[SECURITY] [DSA 4624-1] evince security update

2020-02-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4624-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 14, 2020 https://www.debian.org/security/faq
- -

Package: evince
CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006
Debian Bug : 927820

Several vulnerabilities were discovered in evince, a simple multi-page
document viewer.

CVE-2017-1000159

Tobias Mueller reported that the DVI exporter in evince is
susceptible to a command injection vulnerability via specially
crafted filenames.

CVE-2019-11459

Andy Nguyen reported that the tiff_document_render() and
tiff_document_get_thumbnail() functions in the TIFF document backend
did not handle errors from TIFFReadRGBAImageOriented(), leading to
disclosure of uninitialized memory when processing TIFF image files.

CVE-2019-1010006

A buffer overflow vulnerability in the tiff backend could lead to
denial of service, or potentially the execution of arbitrary code if
a specially crafted PDF file is opened.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.22.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 3.30.2-3+deb10u1. The stable distribution is only affected by
CVE-2019-11459.

We recommend that you upgrade your evince packages.

For the detailed security status of evince please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/evince

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4618-1] libexif security update

2020-02-10 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4618-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 06, 2020 https://www.debian.org/security/faq
- -

Package: libexif
CVE ID : CVE-2019-9278
Debian Bug : 945948

An out-of-bounds write vulnerability due to an integer overflow was
reported in libexif, a library to parse EXIF files, which could result
in denial of service, or potentially the execution of arbitrary code if
specially crafted image files are processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 0.6.21-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 0.6.21-5.1+deb10u1.

We recommend that you upgrade your libexif packages.

For the detailed security status of libexif please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libexif

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4619-1] libxmlrpc3-java security update

2020-02-10 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4619-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 06, 2020 https://www.debian.org/security/faq
- -

Package: libxmlrpc3-java
CVE ID : CVE-2019-17570
Debian Bug : 949089

Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java,
an XML-RPC implementation in Java, performs deserialization of the
server-side exception serialized in the faultCause attribute of XMLRPC
error response messages. A malicious XMLRPC server can take advantage of
this flaw to execute arbitrary code with the privileges of an
application using the Apache XMLRPC client library.

Note that a client that expects to receive server-side exceptions needs
to set the enabledForExceptions property explicitly.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.1.3-8+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 3.1.3-9+deb10u1.

We recommend that you upgrade your libxmlrpc3-java packages.

For the detailed security status of libxmlrpc3-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxmlrpc3-java

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4613-1] libidn2 security update

2020-02-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4613-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 01, 2020 https://www.debian.org/security/faq
- -

Package: libidn2
CVE ID : CVE-2019-18224
Debian Bug : 942895

A heap-based buffer overflow vulnerability was discovered in the
idn2_to_ascii_4i() function in libidn2, the GNU library for
Internationalized Domain Names (IDNs), which could result in denial of
service, or the execution of arbitrary code when processing a long
domain string.

For the stable distribution (buster), this problem has been fixed in
version 2.0.5-1+deb10u1.

We recommend that you upgrade your libidn2 packages.

For the detailed security status of libidn2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libidn2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4614-1] sudo security update

2020-02-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4614-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 01, 2020 https://www.debian.org/security/faq
- -

Package: sudo
CVE ID : CVE-2019-18634
Debian Bug : 950371

Joe Vennix discovered a stack-based buffer overflow vulnerability in
sudo, a program designed to provide limited super user privileges to
specific users, triggerable when configured with the "pwfeedback" option
enabled. An unprivileged user can take advantage of this flaw to obtain
full root privileges.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/pwfeedback.html .

For the oldstable distribution (stretch), this problem has been fixed
in version 1.8.19p1-2.1+deb9u2.

For the stable distribution (buster), exploitation of the bug is
prevented due to a change in EOF handling introduced in 1.8.26.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4615-1] spamassassin security update

2020-02-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4615-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 01, 2020 https://www.debian.org/security/faq
- -

Package: spamassassin
CVE ID : CVE-2020-1930 CVE-2020-1931
Debian Bug : 950258

Two vulnerabilities were discovered in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule or configuration files,
possibly downloaded from an updates server, could execute arbitrary
commands under multiple scenarios.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.4.2-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 3.4.2-1+deb10u2.

We recommend that you upgrade your spamassassin packages.

For the detailed security status of spamassassin please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/spamassassin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4607-1] openconnect security update

2020-01-20 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4607-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 20, 2020  https://www.debian.org/security/faq
- -

Package: openconnect
CVE ID : CVE-2019-16239
Debian Bug : 940871

Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP
in openconnect, an open client for Cisco AnyConnect, Pulse and
GlobalProtect VPN. A malicious HTTP server (after having had its
identity certificate accepted) can provide bogus chunk lengths for
chunked HTTP encoding and cause a heap-based buffer overflow.

For the oldstable distribution (stretch), this problem has been fixed
in version 7.08-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 8.02-1+deb10u1.

We recommend that you upgrade your openconnect packages.

For the detailed security status of openconnect please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openconnect

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4598-1] python-django security update

2020-01-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4598-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 07, 2020  https://www.debian.org/security/faq
- -

Package: python-django
CVE ID : CVE-2019-19844
Debian Bug : 946937

Simon Charette reported that the password reset functionality in Django,
a high-level Python web development framework, uses a Unicode
case-insensitive query to retrieve accounts matching the email address
requesting the password reset. An attacker can take advantage of this
flaw to potentially retrieve password reset tokens and hijack accounts.

For details please refer to
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
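The fix Django shipped sends the reset mail to the address stored on the account rather than the submitted one and adds a strict Unicode comparison on top of the database lookup. The sketch below is an added Python example, not Django's code: the user table is constructed, and `str.upper()` stands in for the database's case-insensitive `iexact` lookup (Django compiles it to `UPPER(col) = UPPER(val)` on PostgreSQL).

```python
import unicodedata
from dataclasses import dataclass


@dataclass
class User:
    email: str
    is_active: bool = True


# Constructed user table standing in for the Django user model.
USERS = [
    User("mike@example.org"),
    User("dana@example.org", is_active=False),
]


def db_iexact(stored, requested):
    """Stand-in for an `email__iexact` database lookup.

    Unicode upper-casing is many-to-one, so a string that differs from the
    stored address can still compare equal after UPPER() on both sides.
    """
    return stored.upper() == requested.upper()


def unicode_ci_compare(s1, s2):
    """The stricter check: NFKC-normalise, case-fold, then compare."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_vulnerable(requested):
    """Pre-fix behaviour: the reset mail goes to the address the requester typed."""
    return [requested for u in USERS
            if u.is_active and db_iexact(u.email, requested)]


def reset_recipients_hardened(requested):
    """Fixed behaviour: require the strict match and mail the stored address."""
    return [u.email for u in USERS
            if u.is_active
            and db_iexact(u.email, requested)
            and unicode_ci_compare(u.email, requested)]


if __name__ == "__main__":
    # Dotless i (U+0131) upper-cases to ASCII "I", so the loose lookup matches
    # the stored account while the strict comparison does not.
    lookalike = "m\u0131ke@example.org"
    print("vulnerable:", reset_recipients_vulnerable(lookalike))
    print("hardened:  ", reset_recipients_hardened(lookalike))
    print("hardened, plain case change:", reset_recipients_hardened("MIKE@Example.org"))
```

Even if the strict comparison were bypassed by some other collation quirk, the hardened path only ever mails the stored address, which is the property that keeps the token away from the requester.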

For the oldstable distribution (stretch), this problem has been fixed
in version 1:1.10.7-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 1:1.11.27-1~deb10u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4597-1] netty security update

2020-01-05 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4597-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 03, 2020  https://www.debian.org/security/faq
- -

Package: netty
CVE ID : CVE-2019-16869
Debian Bug : 941266

It was reported that Netty, a Java NIO client/server framework, is prone
to an HTTP request smuggling vulnerability due to mishandling whitespace
before the colon in HTTP headers.
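Added illustration of why whitespace before the colon matters (Python stand-in, not Netty's code): a lenient parser that trims the field-name accepts "Content-Length : 4" as a Content-Length header, while a strict parser following RFC 7230 section 3.2.4 rejects the line, so two hops in a chain can disagree about where the message ends. The header blocks are constructed samples.

```python
import re

# RFC 7230 token characters: a header field-name consists only of these, so
# any whitespace between the name and the colon makes the line invalid.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class BadHeader(ValueError):
    """Raised by the strict parser for a malformed header line."""


def parse_headers_permissive(block):
    """Lenient parser: strips whitespace around the field-name (the risky behaviour)."""
    headers = {}
    for line in block.split("\r\n"):
        if line == "":          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_headers_strict(block):
    """Strict parser: the field-name must be a bare token followed directly by ':'.

    RFC 7230 section 3.2.4 requires a server to reject such a message with 400.
    """
    headers = {}
    for line in block.split("\r\n"):
        if line == "":
            break
        if line[0] in " \t":
            raise BadHeader("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep or _TOKEN.fullmatch(name) is None:
            raise BadHeader("invalid header field-name: %r" % name)
        headers.setdefault(name.lower(), []).append(value.strip(" \t"))
    return headers


def strict_accepts(block):
    """True if the strict parser accepts the block, False if it would answer 400."""
    try:
        parse_headers_strict(block)
    except BadHeader:
        return False
    return True


# Constructed samples: a well-formed block and one with a space before the colon.
CLEAN = "Host: example.test\r\nContent-Length: 4\r\n\r\n"
SPACE_BEFORE_COLON = "Host: example.test\r\nContent-Length : 4\r\n\r\n"

if __name__ == "__main__":
    print("permissive sees:", parse_headers_permissive(SPACE_BEFORE_COLON))
    print("strict accepts: ", strict_accepts(SPACE_BEFORE_COLON))
```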

For the oldstable distribution (stretch), this problem has been fixed
in version 1:4.1.7-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1:4.1.33-1+deb10u1.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4591-1] cyrus-sasl2 security update

2019-12-25 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4591-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2019 https://www.debian.org/security/faq
- -

Package: cyrus-sasl2
CVE ID : CVE-2019-19906
Debian Bug : 947043

Stephan Zeisberg reported an out-of-bounds write vulnerability in the
_sasl_add_string() function in cyrus-sasl2, a library implementing the
Simple Authentication and Security Layer. A remote attacker can take
advantage of this issue to cause denial-of-service conditions for
applications using the library.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.1.27~101-g0780600+dfsg-3+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2.1.27+dfsg-1+deb10u1.

We recommend that you upgrade your cyrus-sasl2 packages.

For the detailed security status of cyrus-sasl2 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/cyrus-sasl2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4586-1] ruby2.5 security update

2019-12-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4586-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2019 https://www.debian.org/security/faq
- -

Package: ruby2.5
CVE ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u1.

We recommend that you upgrade your ruby2.5 packages.

For the detailed security status of ruby2.5 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby2.5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4587-1] ruby2.3 security update

2019-12-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4587-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 17, 2019 https://www.debian.org/security/faq
- -

Package: ruby2.3
CVE ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which could result in unauthorized access by bypassing
intended path matchings, denial of service, or the execution of
arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.3.3-1+deb9u7.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4565-2] intel-microcode security update

2019-12-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4565-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 13, 2019 https://www.debian.org/security/faq
- -

Package: intel-microcode
CVE ID : CVE-2019-11135 CVE-2019-11139
Debian Bug : 946515

This update ships updated CPU microcode for CFL-S (Coffee Lake Desktop)
models of Intel CPUs which were not yet included in the Intel microcode
update released as DSA 4565-1. For details please refer to
https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/IPU-2019.2-microcode-update-guidance-v1.01.pdf

Additionally this update rolls back CPU microcode for HEDT and Xeon
processors with signature 0x50654 which were affected by a regression
causing hangs on warm reboots (Cf. #946515).

For the oldstable distribution (stretch), these problems have been fixed
in version 3.20191115.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.20191115.2~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4584-1] spamassassin security update

2019-12-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4584-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 14, 2019 https://www.debian.org/security/faq
- -

Package: spamassassin
CVE ID : CVE-2018-11805 CVE-2019-12420
Debian Bug : 946652 946653

Two vulnerabilities were discovered in spamassassin, a Perl-based spam
filter using text analysis.

CVE-2018-11805

Malicious rule or configuration files, possibly downloaded from an
updates server, could execute arbitrary commands under multiple
scenarios.

CVE-2019-12420

Specially crafted multipart messages can cause spamassassin to use
excessive resources, resulting in a denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.4.2-1~deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 3.4.2-1+deb10u1.

We recommend that you upgrade your spamassassin packages.

For the detailed security status of spamassassin please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/spamassassin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4581-1] git security update

2019-12-10 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4581-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 10, 2019 https://www.debian.org/security/faq
- -

Package: git
CVE ID : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353
 CVE-2019-1387 CVE-2019-19604

Several vulnerabilities have been discovered in git, a fast, scalable,
distributed revision control system.

CVE-2019-1348

It was reported that the --export-marks option of git fast-import is
exposed also via the in-stream command feature export-marks=...,
allowing arbitrary paths to be overwritten.

CVE-2019-1387

It was discovered that submodule names are not validated strictly
enough, allowing very targeted attacks via remote code execution
when performing recursive clones.

CVE-2019-19604

Joern Schneeweisz reported a vulnerability, where a recursive clone
followed by a submodule update could execute code contained within
the repository without the user explicitly having asked for that. It
is now disallowed for `.gitmodules` to have entries that set
`submodule..update=!command`.

In addition this update addresses a number of security issues which are
only an issue if git is operating on an NTFS filesystem (CVE-2019-1349,
CVE-2019-1352 and CVE-2019-1353).

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.11.0-3+deb9u5.

For the stable distribution (buster), these problems have been fixed in
version 1:2.20.1-2+deb10u1.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4576-1] php-imagick security update

2019-11-26 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4576-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 25, 2019 https://www.debian.org/security/faq
- -

Package: php-imagick
CVE ID : CVE-2019-11037
Debian Bug : 928420

An out-of-bounds write vulnerability was discovered in php-imagick, a
PHP extension to create and modify images using the ImageMagick API,
which could result in denial of service, or potentially the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.4.3~rc2-2+deb9u1.

We recommend that you upgrade your php-imagick packages.

For the detailed security status of php-imagick please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-imagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4569-1] ghostscript security update

2019-11-18 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4569-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 14, 2019 https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-14869

Manfred Paul and Lukas Schauer reported that the .charkeys procedure in
Ghostscript, the GPL PostScript/PDF interpreter, does not properly
restrict privileged calls, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the oldstable distribution (stretch), this problem has been fixed
in version 9.26a~dfsg-0+deb9u6.

For the stable distribution (buster), this problem has been fixed in
version 9.27~dfsg-2+deb10u3.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4570-1] mosquitto security update

2019-11-18 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4570-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 17, 2019 https://www.debian.org/security/faq
- -

Package: mosquitto
CVE ID : CVE-2019-11779
Debian Bug : 940654

A vulnerability was discovered in mosquitto, an MQTT version 3.1/3.1.1
compatible message broker, allowing a malicious MQTT client to cause a
denial of service (stack overflow and daemon crash) by sending a
specially crafted SUBSCRIBE packet containing a topic with an extremely
deep hierarchy.

For the stable distribution (buster), this problem has been fixed in
version 1.5.7-1+deb10u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4566-1] qemu security update

2019-11-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4566-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 12, 2019 https://www.debian.org/security/faq
- -

Package: qemu
Debian Bug : 944623

This update for QEMU, a fast processor emulator, backports support for
passing through the pschange-mc-no CPU flag. The virtualised MSR seen by
a guest is set to show the bug as fixed, allowing iTLB Multihit
mitigations to be disabled in nested hypervisors (cf. DSA 4564-1).

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u3.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4565-1] intel-microcode security update

2019-11-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4565-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 13, 2019 https://www.debian.org/security/faq
- -

Package: intel-microcode
CVE ID : CVE-2019-11135 CVE-2019-11139

This update ships updated CPU microcode for some types of Intel CPUs. In
particular it provides mitigations for the TAA (TSX Asynchronous Abort)
vulnerability. For affected CPUs, to fully mitigate the vulnerability it
is also necessary to update the Linux kernel packages as released in DSA
4564-1.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.20191112.1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.20191112.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4564-1] linux security update

2019-11-12 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4564-1   secur...@debian.org
https://www.debian.org/security/ Ben Hutchings
November 12, 2019 https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2018-12207

It was discovered that on Intel CPUs supporting hardware
virtualisation with Extended Page Tables (EPT), a guest VM may
manipulate the memory management hardware to cause a Machine Check
Error (MCE) and denial of service (hang or crash).

The guest triggers this error by changing page tables without a
TLB flush, so that both 4 KB and 2 MB entries for the same virtual
address are loaded into the instruction TLB (iTLB).  This update
implements a mitigation in KVM that prevents guest VMs from
loading 2 MB entries into the iTLB.  This will reduce performance
of guest VMs.

Further information on the mitigation can be found at

or in the linux-doc-4.9 or linux-doc-4.19 package.

A qemu update adding support for the PSCHANGE_MC_NO feature, which
allows disabling iTLB Multihit mitigations in nested hypervisors, will
be provided via DSA 4566-1.

Intel's explanation of the issue can be found at

.

CVE-2019-0154

Intel discovered that on their 8th and 9th generation GPUs,
reading certain registers while the GPU is in a low-power state
can cause a system hang.  A local user permitted to use the GPU
can use this for denial of service.

This update mitigates the issue through changes to the i915
driver.

The affected chips (gen8 and gen9) are listed at

.

CVE-2019-0155

Intel discovered that their 9th generation and newer GPUs are
missing a security check in the Blitter Command Streamer (BCS).  A
local user permitted to use the GPU could use this to access any
memory that the GPU has access to, which could result in a denial
of service (memory corruption or crash), a leak of sensitive
information, or privilege escalation.

This update mitigates the issue by adding the security check to
the i915 driver.

The affected chips (gen9 onward) are listed at

.

CVE-2019-11135

It was discovered that on Intel CPUs supporting transactional
memory (TSX), a transaction that is going to be aborted may
continue to execute speculatively, reading sensitive data from
internal buffers and leaking it through dependent operations.
Intel calls this "TSX Asynchronous Abort" (TAA).

For CPUs affected by the previously published Microarchitectural
Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127,
CVE-2018-12130, CVE-2019-11091), the existing mitigation also
mitigates this issue.

For processors that are vulnerable to TAA but not MDS, this update
disables TSX by default.  This mitigation requires updated CPU
microcode.  An updated intel-microcode package (only available in
Debian non-free) will be provided via DSA 4565-1.  The updated CPU
microcode may also be available as part of a system firmware
("BIOS") update.

Further information on the mitigation can be found at


or in the linux-doc-4.9 or linux-doc-4.19 package.

Intel's explanation of the issue can be found at

.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-


[SECURITY] [DSA 4561-1] fribidi security update

2019-11-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4561-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 08, 2019 https://www.debian.org/security/faq
- -

Package: fribidi
CVE ID : CVE-2019-18397
Debian Bug : 944327

Alex Murray discovered a stack-based buffer overflow vulnerability in
fribidi, an implementation of the Unicode Bidirectional Algorithm, which
could result in denial of service or potentially the execution of
arbitrary code when processing a large number of Unicode isolate
directional characters.

For the stable distribution (buster), this problem has been fixed in
version 1.0.5-3.1+deb10u1.

We recommend that you upgrade your fribidi packages.

For the detailed security status of fribidi please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/fribidi

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4509-3] apache2 security update

2019-10-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4509-3   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 15, 2019  https://www.debian.org/security/faq
- -

Package: apache2
CVE ID : CVE-2019-10092
Debian Bug : 941202

It was reported that the apache2 update released as DSA 4509-1
incorrectly fixed CVE-2019-10092. Updated apache2 packages are now
available to correct this issue. For reference, the relevant part of
the original advisory text follows.

CVE-2019-10092

Matei "Mal" Badanoiu reported a limited cross-site scripting
vulnerability in the mod_proxy error page.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.4.25-3+deb9u9.

For the stable distribution (buster), this problem has been fixed in
version 2.4.38-3+deb10u3.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl2mNi9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q7ig//YbDu8Xr3fplS5ksJtPXAB+nYoI87e2rmAfNKMcV98H2nHHl1ZDocMhEH
P7UE3cJAMei5ZwuC/9J+R7lz3O5yf8cmS4Ktrzvdctc4++4qtITZmt+bYtNTkQfF
d+gXMQyF+k60lwvjKE57xaA7lzDvmx8jkvS0pwrHzTDl8L7zjN1W1oLGsuxks1TH
x26w7yxOK3Zhi9WbOV/XA7pOgNJzWNzqiTgw3b4uR7cPygX3+GvPoS6v9UbOXgPT
N37pDHn5JDsIHJ9FDuqcN2GSIA8BJOUwm+KFH5e6YxxIJXkVKsRnIsKh7pPWa3rM
NkDEB0cAIFUof3dYPW8nS9mA5Wc2GcttgH8tQkIY7jpv17fXsv3tdbJm0dle4BYG
7jvNcMjNUitN+eQjfgnbR9yq+Mu19GQdnfpQ2vlaRZqqAWhUYdYyL9ky5MCK7cko
65uBeGdb7E6oNaesxaFfXoh5wSt6oITrUZu1g4tDNCfmo13kl11AgIniZ40eT1WU
D5s+XktwS6WIeREAslZHMGNE3tetBW/g0VEMkxbm+33wpz0/T8dEq7XhtpCFJd5a
5IfwtY1V584nhvsQ4QUpFdNgxB6zdp8IK3r2ReyZUlgxwK4+eWfnrhU70rvGOSCW
pQIYJDWcPhzmERejY+HF7YAMCWdD7Up/GuYL5pRswHUfF/0vCHc=
=gcRG
-END PGP SIGNATURE-



[SECURITY] [DSA 4543-1] sudo security update

2019-10-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4543-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 14, 2019  https://www.debian.org/security/faq
- -

Package: sudo
CVE ID : CVE-2019-14287
Debian Bug : 942322

Joe Vennix discovered that sudo, a program designed to provide limited
super user privileges to specific users, when configured to allow a user
to run commands as an arbitrary user via the ALL keyword in a Runas
specification, allows running commands as root by specifying the user ID
-1 or 4294967295. This could allow a user with sufficient sudo
privileges to run commands as root even if the Runas specification
explicitly disallows root access.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/minus_1_uid.html .

For the oldstable distribution (stretch), this problem has been fixed
in version 1.8.19p1-2.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.8.27-1+deb10u1.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
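
The sudo advisory above matters only for rules that grant a Runas list of ALL while excluding root, since a plain "(ALL)" rule already grants root legitimately. The following is an added example, not the sudo project's code, that parses sudoers user specifications and flags exactly that rule shape so an administrator can find affected entries on hosts still running a version before the fixed ones named above. The sudoers text it scans is a constructed sample; alias names (Runas_Alias) are not expanded.

```python
"""Added example (not the sudo project's code): flag sudoers user
specifications whose Runas user list grants ALL but excludes specific
users, e.g. "(ALL, !root)", the rule shape whose restriction the
-1 / 4294967295 bypass in CVE-2019-14287 defeats on unfixed sudo versions.
SAMPLE_SUDOERS is constructed and not taken from any real host."""
import re

# Matches a parenthesised Runas specification at the start of the
# right-hand side of a user specification, e.g. "(ALL, !root)".
RUNAS_RE = re.compile(r"^\s*\(([^)]*)\)")

SAMPLE_SUDOERS = """\
# constructed sample sudoers (not a real configuration)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(ALL, !root) NOPASSWD: /usr/bin/less
carol   ALL=(www-data) /usr/bin/php
dave    ALL=(ALL) /usr/bin/apt
"""


def parse_user_spec(line):
    """Parse one sudoers user specification into a dict, or return None for
    comments, Defaults, alias definitions, include directives and blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "Defaults", "@")):
        return None
    if re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", stripped):
        return None
    if "=" not in stripped:
        return None
    left, right = stripped.split("=", 1)
    left_parts = left.split()
    if len(left_parts) < 2:
        return None
    user, host = left_parts[0], " ".join(left_parts[1:])
    # With no Runas spec sudo uses its runas_default (root), so such a rule
    # cannot grant "ALL" target users and is never flagged.
    runas_users, runas_groups = ["root"], []
    m = RUNAS_RE.match(right)
    if m:
        users_part, _, groups_part = m.group(1).partition(":")
        runas_users = [t.strip() for t in users_part.split(",") if t.strip()]
        runas_groups = [t.strip() for t in groups_part.split(",") if t.strip()]
        right = right[m.end():]
    return {"user": user, "host": host, "runas_users": runas_users,
            "runas_groups": runas_groups, "commands": right.strip()}


def runas_all_with_exclusion(spec):
    """True when the Runas user list contains ALL plus at least one
    negated entry: the shape of rule affected by CVE-2019-14287."""
    users = spec["runas_users"]
    return "ALL" in users and any(u.startswith("!") for u in users)


def audit_sudoers(text):
    """Return (line number, user, line) for each affected rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        spec = parse_user_spec(line)
        if spec is not None and runas_all_with_exclusion(spec):
            findings.append((lineno, spec["user"], line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, user, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user}: {line}")
```

Run it over the output of `visudo -c` style exports or the concatenated /etc/sudoers and /etc/sudoers.d/* files; a rule that reaches ALL only through a Runas_Alias needs the alias table expanded first, which this sample parser does not do. The lasting fix is the package upgrade; the audit just tells you which rules were relying on the broken exclusion.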



[SECURITY] [DSA 4539-3] openssl regression update

2019-10-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4539-3   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 13, 2019  https://www.debian.org/security/faq
- -

Package: openssl
Debian Bug : 941987

The update for openssl released as DSA 4539-1 introduced a regression
where AES-CBC-HMAC-SHA ciphers were not enabled. Updated openssl
packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4539-2] openssh regression update

2019-10-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4539-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 07, 2019  https://www.debian.org/security/faq
- -

Package: openssh
Debian Bug : 941663

A change introduced in openssl 1.1.1d (which got released as DSA 4539-1)
requires sandboxing features which are not available in Linux kernels
before 3.19, resulting in OpenSSH rejecting connection attempts if
running on an old kernel. This does not affect Linux kernels shipped in
Debian oldstable/stable, but may affect buster systems which are running
on an older kernel.

For the stable distribution (buster), this problem has been fixed in
version 1:7.9p1-10+deb10u1.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4541-1] libapreq2 security update

2019-10-07 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4541-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 04, 2019  https://www.debian.org/security/faq
- -

Package: libapreq2
CVE ID : CVE-2019-12412
Debian Bug : 939937

Max Kellermann reported a NULL pointer dereference flaw in libapreq2, a
generic Apache request library, allowing a remote attacker to cause a
denial of service against an application using the library (application
crash) if an invalid nested "multipart" body is processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.13-7~deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2.13-7~deb10u1.

We recommend that you upgrade your libapreq2 packages.

For the detailed security status of libapreq2 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libapreq2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl2XviRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RrDw/9FA4QiadtHQetF280iS+r+8RCR7FMJtd17WatVUrhLgByabc6OuCeJ6wb
Ra60ZQGQUzRfO/o2WeZi07+RutwMWif4NQw/xCdimsjD2lcZ7kgGTixby4ix2UAo
OX4VbYmo+gVucRhDCSLjBf6+jxQgGr2oTte7JR7uqkbf1ImcD7Sl7njYx1pD5+t3
M1/axLfPPI69jTqtFN5oz52IO6C52IwcSCi+efdzEnPTBRlcWve8I/TzUNWjPm8w
o5WuuHVT0xrEiVXDyGoX6ePScDVfGvrE7gld6n0d4a1GDd7nAm2H39CZ67srs7sd
x3MZJiluqvGBaZpDvC0xGIPbysW08GOQftSbp3I+Md7FgciMwGbfHsyVqKiP/EzC
2kQICwNyU1N++ROxW5JbaqoApB0My3sG6H3Fthvz4CYYVW5d9O2AgyEHSa0qhENj
XljCPWfGtLoGMvboNXJitHB9caGgNUX8Uv0vm7sBSlkT1JYFPKg2BpZJnES9yxis
rEFSPnI1cauzCce/Tuv6htvTgb4mFLFc6pij6SwBVMZ2MOyOUU0v76ISIJyag2eW
iLMJEhxSLA1m919bJXNDWtSzPhZssZeN/J9bnqL//P7BtpBFM52irnmoijBPr6o6
zzw3psMQ0q8QI20NotEGyYANekrQq9RJTzvOcvIUQ2PXXGXW8j4=
=HkcC
-END PGP SIGNATURE-



[SECURITY] [DSA 4535-1] e2fsprogs security update

2019-09-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4535-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 27, 2019 https://www.debian.org/security/faq
- -

Package: e2fsprogs
CVE ID : CVE-2019-5094
Debian Bug : 941139

Lilith of Cisco Talos discovered a buffer overflow flaw in the quota
code used by e2fsck from the ext2/ext3/ext4 file system utilities.
Running e2fsck on a malformed file system can result in the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.43.4-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.44.5-1+deb10u2.

We recommend that you upgrade your e2fsprogs packages.

For the detailed security status of e2fsprogs please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/e2fsprogs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4536-1] exim4 security update

2019-09-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4536-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 28, 2019 https://www.debian.org/security/faq
- -

Package: exim4
CVE ID : CVE-2019-16928

A buffer overflow flaw was discovered in Exim, a mail transport agent. A
remote attacker can take advantage of this flaw to cause a denial of
service, or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u3.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4537-1] file-roller security update

2019-09-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4537-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 28, 2019 https://www.debian.org/security/faq
- -

Package: file-roller
CVE ID : CVE-2019-16680

It was discovered that file-roller, an archive manager for GNOME, does
not properly handle the extraction of archives with a single ./../ in a
file path. An attacker able to provide a specially crafted archive for
processing can take advantage of this flaw to overwrite files if a user
is dragging a specific file or map to a location to extract to.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.22.3-1+deb9u1.

We recommend that you upgrade your file-roller packages.

For the detailed security status of file-roller please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/file-roller

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
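
The file-roller advisory above describes an extractor that mishandled a member name containing a single "./../" component. The general defence is to normalise every member name and verify that the resulting path still lies inside the chosen extraction directory before writing anything. The following is an added example of that check, not file-roller's code; member names are treated as POSIX archive paths and the member list is constructed.

```python
"""Added example (not file-roller's code): decide where each archive member
may be written, rejecting any name that would escape the extraction
directory, including the "./../" form named in the advisory.  Member names
are treated as POSIX archive paths; SAMPLE_MEMBERS is constructed."""
import os
import posixpath

SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "docs/./notes.txt",
    "a/../b.txt",                    # climbs, but stays inside dest
    "./../evil.desktop",             # the single ./../ case from the advisory
    "x/../../../../etc/passwd",      # deeper traversal
    "/etc/passwd",                   # absolute path
    "",                              # empty name
]


def resolve_member(dest_dir, name):
    """Return the absolute path `name` would be written to under dest_dir,
    or None if the normalised name would land outside dest_dir."""
    if not name or name.startswith("/"):
        return None                  # empty or absolute: never trust
    # normpath collapses "." and resolves ".." lexically; a leading ".."
    # that survives it can only mean the name climbs above dest_dir.
    parts = posixpath.normpath(name).split("/")
    if parts[0] == "..":
        return None
    dest = os.path.abspath(dest_dir)
    target = os.path.normpath(os.path.join(dest, *parts))
    # Belt and braces: the resolved target must still sit under dest.
    if os.path.commonpath([dest, target]) != dest:
        return None
    return target


def plan_extraction(dest_dir, members):
    """Split members into (accepted {name: target path}, rejected [names])."""
    accepted, rejected = {}, []
    for name in members:
        target = resolve_member(dest_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_extraction("/srv/extract", SAMPLE_MEMBERS)
    for name, target in ok.items():
        print(f"write   {name!r:32} -> {target}")
    for name in bad:
        print(f"reject  {name!r}")
```

This is a lexical check only. An archive can also contain a symlink member pointing outside the destination followed by a regular member written through it, so an extractor must additionally verify the real path (for example with os.path.realpath) of the parent directory at write time, or refuse to follow symlinks created during the same extraction.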



[SECURITY] [DSA 4531-1] linux security update

2019-09-25 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4531-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 25, 2019 https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118
 CVE-2019-15902

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO
facility, which could lead to out-of-bounds access in the kernel.
A local attacker permitted to access /dev/kvm could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check
in vhost_net, the network back-end driver for KVM hosts, leading
to a buffer overflow when the host begins live migration of a VM.
An attacker in control of a VM could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the
usb-audio driver's descriptor parsing code, leading to a buffer
over-read.  An attacker able to add USB devices could possibly use
this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the
usb-audio driver's descriptor parsing code, leading to a stack
overflow.  An attacker able to add USB devices could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.  On the amd64 architecture, and on the
arm64 architecture in buster, this is mitigated by a guard page
on the kernel stack, so that it is only possible to cause a crash.

CVE-2019-15902

Brad Spengler reported that a backporting error reintroduced a
spectre-v1 vulnerability in the ptrace subsystem in the
ptrace_get_debugreg() function.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.189-3+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 4.19.67-2+deb10u1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4530-1] expat security update

2019-09-23 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4530-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 22, 2019 https://www.debian.org/security/faq
- -

Package: expat
CVE ID : CVE-2019-15903
Debian Bug : 939394

It was discovered that Expat, an XML parsing C library, did not properly
handle internal entities closing the doctype, potentially resulting in
denial of service or information disclosure if a malformed XML file is
processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.2.0-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 2.2.6-2+deb10u1.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4526-1] opendmarc security update

2019-09-20 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4526-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 19, 2019 https://www.debian.org/security/faq
- -

Package: opendmarc
CVE ID : CVE-2019-16378
Debian Bug : 940081

It was discovered that OpenDMARC, a milter implementation of DMARC, is
prone to a signature-bypass vulnerability with multiple From: addresses.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.2-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.3.2-6+deb10u1.

We recommend that you upgrade your opendmarc packages.

For the detailed security status of opendmarc please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/opendmarc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
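
The OpenDMARC advisory above concerns messages carrying more than one From: address. DMARC evaluates the domain of the RFC5322.From header, and RFC 7489 section 6.6.1 leaves a receiver free to reject messages that present several author domains rather than pick one. The following is an added example, not OpenDMARC's code, that extracts every From domain and refuses to evaluate when they are not all the same; the messages are constructed, and the set of "authenticated" domains stands in for the aligned SPF/DKIM results a real evaluator would compute. The `naive_author_domain` function is a constructed illustration of the bug class (trusting only the first address), not a description of OpenDMARC's implementation.

```python
"""Added example (not OpenDMARC's code): derive the DMARC author domain from
the RFC5322.From header and refuse to pick one when a message carries
several From: addresses.  All messages here are constructed; the
authenticated-domain set stands in for real aligned SPF/DKIM results."""
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed: two From: header fields; only the first belongs to the
# domain that, in this scenario, has a valid aligned DKIM signature.
TWO_FROM_FIELDS = (
    b"From: Alice <alice@bank.example>\r\n"
    b"From: Mallory <mallory@attacker.example>\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: constructed test\r\n\r\nbody\r\n"
)
# Constructed: a single From: field listing two addresses.
TWO_ADDRESSES = (
    b"From: alice@bank.example, mallory@attacker.example\r\n"
    b"To: bob@example.org\r\n\r\nbody\r\n"
)
# Constructed: the ordinary single-author case.
SINGLE_FROM = (
    b"From: Alice <alice@bank.example>\r\n"
    b"To: bob@example.org\r\n\r\nbody\r\n"
)


def from_domains(raw):
    """Every domain found in every From: field, in header order."""
    msg = BytesParser().parsebytes(raw)          # compat32: keeps duplicates
    fields = msg.get_all("From") or []
    domains = []
    for _display_name, addr in getaddresses(fields):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def naive_author_domain(raw):
    """Constructed illustration of the bug class: trust the first address
    and ignore the rest, so a later From: can carry an unauthenticated
    sender that DMARC never looks at."""
    domains = from_domains(raw)
    return domains[0] if domains else None


def author_domain(raw):
    """Hardened: exactly one distinct From domain, otherwise None."""
    distinct = set(from_domains(raw))
    return distinct.pop() if len(distinct) == 1 else None


def evaluate(raw, authenticated_domains):
    """DMARC-style verdict given the set of domains with aligned SPF/DKIM."""
    domain = author_domain(raw)
    if domain is None:
        return "reject: zero or multiple From domains"
    return "pass" if domain in authenticated_domains else "fail"


if __name__ == "__main__":
    for label, raw in (("two From fields", TWO_FROM_FIELDS),
                       ("two addresses", TWO_ADDRESSES),
                       ("single From", SINGLE_FROM)):
        print(f"{label:16} naive={naive_author_domain(raw)!s:18} "
              f"verdict={evaluate(raw, {'bank.example'})}")
```

Both constructed multi-From messages come out the same under the hardened path: they are refused before any policy lookup, so a valid signature for one of the domains cannot vouch for the other. A milter deploying this should apply the same treatment whether the extra address arrives as a second From: field or as a second mailbox inside one field.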



[SECURITY] [DSA 4525-1] ibus security update

2019-09-19 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4525-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 18, 2019 https://www.debian.org/security/faq
- -

Package: ibus
CVE ID : CVE-2019-14822
Debian Bug : 940267

Simon McVittie reported a flaw in ibus, the Intelligent Input Bus. Due
to a misconfiguration during the setup of the DBus, any unprivileged
user could monitor and send method calls to the ibus bus of another
user, if able to discover the UNIX socket used by another user connected
on a graphical environment. The attacker can take advantage of this flaw
to intercept keystrokes of the victim user or modify input related
configurations through DBus method calls.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.5.14-3+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 1.5.19-4+deb10u1.

We recommend that you upgrade your ibus packages.

For the detailed security status of ibus please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ibus

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4518-1] ghostscript security update

2019-09-10 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4518-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 07, 2019 https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-14811 CVE-2019-14812 CVE-2019-14813 CVE-2019-14817

It was discovered that various procedures in Ghostscript, the GPL
PostScript/PDF interpreter, do not properly restrict privileged calls,
which could result in bypass of file system restrictions of the dSAFER
sandbox.

For the oldstable distribution (stretch), these problems have been fixed
in version 9.26a~dfsg-0+deb9u5.

For the stable distribution (buster), these problems have been fixed in
version 9.27~dfsg-2+deb10u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4513-1] samba security update

2019-09-04 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4513-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 03, 2019 https://www.debian.org/security/faq
- -

Package: samba
CVE ID : CVE-2019-10197

Stefan Metzmacher discovered a flaw in Samba, an SMB/CIFS file, print,
and login server for Unix. Specific combinations of parameters and
permissions can allow a user to escape from the share path definition and
see the complete '/' filesystem. Unix permission checks in the kernel
are still enforced.

Details can be found in the upstream advisory at
https://www.samba.org/samba/security/CVE-2019-10197.html

For the stable distribution (buster), this problem has been fixed in
version 2:4.9.5+dfsg-5+deb10u1.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4510-1] dovecot security update

2019-08-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4510-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 28, 2019   https://www.debian.org/security/faq
- -

Package: dovecot
CVE ID : CVE-2019-11500

Nick Roessler and Rafi Rubin discovered that the IMAP and ManageSieve
protocol parsers in the Dovecot email server do not properly validate
input (both pre- and post-login). A remote attacker can take advantage
of this flaw to trigger out of bounds heap memory writes, leading to
information leaks or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:2.2.27-3+deb9u5.

For the stable distribution (buster), this problem has been fixed in
version 1:2.3.4.1-5+deb10u1.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4509-1] apache2 security update

2019-08-27 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4509-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 26, 2019   https://www.debian.org/security/faq
- -

Package: apache2
CVE ID : CVE-2019-9517 CVE-2019-10081 CVE-2019-10082 CVE-2019-10092
 CVE-2019-10097 CVE-2019-10098

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2019-9517

Jonathan Looney reported that a malicious client could perform a
denial of service attack (exhausting h2 workers) by flooding a
connection with requests and basically never reading responses on
the TCP connection.

CVE-2019-10081

Craig Young reported that HTTP/2 PUSHes could lead to an overwrite
of memory in the pushing request's pool, leading to crashes.

CVE-2019-10082

Craig Young reported that the HTTP/2 session handling could be made
to read memory after being freed, during connection shutdown.

CVE-2019-10092

Matei "Mal" Badanoiu reported a limited cross-site scripting
vulnerability in the mod_proxy error page.

CVE-2019-10097

Daniel McCarney reported that when mod_remoteip was configured to
use a trusted intermediary proxy server using the "PROXY" protocol,
a specially crafted PROXY header could trigger a stack buffer
overflow or NULL pointer dereference. This vulnerability could only be
triggered by a trusted proxy and not by untrusted HTTP clients. The
issue does not affect the stretch release.

CVE-2019-10098

Yukitsugu Sasaki reported a potential open redirect vulnerability in
the mod_rewrite module.

For the oldstable distribution (stretch), these problems have been fixed
in version 2.4.25-3+deb9u8.

For the stable distribution (buster), these problems have been fixed in
version 2.4.38-3+deb10u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4507-1] squid security update

2019-08-26 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4507-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 24, 2019   https://www.debian.org/security/faq
- -

Package: squid
CVE ID : CVE-2019-12525 CVE-2019-12527 CVE-2019-12529 CVE-2019-12854
 CVE-2019-13345
Debian Bug : 931478

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache. The flaws in the HTTP Digest Authentication processing, the
HTTP Basic Authentication processing and in the cachemgr.cgi allowed
remote attackers to perform denial of service and cross-site scripting
attacks, and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u1.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4500-1] chromium security update

2019-08-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4500-1   secur...@debian.org
https://www.debian.org/security/  Michael Gilbert
August 12, 2019   https://www.debian.org/security/faq
- -

Package: chromium
CVE ID : CVE-2019-5805 CVE-2019-5806 CVE-2019-5807 CVE-2019-5808
 CVE-2019-5809 CVE-2019-5810 CVE-2019-5811 CVE-2019-5813
 CVE-2019-5814 CVE-2019-5815 CVE-2019-5818 CVE-2019-5819
 CVE-2019-5820 CVE-2019-5821 CVE-2019-5822 CVE-2019-5823
 CVE-2019-5824 CVE-2019-5825 CVE-2019-5826 CVE-2019-5827
 CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831
 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5836
 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840
 CVE-2019-5842 CVE-2019-5847 CVE-2019-5848 CVE-2019-5849
 CVE-2019-5850 CVE-2019-5851 CVE-2019-5852 CVE-2019-5853
 CVE-2019-5854 CVE-2019-5855 CVE-2019-5856 CVE-2019-5857
 CVE-2019-5858 CVE-2019-5859 CVE-2019-5860 CVE-2019-5861
 CVE-2019-5862 CVE-2019-5864 CVE-2019-5865 CVE-2019-5867
 CVE-2019-5868

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-5805

A use-after-free issue was discovered in the pdfium library.

CVE-2019-5806

Wen Xu discovered an integer overflow issue in the Angle library.

CVE-2019-5807

TimGMichaud discovered a memory corruption issue in the v8 javascript
library.

CVE-2019-5808

cloudfuzzer discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5809

Mark Brand discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5810

Mark Amery discovered an information disclosure issue.

CVE-2019-5811

Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing
feature.

CVE-2019-5813

Aleksandar Nikolic discovered an out-of-bounds read issue in the v8
javascript library.

CVE-2019-5814

@AaylaSecura1138 discovered a way to bypass the Cross-Origin Resource
Sharing feature.

CVE-2019-5815

Nicolas Grégoire discovered a buffer overflow issue in Blink/Webkit.

CVE-2019-5818

Adrian Tolbaru discovered an uninitialized value issue.

CVE-2019-5819

Svyat Mitin discovered an error in the developer tools.

CVE-2019-5820

pdknsk discovered an integer overflow issue in the pdfium library.

CVE-2019-5821

pdknsk discovered another integer overflow issue in the pdfium library.

CVE-2019-5822

Jun Kokatsu discovered a way to bypass the Cross-Origin Resource Sharing
feature.

CVE-2019-5823

David Erceg discovered a navigation error.

CVE-2019-5824

leecraso and Guang Gong discovered an error in the media player.

CVE-2019-5825

Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered an
out-of-bounds write issue in the v8 javascript library.

CVE-2019-5826

Genming Liu, Jianyu Chen, Zhen Feng, and Jessica Liu discovered a
use-after-free issue.

CVE-2019-5827

mlfbrown discovered an out-of-bounds read issue in the sqlite library.

CVE-2019-5828

leecraso and Guang Gong discovered a use-after-free issue.

CVE-2019-5829

Lucas Pinheiro discovered a use-after-free issue.

CVE-2019-5830

Andrew Krashichkov discovered a credential error in the Cross-Origin
Resource Sharing feature.

CVE-2019-5831

yngwei discovered a map error in the v8 javascript library.

CVE-2019-5832

Sergey Shekyan discovered an error in the Cross-Origin Resource Sharing
feature.

CVE-2019-5833

Khalil Zhani discovered a user interface error.

CVE-2019-5834

Khalil Zhani discovered a URL spoofing issue.

CVE-2019-5836

Omair discovered a buffer overflow issue in the Angle library.

CVE-2019-5837

Adam Iawniuk discovered an information disclosure issue.

CVE-2019-5838

David Erceg discovered an error in extension permissions.

CVE-2019-5839

Masato Kinugawa discovered implementation errors in Blink/Webkit.

CVE-2019-5840

Eliya Stein and Jerome Dangu discovered a way to bypass the popup blocker.

CVE-2019-5842

BUGFENSE discovered a use-after-free issue in Blink/Webkit.

CVE-2019-5847

m3plex discovered an error in the v8 javascript library.

CVE-2019-5848

Mark Amery discovered an information disclosure issue.

CVE-2019-5849

Zhen Zhou discovered an out-of-bounds read in the Skia library.

CVE-2019-5850

Brendon Tiszka discovered a use-after-free issue in the offline page
fetcher.

CVE-2019-5851

Zhe Jin discovered a use-after-poison issue.

CVE-2019-5852

David Erceg discovered an information disclosure issue.

CVE-2019-5853

Yngwei and sakura discovered a memory 

[SECURITY] [DSA 4497-1] linux security update

2019-08-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4497-1   secur...@debian.org
https://www.debian.org/security/ Ben Hutchings
August 13, 2019   https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2015-8553 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856
 CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207
 CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648
 CVE-2019-14283 CVE-2019-14284

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2015-8553

Jan Beulich discovered that CVE-2015-2150 was not completely
addressed.  If a PCI physical function is passed through to a
Xen guest, the guest is able to access its memory and I/O
regions before enabling decoding of those regions.  This could
result in a denial-of-service (unexpected NMI) on the host.

The fix for this is incompatible with qemu versions before 2.5.

(CVE ID not yet assigned)

Denis Andzakovic reported a missing type check in the IPv4 multicast
routing implementation. A user with the CAP_NET_ADMIN capability (in
any user namespace) could use this for denial-of-service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2018-5995

ADLab of VenusTech discovered that the kernel logged the virtual
addresses assigned to per-CPU data, which could make it easier to
exploit other vulnerabilities.

CVE-2018-20836

chenxiang reported a race condition in libsas, the kernel
subsystem supporting Serial Attached SCSI (SAS) devices, which
could lead to a use-after-free.  It is not clear how this might be
exploited.

CVE-2018-20856

Xiao Jin reported a potential double-free in the block subsystem,
in case an error occurs while initialising the I/O scheduler for a
block device.  It is not clear how this might be exploited.

CVE-2019-1125

It was discovered that most x86 processors could speculatively
skip a conditional SWAPGS instruction used when entering the
kernel from user mode, and/or could speculatively execute it when
it should be skipped.  This is a subtype of Spectre variant 1,
which could allow local users to obtain sensitive information from
the kernel or other processes.  It has been mitigated by using
memory barriers to limit speculative execution.  Systems using an
i386 kernel are not affected as the kernel does not use SWAPGS.

CVE-2019-3882

It was found that the vfio implementation did not limit the number
of DMA mappings to device memory.  A local user granted ownership
of a vfio device could use this to cause a denial of service
(out-of-memory condition).

CVE-2019-3900

It was discovered that vhost drivers did not properly control the
amount of work done to service requests from guest VMs.  A
malicious guest could use this to cause a denial-of-service
(unbounded CPU usage) on the host.

CVE-2019-10207

The syzkaller tool found a potential null dereference in various
drivers for UART-attached Bluetooth adapters.  A local user with
access to a pty device or other suitable tty device could use this
for denial-of-service (BUG/oops).

CVE-2019-10638

Amit Klein and Benny Pinkas discovered that the generation of IP
packet IDs used a weak hash function, "jhash".  This could enable
tracking individual computers as they communicate with different
remote servers and from different networks.  The "siphash"
function is now used instead.

CVE-2019-10639

Amit Klein and Benny Pinkas discovered that the generation of IP
packet IDs used a weak hash function that incorporated a kernel
virtual address.  This hash function is no longer used for IP IDs,
although it is still used for other purposes in the network stack.

CVE-2019-13631

It was discovered that the gtco driver for USB input tablets could
overrun a stack buffer with constant data while parsing the device's
descriptor.  A physically present user with a specially
constructed USB device could use this to cause a denial-of-service
(BUG/oops), or possibly for privilege escalation.

CVE-2019-13648

Praveen Pandey reported that on PowerPC (ppc64el) systems without
Transactional Memory (TM), the kernel would still attempt to
restore TM state passed to the sigreturn() system call.  A local
user could use this for denial-of-service (oops).

CVE-2019-14283

The syzkaller tool found a missing bounds check in the floppy disk
driver.  A local user with access to a floppy disk device, with a
disk present, could use this to read 

[SECURITY] [DSA 4499-1] ghostscript security update

2019-08-12 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4499-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 12, 2019   https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-10216
Debian Bug : 934638

Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL
PostScript/PDF interpreter, does not properly restrict privileged calls,
which could result in bypass of file system restrictions of the dSAFER
sandbox.

For the oldstable distribution (stretch), this problem has been fixed
in version 9.26a~dfsg-0+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 9.27~dfsg-2+deb10u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4496-1] pango1.0 security update

2019-08-12 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4496-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 11, 2019   https://www.debian.org/security/faq
- -

Package: pango1.0
CVE ID : CVE-2019-1010238
Debian Bug : 933860

Benno Fuenfstueck discovered that Pango, a library for layout and
rendering of text with an emphasis on internationalization, is prone to a
heap-based buffer overflow flaw in the pango_log2vis_get_embedding_levels
function. An attacker can take advantage of this flaw for denial of
service or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.42.4-7~deb10u1.

We recommend that you upgrade your pango1.0 packages.

For the detailed security status of pango1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/pango1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4495-1] linux security update

2019-08-12 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4495-1   secur...@debian.org
https://www.debian.org/security/ Ben Hutchings
August 10, 2019   https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2018-20836 CVE-2019-1125 CVE-2019-1999 CVE-2019-10207 
 CVE-2019-10638 CVE-2019-12817 CVE-2019-12984 CVE-2019-13233 
 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2018-20836

chenxiang reported a race condition in libsas, the kernel
subsystem supporting Serial Attached SCSI (SAS) devices, which
could lead to a use-after-free.  It is not clear how this might be
exploited.

CVE-2019-1125

It was discovered that most x86 processors could speculatively
skip a conditional SWAPGS instruction used when entering the
kernel from user mode, and/or could speculatively execute it when
it should be skipped.  This is a subtype of Spectre variant 1,
which could allow local users to obtain sensitive information from
the kernel or other processes.  It has been mitigated by using
memory barriers to limit speculative execution.  Systems using an
i386 kernel are not affected as the kernel does not use SWAPGS.

CVE-2019-1999

A race condition was discovered in the Android binder driver,
which could lead to a use-after-free.  If this driver is loaded, a
local user might be able to use this for denial-of-service
(memory corruption) or for privilege escalation.

CVE-2019-10207

The syzkaller tool found a potential null dereference in various
drivers for UART-attached Bluetooth adapters.  A local user with
access to a pty device or other suitable tty device could use this
for denial-of-service (BUG/oops).

CVE-2019-10638

Amit Klein and Benny Pinkas discovered that the generation of IP
packet IDs used a weak hash function, "jhash".  This could enable
tracking individual computers as they communicate with different
remote servers and from different networks.  The "siphash"
function is now used instead.

CVE-2019-12817

It was discovered that on the PowerPC (ppc64el) architecture, the
hash page table (HPT) code did not correctly handle fork() in a
process with memory mapped at addresses above 512 TiB.  This could
lead to a use-after-free in the kernel, or unintended sharing of
memory between user processes.  A local user could use this for
privilege escalation.  Systems using the radix MMU, or a custom
kernel with a 4 KiB page size, are not affected.

CVE-2019-12984

It was discovered that the NFC protocol implementation did not
properly validate a netlink control message, potentially leading
to a null pointer dereference.  A local user on a system with an
NFC interface could use this for denial-of-service (BUG/oops).

CVE-2019-13233

Jann Horn discovered a race condition on the x86 architecture,
in use of the LDT.  This could lead to a use-after-free.  A
local user could possibly use this for denial-of-service.

CVE-2019-13631

It was discovered that the gtco driver for USB input tablets could
overrun a stack buffer with constant data while parsing the device's
descriptor.  A physically present user with a specially
constructed USB device could use this to cause a denial-of-service
(BUG/oops), or possibly for privilege escalation.

CVE-2019-13648

Praveen Pandey reported that on PowerPC (ppc64el) systems without
Transactional Memory (TM), the kernel would still attempt to
restore TM state passed to the sigreturn() system call.  A local
user could use this for denial-of-service (oops).

CVE-2019-14283

The syzkaller tool found a missing bounds check in the floppy disk
driver.  A local user with access to a floppy disk device, with a
disk present, could use this to read kernel memory beyond the
I/O buffer, possibly obtaining sensitive information.

CVE-2019-14284

The syzkaller tool found a potential division-by-zero in the
floppy disk driver.  A local user with access to a floppy disk
device could use this for denial-of-service (oops).

For the stable distribution (buster), these problems have been fixed in
version 4.19.37-5+deb10u2.

For the oldstable distribution (stretch), these problems will be fixed
soon.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to 

[SECURITY] [DSA 4490-1] subversion security update

2019-08-01 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4490-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 01, 2019   https://www.debian.org/security/faq
- -

Package: subversion
CVE ID : CVE-2018-11782 CVE-2019-0203

Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2018-11782

Ace Olszowka reported that Subversion's svnserve server process
may exit when a well-formed read-only request produces a particular
answer, leading to a denial of service.

CVE-2019-0203

Tomas Bortoli reported that Subversion's svnserve server process
may exit when a client sends certain sequences of protocol commands.
If the server is configured with anonymous access enabled this could
lead to a remote unauthenticated denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.9.5-1+deb9u4.

For the stable distribution (buster), these problems have been fixed in
version 1.10.4-1+deb10u1.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/subversion

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl1CEOZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Tn+xAAlXGJ2vZLwXuT+2SABhqLKTdSDEqCAwKLvHVB6LFHXFIu+WUdT8VSd6j3
lqSWzpOH4s6kmIz/yEiCWkYJmEc0hMHyPhljN+gbzpEQ3cPKyxJh9KekMEK23EpY
4DhKU+uDTCFKmsrfzcgIy8B5Bgw2H41w+MrQSonakfW7OtuVPD2s42VNd9O+JjY/
3G4GG+Udg/Sewndc2dxa8hOO2wFEWVks5g0Nt/soRwMEACQLmKeS6PwFb4PDljr8
H5fHcbQjN2UxpRKAyq2E2azSXHpUDz6psRMwfAQYs8lhx9Ozt538QaX6A6a63vLx
dtw2NVjg7Q12XDZY0Yt8V0h6oLEURLO8L1JOJeMkRiEVy6qPKQ4BLZ327uxkT4qP
La8Wk5A4Y/pr72L2WD36Y8cSWS3JFFgaFpM0kXzkfOfTClTHWamBehOnD7pslqly
ZvCmBavoslJ6uM8c/eLE6B8yaF13akqRIBeA2biaSHDEmf3mtpkDHNIGmZIMFNeE
x/Lx8PbQCq/eQ060ioEJZV4xF9nKFrDTuUs6YTaWAfHtR5bo+/5uzGVgSA7B5KU+
XZjxGnlSITMbcqwvawg9toLAyL71kenR6GdYrRculLsKtVDI+1FtCFisqPwEacUx
CaS3b0Bd8xyxbXnV0D+E/UaReS1x4i8lOSGOjj40d6b6Vv1X8Nw=
=IVo1
-END PGP SIGNATURE-
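The "fixed in version" statements in the advisory above turned into a host check, as an added example that is not part of the advisory or of Debian's own tooling: a POSIX sh script that reads one DSA mail on stdin, extracts the version named as fixed for a given suite, and compares it with the installed version using dpkg's own ordering (so epochs, "~" and suffixes such as +deb10u1 compare correctly). It assumes you name an installed binary package built from the source package the DSA refers to; for a linux DSA that is e.g. linux-image-$(uname -r), not the linux-image-amd64 metapackage, whose version does not track the source package. The "will be fixed soon" wording used by DSA-4495-1 for oldstable is handled as "no fixed version yet" rather than as a spurious match.

```shell
#!/bin/sh
# Added example, not part of the advisory: read a DSA text on stdin, pull out
# the version it names as fixed for a given suite, and compare that with the
# version dpkg has installed. dpkg's own comparison is used so epochs, '~'
# and suffixes such as +deb10u1 order correctly.

# fixed_version SUITE < advisory.txt
# Prints the version in "For the ... distribution (SUITE), ... fixed in
# version X."; prints nothing when the suite is "will be fixed soon" or
# absent. Wrapped sentences are joined first, since the mail wraps lines.
fixed_version() {
    tr '\n' ' ' | sed 's/  */ /g' |
    grep -o "distribution ($1)[^.]*fixed in version [^ ]*" |
    sed -n 's/.* version \([^ ]*\).*/\1/p' |
    sed 's/\.$//' |
    head -n 1
}

# installed_version BINARY_PACKAGE: the source version dpkg records for an
# installed binary package (DSAs cite source-package versions); empty when
# the package is not installed.
installed_version() {
    dpkg-query -W -f='${source:Version}' "$1" 2>/dev/null
}

# needs_update INSTALLED FIXED: succeed when INSTALLED sorts before FIXED.
needs_update() {
    dpkg --compare-versions "$1" lt "$2"
}

# check_package BINARY_PACKAGE SUITE < advisory.txt
# Exit 0 when up to date or not installed, 1 when an upgrade is due, 2 when
# the advisory names no fixed version for SUITE.
check_package() {
    fixed=$(fixed_version "$2")
    if [ -z "$fixed" ]; then
        echo "$1: advisory names no fixed version for $2 (not fixed yet?)" >&2
        return 2
    fi
    inst=$(installed_version "$1")
    if [ -z "$inst" ]; then
        echo "$1: not installed"
        return 0
    fi
    if needs_update "$inst" "$fixed"; then
        echo "$1: installed $inst is older than fixed $fixed: upgrade"
        return 1
    fi
    echo "$1: installed $inst is at or beyond fixed $fixed"
}

# Usage: sh dsa-check.sh BINARY_PACKAGE SUITE < dsa-4490-1.txt
# e.g.   sh dsa-check.sh subversion buster < dsa-4490-1.txt
if [ $# -eq 2 ]; then
    check_package "$1" "$2"
fi
```

The parser deliberately stops at the first period after the suite name, which is what makes "will be fixed soon." fall through to the "no fixed version" branch instead of picking up the next paragraph's version; the version string itself is taken up to the next space and its trailing sentence period is stripped.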



[SECURITY] [DSA 4489-1] patch security update

2019-07-30 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4489-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 27, 2019 https://www.debian.org/security/faq
- -

Package: patch
CVE ID : CVE-2019-13636 CVE-2019-13638
Debian Bug : 932401 933140

Imre Rad discovered several vulnerabilities in GNU patch, leading to
shell command injection, or to escaping the working directory to access
and overwrite files, if specially crafted patch files are processed.

This update includes a bugfix for a regression introduced by the patch
to address CVE-2018-1000156 when applying an ed-style patch (#933140).

For the oldstable distribution (stretch), these problems have been fixed
in version 2.7.5-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 2.7.6-3+deb10u1.

We recommend that you upgrade your patch packages.

For the detailed security status of patch please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/patch

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4488-1] exim4 security update

2019-07-30 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4488-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 25, 2019 https://www.debian.org/security/faq
- -

Package: exim4
CVE ID : CVE-2019-13917

Jeremy Harris discovered that Exim, a mail transport agent, does not
properly handle the ${sort } expansion. This flaw can be exploited by a
remote attacker to execute programs with root privileges in non-default
(and unusual) configurations where ${sort } expansion is used for items
that can be controlled by an attacker.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.89-2+deb9u5.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u1.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4484-1] linux security update

2019-07-22 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4484-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 20, 2019 https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2019-13272

Jann Horn discovered that the ptrace subsystem in the Linux kernel
mishandles the management of the credentials of a process that wants to
create a ptrace relationship, allowing a local user to obtain root
privileges under certain scenarios.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.9.168-1+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 4.19.37-5+deb10u1. This update also includes a patch for a
regression introduced by the original fix for CVE-2019-11478 (#930904).

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4481-1] ruby-mini-magick security update

2019-07-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4481-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 13, 2019 https://www.debian.org/security/faq
- -

Package: ruby-mini-magick
CVE ID : CVE-2019-13574
Debian Bug : 931932

Harsh Jaiswal discovered a remote shell execution vulnerability in
ruby-mini-magick, a Ruby library providing a wrapper around ImageMagick
or GraphicsMagick, exploitable when using MiniMagick::Image.open with
specially crafted URLs coming from unsanitized user input.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.5.1-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 4.9.2-1+deb10u1.

We recommend that you upgrade your ruby-mini-magick packages.

For the detailed security status of ruby-mini-magick please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-mini-magick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4477-1] zeromq3 security update

2019-07-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4477-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 08, 2019 https://www.debian.org/security/faq
- -

Package: zeromq3
CVE ID : CVE-2019-13132

Fang-Pen Lin discovered a stack-based buffer-overflow flaw in ZeroMQ, a
lightweight messaging kernel library. A remote, unauthenticated client
connecting to an application using the libzmq library, running with a
socket listening with CURVE encryption/authentication enabled, can take
advantage of this flaw to cause a denial of service or the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.2.1-4+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 4.3.1-4+deb10u1.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4473-1] rdesktop security update

2019-06-30 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4473-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 28, 2019 https://www.debian.org/security/faq
- -

Package: rdesktop
Debian Bug : 930387

Multiple security issues were found in the rdesktop RDP client, which
could result in denial of service and the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.6-2~deb9u1.

We recommend that you upgrade your rdesktop packages.

For the detailed security status of rdesktop please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/rdesktop

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4472-1] expat security update

2019-06-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4472-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 28, 2019 https://www.debian.org/security/faq
- -

Package: expat
CVE ID : CVE-2018-20843
Debian Bug : 931031

It was discovered that Expat, an XML parsing C library, did not properly
handle XML input including XML names that contain a large number of
colons, potentially resulting in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.0-2+deb9u2.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0V3XVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qsyw//SzMGmBKKj5Lxsxd35i4Vo/Pa2I2pAtgAE+6aNIoJ8ddCRO9CtW4RsVSS
OLQDVUEB0mst7xFQizE3riJQYjYO65x9aP6TaRjMOaccNB+G992zJD/qP90W9nvN
2qbwNeEdbNnbLELTycPlhzDyJ5R7nmvgogHiqtIlisqI5ZSI7OMqOFP5LvAvw/tt
UJmy2ZTbVLo7rpWjLfIj0YcNXy2IKcF0SA/lZQuj6KYrbHnhj0rrLxEL2OwdDBsm
HV/SXRjLMEak5GhDBiwTTvfYFk8weKdl0MST1hizKSsqTQPqTvHLOOKXYHgCJSfV
87YbFT3k9xqotM8ymeajNnoepJbnbCAPo3i0rCqftARokfe5lFYWIqKpUCXepeQL
PnigDmnrql4acTlKOBOnq+3vKtf8xL1HHVegzzejbJB5ff3I9Pw4AuRoLl9sMmzI
rorVrMZ2tQCPrDL5XabSkRg3IBJcknS4qjQ8fgM9tt5ruImUX4RQn4J3ACLapCnt
0+wX3gtCKUviTght96hXGj4MDuMmiSxNEQ66Demiq5sXjP5c4x696XVjYaBy2uGg
mma8aksL1SJaOjS0yHzxzwXwU7caQEBThAOfaBwGplgv/Kv42VbrDp3idf+9SZdA
R5l4hGu8jyR5YDFoj4+WgmvhLwb4UC1JBDeEsBUe03ZmnDhyhxM=
=4Etl
-END PGP SIGNATURE-



[SECURITY] [DSA 4469-1] libvirt security update

2019-06-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4469-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2019 https://www.debian.org/security/faq
- -

Package: libvirt
CVE ID : CVE-2019-10161 CVE-2019-10167

Two vulnerabilities were discovered in Libvirt, a virtualisation
abstraction library, allowing an API client with read-only permissions
to execute arbitrary commands via the virConnectGetDomainCapabilities
API, or read or execute arbitrary files via the
virDomainSaveImageGetXMLDesc API.

Additionally, libvirt's CPU map was updated to make addressing
CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 easier by supporting
the md-clear, ssbd, spec-ctrl and ibpb CPU features when picking CPU
models without having to fall back to host-passthrough.

For the stable distribution (stretch), these problems have been fixed in
version 3.0.0-4+deb9u4.

We recommend that you upgrade your libvirt packages.

For the detailed security status of libvirt please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libvirt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4468-1] php-horde-form security update

2019-06-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4468-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 21, 2019 https://www.debian.org/security/faq
- -

Package: php-horde-form
CVE ID : CVE-2019-9858
Debian Bug : 930321

A path traversal vulnerability due to an unsanitized POST parameter was
discovered in php-horde-form, a package providing form rendering,
validation, and other functionality for the Horde Application Framework.
An attacker can take advantage of this flaw for remote code execution.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.15-1+deb9u1.

We recommend that you upgrade your php-horde-form packages.

For the detailed security status of php-horde-form please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-form

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4465-1] linux security update

2019-06-18 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4465-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 17, 2019 https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503
 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833
 CVE-2019-11884
Debian Bug : 928989

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-3846, CVE-2019-10126

huangwen reported multiple buffer overflows in the Marvell wifi
(mwifiex) driver, which a local user could use to cause denial of
service or the execution of arbitrary code.

CVE-2019-5489

Daniel Gruss, Erik Kraft, Trishita Tiwari, Michael Schwarz, Ari
Trachtenberg, Jason Hennessey, Alex Ionescu, and Anders Fogh
discovered that local users could use the mincore() system call to
obtain sensitive information from other processes that access the
same memory-mapped file.

CVE-2019-9500, CVE-2019-9503

Hugues Anguelkov discovered a buffer overflow and missing access
validation in the Broadcom FullMAC wifi driver (brcmfmac), which an
attacker on the same wifi network could use to cause denial of
service or the execution of arbitrary code.

CVE-2019-11477

Jonathan Looney reported that a specially crafted sequence of TCP
selective acknowledgements (SACKs) allows a remotely triggerable
kernel panic.

CVE-2019-11478

Jonathan Looney reported that a specially crafted sequence of TCP
selective acknowledgements (SACKs) will fragment the TCP
retransmission queue, allowing an attacker to cause excessive
resource usage.

CVE-2019-11479

Jonathan Looney reported that an attacker could force the Linux
kernel to segment its responses into multiple TCP segments, each of
which contains only 8 bytes of data, drastically increasing the
bandwidth required to deliver the same amount of data.

This update introduces a new sysctl value to control the minimal MSS
(net.ipv4.tcp_min_snd_mss), which by default uses the formerly hard-
coded value of 48.  We recommend raising this to 536 unless you know
that your network requires a lower value.
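As an added example, not part of the advisory or of the Debian kernel packaging, the following POSIX shell audit reads the live net.ipv4.tcp_min_snd_mss value, compares it against the 536 the advisory recommends, and prints the sysctl.d drop-in that would make the recommended value persistent. The sysctl key and the values 48 and 536 come from the advisory; the drop-in file name /etc/sysctl.d/99-tcp-min-snd-mss.conf is an assumed name, and a missing /proc entry is treated as a kernel that predates the fix.

```shell
# Added example (not from DSA-4465-1): audit net.ipv4.tcp_min_snd_mss
# against the minimum the advisory recommends and render the drop-in
# that would persist it. Assumed drop-in name: 99-tcp-min-snd-mss.conf.
RECOMMENDED_MIN_SND_MSS=536
SYSCTL_KEY=net.ipv4.tcp_min_snd_mss
SYSCTL_PATH=/proc/sys/net/ipv4/tcp_min_snd_mss

# Print the live value, or "unavailable" when the knob does not exist
# (kernels without the CVE-2019-11479 fix do not expose it).
current_min_snd_mss() {
    if [ -r "$SYSCTL_PATH" ]; then
        cat "$SYSCTL_PATH"
    else
        echo unavailable
    fi
}

# Classify a value: "unavailable" (kernel lacks the knob), "invalid"
# (not a number), "raise" (below 536) or "ok" (536 or higher).
classify_min_snd_mss() {
    case "$1" in
        unavailable) echo unavailable ;;
        ''|*[!0-9]*) echo invalid ;;
        *)
            if [ "$1" -lt "$RECOMMENDED_MIN_SND_MSS" ]; then
                echo raise
            else
                echo ok
            fi
            ;;
    esac
}

# Render the sysctl.d drop-in line that persists the recommended value.
sysctl_dropin() {
    printf '%s = %s\n' "$SYSCTL_KEY" "$RECOMMENDED_MIN_SND_MSS"
}

main() {
    v=$(current_min_snd_mss)
    case "$(classify_min_snd_mss "$v")" in
        unavailable)
            echo "$SYSCTL_KEY not present: kernel predates the SACK fixes, upgrade linux" ;;
        raise)
            echo "$SYSCTL_KEY=$v is below $RECOMMENDED_MIN_SND_MSS; write this to"
            echo "/etc/sysctl.d/99-tcp-min-snd-mss.conf and run 'sysctl --system':"
            sysctl_dropin ;;
        ok)
            echo "$SYSCTL_KEY=$v is at or above the recommended minimum" ;;
        *)
            echo "$SYSCTL_KEY has an unexpected value: $v" ;;
    esac
}

main "$@"
```

Run it as root on the patched kernel; the unpatched default of 48 is reported as "raise", and the drop-in line it prints is the same setting `sysctl -w` would apply non-persistently.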

CVE-2019-11486

Jann Horn of Google reported numerous race conditions in the
Siemens R3964 line discipline. A local user could use these to
cause unspecified security impact. This module has therefore been
disabled.

CVE-2019-11599

Jann Horn of Google reported a race condition in the core dump
implementation which could lead to a use-after-free.  A local
user could use this to read sensitive information, to cause a
denial of service (memory corruption), or for privilege
escalation.

CVE-2019-11815

It was discovered that a use-after-free in the Reliable Datagram
Sockets protocol could result in denial of service and potentially
privilege escalation.  This protocol module (rds) is not auto-
loaded on Debian systems, so this issue only affects systems where
it is explicitly loaded.

CVE-2019-11833

It was discovered that the ext4 filesystem implementation writes
uninitialised data from kernel memory to new extent blocks.  A
local user able to write to an ext4 filesystem and then read the
filesystem image, for example using a removable drive, might be
able to use this to obtain sensitive information.

CVE-2019-11884

It was discovered that the Bluetooth HIDP implementation did not
ensure that new connection names were null-terminated.  A local
user with CAP_NET_ADMIN capability might be able to use this to
obtain sensitive information from the kernel stack.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0H04lfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Tszw//R1zmUfrItTVMKsH3SlhMG/Nyd1efD/MaYwK/MXHv02BH56G3Th/W1uxh
MEjyYTs7gE/UNyx6mr90G/BvymKNCqMEk5ooT7+xXcIgfBi+qvQW

[SECURITY] [DSA 4463-1] znc security update

2019-06-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4463-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 14, 2019 https://www.debian.org/security/faq
- -

Package: znc
CVE ID : CVE-2019-9917 CVE-2019-12816
Debian Bug : 925285

Two vulnerabilities were discovered in the ZNC IRC bouncer which could
result in remote code execution (CVE-2019-12816) or denial of service
via invalid encoding (CVE-2019-9917).

For the stable distribution (stretch), these problems have been fixed in
version 1.6.5-1+deb9u2.

We recommend that you upgrade your znc packages.

For the detailed security status of znc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/znc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl0D/QRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0R6Zg/+OBjUj1ewPAO8liP4P+MyrfQRI/iy0qCF+Daet5EPevDnJSt6ogDrTFOR
3b6oLlGw7aGnXswhb1WA3QM+onZ81RnLFgZgclb5hcB6le0P/zohtrH68Jn/FpD4
blcUNlAp6eglKQ4gtPgbl3eoJeeNNIoNPCw37cIIvKL0WuG5py1iMom9AnY/Slui
5UjuLFkSYp6lE/2MDjMtjeEcpAVQDQi2+TVimkamoAABSduFDl8nHqOPruzO6HQK
lAK81VZP5wyW6A4A3+i81L25zkW/Ooh3TTpbErBdYW4zabdzh6bIuYXmpf8/65/Y
r7FgzuvSqRy4JMEVHt86nIZCKJA9nwm+29kGkBjytWMhQzSokVWCSecjJD7fZjdq
QlilNcGx/J8wtU4H1xFpQ/SlvmIC4u/SJ7Fppi6BfxSfCKg9ch/FpXPaZmU+IE4u
YgGmKug6ngbzvTLBWjb2jkvn2mSBs2OTFfpOMnuYRxz5+YkvvIJYnvDcXWDytxP1
rr9jjbZ/hdSn2pW5DjmADVj5WjTNsnmpLgGMmH5/Uk8PZ2mx4RzGeBP0m+cKhM1n
YG52mOqGc04eca2hKPQ2Dxm2bB63TVshXb0kWZfd75M2gvvVi9gdZWsQdeJ52NG1
sAfYvYwLIzV/J0SUkBqurS3WW6MgPVnd2PP22FBF/UsSjTCVH4w=
=3yut
-END PGP SIGNATURE-



[SECURITY] [DSA 4462-1] dbus security update

2019-06-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4462-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 13, 2019 https://www.debian.org/security/faq
- -

Package: dbus
CVE ID : CVE-2019-12749
Debian Bug : 930375

Joe Vennix discovered an authentication bypass vulnerability in dbus, an
asynchronous inter-process communication system. The implementation of
the DBUS_COOKIE_SHA1 authentication mechanism was susceptible to a
symbolic link attack. A local attacker could take advantage of this flaw
to bypass authentication and connect to a DBusServer with elevated
privileges.

The standard system and session dbus-daemons in their default
configuration are not affected by this vulnerability.

The vulnerability was addressed by upgrading dbus to a new upstream
version 1.10.28 which includes additional fixes.

For the stable distribution (stretch), this problem has been fixed in
version 1.10.28-0+deb9u1.

We recommend that you upgrade your dbus packages.

For the detailed security status of dbus please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dbus

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4458-1] cyrus-imapd security update

2019-06-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4458-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2019 https://www.debian.org/security/faq
- -

Package: cyrus-imapd
CVE ID : CVE-2019-11356

A flaw was discovered in the CalDAV feature in httpd of the Cyrus IMAP
server, leading to denial of service or potentially the execution of
arbitrary code via a crafted HTTP PUT operation for an event with a long
iCalendar property name.

For the stable distribution (stretch), this problem has been fixed in
version 2.5.10-3+deb9u1.

We recommend that you upgrade your cyrus-imapd packages.

For the detailed security status of cyrus-imapd please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/cyrus-imapd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4454-2] qemu regression update

2019-06-06 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4454-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2019 https://www.debian.org/security/faq
- -

Package: qemu
Debian Bug : 929067

Vincent Tondellier reported that the qemu update issued as DSA 4454-1
did not correctly backport the support to define the md-clear bit to
allow mitigation of the MDS vulnerabilities. Updated qemu packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.8+dfsg-6+deb9u7.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlz5GY9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SmKxAAmkELLuseXfMRrXq/OCCJjCyZ3TuTLn9h7p/xo4Ueac93aiQsIBFVNXJ3
oOL3IW9mNhfqIbNNtIlbVnbvgpN/Jk+ThDJBXfwr6qyV4rDmupB2P2EDOzq/aXJv
yzJYbfMCrGkPTQsMGDkK93LjgWAcumaatEgMj+QESQ3wENLJV+QuYBxI8ptM/4jr
CTKdHfJkSY1aqFxfd+SqVIlmpGFtVGsomsoimbldZBeZaXeW7CyPhPeFwK2sxouT
warlxBi0LOihF7hrYNL7GM+c6MHHhD9ZJ64gy2hSCeI8/ZS1lgIcJbzHYVHLB+CS
mtmiCIZ4fOl2VQsPM59Yh/zjCLi/osRRyeYr3oNgt75sf2MFykNxslx707E+He/P
yQpbRoXt5V3u3sWvvs4vatXbRICPW4DxL/4Hp3z1Ct+Op6tzL9VhaYfQ82nvDyI3
HFToSDrdudRR+wXtiM/FZeSaY62BoVeYuc5o3rS1vEvbyXOHgGnKRIT99HfCiz/f
+pbMsfkAGsaOOgoPca+gPJLG3hXn9QDVJjnwf/PDYzMEc67WdN1LsPGdMYSUhKQ6
vghZnyG3JGr8B+ML/xIScYr818LNOsKr8j98Q38KiKx9CvJeFnVyBXNW2pQsUit8
UATYXra78vKp8+D2vXkYMYKp5k9MmskqodsS/xNmlO+a3BEXIpc=
=yofH
-END PGP SIGNATURE-



[SECURITY] [DSA 4456-1] exim4 security update

2019-06-05 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4456-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 05, 2019 https://www.debian.org/security/faq
- -

Package: exim4
CVE ID : CVE-2019-10149

The Qualys Research Labs reported a flaw in Exim, a mail transport
agent. Improper validation of the recipient address in the
deliver_message() function may result in the execution of arbitrary
commands.

For the stable distribution (stretch), this problem has been fixed in
version 4.89-2+deb9u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4455-1] heimdal security update

2019-06-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4455-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 03, 2019 https://www.debian.org/security/faq
- -

Package: heimdal
CVE ID : CVE-2018-16860 CVE-2019-12098
Debian Bug : 928966 929064

Several vulnerabilities were discovered in Heimdal, an implementation of
Kerberos 5 that aims to be compatible with MIT Kerberos.

CVE-2018-16860

Isaac Boukris and Andrew Bartlett discovered that Heimdal was
susceptible to man-in-the-middle attacks caused by incomplete
checksum validation. Details on the issue can be found in the Samba
advisory at https://www.samba.org/samba/security/CVE-2018-16860.html

CVE-2019-12098

It was discovered that the client side failed to verify the PA-PKINIT-KX
key exchange, which could permit a man-in-the-middle attack.

For the stable distribution (stretch), these problems have been fixed in
version 7.1.0+dfsg-13+deb9u3.

We recommend that you upgrade your heimdal packages.

For the detailed security status of heimdal please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/heimdal

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4444-1] linux security update

2019-05-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4444-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2019  https://www.debian.org/security/faq
- -

Package: linux
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug : 928125

Multiple researchers have discovered vulnerabilities in the way the
Intel processor designs have implemented speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system or cross guest/host boundaries to read
host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode. An updated intel-microcode package (only
available in Debian non-free) will be provided via a separate DSA. The
updated CPU microcode may also be available as part of a system firmware
("BIOS") update.

In addition, this update includes a fix for a regression causing
deadlocks inside the loopback driver, which was introduced by the update
to 4.9.168 in the last Stretch point release.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4442-2] cups-filters regression update

2019-05-14 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4442-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 13, 2019  https://www.debian.org/security/faq
- -

Package: cups-filters
Debian Bug : 926576 928936 928952

The update for ghostscript released as DSA 4442-1 uncovered an issue in
cups-filters which was using the undocumented Ghostscript internal
"pdfdict" now hidden in the ghostscript update. Updated cups-filters
packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 1.11.6-3+deb9u1.

We recommend that you upgrade your cups-filters packages.

For the detailed security status of cups-filters please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/cups-filters

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4443-1] samba security update

2019-05-14 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4443-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2019  https://www.debian.org/security/faq
- -

Package: samba
CVE ID : CVE-2018-16860

Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos
extension used in Samba's Active Directory support was susceptible to
man-in-the-middle attacks caused by incomplete checksum validation.

Details can be found in the upstream advisory at
https://www.samba.org/samba/security/CVE-2018-16860.html

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.16+dfsg-1+deb9u2.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlzamKFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Qk3g//SQQTI/J8JjwiCTND4yPp92NkSlEeulnprC/OEjCj3LFa9whITfRjzcoH
wwpdcuhrZ5r861dudaBXd3AWwAQUjcTZnOCPhC7f+DBGcstVQiuQ2RsSFJmnINyH
s3lv4hlKPWtRkqyEwRDS8q170ljiIbjCtITvxn9p/tby1/iOMZxEuSwI9mXGqBxn
doOVv5x55/MH+vz1sxFHR9b/bBBi/IxUHmLxpF6Fn3glMRglAaJ05R7hVZs0gUvN
GBrZgMyRfhybYZ4tQbJ1Ljb0ACdJo9aM8udjPZx6Ngbk7mDrEl7dS2aFjDvZEXrl
+mzkgXR4HEGmKAUDeKL7UBoSUi4So9LPtkRdrPlB4uV5xObYP6dV75Kk3bf+RCZJ
qRNFQbeQI96AVxe5x5qW434H9xZaYg4pJOXEdShqhy83dyKl3sa0AmSWBpPXx5Ob
xRXYbVPUYWQsD2kkX9+YmKST5M20CNph9TKU7McMlnYDheuNSuKZvueqRdzY009x
LyQizXtlGIsHKnEiYEu7LURvRjBe2D2Rav/TmUyx8JbqanFZCiEJ9hlHV9NK/19h
FXP/JbiVzsPOvUns6h6Gsj4so2+H21e0EE0DinuZs81eMlSvDfV52ika3+ST7dcP
OhdMsTA4SeeqIyKcwWegfLHEHA3zp8U9oXbw5jHiH5hGvq0Cqv8=
=qIgj
-END PGP SIGNATURE-



[SECURITY] [DSA 4442-1] ghostscript security update

2019-05-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4442-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 12, 2019  https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-3839

A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF
interpreter, which may result in denial of service or the execution of
arbitrary code if a malformed PostScript file is processed (despite the
-dSAFER sandbox being enabled).

For the stable distribution (stretch), this problem has been fixed in
version 9.26a~dfsg-0+deb9u3.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4438-1] atftp security update

2019-05-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4438-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 07, 2019  https://www.debian.org/security/faq
- -

Package: atftp
CVE ID : CVE-2019-11365 CVE-2019-11366
Debian Bug : 927553

Denis Andzakovic discovered two vulnerabilities in atftp, the advanced
TFTP server, which could result in denial of service when malformed
packets are sent to the server.

For the stable distribution (stretch), these problems have been fixed in
version 0.7.git20120829-3.1~deb9u1.

We recommend that you upgrade your atftp packages.

For the detailed security status of atftp please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/atftp

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4435-1] libpng1.6 security update

2019-04-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4435-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 27, 2019https://www.debian.org/security/faq
- -

Package: libpng1.6
CVE ID : CVE-2019-7317
Debian Bug : 921355

A use-after-free vulnerability was discovered in the png_image_free()
function in the libpng PNG library, which could lead to denial of
service or potentially the execution of arbitrary code if a malformed
image is processed.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.28-1+deb9u1.

We recommend that you upgrade your libpng1.6 packages.

For the detailed security status of libpng1.6 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libpng1.6

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4434-1] drupal7 security update

2019-04-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4434-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 20, 2019https://www.debian.org/security/faq
- -

Package: drupal7
CVE ID : CVE-2019-11358
Debian Bug : 927330

A cross-site scripting vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.org/sa-core-2019-006 .

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u8.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4432-1] ghostscript security update

2019-04-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4432-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 16, 2019https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-3835 CVE-2019-3838
Debian Bug : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the stable distribution (stretch), these problems have been fixed in
version 9.26a~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4431-1] libssh2 security update

2019-04-15 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4431-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 13, 2019https://www.debian.org/security/faq
- -

Package: libssh2
CVE ID : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858
 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862
 CVE-2019-3863
Debian Bug : 924965

Chris Coulson discovered several vulnerabilities in libssh2, an SSH2
client-side library, which could result in denial of service,
information leaks or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.0-1+deb9u1.

We recommend that you upgrade your libssh2 packages.

For the detailed security status of libssh2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4428-1] systemd security update

2019-04-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4428-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 08, 2019https://www.debian.org/security/faq
- -

Package: systemd
CVE ID : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the
environment and lacks seat verification permitting spoofing an active
session to PolicyKit. A remote attacker with SSH access can take
advantage of this issue to gain PolicyKit privileges that are normally
only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u11.

This update includes updates previously scheduled to be released in the
stretch 9.9 point release.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4425-1] wget security update

2019-04-08 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4425-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 05, 2019https://www.debian.org/security/faq
- -

Package: wget
CVE ID : CVE-2019-5953
Debian Bug : 926389

Kusano Kazuhiko discovered a buffer overflow vulnerability in the
handling of Internationalized Resource Identifiers (IRI) in wget, a
network utility to retrieve files from the web, which could result in
the execution of arbitrary code or denial of service when recursively
downloading from an untrusted server.

For the stable distribution (stretch), this problem has been fixed in
version 1.18-5+deb9u3.

We recommend that you upgrade your wget packages.

For the detailed security status of wget please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/wget

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4422-1] apache2 security update

2019-04-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4422-1   secur...@debian.org
https://www.debian.org/security/   Stefan Fritsch
April 03, 2019https://www.debian.org/security/faq
- -

Package: apache2
CVE ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0196 CVE-2019-0211 
 CVE-2019-0217 CVE-2019-0220
Debian Bug : 920302 920303

Several vulnerabilities have been found in the Apache HTTP server.

CVE-2018-17189

Gal Goldshtein of F5 Networks discovered a denial of service
vulnerability in mod_http2. By sending malformed requests, the
http/2 stream for that request unnecessarily occupied a server
thread cleaning up incoming data, resulting in denial of service.

CVE-2018-17199

Diego Angulo from ImExHS discovered that mod_session_cookie does not
respect expiry time.

CVE-2019-0196

Craig Young discovered that the http/2 request handling in mod_http2
could be made to access freed memory in string comparison when
determining the method of a request and thus process the request
incorrectly.

CVE-2019-0211

Charles Fol discovered a privilege escalation from the
less-privileged child process to the parent process running as root.

CVE-2019-0217

A race condition in mod_auth_digest when running in a threaded
server could allow a user with valid credentials to authenticate
using another username, bypassing configured access control
restrictions. The issue was discovered by Simon Kappel.

CVE-2019-0220

Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL
normalizations were inconsistently handled. When the path component
of a request URL contains multiple consecutive slashes ('/'),
directives such as LocationMatch and RewriteRule must account for
duplicates in regular expressions while other aspects of the server's
processing will implicitly collapse them.
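To make the CVE-2019-0220 point concrete, here is an added illustration in POSIX shell that is not from the advisory or from Apache: a regex written the way a LocationMatch or RewriteRule pattern might be is checked against a raw request path and against the same path with runs of slashes collapsed, as the advisory says other parts of the server do. The request paths and patterns are constructed, and the collapsing is an emulation in sed rather than Apache's own normalization; the purpose is to show which patterns give the same answer on both forms of the path.

```shell
# Added illustration (not from DSA-4422-1 or Apache): compare a
# LocationMatch-style regex decision on the raw path with the decision
# on the slash-collapsed path. Sample paths and patterns are constructed.

# Emulate the collapsing the advisory describes: every run of '/' in the
# path component becomes a single '/'.
collapse_slashes() {
    printf '%s\n' "$1" | sed 's#//*#/#g'
}

# Does the extended regex $1 match the path $2? Uses grep the way a
# pattern-matching directive would be read: anchored only where written.
path_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Audit one request path against a restricting pattern. Prints
# "consistent" when the regex gives the same verdict on the raw and the
# collapsed path, and "mismatch" when the raw path escapes the pattern
# while the collapsed path falls inside the area it was meant to cover.
audit_path() {
    pattern=$1
    raw=$2
    norm=$(collapse_slashes "$raw")
    if path_matches "$pattern" "$raw"; then
        echo consistent
    elif path_matches "$pattern" "$norm"; then
        echo mismatch
    else
        echo consistent
    fi
}

# Walk a few constructed paths through a naive and a slash-tolerant
# pattern so the difference is visible in the output.
demo() {
    for p in '/admin/panel' '//admin/panel' '/admin//panel' '/public/index'; do
        printf '%-16s naive=%-10s tolerant=%s\n' "$p" \
            "$(audit_path '^/admin/' "$p")" \
            "$(audit_path '^/+admin/' "$p")"
    done
}

demo
```

The naive pattern `^/admin/` reports "mismatch" for `//admin/panel` because the regex only sees the raw path, while a component that collapsed slashes first would treat the request as inside /admin/. Writing the pattern as `^/+admin/` (one or more leading slashes) removes that disagreement; the same adjustment applies to any other slash in a pattern that must survive duplication.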

For the stable distribution (stretch), these problems have been fixed in
version 2.4.25-3+deb9u7.

This update also contains bug fixes that were scheduled for inclusion in the
next stable point release. This includes a fix for a regression caused by a
security fix in version 2.4.25-3+deb9u6.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4418-1] dovecot security update

2019-03-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4418-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 28, 2019https://www.debian.org/security/faq
- -

Package: dovecot
CVE ID : CVE-2019-7524

A vulnerability was discovered in the Dovecot email server. When reading
FTS or POP3-UIDL headers from the Dovecot index, the input buffer size
is not bounds-checked. An attacker with the ability to modify dovecot
indexes can take advantage of this flaw for privilege escalation or the
execution of arbitrary code with the permissions of the dovecot user.
Only installations using the FTS or pop3 migration plugins are affected.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.2.27-3+deb9u4.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4416-1] wireshark security update

2019-03-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4416-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2019https://www.debian.org/security/faq
- -

Package: wireshark
CVE ID : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719 
 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug : 923611

It was discovered that Wireshark, a network traffic analyzer, contained
several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,
ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.7-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4415-1] passenger security update

2019-03-24 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4415-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2019https://www.debian.org/security/faq
- -

Package: passenger
CVE ID : CVE-2017-16355
Debian Bug : 884463

An arbitrary file read vulnerability was discovered in passenger, a web
application server. A local user allowed to deploy an application to
passenger can take advantage of this flaw by creating a symlink from
the REVISION file to an arbitrary file on the system and have its
content displayed through passenger-status.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.30-1+deb9u1.

We recommend that you upgrade your passenger packages.

For the detailed security status of passenger please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/passenger

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4413-1] ntfs-3g security update

2019-03-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4413-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 21, 2019https://www.debian.org/security/faq
- -

Package: ntfs-3g
CVE ID : CVE-2019-9755

A heap-based buffer overflow was discovered in NTFS-3G, a read-write
NTFS driver for FUSE. A local user can take advantage of this flaw for
local root privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 1:2016.2.22AR.1+dfsg-1+deb9u1.

We recommend that you upgrade your ntfs-3g packages.

For the detailed security status of ntfs-3g please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4397-1] ldb security update

2019-02-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4397-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2019 https://www.debian.org/security/faq
- -

Package: ldb
CVE ID : CVE-2019-3824

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()
function of ldb, an LDAP-like embedded database, resulting in denial of
service.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.1.27-1+deb9u1.

We recommend that you upgrade your ldb packages.

For the detailed security status of ldb please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ldb

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4393-1] systemd security update

2019-02-18 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4393-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 18, 2019 https://www.debian.org/security/faq
- -

Package: systemd
CVE ID : CVE-2019-6454

Chris Coulson discovered a flaw in systemd leading to denial of service.
An unprivileged user could take advantage of this issue to crash PID1 by
sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4388-2] mosquitto regression update

2019-02-17 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4388-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 17, 2019 https://www.debian.org/security/faq
- -

Package: mosquitto
Debian Bug : 922071

Kushal Kumaran reported that the update for mosquitto issued as DSA
4388-1 causes mosquitto to crash when reloading the persistent database.
Updated packages are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 1.4.10-3+deb9u4.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DSA 4377-2] rssh regression update

2019-02-12 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4377-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 11, 2019 https://www.debian.org/security/faq
- -

Package: rssh
Debian Bug : 921655

The update for rssh issued as DSA 4377-1 introduced a regression that
blocked scp of multiple files from a server using rssh. Updated packages
are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u3.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4385-1] dovecot security update

2019-02-05 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4385-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 05, 2019 https://www.debian.org/security/faq
- -

Package: dovecot
CVE ID : CVE-2019-3814

halfdog discovered an authentication bypass vulnerability in the Dovecot
email server. Under some configurations Dovecot mistakenly trusts the
username provided via authentication instead of failing. If there is no
additional password verification, this allows the attacker to login as
anyone else in the system. Only installations using:

auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes

are affected by this flaw.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.2.27-3+deb9u3.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DSA 4384-1] libgd2 security update

2019-02-04 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4384-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 04, 2019 https://www.debian.org/security/faq
- -

Package: libgd2
CVE ID : CVE-2019-6977 CVE-2019-6978
Debian Bug : 920645 920728

Multiple vulnerabilities have been discovered in libgd2, a library for
programmatic graphics creation and manipulation, which may result in
denial of service or potentially the execution of arbitrary code if a
malformed file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.4-2+deb9u4.

We recommend that you upgrade your libgd2 packages.

For the detailed security status of libgd2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libgd2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4383-1] libvncserver security update

2019-02-03 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4383-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 03, 2019 https://www.debian.org/security/faq
- -

Package: libvncserver
CVE ID : CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019
 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
 CVE-2018-20024
Debian Bug : 916941

Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a
library to implement VNC server/client functionalities, which might result in
the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 0.9.11+dfsg-1.3~deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4378-1] php-pear security update

2019-01-30 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4378-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2019  https://www.debian.org/security/faq
- -

Package: php-pear
CVE ID : CVE-2018-1000888
Debian Bug : 919147

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for
handling tar files in PHP is prone to a PHP object injection
vulnerability, potentially allowing a remote attacker to execute
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.1+submodules+notgz-9+deb9u1.

We recommend that you upgrade your php-pear packages.

For the detailed security status of php-pear please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-pear

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4375-1] spice security update

2019-01-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4375-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 29, 2019  https://www.debian.org/security/faq
- -

Package: spice
CVE ID : CVE-2019-3813
Debian Bug : 920762

Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might result in
denial of service (spice server crash), or possibly, execution of
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u3.

We recommend that you upgrade your spice packages.

For the detailed security status of spice please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/spice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4372-1] ghostscript security update

2019-01-27 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4372-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 26, 2019  https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2019-6116

Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

For the stable distribution (stretch), this problem has been fixed in
version 9.26a~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4367-2] systemd regression update

2019-01-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4367-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 15, 2019  https://www.debian.org/security/faq
- -

Package: systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that, as the systemd-journald service is not restarted automatically,
a restart of the service or, more safely, a reboot is advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4367-1] systemd security update

2019-01-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4367-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 13, 2019  https://www.debian.org/security/faq
- -

Package: systemd
CVE ID : CVE-2018-16864 CVE-2018-16865 CVE-2018-16866
Debian Bug : 918841 918848

The Qualys Research Labs discovered multiple vulnerabilities in
systemd-journald. Two memory corruption flaws, via attacker-controlled
alloca()s (CVE-2018-16864, CVE-2018-16865) and an out-of-bounds read flaw
leading to an information leak (CVE-2018-16866), could allow an attacker to
cause a denial of service or the execution of arbitrary code.

Further details in the Qualys Security Advisory at
https://www.qualys.com/2019/01/09/system-down/system-down.txt

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u7.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4358-1] ruby-sanitize security update

2018-12-28 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4358-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 27, 2018 https://www.debian.org/security/faq
- -

Package: ruby-sanitize
CVE ID : CVE-2018-3740
Debian Bug : 893610

The Shopify Application Security Team discovered that ruby-sanitize, a
whitelist-based HTML sanitizer, is prone to a HTML injection
vulnerability. A specially crafted HTML fragment can cause non-whitelisted
attributes to be allowed on a whitelisted HTML element.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.0-2+deb9u1.

We recommend that you upgrade your ruby-sanitize packages.

For the detailed security status of ruby-sanitize please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sanitize

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DSA 4346-2] ghostscript regression update

2018-12-23 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4346-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 23, 2018 https://www.debian.org/security/faq
- -

Package: ghostscript
Debian Bug : 915832

The update for ghostscript issued as DSA-4346-1 caused a regression when
used with certain options (cf. Debian bug #915832). Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 9.26~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4357-1] libapache-mod-jk security update

2018-12-20 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4357-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
- -

Package: libapache-mod-jk
CVE ID : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java
servlet engine. The vulnerability is addressed by upgrading mod_jk to
the new upstream version 1.2.46, which includes additional changes.

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.42_and_1.2.43
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.43_and_1.2.44
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.44_and_1.2.45
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4356-1] netatalk security update

2018-12-20 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4356-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
- -

Package: netatalk
CVE ID : CVE-2018-1160
Debian Bug : 916930

Jacob Baines discovered a flaw in the handling of the DSI Opensession
command in Netatalk, an implementation of the AppleTalk Protocol Suite,
allowing an unauthenticated user to execute arbitrary code with root
privileges.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.5-2+deb9u1.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/netatalk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DSA 4351-1] libphp-phpmailer security update

2018-12-09 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4351-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 07, 2018 https://www.debian.org/security/faq
- -

Package: libphp-phpmailer
CVE ID : CVE-2018-19296
Debian Bug : 913912

It was discovered that PHPMailer, a library to send email from PHP
applications, is prone to a PHP object injection vulnerability,
potentially allowing a remote attacker to execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 5.2.14+dfsg-2.3+deb9u1.

We recommend that you upgrade your libphp-phpmailer packages.

For the detailed security status of libphp-phpmailer please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libphp-phpmailer

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4347-1] perl security update

2018-11-29 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4347-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2018 https://www.debian.org/security/faq
- -

Package: perl
CVE ID : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-18311

Jayakrishna Menon and Christophe Hauser discovered an integer
overflow vulnerability in Perl_my_setenv leading to a heap-based
buffer overflow with attacker-controlled input.

CVE-2018-18312

Eiichi Tsukata discovered that a crafted regular expression could
cause a heap-based buffer overflow write during compilation,
potentially allowing arbitrary code execution.

CVE-2018-18313

Eiichi Tsukata discovered that a crafted regular expression could
cause a heap-based buffer overflow read during compilation which
leads to an information leak.

CVE-2018-18314

Jakub Wilk discovered that a specially crafted regular expression
could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4346-1] ghostscript security update

2018-11-27 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4346-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 27, 2018 https://www.debian.org/security/faq
- -

Package: ghostscript
CVE ID : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed PostScript file is processed
(despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26
which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.26~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4345-1] samba security update

2018-11-27 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4345-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 27, 2018 https://www.debian.org/security/faq
- -

Package: samba
CVE ID : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2018-14629

Florian Stuelpner discovered that Samba is vulnerable to
infinite query recursion caused by CNAME loops, resulting in
denial of service.

https://www.samba.org/samba/security/CVE-2018-14629.html

CVE-2018-16841

Alex MacCuish discovered that a user with a valid certificate or
smart card can crash the Samba AD DC's KDC when configured to accept
smart-card authentication.

https://www.samba.org/samba/security/CVE-2018-16841.html

CVE-2018-16851

Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
dereference vulnerability in the Samba AD DC LDAP server allowing a
user able to read more than 256MB of LDAP entries to crash the Samba
AD DC's LDAP server.

https://www.samba.org/samba/security/CVE-2018-16851.html

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4344-1] roundcube security update

2018-11-26 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4344-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 24, 2018 https://www.debian.org/security/faq
- -

Package: roundcube
CVE ID : CVE-2018-19206

Aidan Marlin discovered that roundcube, a skinnable AJAX-based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling invalid style tag content.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4339-2] ceph regression update

2018-11-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4339-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 21, 2018 https://www.debian.org/security/faq
- -

Package: ceph
Debian Bug : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for
the i386 builds. Updated packages are now available to address this
issue. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 10.2.11-2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4341-1] mariadb-10.1 security update

2018-11-19 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4341-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2018 https://www.debian.org/security/faq
- -

Package: mariadb-10.1
CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2017-15365 CVE-2018-2562 
 CVE-2018-2612 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 
 CVE-2018-2668 CVE-2018-2755 CVE-2018-2761 CVE-2018-2766 
 CVE-2018-2767 CVE-2018-2771 CVE-2018-2781 CVE-2018-2782 
 CVE-2018-2784 CVE-2018-2787 CVE-2018-2813 CVE-2018-2817 
 CVE-2018-2819 CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 
 CVE-2018-3066 CVE-2018-3081 CVE-2018-3143 CVE-2018-3156 
 CVE-2018-3174 CVE-2018-3251 CVE-2018-3282
Debian Bug : 885345 898444 898445 912848

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.1.37. Please see the MariaDB 10.1 Release Notes for further
details:

 https://mariadb.com/kb/en/mariadb/mariadb-10127-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10128-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10129-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10130-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10131-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10132-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10133-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10134-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10135-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10136-release-notes/
 https://mariadb.com/kb/en/mariadb/mariadb-10137-release-notes/

For the stable distribution (stretch), these problems have been fixed in
version 10.1.37-0+deb9u1.

We recommend that you upgrade your mariadb-10.1 packages.

For the detailed security status of mariadb-10.1 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
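
Each advisory above ends with the same practical instruction: compare what is installed against the stated fixed version and upgrade if it is older. The following is an added example, not part of any advisory and not Debian's own code: it implements the Debian version-ordering rules (epoch, then upstream version, then revision; digit runs compared numerically, "~" sorting before everything, a missing revision counting as 0) and checks constructed `dpkg-query`-style output against the stretch fixed versions quoted in the advisories above. The sample package lines are constructed and do not describe any real host; on a real system `dpkg --compare-versions` is the canonical tool and the security tracker pages are the authoritative status.

```python
"""Check installed Debian package versions against the fixed versions quoted in
the DSAs above.  Added example, not Debian's code; the canonical tool is
`dpkg --compare-versions`.  Ordering rules follow Debian Policy section 5.6.12."""

# Fixed versions for stretch, copied from the advisories in this thread.
FIXED_IN_STRETCH = {
    "perl": "5.24.1-3+deb9u5",             # DSA-4347-1
    "ghostscript": "9.26~dfsg-0+deb9u1",   # DSA-4346-1
    "samba": "2:4.5.12+dfsg-2+deb9u4",     # DSA-4345-1
    "roundcube": "1.2.3+dfsg.1-4+deb9u3",  # DSA-4344-1
    "ceph": "10.2.11-2",                   # DSA-4339-2
    "mariadb-10.1": "10.1.37-0+deb9u1",    # DSA-4341-1
}


def _order(c: str) -> int:
    """Weight of one character in a non-digit run: '~' sorts before everything
    (even the end of the string), letters before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or revision part) by
    alternating non-digit and digit runs, the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character by character, using the weights above
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1    # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; a missing revision counts as 0."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def audit(dpkg_output: str) -> dict:
    r"""Map each listed package that an advisory covers to True (at or above the
    fixed version) or False.  Input is one 'package version' pair per line, the
    shape produced by: dpkg-query -W -f='${Package} ${Version}\n'"""
    result = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in FIXED_IN_STRETCH:
            continue
        pkg, installed = parts
        result[pkg] = compare_versions(installed, FIXED_IN_STRETCH[pkg]) >= 0
    return result


# Constructed sample of dpkg-query output; not taken from any real host.
# samba is listed without its "2:" epoch on purpose, to show that the epoch
# is compared first and a missing epoch means 0.
SAMPLE_DPKG_OUTPUT = """\
perl 5.24.1-3+deb9u4
ghostscript 9.26~dfsg-0+deb9u1
samba 4.5.12+dfsg-2+deb9u4
roundcube 1.2.3+dfsg.1-4+deb9u3
ceph 10.2.11-2
libc6 2.24-11+deb9u3
"""

if __name__ == "__main__":
    for pkg, ok in audit(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg:14s} {'at or above fixed version' if ok else 'below fixed version, upgrade'}")
```

Packages not named in any advisory (libc6 in the sample) are skipped rather than reported, so the output is only the set the advisories actually cover. The "9.26~dfsg" form in the ghostscript version is why the tilde rule matters: "9.26~dfsg-0+deb9u1" is older than a plain "9.26-1" would be, so a naive string comparison would get that case wrong.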


