[SECURITY] [DLA 3809-1] libkf5ksieve security update

2024-05-05 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3809-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
May 05, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libkf5ksieve
Version: 4:18.08.3-2+deb10u1
CVE ID : CVE-2023-52723
Debian Bug : 1069163

A bug in libkf5ksieve, an email filtering library for KDE,
exposed the user's password in plaintext in server logs.

For Debian 10 buster, this problem has been fixed in version
4:18.08.3-2+deb10u1.

We recommend that you upgrade your libkf5ksieve packages.

For the detailed security status of libkf5ksieve please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libkf5ksieve

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3807-1] glibc security update

2024-05-03 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3807-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
May 04, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: glibc
Version: 2.28-10+deb10u3
CVE ID : CVE-2024-2961
Debian Bug : 1069191

An out-of-bounds write in the iconv ISO-2022-CN-EXT module has been fixed
in the GNU C library.

For Debian 10 buster, this problem has been fixed in version
2.28-10+deb10u3.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3800-1] ruby-rack security update

2024-04-29 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3800-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 29, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: ruby-rack
Version: 2.0.6-3+deb10u4
CVE ID : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146
Debian Bug : 1064516

Multiple vulnerabilities were fixed in ruby-rack,
an interface for developing web applications in Ruby.

CVE-2024-25126

ReDoS in Content Type header parsing

CVE-2024-26141

Reject Range headers which are too large

CVE-2024-26146

ReDoS in Accept header parsing

For Debian 10 buster, these problems have been fixed in version
2.0.6-3+deb10u4.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3799-1] trafficserver security update

2024-04-28 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3799-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 28, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: trafficserver
Version: 8.1.7-0+deb10u4
CVE ID : CVE-2024-31309
Debian Bug : 1068417

Potential DoS attacks have been fixed by rate limiting
HTTP/2 CONTINUATION frames in Apache Traffic Server,
an HTTP/1.1 and HTTP/2 compliant caching proxy server.

For Debian 10 buster, this problem has been fixed in version
8.1.7-0+deb10u4.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3798-1] zabbix security update

2024-04-28 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3798-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 28, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u5
CVE ID : CVE-2024-22119

Improper form input field validation has been fixed in Zabbix,
a network monitoring solution.

For Debian 10 buster, this problem has been fixed in version
1:4.0.4+dfsg-1+deb10u5.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3787-1] xorg-server security update

2024-04-15 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3787-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 15, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: xorg-server
Version: 2:1.20.4-1+deb10u14
CVE ID : CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

Multiple vulnerabilities have been fixed in the Xorg X server.

CVE-2024-31080

Heap buffer overread in ProcXIGetSelectedEvents()

CVE-2024-31081

Heap buffer overread in ProcXIPassiveGrabDevice()

CVE-2024-31083

Use-after-free in ProcRenderAddGlyphs()

For Debian 10 buster, these problems have been fixed in version
2:1.20.4-1+deb10u14.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3786-1] pillow security update

2024-04-10 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3786-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 10, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: pillow
Version: 5.4.1-2+deb10u6
CVE ID : CVE-2024-28219

A buffer overflow in _imagingcms.c was fixed in Pillow,
an image processing library for Python.

For Debian 10 buster, this problem has been fixed in version
5.4.1-2+deb10u6.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3785-1] gtkwave security update

2024-04-09 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3785-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 09, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gtkwave
Version: 3.3.98+really3.3.118-0+deb10u1
CVE ID : CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 
 CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703 
 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957 
 CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 
 CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969 
 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994 
 CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 
 CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915 
 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417 
 CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 
 CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446 
 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575 
 CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 
 CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618 
 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622 
 CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 
 CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657 
 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271 
 CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 
 CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414 
 CVE-2023-39443 CVE-2023-39444
Debian Bug : 1060407

Multiple security issues have been fixed in the waveform viewer GTKWave
by upgrading to a more recent upstream version.

For Debian 10 buster, these problems have been fixed in version
3.3.98+really3.3.118-0+deb10u1.

We recommend that you upgrade your gtkwave packages.

For the detailed security status of gtkwave please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gtkwave

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3774-1] gross security update

2024-03-25 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3774-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 25, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gross
Version: 1.0.2-4.1~deb10u1
CVE ID : CVE-2023-52159
Debian Bug : 1067115

A stack-based buffer overflow has been fixed in gross,
a server for greylisting emails.

For Debian 10 buster, this problem has been fixed in version
1.0.2-4.1~deb10u1.

We recommend that you upgrade your gross packages.

For the detailed security status of gross please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gross

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3772-1] python3.7 security update

2024-03-24 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3772-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 24, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: python3.7
Version: 3.7.3-2+deb10u7
CVE ID : CVE-2023-6597 CVE-2024-0450

Two vulnerabilities have been fixed in the Python 3 interpreter.

CVE-2023-6597

tempfile.TemporaryDirectory failure to remove dir

CVE-2024-0450

quoted-overlap zipbomb DoS


For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u7.

We recommend that you upgrade your python3.7 packages.

For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3771-1] python2.7 security update

2024-03-24 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3771-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 24, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: python2.7
Version: 2.7.16-2+deb10u4
CVE ID : CVE-2024-0450

The zipfile module was vulnerable to “quoted-overlap” zip-bombs
in the Python 2 interpreter.

For Debian 10 buster, this problem has been fixed in version
2.7.16-2+deb10u4.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3764-1] postgresql-11 security update

2024-03-18 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3764-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 18, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: postgresql-11
Version: 11.22-0+deb10u2
CVE ID : CVE-2024-0985

In the PostgreSQL database server, a late privilege drop in the
REFRESH MATERIALIZED VIEW CONCURRENTLY command could allow an
attacker to trick a user with higher privileges to run SQL commands.

For Debian 10 buster, this problem has been fixed in version
11.22-0+deb10u2.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3762-1] unadf security update

2024-03-15 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3762-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 15, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: unadf
Version: 0.7.11a-4+deb11u1~deb10u1
CVE ID : CVE-2016-1243 CVE-2016-1244
Debian Bug : 838248

Two vulnerabilities have been fixed in unADF, a tool to extract
files from an Amiga Disk File dump.

CVE-2016-1243

arbitrary code execution via long pathname

CVE-2016-1244

arbitrary code execution via shell metacharacters in directory names

For Debian 10 buster, these problems have been fixed in version
0.7.11a-4+deb11u1~deb10u1.

We recommend that you upgrade your unadf packages.

For the detailed security status of unadf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unadf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3760-1] node-xml2js security update

2024-03-14 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3760-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 14, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: node-xml2js
Version: 0.2.8-1.1+deb11u1~deb10u1
CVE ID : CVE-2023-0842
Debian Bug : 1034148

Prototype pollution has been fixed in node-xml2js, an XML to JavaScript 
object converter.

For Debian 10 buster, this problem has been fixed in version
0.2.8-1.1+deb11u1~deb10u1.

We recommend that you upgrade your node-xml2js packages.

For the detailed security status of node-xml2js please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-xml2js

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3759-1] qemu security update

2024-03-11 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3759-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 11, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: qemu
Version: 1:3.1+dfsg-8+deb10u12
CVE ID : CVE-2023-2861 CVE-2023-3354 CVE-2023-5088

Multiple vulnerabilities have been fixed in the machine emulator 
and virtualizer QEMU.

CVE-2023-2861

9pfs did not prohibit opening special files on the host side

CVE-2023-3354

remote unauthenticated clients could cause denial of service in VNC server

CVE-2023-5088

IDE guest I/O operation addressed to an arbitrary disk offset might 
get targeted to offset 0 instead

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u12.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3755-1] tar security update

2024-03-09 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3755-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 09, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: tar
Version: 1.30+dfsg-6+deb10u1
CVE ID : CVE-2023-39804
Debian Bug : 1058079

Incorrect handling of extension attributes in PAX archives has been 
fixed in the GNU tar archiving utility.

For Debian 10 buster, this problem has been fixed in version
1.30+dfsg-6+deb10u1.

We recommend that you upgrade your tar packages.

For the detailed security status of tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3754-1] fontforge security update

2024-03-07 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3754-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 08, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: fontforge
Version: 1:20170731~dfsg-1+deb10u1
CVE ID : CVE-2020-5395 CVE-2020-5496 CVE-2024-25081 CVE-2024-25082
Debian Bug : 948231 1064967

Multiple vulnerabilities have been fixed in the font editor FontForge.

CVE-2020-5395

Use-after-free in SFD_GetFontMetaData()

CVE-2020-5496

Buffer overflow in Type2NotDefSplines()

CVE-2024-25081

Spline Font command injection via crafted filenames

CVE-2024-25082

Spline Font command injection via crafted archives or compressed files


For Debian 10 buster, these problems have been fixed in version
1:20170731~dfsg-1+deb10u1.

We recommend that you upgrade your fontforge packages.

For the detailed security status of fontforge please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fontforge

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3753-1] yard security update

2024-03-06 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3753-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 06, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: yard
Version: 0.9.16-1+deb10u1
CVE ID : CVE-2019-1020001 CVE-2024-27285
Debian Bug : 945369 1065118

Two vulnerabilities were fixed in YARD, a documentation tool for the
Ruby programming language.

CVE-2019-1020001

Arbitrary path traversal and file access in yard server

CVE-2024-27285

Cross-Site Scripting in generated frames.html

For Debian 10 buster, these problems have been fixed in version
0.9.16-1+deb10u1.

We recommend that you upgrade your yard packages.

For the detailed security status of yard please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yard

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3752-1] libuv1 security update

2024-03-05 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3752-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 05, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libuv1
Version: 1.24.1-1+deb10u2
CVE ID : CVE-2024-24806
Debian Bug : 1063484

Improper Domain Lookup in uv_getaddrinfo() has been fixed in libuv,
an asynchronous event notification library.

For Debian 10 buster, this problem has been fixed in version
1.24.1-1+deb10u2.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3746-1] wireshark security update

2024-02-29 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3746-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
February 29, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: wireshark
Version: 2.6.20-0+deb10u8
CVE ID : CVE-2023-4511 CVE-2023-4513 CVE-2023-6175 CVE-2024-0208

Multiple vulnerabilities have been fixed in the network traffic analyzer
Wireshark.

CVE-2023-4511

BT SDP dissector infinite loop

CVE-2023-4513

BT SDP dissector memory leak

CVE-2023-6175

NetScreen file parser crash

CVE-2024-0208

GVCP dissector crash

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u8.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3745-1] gsoap security update

2024-02-29 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3745-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
February 29, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gsoap
Version: 2.8.75-1+deb10u1
CVE ID : CVE-2020-13574 CVE-2020-13575 CVE-2020-13576 CVE-2020-13577 
 CVE-2020-13578
Debian Bug : 983596

Multiple vulnerabilities have been fixed in the gSOAP toolkit for 
developing Web services.

CVE-2020-13574

WS-Security plugin denial-of-service

CVE-2020-13575

WS-Addressing plugin denial-of-service

CVE-2020-13576

WS-Addressing plugin code execution

CVE-2020-13577

WS-Security plugin denial-of-service

CVE-2020-13578

WS-Security plugin denial-of-service

For Debian 10 buster, these problems have been fixed in version
2.8.75-1+deb10u1.

We recommend that you upgrade your gsoap packages.

For the detailed security status of gsoap please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gsoap

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3692-1] curl security update

2023-12-22 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3692-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
December 19, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: curl
Version: 7.64.0-4+deb10u8
CVE ID : CVE-2023-28322 CVE-2023-46218
Debian Bug : 926148 1036239 1057646

Two security issues were found in Curl, an easy-to-use client-side URL
transfer library and command line tool.

Additionally, the command line tool now:
- displays the Debian revision in "curl --version", and
- no longer outputs verbose "Expire in" messages with "curl -v"

CVE-2023-28322

POST-after-PUT confusion.

CVE-2023-46218

Cookie mixed case PSL bypass.

For Debian 10 buster, these problems have been fixed in version
7.64.0-4+deb10u8.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3679-1] vlc security update

2023-11-30 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3679-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 30, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: vlc
Version: 3.0.20-0+deb10u1
CVE ID : CVE-2023-47359 CVE-2023-47360

Two vulnerabilities in the MMS over HTTP protocol have been fixed in the
VLC media player, which has also been upgraded to the latest upstream version.

CVE-2023-47359

Heap buffer overflow in the MMSH module.

CVE-2023-47360

Integer underflow in the MMSH module.

For Debian 10 buster, these problems have been fixed in version
3.0.20-0+deb10u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3677-1] gimp-dds security update

2023-11-30 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3677-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 30, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gimp-dds
Version: 3.0.1-1+deb10u1
CVE ID : CVE-2023-1

A heap buffer overflow in file parsing was fixed in gimp-dds,
a DDS (DirectDraw Surface) plugin for GIMP.

For Debian 10 buster, this problem has been fixed in version
3.0.1-1+deb10u1.

We recommend that you upgrade your gimp-dds packages.

For the detailed security status of gimp-dds please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp-dds

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3659-1] gimp security update

2023-11-21 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3659-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 21, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gimp
Version: 2.10.8-2+deb10u1
CVE ID : CVE-2022-30067 CVE-2023-2 CVE-2023-4
Debian Bug : 1055984

Multiple vulnerabilities were fixed in GIMP,
the GNU Image Manipulation Program.

CVE-2022-30067

Out-of-memory with crafted XCF file.

CVE-2023-2

PSD file parsing buffer overflow.

CVE-2023-4

PSP file parsing buffer overflow.

For Debian 10 buster, these problems have been fixed in version
2.10.8-2+deb10u1.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gimp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3645-1] trafficserver security update

2023-11-05 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3645-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 05, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: trafficserver
Version: 8.1.7-0+deb10u3
CVE ID : CVE-2023-41752 CVE-2023-44487
Debian Bug : 1054427

Two vulnerabilities were fixed in Apache Traffic Server,
a reverse and forward proxy server.

CVE-2023-41752

s3_auth plugin exposes AWSAccessKeyId

CVE-2023-44487

HTTP/2 Rapid Reset denial of service

For Debian 10 buster, these problems have been fixed in version 8.1.7-0+deb10u3.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3626-1] krb5 security update

2023-10-22 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3626-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 22, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: krb5
Version: 1.17-3+deb10u6
CVE ID : CVE-2023-36054
Debian Bug : 1043431

Potential freeing of an uninitialized pointer in kadm_rpc_xdr.c
was fixed in krb5, the MIT implementation of the Kerberos network 
authentication protocol.

For Debian 10 buster, this problem has been fixed in version
1.17-3+deb10u6.

We recommend that you upgrade your krb5 packages.

For the detailed security status of krb5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krb5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3620-1] poppler security update

2023-10-16 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3620-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 16, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: poppler
Version: 0.71.0-5+deb10u3
CVE ID : CVE-2020-23804 CVE-2022-37050 CVE-2022-37051

Several vulnerabilities have been fixed in poppler,
a PDF rendering library.

CVE-2020-23804

Stack overflow in XRef::readXRefTable()

CVE-2022-37050

Crash in PDFDoc::savePageAs()

CVE-2022-37051

Crash in the pdfunite tool

For Debian 10 buster, these problems have been fixed in version
0.71.0-5+deb10u3.

We recommend that you upgrade your poppler packages.

For the detailed security status of poppler please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/poppler

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3595-1] trafficserver security update

2023-09-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3595-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 30, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: trafficserver
Version: 8.1.7-0+deb10u2
CVE ID : CVE-2022-47185 CVE-2023-33934
Debian Bug : 1043430

Several cases of improper input validation were fixed in Apache Traffic Server,
a reverse and forward proxy server.

For Debian 10 buster, these problems have been fixed in version
8.1.7-0+deb10u2.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3593-1] gerbv security update

2023-09-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3593-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 30, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gerbv
Version: 2.7.0-1+deb10u3
CVE ID : CVE-2021-40393 CVE-2021-40394 CVE-2023-4508
Debian Bug : 1050560

Several vulnerabilities were fixed in gerbv, a viewer for the Gerber 
format for printed circuit board (PCB) design.

CVE-2021-40393

RS-274X format aperture macro variables out-of-bounds write

CVE-2021-40394

RS-274X aperture macro outline primitive integer overflow

CVE-2023-4508

Out-of-bounds memory access when referencing external files

For Debian 10 buster, these problems have been fixed in version
2.7.0-1+deb10u3.

We recommend that you upgrade your gerbv packages.

For the detailed security status of gerbv please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gerbv

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3552-1] gst-plugins-ugly1.0 security update

2023-08-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3552-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
August 31, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: gst-plugins-ugly1.0
Version: 1.14.4-1+deb10u2
Debian Bug : 1043501

Demuxer vulnerabilities have been fixed in the RealMedia demuxers for 
the GStreamer media framework.

For Debian 10 buster, these problems have been fixed in version
1.14.4-1+deb10u2.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3528-1] poppler security update

2023-08-14 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3528-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
August 14, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: poppler
Version: 0.71.0-5+deb10u2
CVE ID : CVE-2020-36023 CVE-2020-36024

Two vulnerabilities have been fixed in poppler,
a PDF rendering library.

CVE-2020-36023

Infinite loop in FoFiType1C::cvtGlyph()

CVE-2020-36024

NULL dereference in FoFiType1C::convertToType1()

For Debian 10 buster, these problems have been fixed in version
0.71.0-5+deb10u2.

We recommend that you upgrade your poppler packages.

For the detailed security status of poppler please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/poppler

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3519-1] ghostscript security update

2023-08-07 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3519-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
August 07, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: ghostscript
Version: 9.27~dfsg-2+deb10u8
CVE ID : CVE-2023-38559
Debian Bug : 1043033

A buffer overflow in devn_pcx_write_rle() has been fixed in Ghostscript,
an interpreter for the PostScript language and PDF files.

For Debian 10 buster, this problem has been fixed in version
9.27~dfsg-2+deb10u8.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3517-1] pdfcrack security update

2023-08-06 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3517-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
August 06, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: pdfcrack
Version: 0.16-3+deb10u1
CVE ID : CVE-2020-22336

A stack overflow in the MD5 function has been fixed in pdfcrack,
a tool for recovering passwords and content from PDF files.

For Debian 10 buster, this problem has been fixed in version 0.16-3+deb10u1.

We recommend that you upgrade your pdfcrack packages.

For the detailed security status of pdfcrack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdfcrack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3513-1] tiff security update

2023-07-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3513-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
July 31, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: tiff
Version: 4.1.0+git191117-2~deb10u8
CVE ID : CVE-2023-2908 CVE-2023-3316 CVE-2023-3618 CVE-2023-25433 
 CVE-2023-26965 CVE-2023-26966 CVE-2023-38288 CVE-2023-38289
Debian Bug : 1040945

Multiple vulnerabilities were found in tiff, a library and tools
providing support for the Tag Image File Format (TIFF).

CVE-2023-2908

NULL pointer dereference in tif_dir.c

CVE-2023-3316

NULL pointer dereference in TIFFClose()

CVE-2023-3618

Buffer overflow in tiffcrop

CVE-2023-25433

Buffer overflow in tiffcrop

CVE-2023-26965

Use after free in tiffcrop

CVE-2023-26966

Buffer overflow in uv_encode()

CVE-2023-38288

Integer overflow in tiffcp

CVE-2023-38289

Integer overflow in raw2tiff

For Debian 10 buster, these problems have been fixed in version
4.1.0+git191117-2~deb10u8.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3497-1] pypdf2 security update

2023-07-14 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3497-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
July 14, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: pypdf2
Version: 1.26.0-2+deb10u2
CVE ID : CVE-2023-36810

Quadratic runtime with malformed PDFs missing xref marker has been fixed 
in PyPDF2, a pure Python PDF library.

For Debian 10 buster, this problem has been fixed in version
1.26.0-2+deb10u2.

We recommend that you upgrade your pypdf2 packages.

For the detailed security status of pypdf2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pypdf2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3477-1] python3.7 security update

2023-06-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3477-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 30, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: python3.7
Version: 3.7.3-2+deb10u5
CVE ID : CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733 
 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061

Several vulnerabilities were fixed in the Python3 interpreter.

CVE-2015-20107

The mailcap module did not add escape characters into commands 
discovered in the system mailcap file.

CVE-2020-10735

Prevent DoS with very large int.

CVE-2021-3426

Remove the pydoc getfile feature which could be abused to read 
arbitrary files on the disk.

CVE-2021-3733

Regular Expression Denial of Service in urllib's AbstractBasicAuthHandler 
class.

CVE-2021-3737

Infinite loop in the HTTP client code.

CVE-2021-4189

Make ftplib not trust the PASV response.

CVE-2022-45061

Quadratic time in the IDNA decoder.

For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u5.

We recommend that you upgrade your python3.7 packages.

For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3475-1] trafficserver security update

2023-06-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3475-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 30, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: trafficserver
Version: 8.1.7-0+deb10u1
CVE ID : CVE-2022-47184 CVE-2023-30631 CVE-2023-33933
Debian Bug : 1038248

Several vulnerabilities were discovered in Apache Traffic Server,
a reverse and forward proxy server.

CVE-2022-47184

The TRACE method can be used to disclose network information.

CVE-2023-30631

Configuration option to block the PUSH method in ATS didn't work.

CVE-2023-33933

s3_auth plugin problem with hash calculation.

For Debian 10 buster, these problems have been fixed in version
8.1.7-0+deb10u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3474-1] systemd security update

2023-06-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3474-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 29, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: systemd
Version: 241-7~deb10u10
CVE ID : CVE-2022-3821
Debian Bug : 1021644

A buffer overrun in format_timespan() has been fixed
in systemd, the default init system in Debian.

Additionally, fixes for getting property OnExternalPower via D-Bus
and a memory leak on daemon-reload are also included.

For Debian 10 buster, this problem has been fixed in version
241-7~deb10u10.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3472-1] libx11 security update

2023-06-26 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3472-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 26, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libx11
Version: 2:1.6.7-1+deb10u3
CVE ID : CVE-2023-3138
Debian Bug : 1038133

Missing input validation in various functions may have resulted in 
denial of service in various functions provided by libx11, the X11 
client-side library.

For Debian 10 buster, this problem has been fixed in version
2:1.6.7-1+deb10u3.

We recommend that you upgrade your libx11 packages.

For the detailed security status of libx11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libx11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3470-1] owslib security update

2023-06-25 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3470-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 25, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: owslib
Version: 0.17.1-1+deb10u1
CVE ID : CVE-2023-27476
Debian Bug : 1034182

In OWSLib, a Python client library for Open Geospatial web services,
the XML parser did not disable entity resolution which could lead to 
arbitrary file reads from an attacker-controlled XML payload.

For Debian 10 buster, this problem has been fixed in version
0.17.1-1+deb10u1.

We recommend that you upgrade your owslib packages.

For the detailed security status of owslib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/owslib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3445-1] cpio security update

2023-06-04 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3445-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 04, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: cpio
Version: 2.12+dfsg-9+deb10u1
CVE ID : CVE-2019-14866 CVE-2021-38185
Debian Bug : 941412 992045

Two vulnerabilities were fixed in GNU cpio, a program to manage 
archives of files.

CVE-2019-14866

Improper validation of input files when generating tar archives.

CVE-2021-38185

Arbitrary code via crafted pattern file.

For Debian 10 buster, these problems have been fixed in version
2.12+dfsg-9+deb10u1.

We recommend that you upgrade your cpio packages.

For the detailed security status of cpio please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cpio

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3443-1] wireshark security update

2023-06-03 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3443-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 03, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: wireshark
Version: 2.6.20-0+deb10u7
CVE ID : CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2023-2856

VMS TCPIPtrace file parser crash

CVE-2023-2858

NetScaler file parser crash

CVE-2023-2879

GDSDB infinite loop

CVE-2023-2952

XRA dissector infinite loop

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u7.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update

2023-04-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3409-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libapache2-mod-auth-openidc
Version: 2.3.10.2-1+deb10u2
CVE ID : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 
 CVE-2021-32792 CVE-2023-28625
Debian Bug : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc,
an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

Insufficient validation of URLs beginning with a slash and backslash.

CVE-2021-32785

Crash when using an unencrypted Redis cache.

CVE-2021-32786

Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

AES GCM encryption used a static IV and AAD.

CVE-2021-32792

XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

NULL pointer dereference with OIDCStripCookies.

For Debian 10 buster, these problems have been fixed in version
2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3408-1] jruby security update

2023-04-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3408-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: jruby
Version: 9.1.17.0-3+deb10u1
CVE ID : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 
 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 
 CVE-2023-28756
Debian Bug : 972230 1014818

Several vulnerabilities were fixed in JRuby, a Java implementation of 
the Ruby programming language.

CVE-2017-17742
CVE-2019-16254

HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

Regular Expression Denial of Service vulnerability of WEBrick's 
Digest access authentication.

CVE-2019-16255

Code injection vulnerability of Shell#[] and Shell#test.

CVE-2020-25613

HTTP Request Smuggling attack in WEBrick.

CVE-2021-31810

Trusting FTP PASV responses vulnerability in Net::FTP.

CVE-2021-32066

Net::IMAP did not raise an exception when StartTLS fails with an
unknown response.

CVE-2023-28755

Quadratic backtracking on invalid URI.

CVE-2023-28756

The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version
9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3407-1] jackson-databind security update

2023-04-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3407-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 30, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: jackson-databind
Version: 2.9.8-3+deb10u5
CVE ID : CVE-2020-10650

One more gadget type (ignite-jta) is being blocked in the Jackson Data 
Processor library for processing JSON and other data formats in Java.

For Debian 10 buster, this problem has been fixed in version
2.9.8-3+deb10u5.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3402-1] wireshark security update

2023-04-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3402-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
April 29, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: wireshark
Version: 2.6.20-0+deb10u6
CVE ID : CVE-2023-1161 CVE-2023-1992 CVE-2023-1993 CVE-2023-1994
Debian Bug : 1033756 1034721

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2023-1161

ISO 15765 dissector crash

CVE-2023-1992

RPCoRDMA dissector crash

CVE-2023-1993

LISP dissector large loop vulnerability

CVE-2023-1994

GQUIC dissector crash

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u6.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3377-1] systemd security update

2023-03-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3377-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 31, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: systemd
Version: 241-7~deb10u9
CVE ID : CVE-2023-26604

Local privilege escalation for some sudo configurations has been fixed 
in systemd, the default init system in Debian.

For Debian 10 buster, this problem has been fixed in version 241-7~deb10u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3343-1] mono security update

2023-02-25 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3343-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
February 24, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: mono
Version: 5.18.0.240+dfsg-3+deb10u1
CVE ID : CVE-2023-26314
Debian Bug : 972146

Triggering arbitrary code execution was possible due to .desktop files 
registered as application/x-ms-dos-executable MIME handlers in the open 
source .NET framework Mono.

For Debian 10 buster, this problem has been fixed in version
5.18.0.240+dfsg-3+deb10u1.

We recommend that you upgrade your mono packages.

For the detailed security status of mono please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mono

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3341-1] curl security update

2023-02-24 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3341-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
February 24, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: curl
Version: 7.64.0-4+deb10u5
CVE ID : CVE-2023-23916
Debian Bug : 1031371

HTTP multi-header compression denial of service has been fixed in curl,
a command line tool and library for transferring data with URLs.

For Debian 10 buster, this problem has been fixed in version
7.64.0-4+deb10u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3339-1] binwalk security update

2023-02-23 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3339-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
February 23, 2023 https://wiki.debian.org/LTS
- -

Package: binwalk
Version: 2.1.2~git20180830+dfsg1-1+deb10u1
CVE ID : CVE-2022-4510

Code execution through crafted PFS filesystems was fixed in binwalk,
a tool and Python module for analyzing binary blobs and executable code.

For Debian 10 buster, this problem has been fixed in version
2.1.2~git20180830+dfsg1-1+deb10u1.

We recommend that you upgrade your binwalk packages.

For the detailed security status of binwalk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/binwalk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3334-1] sofia-sip security update

2023-02-22 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3334-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
February 22, 2023 https://wiki.debian.org/LTS
- -

Package: sofia-sip
Version: 1.12.11+20110422.1-2.1+deb10u3
CVE ID : CVE-2022-47516
Debian Bug : 1031792

Denial of service (crash) via a crafted UDP message that leads to an
internal assert was fixed in sofia-sip, a SIP (Session Initiation
Protocol) User-Agent library.

For Debian 10 buster, this problem has been fixed in version
1.12.11+20110422.1-2.1+deb10u3.

We recommend that you upgrade your sofia-sip packages.

For the detailed security status of sofia-sip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sofia-sip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3332-1] apr-util security update

2023-02-21 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3332-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
February 21, 2023 https://wiki.debian.org/LTS
- -

Package: apr-util
Version: 1.6.1-4+deb10u1
CVE ID : CVE-2022-25147

An Integer Overflow or Wraparound vulnerability was fixed in 
apr_base64() in the Apache Portable Runtime Utility Library.

For Debian 10 buster, this problem has been fixed in version
1.6.1-4+deb10u1.

We recommend that you upgrade your apr-util packages.

For the detailed security status of apr-util please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apr-util

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3305-1] libstb security update

2023-01-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3305-1debian-...@lists.debian.org
https://www.debian.org/lts/security/Adrian Bunk 
January 31, 2023  https://wiki.debian.org/LTS
- -

Package: libstb
Version: 0.0~git20180212.15.e6afb9c-1+deb10u1
CVE ID : CVE-2018-16981 CVE-2019-13217 CVE-2019-13218 CVE-2019-13219 
 CVE-2019-13220 CVE-2019-13221 CVE-2019-13222 CVE-2019-13223 
 CVE-2021-28021 CVE-2021-37789 CVE-2021-42715 CVE-2022-28041 
 CVE-2022-28042
Debian Bug : 934966 1014530 1023693 1014531 1014532

Several vulnerabilities have been fixed in the libstb library.

CVE-2018-16981

Heap-based buffer overflow in stbi__out_gif_code().

CVE-2019-13217

Heap buffer overflow in the Vorbis start_decoder().

CVE-2019-13218

Division by zero in the Vorbis predict_point().

CVE-2019-13219

NULL pointer dereference in the Vorbis get_window().

CVE-2019-13220

Uninitialized stack variables in the Vorbis start_decoder().

CVE-2019-13221

Buffer overflow in the Vorbis compute_codewords().

CVE-2019-13222

Out-of-bounds read of a global buffer in the Vorbis draw_line().

CVE-2019-13223

Reachable assertion in the Vorbis lookup1_values().

CVE-2021-28021

Buffer overflow in stbi__extend_receive().

CVE-2021-37789

Heap-based buffer overflow in stbi__jpeg_load().

CVE-2021-42715

The HDR loader parsed truncated end-of-file RLE scanlines as an 
infinite sequence of zero-length runs.

CVE-2022-28041

Integer overflow in stbi__jpeg_decode_block_prog_dc().

CVE-2022-28042

Heap-based use-after-free in stbi__jpeg_huff_decode().

For Debian 10 buster, these problems have been fixed in version
0.0~git20180212.15.e6afb9c-1+deb10u1.

We recommend that you upgrade your libstb packages.

For the detailed security status of libstb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libstb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3304-1] fig2dev security update

2023-01-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3304-1debian-...@lists.debian.org
https://www.debian.org/lts/security/Adrian Bunk 
January 31, 2023  https://wiki.debian.org/LTS
- -

Package: fig2dev
Version: 1:3.2.7a-5+deb10u5
CVE ID : CVE-2020-21529 CVE-2020-21531 CVE-2020-21532 CVE-2020-21676 
 CVE-2021-32280
Debian Bug : 960736

Several vulnerabilities have been fixed in fig2dev, a set of utilities
for converting XFig figure files to other formats.

CVE-2020-21529

Stack buffer overflow in bezier_spline().

CVE-2020-21531

Global buffer overflow in conv_pattern_index().

CVE-2020-21532

Global buffer overflow in setfigfont().

CVE-2020-21676

Stack-based buffer overflow in genpstrx_text().

CVE-2021-32280

NULL pointer dereference in compute_closed_spline().

For Debian 10 buster, these problems have been fixed in version
1:3.2.7a-5+deb10u5.

We recommend that you upgrade your fig2dev packages.

For the detailed security status of fig2dev please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fig2dev

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3292-1] sofia-sip security update

2023-01-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3292-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk 
January 29, 2023  https://wiki.debian.org/LTS
- -

Package: sofia-sip
Version: 1.12.11+20110422.1-2.1+deb10u2
CVE ID : CVE-2023-22741
Debian Bug : 1029654

Missing message length and attributes length checks when handling STUN
packets have been fixed in sofia-sip, a SIP (Session Initiation Protocol)
User-Agent library.

For Debian 10 buster, this problem has been fixed in version
1.12.11+20110422.1-2.1+deb10u2.

We recommend that you upgrade your sofia-sip packages.

For the detailed security status of sofia-sip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sofia-sip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2873-1] aria2 security update

2021-12-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2873-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 31, 2021 https://wiki.debian.org/LTS
- -

Package: aria2
Version: 1.30.0-2+deb9u1
CVE ID : CVE-2019-3500
Debian Bug : 918058

In the download utility aria2, the --log option was leaking HTTP user
credentials into the local log file.

For Debian 9 stretch, this problem has been fixed in version
1.30.0-2+deb9u1.

We recommend that you upgrade your aria2 packages.

For the detailed security status of aria2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/aria2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2872-1] agg security update

2021-12-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2872-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 31, 2021 https://wiki.debian.org/LTS
- -

Package: agg
Version: 2.5+dfsg1-11+deb9u1
CVE ID : CVE-2019-6245
Debian Bug : 919322

Stack overflow due to infinite recursion was fixed in agg,
the Anti-Grain Geometry graphical toolkit.

For Debian 9 stretch, this problem has been fixed in version
2.5+dfsg1-11+deb9u1.

We recommend that you upgrade your agg packages.

For the detailed security status of agg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/agg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2868-1] advancecomp security update

2021-12-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2868-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 29, 2021 https://wiki.debian.org/LTS
- -

Package: advancecomp
Version: 1.20-1+deb9u1
CVE ID : CVE-2018-1056 CVE-2019-8379 CVE-2019-8383 CVE-2019-9210
Debian Bug : 889270 923416 928729 928730

Several vulnerabilities have been fixed in the AdvanceCOMP recompression 
utilities.

CVE-2018-1056

Out-of-bounds heap buffer read in advzip.

CVE-2019-8379

NULL pointer dereference in be_uint32_read().

CVE-2019-8383

Invalid memory access in adv_png_unfilter_8().

CVE-2019-9210

Integer overflow in advpng with invalid PNG size.

For Debian 9 stretch, these problems have been fixed in version
1.20-1+deb9u1.

We recommend that you upgrade your advancecomp packages.

For the detailed security status of advancecomp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/advancecomp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2857-2] postgis regression update

2021-12-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2857-2debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 29, 2021 https://wiki.debian.org/LTS
- -

Package: postgis
Version: 2.3.1+dfsg-2+deb9u2

The regression of postgresql-9.6-postgis-2.3-scripts being empty in 
2.3.1+dfsg-2+deb9u1 has been fixed.

For Debian 9 stretch, this problem has been fixed in version
2.3.1+dfsg-2+deb9u2.

We recommend that you upgrade your postgis packages.

For the detailed security status of postgis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2866-1] uw-imap security update

2021-12-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2866-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 29, 2021 https://wiki.debian.org/LTS
- -

Package: uw-imap
Version: 8:2007f~dfsg-5+deb9u1
CVE ID : CVE-2018-19518
Debian Bug : 914632

Access to IMAP mailboxes through running imapd over rsh and ssh is
now disabled by default in uw-imap, the University of Washington IMAP 
Toolkit. Code using the library can enable it with tcp_parameters() 
after making sure that the IMAP server name is sanitized.

For Debian 9 stretch, this problem has been fixed in version
8:2007f~dfsg-5+deb9u1.

We recommend that you upgrade your uw-imap packages.

For the detailed security status of uw-imap please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uw-imap

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2865-1] resiprocate security update

2021-12-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2865-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 29, 2021 https://wiki.debian.org/LTS
- -

Package: resiprocate
Version: 1:1.11.0~beta1-3+deb9u2
CVE ID : CVE-2017-11521 CVE-2018-12584
Debian Bug : 869404 905495

Two vulnerabilities were fixed in the reSIProcate SIP stack.

CVE-2017-11521

The SdpContents::Session::Medium::parse function allowed remote 
attackers to cause a denial of service.

CVE-2018-12584

The ConnectionBase::preparseNewBytes function allowed remote 
attackers to cause a denial of service or possibly execute arbitrary 
code when TLS communication is enabled.

For Debian 9 stretch, these problems have been fixed in version
1:1.11.0~beta1-3+deb9u2.

We recommend that you upgrade your resiprocate packages.

For the detailed security status of resiprocate please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/resiprocate

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2861-1] rdflib security update

2021-12-28 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2861-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 28, 2021 https://wiki.debian.org/LTS
- -

Package: rdflib
Version: 4.2.1-2+deb9u1
CVE ID : CVE-2019-7653
Debian Bug : 921751

The python-rdflib-tools package (tools for converting to and from RDF) 
had wrappers that could load Python modules from the current working 
directory, allowing code injection.

For Debian 9 stretch, this problem has been fixed in version
4.2.1-2+deb9u1.

We recommend that you upgrade your rdflib packages.

For the detailed security status of rdflib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rdflib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2857-1] postgis security update

2021-12-27 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2857-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 28, 2021 https://wiki.debian.org/LTS
- -

Package: postgis
Version: 2.3.1+dfsg-2+deb9u1
CVE ID : CVE-2017-18359

In PostGIS, which adds support for geographic objects to the PostgreSQL
database, denial of service via crafted ST_AsX3D function input was 
fixed.

For Debian 9 stretch, this problem has been fixed in version
2.3.1+dfsg-2+deb9u1.

We recommend that you upgrade your postgis packages.

For the detailed security status of postgis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2856-1] okular security update

2021-12-27 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2856-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 27, 2021 https://wiki.debian.org/LTS
- -

Package: okular
Version: 4:16.08.2-1+deb9u2
CVE ID : CVE-2020-9359
Debian Bug : 954891

Code execution via an action link in a PDF document was fixed in the
KDE document viewer Okular.

For Debian 9 stretch, this problem has been fixed in version
4:16.08.2-1+deb9u2.

We recommend that you upgrade your okular packages.

For the detailed security status of okular please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/okular

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2855-1] monit security update

2021-12-27 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2855-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 27, 2021 https://wiki.debian.org/LTS
- -

Package: monit
Version: 1:5.20.0-6+deb9u2
CVE ID : CVE-2019-11454 CVE-2019-11455
Debian Bug : 927775

Two vulnerabilities were fixed in monit, a utility for monitoring and 
managing Unix systems.

CVE-2019-11454

Persistent cross-site scripting in http/cervlet.c.

CVE-2019-11455

Buffer over-read in Util_urlDecode in util.c.

For Debian 9 stretch, these problems have been fixed in version
1:5.20.0-6+deb9u2.

We recommend that you upgrade your monit packages.

For the detailed security status of monit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/monit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2851-1] libextractor security update

2021-12-26 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2851-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 26, 2021 https://wiki.debian.org/LTS
- -

Package: libextractor
Version: 1:1.3-4+deb9u4
CVE ID : CVE-2019-15531
Debian Bug : 935553

Invalid read for malformed DVI files was fixed in GNU libextractor,
a library that extracts meta-data from files of arbitrary type.

For Debian 9 stretch, this problem has been fixed in version
1:1.3-4+deb9u4.

We recommend that you upgrade your libextractor packages.

For the detailed security status of libextractor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libextractor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2849-1] wireshark security update

2021-12-26 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2849-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 26, 2021 https://wiki.debian.org/LTS
- -

Package: wireshark
Version: 2.6.20-0+deb9u2
CVE ID : CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 
 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39928 
 CVE-2021-39929
Debian Bug : 987853

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2021-22207

Excessive memory consumption in the MS-WSP dissector.

CVE-2021-22235

Crash in the DNP dissector.

CVE-2021-39921

NULL pointer exception in the Modbus dissector.

CVE-2021-39922

Buffer overflow in the C12.22 dissector.

CVE-2021-39923

Large loop in the PNRP dissector.

CVE-2021-39924

Large loop in the Bluetooth DHT dissector.

CVE-2021-39925

Buffer overflow in the Bluetooth SDP dissector.

CVE-2021-39928

NULL pointer exception in the IEEE 802.11 dissector.

CVE-2021-39929

Uncontrolled Recursion in the Bluetooth DHT dissector.

For Debian 9 stretch, these problems have been fixed in version
2.6.20-0+deb9u2.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2850-1] libpcap security update

2021-12-26 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2850-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 26, 2021 https://wiki.debian.org/LTS
- -

Package: libpcap
Version: 1.8.1-3+deb9u1
CVE ID : CVE-2019-15165
Debian Bug : 941697

Improper PHB header length validation was fixed in libpcap,
a library for capturing network traffic.

For Debian 9 stretch, this problem has been fixed in version
1.8.1-3+deb9u1.

We recommend that you upgrade your libpcap packages.

For the detailed security status of libpcap please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libpcap

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2835-1] rsyslog security update

2021-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2835-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2021 https://wiki.debian.org/LTS
- -

Package: rsyslog
Version: 8.24.0-1+deb9u1
CVE ID : CVE-2019-17041 CVE-2019-17042
Debian Bug : 942065 942067

Two heap overflows were fixed in the rsyslog logging daemon.

CVE-2019-17041

Heap overflow in the AIX message parser.

CVE-2019-17042

Heap overflow in the Cisco log message parser.

For Debian 9 stretch, these problems have been fixed in version
8.24.0-1+deb9u1.

We recommend that you upgrade your rsyslog packages.

For the detailed security status of rsyslog please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rsyslog

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2834-1] uriparser security update

2021-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2834-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2021 https://wiki.debian.org/LTS
- -

Package: uriparser
Version: 0.8.4-1+deb9u2
CVE ID : CVE-2018-20721

Out-of-bounds read for an incomplete URI with an IPv6 address containing 
an embedded IPv4 address has been fixed in uriparser, a library to parse 
Uniform Resource Identifiers (URIs).

For Debian 9 stretch, this problem has been fixed in version
0.8.4-1+deb9u2.

We recommend that you upgrade your uriparser packages.

For the detailed security status of uriparser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uriparser

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2833-1] rsync security update

2021-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2833-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2021 https://wiki.debian.org/LTS
- -

Package: rsync
Version: 3.1.2-1+deb9u3
CVE ID : CVE-2018-5764
Debian Bug : 887588

In rsync, a remote file-copying tool, remote attackers were able to 
bypass the argument-sanitization protection mechanism by passing 
additional --protect-args.

For Debian 9 stretch, this problem has been fixed in version
3.1.2-1+deb9u3.

We recommend that you upgrade your rsync packages.

For the detailed security status of rsync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rsync

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2832-1] opensc security update

2021-11-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2832-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 29, 2021 https://wiki.debian.org/LTS
- -

Package: opensc
Version: 0.16.0-3+deb9u2
CVE ID : CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 
 CVE-2020-26571 CVE-2020-26572
Debian Bug : 939668 939669 947383 972035 972036 972037

Several vulnerabilities were fixed in the OpenSC smart card utilities.

CVE-2019-15945

Out-of-bounds access of an ASN.1 Bitstring.

CVE-2019-15946

Out-of-bounds access of an ASN.1 Octet string.

CVE-2019-19479

Incorrect read operation in the Setec driver.

CVE-2020-26570

Heap-based buffer overflow in the Oberthur driver.

CVE-2020-26571

Stack-based buffer overflow in the GPK driver.

CVE-2020-26572

Stack-based buffer overflow in the TCOS driver.

For Debian 9 stretch, these problems have been fixed in version
0.16.0-3+deb9u2.

We recommend that you upgrade your opensc packages.

For the detailed security status of opensc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opensc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2831-1] libntlm security update

2021-11-28 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2831-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 28, 2021 https://wiki.debian.org/LTS
- -

Package: libntlm
Version: 1.4-8+deb9u1
CVE ID : CVE-2019-17455
Debian Bug : 942145

Stack-based buffer over-reads for crafted NTLM requests were fixed in 
libntlm, a library that implements Microsoft's NTLM authentication.

For Debian 9 stretch, this problem has been fixed in version
1.4-8+deb9u1.

We recommend that you upgrade your libntlm packages.

For the detailed security status of libntlm please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libntlm

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2830-1] tar security update

2021-11-28 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2830-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 28, 2021 https://wiki.debian.org/LTS
- -

Package: tar
Version: 1.29b-1.1+deb9u1
CVE ID : CVE-2018-20482
Debian Bug : 917377

An infinite loop when --sparse is used with file shrinkage during read 
access was fixed in the GNU tar archiving utility.

For Debian 9 stretch, this problem has been fixed in version
1.29b-1.1+deb9u1.

We recommend that you upgrade your tar packages.

For the detailed security status of tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2829-1] libvpx security update

2021-11-27 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2829-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 27, 2021 https://wiki.debian.org/LTS
- -

Package: libvpx
Version: 1.6.1-3+deb9u3
CVE ID : CVE-2020-0034

An out-of-bounds buffer read on truncated key frames in vp8_decode_frame 
has been fixed in libvpx, a popular library for the VP8 and VP9 video codecs.

For Debian 9 stretch, this problem has been fixed in version
1.6.1-3+deb9u3.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 2828-1] libvorbis security update

2021-11-27 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2828-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 27, 2021 https://wiki.debian.org/LTS
- -

Package: libvorbis
Version: 1.3.5-4+deb9u3
CVE ID : CVE-2017-14160 CVE-2018-10392 CVE-2018-10393
Debian Bug : 876780

Several vulnerabilities were fixed in libvorbis, a popular library for 
the Vorbis audio codec.

CVE-2017-14160
CVE-2018-10393

Improve bound checking for very low sample rates.

CVE-2018-10392

Validate the number of channels in vorbisenc.c

For Debian 9 stretch, these problems have been fixed in version
1.3.5-4+deb9u3.

We recommend that you upgrade your libvorbis packages.

For the detailed security status of libvorbis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvorbis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2805-1] libmspack security update

2021-10-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2805-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
October 31, 2021  https://wiki.debian.org/LTS
- -

Package: libmspack
Version: 0.5-1+deb9u4
CVE ID : CVE-2019-1010305

Opening a crafted chm file could result in a buffer overflow in libmspack,
a library for Microsoft compression formats.

For Debian 9 stretch, this problem has been fixed in version
0.5-1+deb9u4.

We recommend that you upgrade your libmspack packages.

For the detailed security status of libmspack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmspack

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2804-1] libsdl1.2 security update

2021-10-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2804-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
October 31, 2021  https://wiki.debian.org/LTS
- -

Package: libsdl1.2
Version: 1.2.15+dfsg1-4+deb9u1
CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 
 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 
 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 CVE-2019-13616
Debian Bug : 924609 

Several vulnerabilities have been fixed in libsdl2, the older version of 
the Simple DirectMedia Layer library that provides low level access to 
audio, keyboard, mouse, joystick, and graphics hardware.

CVE-2019-7572

Buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c

CVE-2019-7573

Heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c

CVE-2019-7574

Heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c

CVE-2019-7575

Heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c

CVE-2019-7576

Heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c

CVE-2019-7577

Buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c

CVE-2019-7578

Heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c

CVE-2019-7635

Heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c

CVE-2019-7636

Heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c

CVE-2019-7637

Heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c

CVE-2019-7638

Heap-based buffer over-read in Map1toN in video/SDL_pixels.c

CVE-2019-13616

Heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c

For Debian 9 stretch, these problems have been fixed in version
1.2.15+dfsg1-4+deb9u1.

We recommend that you upgrade your libsdl1.2 packages.

For the detailed security status of libsdl1.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsdl1.2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2803-1] libsdl2 security update

2021-10-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2803-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
October 31, 2021  https://wiki.debian.org/LTS
- -

Package: libsdl2
Version: 2.0.5+dfsg1-2+deb9u2
CVE ID : CVE-2017-2888 CVE-2019-7637
Debian Bug : 878264

A vulnerability has been fixed in libsdl2, the newer version of the 
Simple DirectMedia Layer library that provides low level access to 
audio, keyboard, mouse, joystick, and graphics hardware.

CVE-2017-2888
CVE-2019-7637

Potential overflow in surface allocation was fixed.

For Debian 9 stretch, these problems have been fixed in version
2.0.5+dfsg1-2+deb9u2.

We recommend that you upgrade your libsdl2 packages.

For the detailed security status of libsdl2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsdl2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2802-1] elfutils security update

2021-10-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2802-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
October 30, 2021  https://wiki.debian.org/LTS
- -

Package: elfutils
Version: 0.168-1+deb9u1
CVE ID : CVE-2018-16062 CVE-2018-16402 CVE-2018-18310 CVE-2018-18520 
 CVE-2018-18521 CVE-2019-7150 CVE-2019-7665
Debian Bug : 907562 911083 911413 911414 920909 921880

Several vulnerabilities were fixed in elfutils, a collection of 
utilities and libraries to handle ELF objects.

CVE-2018-16062

dwarf_getaranges in dwarf_getaranges.c in libdw allowed a denial of 
service (heap-based buffer over-read) via a crafted file.

CVE-2018-16402

libelf/elf_end.c allowed a denial of service (double free and 
application crash) because it tried to decompress twice.

CVE-2018-18310

An invalid memory address dereference in libdwfl allowed a denial of 
service (application crash) via a crafted file.

CVE-2018-18520

A use-after-free in recursive ELF ar files allowed a denial of 
service (application crash) via a crafted file.

CVE-2018-18521

A divide-by-zero in arlib_add_symbols() allowed a denial of service 
(application crash) via a crafted file.

CVE-2019-7150

A segmentation fault could occur due to dwfl_segment_report_module() 
not checking whether the dyn data read from a core file is truncated.

CVE-2019-7665

NT_PLATFORM core notes containing a zero-terminated string allowed a 
denial of service (application crash) via a crafted file.

For Debian 9 stretch, these problems have been fixed in version
0.168-1+deb9u1.

We recommend that you upgrade your elfutils packages.

For the detailed security status of elfutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/elfutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2795-1] gpsd security update

2021-10-29 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2795-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
October 29, 2021  https://wiki.debian.org/LTS
- -

Package: gpsd
Version: 3.16-4+deb9u1
CVE ID : CVE-2018-17937
Debian Bug : 925327

A security vulnerability was discovered in gpsd, the Global Positioning
System daemon. A stack-based buffer overflow may allow remote attackers
to execute arbitrary code via traffic on port 2947/TCP or crafted JSON
inputs.

For Debian 9 stretch, this problem has been fixed in version
3.16-4+deb9u1.

We recommend that you upgrade your gpsd packages.

For the detailed security status of gpsd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gpsd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2772-1] taglib security update

2021-09-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2772-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
September 30, 2021https://wiki.debian.org/LTS
- -

Package: taglib
Version: 1.11.1+dfsg.1-0.3+deb9u1
CVE ID : CVE-2017-12678 CVE-2018-11439
Debian Bug : 871511 903847 915281

Several problems were corrected in TagLib,
a library for reading and editing audio meta data.

CVE-2017-12678

A crafted audio file could result in a crash.

CVE-2018-11439

A crafted audio file could result in information disclosure.

Additionally, a bug that can lead to corruption of ogg files
has been fixed.

For Debian 9 stretch, these problems have been fixed in version
1.11.1+dfsg.1-0.3+deb9u1.

We recommend that you upgrade your taglib packages.

For the detailed security status of taglib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/taglib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2771-1] krb5 security update

2021-09-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2771-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
September 30, 2021https://wiki.debian.org/LTS
- -

Package: krb5
Version: 1.15-1+deb9u3
CVE ID : CVE-2018-5729 CVE-2018-5730 CVE-2018-20217 CVE-2021-37750
Debian Bug : 891869 917387 992607

Several vulnerabilities were fixed in MIT Kerberos,
a system for authenticating users and services on a network.

CVE-2018-5729
CVE-2018-5730

Fix flaws in LDAP DN checking.

CVE-2018-20217

Ignore password attributes for S4U2Self requests.

CVE-2021-37750

Fix KDC null deref on TGS inner body null server.

For Debian 9 stretch, these problems have been fixed in version
1.15-1+deb9u3.

We recommend that you upgrade your krb5 packages.

For the detailed security status of krb5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/krb5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2770-1] weechat security update

2021-09-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2770-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
September 30, 2021https://wiki.debian.org/LTS
- -

Package: weechat
Version: 1.6-1+deb9u3
CVE ID : CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 CVE-2021-40516
Debian Bug : 951289 993803

Several vulnerabilities were fixed in the chat client WeeChat.

CVE-2020-8955

A crafted irc message 324 (channel mode) could result in a crash.

CVE-2020-9759

A crafted irc message 352 (who) could result in a crash.

CVE-2020-9760

A crafted irc message 005 (setting a new mode for a nick) could 
result in a crash.

CVE-2021-40516

A crafted WebSocket frame could result in a crash in the Relay plugin.

For Debian 9 stretch, these problems have been fixed in version
1.6-1+deb9u3.

We recommend that you upgrade your weechat packages.

For the detailed security status of weechat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/weechat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2734-1] curl security update

2021-08-12 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2734-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
August 09, 2021   https://wiki.debian.org/LTS
- -

Package: curl
Version: 7.52.1-5+deb9u15
CVE ID : CVE-2021-22898 CVE-2021-22924
Debian Bug : 989228 991492

Several vulnerabilities were fixed in curl,
a client-side URL transfer library.

CVE-2021-22898

Information disclosure in connection to telnet servers.

CVE-2021-22924

Bad connection reuse due to flawed path name checks.

For Debian 9 stretch, these problems have been fixed in version
7.52.1-5+deb9u15.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2547-1] wireshark security update

2021-02-06 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2547-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
February 06, 2021 https://wiki.debian.org/LTS
- -

Package: wireshark
Version: 2.6.20-0+deb9u1
CVE ID : CVE-2019-13619 CVE-2019-16319 CVE-2019-19553 CVE-2020-7045
 CVE-2020-9428 CVE-2020-9430 CVE-2020-9431 CVE-2020-11647
 CVE-2020-13164 CVE-2020-15466 CVE-2020-25862 CVE-2020-25863
 CVE-2020-26418 CVE-2020-26421 CVE-2020-26575 CVE-2020-28030
Debian Bug : 958213 974688 974689

Several vulnerabilities were fixed in Wireshark, a network sniffer.

CVE-2019-13619

ASN.1 BER and related dissectors crash.

CVE-2019-16319

The Gryphon dissector could go into an infinite loop.

CVE-2019-19553

The CMS dissector could crash.

CVE-2020-7045

The BT ATT dissector could crash.

CVE-2020-9428

The EAP dissector could crash.

CVE-2020-9430

The WiMax DLMAP dissector could crash.

CVE-2020-9431

The LTE RRC dissector could leak memory.

CVE-2020-11647

The BACapp dissector could crash.

CVE-2020-13164

The NFS dissector could crash.

CVE-2020-15466

The GVCP dissector could go into an infinite loop.

CVE-2020-25862

The TCP dissector could crash.

CVE-2020-25863

The MIME Multipart dissector could crash.

CVE-2020-26418

Memory leak in the Kafka protocol dissector.

CVE-2020-26421

Crash in USB HID protocol dissector.

CVE-2020-26575

The Facebook Zero Protocol (aka FBZERO) dissector
could enter an infinite loop.

CVE-2020-28030

The GQUIC dissector could crash.

For Debian 9 stretch, these problems have been fixed in version
2.6.20-0+deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2538-1] mariadb-10.1 security update

2021-01-31 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2538-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
January 31, 2021  https://wiki.debian.org/LTS
- -

Package: mariadb-10.1
Version: 10.1.48-0+deb9u1
CVE ID : CVE-2020-14765 CVE-2020-14812

Two vulnerabilities were fixed by upgrading the MariaDB database server
packages to the latest version on the 10.1 branch.

For Debian 9 stretch, these problems have been fixed in version
10.1.48-0+deb9u1.

We recommend that you upgrade your mariadb-10.1 packages.

For the detailed security status of mariadb-10.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2513-1] p11-kit security update

2021-01-03 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2513-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
January 04, 2021  https://wiki.debian.org/LTS
- -

Package: p11-kit
Version: 0.23.3-2+deb9u1
CVE ID : CVE-2020-29361 CVE-2020-29362

Several memory safety issues affecting the RPC protocol were fixed in 
p11-kit, a library providing a way to load and enumerate PKCS#11 
modules.

CVE-2020-29361

Multiple integer overflows

CVE-2020-29362

Heap-based buffer over-read

For Debian 9 stretch, these problems have been fixed in version
0.23.3-2+deb9u1.

We recommend that you upgrade your p11-kit packages.

For the detailed security status of p11-kit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p11-kit

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2514-1] flac security update

2021-01-03 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2514-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
January 04, 2021  https://wiki.debian.org/LTS
- -

Package: flac
Version: 1.3.2-2+deb9u1
CVE ID : CVE-2017-6888 CVE-2020-0499
Debian Bug : 897015 977764

Two vulnerabilities were fixed in flac, the library for the
Free Lossless Audio Codec.

CVE-2017-6888

Memory leak via a specially crafted FLAC file

CVE-2020-0499

Out of bounds read due to a heap buffer overflow

For Debian 9 stretch, these problems have been fixed in version
1.3.2-2+deb9u1.

We recommend that you upgrade your flac packages.

For the detailed security status of flac please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flac

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2502-1] postsrsd security update

2020-12-20 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2502-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
December 20, 2020 https://wiki.debian.org/LTS
- -

Package: postsrsd
Version: 1.4-1+deb9u1
CVE ID : CVE-2020-35573
Debian Bug : 

A potential denial-of-service attack through malicious timestamp tags
was fixed in PostSRSd, a Sender Rewriting Scheme (SRS) lookup table for 
Postfix.

For Debian 9 stretch, this problem has been fixed in version
1.4-1+deb9u1.

We recommend that you upgrade your postsrsd packages.

For the detailed security status of postsrsd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postsrsd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2473-1] vips security update

2020-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2473-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2020 https://wiki.debian.org/LTS
- -

Package: vips
Version: 8.4.5-1+deb9u2
CVE ID : CVE-2020-20739

In VIPS, an image processing system, an uninitialized variable which may 
cause the leakage of remote server path or stack address was fixed.

For Debian 9 stretch, this problem has been fixed in version
8.4.5-1+deb9u2.

We recommend that you upgrade your vips packages.

For the detailed security status of vips please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vips

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 2472-1] mutt security update

2020-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2472-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2020 https://wiki.debian.org/LTS
- -

Package: mutt
Version: 1.7.2-1+deb9u4
CVE ID : CVE-2020-28896
Debian Bug : 

In Mutt, a text-based Mail User Agent, invalid IMAP server responses 
were not properly handled, potentially resulting in authentication 
credentials being exposed or man-in-the-middle attacks.

For Debian 9 stretch, this problem has been fixed in version
1.7.2-1+deb9u4.

We recommend that you upgrade your mutt packages.

For the detailed security status of mutt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mutt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2462-1] cimg security update

2020-11-22 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2462-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 23, 2020 https://wiki.debian.org/LTS
- -

Package: cimg
Version: 1.7.9+dfsg-1+deb9u2
CVE ID : CVE-2020-25693
Debian Bug : 973770

Multiple heap buffer overflows have been fixed in CImg,
a C++ toolkit to load, save, process and display images.

For Debian 9 stretch, this problem has been fixed in version
1.7.9+dfsg-1+deb9u2.

We recommend that you upgrade your cimg packages.

For the detailed security status of cimg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cimg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2452-2] libdatetime-timezone-perl regression update

2020-11-16 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2452-2debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 17, 2020 https://wiki.debian.org/LTS
- -

Package: libdatetime-timezone-perl
Version: 2.09-1+2020d+1
Debian Bug : 974899

2.09-1+2020d accidentally omitted changes to some files,
resulting in warnings.

For Debian 9 stretch, this problem has been fixed in version
2.09-1+2020d+1.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 2452-1] libdatetime-timezone-perl new upstream version

2020-11-15 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2452-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 16, 2020 https://wiki.debian.org/LTS
- -

Package: libdatetime-timezone-perl
Version: 1:2.09-1+2020d

This update includes the changes in tzdata 2020d for the
Perl bindings. For the list of changes, see DLA-2424-1.

For Debian 9 stretch, this problem has been fixed in version
1:2.09-1+2020d.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2424-1] tzdata new upstream version

2020-10-31 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2424-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: tzdata
Version: 2020d-0+deb9u1

tzdata, the time zone and daylight-saving time data,
has been updated to the latest version.

 - Revised predictions for Morocco's changes starting in 2023.
 - Macquarie Island has stayed in sync with Tasmania since 2011.
 - Casey, Antarctica is at +08 in winter and +11 in summer since 2018.
 - Palestine ends DST earlier than predicted, on 2020-10-24.
 - Fiji starts DST later than usual, on 2020-12-20.

For Debian 9 stretch, this problem has been fixed in version
2020d-0+deb9u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2423-1] wireshark security update

2020-10-31 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2423-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: wireshark
Version: 2.6.8-1.1~deb9u1
CVE ID : CVE-2019-10894 CVE-2019-10895 CVE-2019-10896 CVE-2019-10899 
 CVE-2019-10901 CVE-2019-10903 CVE-2019-12295
Debian Bug : 926718 929446

Several vulnerabilities were fixed in the Wireshark network
protocol analyzer.

CVE-2019-10894

GSS-API dissector crash

CVE-2019-10895

NetScaler file parser crash

CVE-2019-10896

DOF dissector crash

CVE-2019-10899

SRVLOC dissector crash

CVE-2019-10901

LDSS dissector crash

CVE-2019-10903

DCERPC SPOOLSS dissector crash

CVE-2019-12295

Dissection engine could crash

For Debian 9 stretch, these problems have been fixed in version
2.6.8-1.1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2422-1] qtsvg-opensource-src security update

2020-10-31 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2422-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
October 31, 2020                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: qtsvg-opensource-src
Version: 5.7.1~20161021-2.1
CVE ID : CVE-2018-19869
Debian Bug : 

Malformed SVG images were able to cause a segmentation fault
in qtsvg-opensource-src, the QtSvg module for displaying the
contents of SVG files in Qt.

For Debian 9 stretch, this problem has been fixed in version
5.7.1~20161021-2.1.

We recommend that you upgrade your qtsvg-opensource-src packages.

For the detailed security status of qtsvg-opensource-src please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qtsvg-opensource-src

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2388-1] nss security update

2020-09-29 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2388-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 29, 2020                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: nss
Version: 2:3.26.2-1.1+deb9u2
CVE ID : CVE-2018-12404 CVE-2018-18508 CVE-2019-11719 CVE-2019-11729 
 CVE-2019-11745 CVE-2019-17006 CVE-2019-17007 CVE-2020-6829 
 CVE-2020-12399 CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 
 CVE-2020-12403
Debian Bug : 921614 961752 963152

Various vulnerabilities were fixed in nss,
the Network Security Service libraries.

CVE-2018-12404

Cache side-channel variant of the Bleichenbacher attack.

CVE-2018-18508

NULL pointer dereference in several CMS functions resulting in a 
denial of service.

CVE-2019-11719

Out-of-bounds read when importing curve25519 private key.

CVE-2019-11729

Empty or malformed p256-ECDH public keys may trigger a segmentation 
fault.

CVE-2019-11745

Out-of-bounds write when encrypting with a block cipher.

CVE-2019-17006

Some cryptographic primitives did not check the length of the input 
text, potentially resulting in overflows.

CVE-2019-17007

Handling of Netscape Certificate Sequences may crash with a NULL 
dereference leading to a denial of service.

CVE-2020-12399

Force a fixed length for DSA exponentiation.

CVE-2020-6829
CVE-2020-12400

Side channel attack on ECDSA signature generation.

CVE-2020-12401

ECDSA timing attack mitigation bypass.

CVE-2020-12402

Side channel vulnerabilities during RSA key generation.

CVE-2020-12403

CHACHA20-POLY1305 decryption with undersized tag leads to 
out-of-bounds read.

For Debian 9 stretch, these problems have been fixed in version
2:3.26.2-1.1+deb9u2.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


