. The security impact of these is unclear.

CVE-2019-19448

    "Team bobfuzzer" reported a bug in Btrfs that could lead to a
    use-after-free, and could be triggered by crafted filesystem images.
    A user permitted to mount and access arbitrary filesystems could use
    this to cause a denial of service (crash or memory corruption) or
    possibly for privilege escalation.

CVE-2020-12351

    Andy Nguyen discovered a flaw in the Bluetooth implementation in the
    way L2CAP packets with A2MP CID are handled. A remote attacker within
    a short distance, knowing the victim's Bluetooth device address, can
    send a malicious l2cap packet and cause a denial of service or
    possibly arbitrary code execution with kernel privileges.

CVE-2020-12352

    Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack
    memory is not properly initialised when handling certain AMP packets.
    A remote attacker within a short distance, knowing the victim's
    Bluetooth device address, can retrieve kernel stack information.

CVE-2020-12655

    Zheng Bin reported that crafted XFS volumes could trigger a system
    hang. An attacker able to mount such a volume could use this to cause
    a denial of service.

CVE-2020-12771

    Zhiqiang Liu reported a bug in the bcache block driver that could
    lead to a system hang. The security impact of this is unclear.

CVE-2020-12888

    It was discovered that the PCIe Virtual Function I/O (vfio-pci)
    driver allowed users to disable a device's memory space while it was
    still mapped into a process. On some hardware platforms, local users
    or guest virtual machines permitted to access PCIe Virtual Functions
    could use this to cause a denial of service (hardware error and
    crash).

CVE-2020-14305

    Vasily Averin of Virtuozzo discovered a potential heap buffer
    overflow in the netfilter nf_contrack_h323 module. When this module
    is used to perform connection tracking for TCP/IPv6, a remote
    attacker could use this to cause a denial of service (crash or memory
    corruption) or possibly for remote code execution with kernel
    privilege.

CVE-2020-14314

    A bug was discovered in the ext4 filesystem that could lead to an
    out-of-bound read. A local user permitted to mount and access
    arbitrary filesystem images could use this to cause a denial of
    service (crash).

CVE-2020-14331

    A bug was discovered in the VGA console driver's soft-scrollback
    feature that could lead to a heap buffer overflow. On a system with a
    custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local
    user with access to a console could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.

CVE-2020-14356, CVE-2020-25220

    A bug was discovered in the cgroup subsystem's handling of socket
    references to cgroups. In some cgroup configurations, this could lead
    to a use-after-free. A local user might be able to use this to cause
    a denial of service (crash or memory corruption) or possibly for
    privilege escalation. The original fix for this bug introduced a new
    security issue, which is also addressed in this update.

CVE-2020-14386

    Or Cohen discovered a bug in the packet socket (AF_PACKET)
    implementation which could