[SECURITY] [DSA 4383-1] libvncserver security update

2019-02-03 Thread Salvatore Bonaccorso

Debian Security Advisory DSA-4383-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 03, 2019                     https://www.debian.org/security/faq

Package: libvncserver
CVE ID : CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019
 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
 CVE-2018-20024
Debian Bug : 916941

Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a
library to implement VNC server/client functionalities, which might result in
the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 0.9.11+dfsg-1.3~deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4381-1] libreoffice security update

2019-02-03 Thread Moritz Muehlenhoff

Debian Security Advisory DSA-4381-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 02, 2019                     https://www.debian.org/security/faq

Package: libreoffice
CVE ID : CVE-2018-16858

Alex Infuehr discovered a directory traversal vulnerability which could
result in the execution of Python script code when opening a malformed
document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u5. In addition this update fixes a bug in the
validation of signed PDFs; it would display an incomplete status message
when dealing with a partial signature.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4382-1] rssh security update

2019-02-03 Thread Moritz Muehlenhoff

Debian Security Advisory DSA-4382-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 02, 2019                     https://www.debian.org/security/faq

Package: rssh
CVE ID : CVE-2019-3463 CVE-2019-3464

Nick Cleaton discovered two vulnerabilities in rssh, a restricted shell
that allows users to perform only scp, sftp, cvs, svnserve (Subversion),
rdist and/or rsync operations. Missing validation in the rsync support
could result in the bypass of this restriction, allowing the execution
of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.4-5+deb9u2.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[slackware-security] mariadb (SSA:2019-032-01)

2019-02-03 Thread Slackware Security Team



New mariadb packages are available for Slackware 14.1 and 14.2 to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/mariadb-10.0.38-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2529
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/mariadb-5.5.63-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/mariadb-5.5.63-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mariadb-10.0.38-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mariadb-10.0.38-x86_64-1_slack14.2.txz


MD5 signatures:
+-+

Slackware 14.1 package:
a81564cdf4f9efa0cc4c0f47babcf5bf  mariadb-5.5.63-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
399bfb1dc4a85ce86986fdaf87d8e9fb  mariadb-5.5.63-x86_64-1_slack14.1.txz

Slackware 14.2 package:
2d9ece0b78c612d7dd222a30dda414e9  mariadb-10.0.38-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
bc12313467c7aba5dda4e224f41062da  mariadb-10.0.38-x86_64-1_slack14.2.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg mariadb-10.0.38-i586-1_slack14.2.txz

Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com



[SECURITY] [DSA 4380-1] golang-1.8 security update

2019-02-03 Thread Moritz Muehlenhoff

Debian Security Advisory DSA-4380-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 01, 2019                     https://www.debian.org/security/faq

Package: golang-1.8
CVE ID : CVE-2018-6574 CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes two vulnerabilities in "go get", which
could result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.1-1+deb9u1.

We recommend that you upgrade your golang-1.8 packages.

For the detailed security status of golang-1.8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4379-1] golang-1.7 security update

2019-02-03 Thread Moritz Muehlenhoff

Debian Security Advisory DSA-4379-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 01, 2019                     https://www.debian.org/security/faq

Package: golang-1.7
CVE ID : CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes a vulnerability in "go get", which could
result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.4-2+deb9u1.

We recommend that you upgrade your golang-1.7 packages.

For the detailed security status of golang-1.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org