[SECURITY] [DLA 644-1] libav security update

2016-10-04 Thread Hugo Lefeuvre

Package: libav
Version: 6:0.8.18-0+deb7u1
CVE ID : CVE-2015-1872 CVE-2015-5479 CVE-2016-7393

Multiple vulnerabilities have been found in libav:

CVE-2015-1872

The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in Libav before
0.8.18 does not validate the number of components in a JPEG-LS Start Of
Frame segment, which allows remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact via
crafted Motion JPEG data.

CVE-2015-5479

The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before
11.5 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a file with crafted dimensions.

CVE-2016-7393

The aac_sync function in libavcodec/aac_parser.c in Libav before 11.5 is
vulnerable to a stack-based buffer overflow.

For Debian 7 "Wheezy", these problems have been fixed in version
6:0.8.18-0+deb7u1.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 652-1] qemu security update

2016-10-11 Thread Hugo Lefeuvre

Package: qemu
Version: 1.1.2+dfsg-6+deb7u16
CVE ID : CVE-2016-7161 CVE-2016-7170 CVE-2016-7908

Multiple vulnerabilities have been found in QEMU:

CVE-2016-7161

Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite
in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on
the QEMU host via a large ethlite packet.

CVE-2016-7170

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick
Emulator) is vulnerable to an OOB memory access.

CVE-2016-7908

The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator)
does not properly limit the buffer descriptor count when transmitting
packets, which allows local guest OS administrators to cause a denial of
service (infinite loop and QEMU process crash) via vectors involving a
buffer descriptor with a length of 0 and crafted values in bd.flags.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u16.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 660-1] libxrandr security update

2016-10-17 Thread Hugo Lefeuvre

Package: libxrandr
Version: 2:1.3.2-2+deb7u2
CVE ID : CVE-2016-7947 CVE-2016-7948
Debian Bug : 840441 

Insufficient validation of data from the X server in libxrandr
before v1.5.0 can cause out of boundary memory writes and integer
overflows.

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.3.2-2+deb7u2.

We recommend that you upgrade your libxrandr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 780-1] libav security update

2017-01-12 Thread Hugo Lefeuvre

Package: libav
Version: 6:0.8.19-0+deb7u1
CVE ID : CVE-2016-7424

Multiple vulnerabilities have been found in libav:

CVE-2016-7424

The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in
libav 11.7 and earlier allows remote attackers to cause a denial
of service (NULL pointer dereference and crash) via a crafted MP3
file.  

(No CVE assigned)

The h264 codec is vulnerable to various crashes with invalid-free,
corrupted double-linked list or out-of-bounds read.

For Debian 7 "Wheezy", these problems have been fixed in version
6:0.8.19-0+deb7u1.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 765-1] qemu-kvm security update

2016-12-26 Thread Hugo Lefeuvre

Package: qemu-kvm
Version: 1.1.2+dfsg-6+deb7u19
CVE ID : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922

Multiple vulnerabilities have been found in qemu-kvm:

CVE-2016-9911

qemu-kvm built with the USB EHCI Emulation support is vulnerable
to a memory leakage issue. It could occur while processing packet
data in 'ehci_init_transfer'. A guest user/process could use this
issue to leak host memory, resulting in DoS for a host.

CVE-2016-9921, CVE-2016-9922

qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is
vulnerable to a divide by zero issue. It could occur while copying
VGA data when cirrus graphics mode was set to be VGA. A privileged
user inside guest could use this flaw to crash the Qemu process
instance on the host, resulting in DoS.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u19.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 764-1] qemu security update

2016-12-26 Thread Hugo Lefeuvre

Package: qemu
Version: 1.1.2+dfsg-6+deb7u19
CVE ID : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922

Multiple vulnerabilities have been found in QEMU:

CVE-2016-9911

Quick Emulator (Qemu) built with the USB EHCI Emulation support
is vulnerable to a memory leakage issue. It could occur while
processing packet data in 'ehci_init_transfer'. A guest user/
process could use this issue to leak host memory, resulting in
DoS for a host.

CVE-2016-9921, CVE-2016-9922

Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator
support is vulnerable to a divide by zero issue. It could occur
while copying VGA data when cirrus graphics mode was set to be
VGA. A privileged user inside guest could use this flaw to crash
the Qemu process instance on the host, resulting in DoS.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u19.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 889-1] potrace security update

2017-04-09 Thread Hugo Lefeuvre

Package: potrace
Version: 1.10-1+deb7u2
CVE ID : CVE-2016-8685
Debian Bug : 843861 

It was discovered that potrace, a utility to transform bitmaps into
vector graphics, was affected by an integer overflow in the findnext
function, allowing remote attackers to cause a denial of service
(invalid memory access and crash) via a crafted BMP image.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10-1+deb7u2.

We recommend that you upgrade your potrace packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[SECURITY] [DLA 981-1] apng2gif security update

2017-06-07 Thread Hugo Lefeuvre

Package: apng2gif
Version: 1.5-1+deb7u1
CVE ID : CVE-2017-6960
Debian Bug : #854367

It was discovered that apng2gif was vulnerable to an integer overflow
resulting in a heap-based buffer over-read/write. A remote attacker
could use this flaw to cause a denial of service (application crash)
via a crafted APNG file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5-1+deb7u1.

We recommend that you upgrade your apng2gif packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1105-1] clamav security update

2017-09-22 Thread Hugo Lefeuvre

Package: clamav
Version: 0.99.2+dfsg-0+deb7u3
CVE ID : CVE-2017-6418 CVE-2017-6420

clamav is vulnerable to multiple issues that can lead
to denial of service when processing untrusted content.

CVE-2017-6418

out-of-bounds read in libclamav/message.c, allowing remote attackers
to cause a denial of service via a crafted e-mail message.

CVE-2017-6420

use-after-free in the wwunpack function (libclamav/wwunpack.c), allowing
remote attackers to cause a denial of service via a crafted PE file with
WWPack compression.

For Debian 7 "Wheezy", these problems have been fixed in version
0.99.2+dfsg-0+deb7u3.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1152-1] quagga security update

2017-10-31 Thread Hugo Lefeuvre

Package: quagga
Version: quagga_0.99.22.4-1+wheezy3+deb7u2
CVE ID : CVE-2017-16227
Debian Bug : 879474 

It was discovered that the bgpd daemon in the Quagga routing suite
does not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

For Debian 7 "Wheezy", these problems have been fixed in version
quagga_0.99.22.4-1+wheezy3+deb7u2.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1377-1] tiff security update

2018-05-13 Thread Hugo Lefeuvre

Package: tiff
Version: 4.0.2-6+deb7u20
CVE ID : CVE-2018-8905
Debian Bug : 893806 

A heap-based buffer overflow was discovered in the LZWDecodeCompat
function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability
might be leveraged by remote attackers to crash the client via a
crafted TIFF LZW file.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u20.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1378-1] tiff3 security update

2018-05-13 Thread Hugo Lefeuvre

Package: tiff3
Version: 3.9.6-11+deb7u11
CVE ID : CVE-2018-8905
Debian Bug : 893806

A heap-based buffer overflow was discovered in the LZWDecodeCompat
function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability
might be leveraged by remote attackers to crash the client via a
crafted TIFF LZW file.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u11.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1386-1] ming security update

2018-05-25 Thread Hugo Lefeuvre

Package: ming
Version: 1:0.4.4-1.1+deb7u9
CVE ID : CVE-2018-7866 CVE-2018-7873 CVE-2018-7876 CVE-2018-9009 
 CVE-2018-9132

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-7866

NULL pointer dereference in the newVar3 function (util/decompile.c).
Remote attackers might leverage this vulnerability to cause a denial
of service via a crafted swf file.

CVE-2018-7873

Heap-based buffer overflow vulnerability in the getString function
(util/decompile.c). Remote attackers might leverage this vulnerability
to cause a denial of service via a crafted swf file.

CVE-2018-7876

Integer overflow and resulting memory exhaustion in the
parseSWF_ACTIONRECORD function (util/parser.c). Remote attackers might
leverage this vulnerability to cause a denial of service via a crafted
swf file.

CVE-2018-9009

Various heap-based buffer overflow vulnerabilities in util/decompiler.c.
Remote attackers might leverage this vulnerability to cause a denial of
service via a crafted swf file.

CVE-2018-9132

NULL pointer dereference in the getInt function (util/decompile.c).
Remote attackers might leverage this vulnerability to cause a denial
of service via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version
1:0.4.4-1.1+deb7u9.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1240-1] ming security update

2018-01-11 Thread Hugo Lefeuvre

Package: ming
Version: 1:0.4.4-1.1+deb7u6
CVE ID : CVE-2017-11732 CVE-2017-16883 CVE-2017-16898

Multiple vulnerabilities have been discovered in Ming:

CVE-2017-11732

heap-based buffer overflow vulnerability in the function dcputs
(util/decompile.c) in Ming <= 0.4.8, which allows attackers to
cause a denial of service via a crafted SWF file.

CVE-2017-16883

NULL pointer dereference vulnerability in the function outputSWF_TEXT_RECORD
(util/outputscript.c) in Ming <= 0.4.8, which allows attackers
to cause a denial of service via a crafted SWF file.

CVE-2017-16898

global buffer overflow vulnerability in the function printMP3Headers
(util/listmp3.c) in Ming <= 0.4.8, which allows attackers to cause a
denial of service via a crafted SWF file.

For Debian 7 "Wheezy", these problems have been fixed in version
1:0.4.4-1.1+deb7u6.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1305-1] ming security update

2018-03-11 Thread Hugo Lefeuvre

Package: ming
Version: 0.4.4-1.1+deb7u7
CVE ID : CVE-2018-5251 CVE-2018-5294 CVE-2018-6315 CVE-2018-6359

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-5251

Integer signedness error vulnerability (left shift of a negative value) in
the readSBits function (util/read.c). Remote attackers can leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-5294

Integer overflow vulnerability (caused by an out-of-range left shift) in
the readUInt32 function (util/read.c). Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted swf file. 

CVE-2018-6315

Integer overflow and resultant out-of-bounds read in the
outputSWF_TEXT_RECORD function (util/outputscript.c). Remote attackers
could leverage this vulnerability to cause a denial of service or
unspecified other impact via a crafted SWF file.

CVE-2018-6359

Use-after-free vulnerability in the decompileIF function
(util/decompile.c). Remote attackers could leverage this vulnerability to
cause a denial of service or unspecified other impact via a crafted SWF
file.

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u7.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1343-1] ming security update

2018-04-09 Thread Hugo Lefeuvre

Package: ming
Version: 0.4.4-1.1+deb7u8
CVE ID : CVE-2018-6358 CVE-2018-7867 CVE-2018-7868 CVE-2018-7870 
 CVE-2018-7871 CVE-2018-7872 CVE-2018-7875 CVE-2018-9165

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-6358

Heap-based buffer overflow vulnerability in the printDefineFont2 function
(util/listfdb.c). Remote attackers might leverage this vulnerability to
cause a denial of service via a crafted swf file.

CVE-2018-7867

Heap-based buffer overflow vulnerability in the getString function
(util/decompile.c) during a RegisterNumber sprintf. Remote attackers might
leverage this vulnerability to cause a denial of service via a crafted swf
file.

CVE-2018-7868

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7870

Invalid memory address dereference in the getString function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7871

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7872

Invalid memory address dereference in the getName function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7875

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-9165

The pushdup function (util/decompile.c) performs a shallow copy of String
elements (instead of a deep copy), allowing simultaneous change of multiple
elements of the stack, which indirectly makes the library vulnerable to a
NULL pointer dereference in getName (util/decompile.c). Remote attackers
might leverage this vulnerability to cause a DoS via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u8.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1347-1] tiff3 security update

2018-04-15 Thread Hugo Lefeuvre

Package: tiff3
Version: 3.9.6-11+deb7u10
CVE ID : CVE-2018-7456
Debian Bug : 891288 

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory
function (tif_print.c) when using the tiffinfo tool to print crafted
TIFF information. This vulnerability could be leveraged by remote
attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u10.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1346-1] tiff security update

2018-04-15 Thread Hugo Lefeuvre

Package: tiff
Version: 4.0.2-6+deb7u19
CVE ID : CVE-2018-7456
Debian Bug : 891288 

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory
function (tif_print.c) when using the tiffinfo tool to print crafted
TIFF information. This vulnerability could be leveraged by remote
attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u19.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1554-2] 389-ds-base regression update

2018-10-25 Thread Hugo Lefeuvre

Package: 389-ds-base
Version: 1.3.3.5-4+deb8u5

A regression was found in the recent security update for 389-ds-base
(the 389 Directory Server), announced as DLA-1554-2, caused by an
incomplete fix for CVE-2018-14648. The regression caused the server
to crash when processing requests with empty attributes.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u5.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1554-1] 389-ds-base security update

2018-10-25 Thread Hugo Lefeuvre

Package: 389-ds-base
Version: 1.3.3.5-4+deb8u4
CVE ID : CVE-2018-14648

It was discovered that 389-ds-base (the 389 Directory Server) is vulnerable
to search queries with malformed values in the do_search() function
(servers/slapd/search.c). Attackers could leverage this vulnerability by
sending crafted queries in a loop to cause DoS.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u4.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1526-1] 389-ds-base security update

2018-09-29 Thread Hugo Lefeuvre

Package: 389-ds-base
Version: 1.3.3.5-4+deb8u3
CVE ID : CVE-2018-14624

It was discovered that the emergency logging system in 389-ds-base (the
389 Directory Server) is affected by a race condition caused by the
invalidation of the concurrently used log file file descriptor without
proper locking. This issue might be triggered by remote attackers to
cause DoS (crash) and any other undefined behavior.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u3.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1610-1] sleuthkit security update

2018-12-17 Thread Hugo Lefeuvre

Package: sleuthkit
Version: 4.1.3-4+deb8u1
CVE ID : CVE-2018-19497
Debian Bug : 914796

It was discovered that the Sleuth Kit (TSK) through version 4.6.4 is
affected by a buffer over-read vulnerability. The tsk_getu16 call in
hfs_dir_open_meta_cb (tsk/fs/hfs_dent.c) does not properly check
boundaries. This vulnerability might be leveraged by remote attackers
using crafted filesystem images to cause denial of service or any other
unspecified behavior.

For Debian 8 "Jessie", this problem has been fixed in version
4.1.3-4+deb8u1.

We recommend that you upgrade your sleuthkit packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1614-1] openjpeg2 security update

2018-12-22 Thread Hugo Lefeuvre

Package: openjpeg2
Version: 2.1.0-2+deb8u6
CVE ID : CVE-2018-6616 CVE-2018-14423
Debian Bug : 904873, 889683

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec.

CVE-2018-6616

Excessive iteration in the opj_t1_encode_cblks function (openjp2/t1.c).
Remote attackers could leverage this vulnerability to cause a denial
of service via a crafted bmp file.

CVE-2018-14423

Division-by-zero vulnerabilities in the functions pi_next_pcrl,
pi_next_cprl, and pi_next_rpcl (lib/openjp3d/pi.c). Remote attackers
could leverage this vulnerability to cause a denial of service
(application crash).

For Debian 8 "Jessie", these problems have been fixed in version
2.1.0-2+deb8u6.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1618-1] libsndfile security update

2018-12-26 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libsndfile
Version: 1.0.25-9.1+deb8u2
CVE ID : CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365 
 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 
 CVE-2017-17457 CVE-2018-13139 CVE-2018-19432 CVE-2018-19661 
 CVE-2018-19662

Multiple vulnerabilities have been found in libsndfile, the library for
reading and writing files containing sampled sound.

CVE-2017-8361

The flac_buffer_copy function (flac.c) is affected by a buffer
overflow. This vulnerability might be leveraged by remote attackers to
cause a denial of service, or possibly have unspecified other impact
via a crafted audio file.

CVE-2017-8362

The flac_buffer_copy function (flac.c) is affected by an out-of-bounds
read vulnerability. This flaw might be leveraged by remote attackers to
cause a denial of service via a crafted audio file.

CVE-2017-8363

The flac_buffer_copy function (flac.c) is affected by a heap based OOB
read vulnerability. This flaw might be leveraged by remote attackers to
cause a denial of service via a crafted audio file.

CVE-2017-8365

The i2les_array function (pcm.c) is affected by a global buffer
overflow. This vulnerability might be leveraged by remote attackers to
cause a denial of service, or possibly have unspecified other impact
via a crafted audio file.

CVE-2017-14245
CVE-2017-14246
CVE-2017-17456
CVE-2017-17457

The d2alaw_array() and d2ulaw_array() functions (src/ulaw.c and
src/alaw.c) are affected by an out-of-bounds read vulnerability. This
flaw might be leveraged by remote attackers to cause denial of service
or information disclosure via a crafted audio file.

CVE-2017-14634

The double64_init() function (double64.c) is affected by a
divide-by-zero error. This vulnerability might be leveraged by remote
attackers to cause denial of service via a crafted audio file.

CVE-2018-13139

The psf_memset function (common.c) is affected by a stack-based buffer
overflow. This vulnerability might be leveraged by remote attackers to
cause a denial of service, or possibly have unspecified other impact
via a crafted audio file. The vulnerability can be triggered by the
executable sndfile-deinterleave.

CVE-2018-19432

The sf_write_int function (src/sndfile.c) is affected by an
out-of-bounds read vulnerability. This flaw might be leveraged by
remote attackers to cause a denial of service via a crafted audio file.

CVE-2018-19661
CVE-2018-19662

The i2alaw_array() and i2ulaw_array() functions (src/ulaw.c and
src/alaw.c) are affected by an out-of-bounds read vulnerability. This
flaw might be leveraged by remote attackers to cause denial of service
or information disclosure via a crafted audio file.

For Debian 8 "Jessie", these problems have been fixed in version
1.0.25-9.1+deb8u2.

We recommend that you upgrade your libsndfile packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1619-1] graphicsmagick security update

2018-12-27 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: graphicsmagick
Version: 1.3.20-3+deb8u5
CVE ID : CVE-2018-20184 CVE-2018-20185 CVE-2018-20189
Debian Bug : 916752 916719 916721

Multiple vulnerabilities have been found in GraphicsMagick, the image
processing system.

CVE-2018-20184

The WriteTGAImage function (tga.c) is affected by a heap-based buffer
overflow. Remote attackers might leverage this vulnerability to cause
a denial of service via a crafted image file.

CVE-2018-20185

The ReadBMPImage function (bmp.c) is affected by a heap-based buffer
over-read. Remote attackers might leverage this vulnerability to cause
a denial of service via a crafted image file.

CVE-2018-20189

The ReadDIBImage function (coders/dib.c) is affected by an assertion
error. Remote attackers might leverage this vulnerability to cause
a denial of service via a crafted image file.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.20-3+deb8u5.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1582-1] liblivemedia security update

2018-11-20 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: liblivemedia
Version: 2014.01.13-1+deb8u1
CVE ID : CVE-2018-4013

A stack based buffer overflow vulnerability was found in liblivemedia, the
LIVE555 RTSP server library. This issue might be leveraged by remote
attackers to cause code execution, by sending a crafted packet.

For Debian 8 "Jessie", this problem has been fixed in version
2014.01.13-1+deb8u1.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1579-1] openjpeg2 security update

2018-11-20 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: openjpeg2
Version: 2.1.0-2+deb8u5
CVE ID : CVE-2017-17480 CVE-2018-18088

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec.

CVE-2017-17480

  Write stack buffer overflow due to missing buffer length formatter in
  fscanf call (jp3d and jpwl codecs). This vulnerability might be
  leveraged by remote attackers using crafted jp3d and jpwl files to
  cause denial of service or possibly remote code execution.

CVE-2018-18088

  Null pointer dereference caused by null image components in imagetopnm.
  This vulnerability might be leveraged by remote attackers using crafted
  BMP files to cause denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
2.1.0-2+deb8u5.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
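The CVE-2017-17480 entry in the advisory above names an fscanf call with no buffer length in its format. The C sketch below is an added illustration of that bug class beside a bounded form; it is not openjpeg2 code, and the function names, the 63-character limit and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 63            /* constructed limit: 63 chars + NUL */
#define STR2(x) #x
#define STR(x) STR2(x)

/* UNSAFE pattern, shown for contrast and never called here: "%s" carries
 * no field width, so a token longer than the buffer is written past it. */
int read_name_unbounded(FILE *fp, char name[NAME_MAX_LEN + 1])
{
    return fscanf(fp, "%s", name) == 1 ? 0 : -1;
}

/* Bounded form: the width in "%63s" caps the bytes stored (the NUL is
 * extra, hence the +1 in the buffer). The next character is then peeked
 * so an over-long token is reported instead of being silently split. */
int read_name_bounded(FILE *fp, char name[NAME_MAX_LEN + 1], int *truncated)
{
    int c;

    if (fscanf(fp, "%" STR(NAME_MAX_LEN) "s", name) != 1)
        return -1;                          /* no token at all */
    c = fgetc(fp);
    *truncated = (c != EOF && c != ' ' && c != '\t' &&
                  c != '\n' && c != '\r');
    if (c != EOF)
        ungetc(c, fp);
    return 0;
}

/* Helper for the demo: feeds a byte string through a temporary stream.
 * Returns 0 on success, -1 if no token, -2 if the token exceeded the
 * limit (input rejected), -3 if the temporary stream could not be used. */
int parse_name(const char *data, size_t len, char name[NAME_MAX_LEN + 1])
{
    FILE *fp = tmpfile();
    int rc, truncated = 0;

    if (fp == NULL)
        return -3;
    if (fwrite(data, 1, len, fp) != len) {
        fclose(fp);
        return -3;
    }
    rewind(fp);
    rc = read_name_bounded(fp, name, &truncated);
    fclose(fp);
    if (rc != 0)
        return -1;
    return truncated ? -2 : 0;
}

int main(void)
{
    char name[NAME_MAX_LEN + 1];
    char oversized[201];                    /* constructed hostile token */
    const char *ok = "image_01.bin 12";     /* constructed benign input */

    memset(oversized, 'A', 200);
    oversized[200] = '\0';
    printf("benign:    rc=%d name=%s\n", parse_name(ok, strlen(ok), name), name);
    printf("oversized: rc=%d stored=%zu bytes\n",
           parse_name(oversized, 200, name), strlen(name));
    return 0;
}
```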



[SECURITY] [DLA 1632-1] libsndfile security update

2019-01-10 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libsndfile
Version: 1.0.25-9.1+deb8u3
CVE ID : CVE-2018-19758
Debian Bug : 917416

A heap-buffer-overflow vulnerability was discovered in libsndfile, the
library for reading and writing files containing sampled sound. This flaw
might be triggered by remote attackers to cause denial of service (out of
bounds read and application crash). 

For Debian 8 "Jessie", this problem has been fixed in version
1.0.25-9.1+deb8u3.

We recommend that you upgrade your libsndfile packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1640-1] tmpreaper security update

2019-01-24 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: tmpreaper
Version: 1.6.13+nmu1+deb8u1
CVE ID : CVE-2019-3461
Debian Bug : 918956

It was discovered that tmpreaper, a program that cleans up files in
directories based on their age, is vulnerable to a race condition. This
vulnerability might be exploited by local attackers to perform privilege
escalation.

For Debian 8 "Jessie", this problem has been fixed in version
1.6.13+nmu1+deb8u1.

We recommend that you upgrade your tmpreaper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1690-1] liblivemedia security update

2019-02-26 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: liblivemedia
Version: 2014.01.13-1+deb8u2
CVE ID : CVE-2019-6256 CVE-2019-7314
Debian Bug : 919529

Multiple vulnerabilities have been discovered in liblivemedia, the
LIVE555 RTSP server library:

CVE-2019-6256

liblivemedia servers with RTSP-over-HTTP tunneling enabled are
vulnerable to an invalid function pointer dereference. This issue
might happen during error handling when processing two GET and
POST requests being sent with identical x-sessioncookie within
the same TCP session and might be leveraged by remote attackers
to cause DoS.

CVE-2019-7314

liblivemedia servers with RTSP-over-HTTP tunneling enabled are
affected by a use-after-free vulnerability. This vulnerability
might be triggered by remote attackers to cause DoS (server crash)
or possibly unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version
2014.01.13-1+deb8u2.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1695-1] sox security update

2019-02-28 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: sox
Version: 14.4.1-5+deb8u2
CVE ID : CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189
Debian Bug : 878808, 878810, 882144, 881121

Multiple vulnerabilities have been discovered in SoX (Sound eXchange),
a sound processing program:

CVE-2017-15370

The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer
overflow. This vulnerability might be leveraged by remote attackers
using a crafted WAV file to cause denial of service (application crash).

CVE-2017-15372

The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a
stack based buffer overflow. This vulnerability might be leveraged by
remote attackers using a crafted audio file to cause denial of service
(application crash).

CVE-2017-15642

The lsx_aiffstartread function (aiff.c) is affected by a use-after-free
vulnerability. This flaw might be leveraged by remote attackers using a
crafted AIFF file to cause denial of service (application crash).

CVE-2017-18189

The startread function (xa.c) is affected by a null pointer dereference
vulnerability. This flaw might be leveraged by remote attackers using a
crafted Maxis XA audio file to cause denial of service (application
crash).

For Debian 8 "Jessie", these problems have been fixed in version
14.4.1-5+deb8u2.

We recommend that you upgrade your sox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1705-1] sox security update

2019-03-05 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: sox
Version: 14.4.1-5+deb8u3
CVE ID : CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15371
Debian Bug : 878809 870328

Multiple vulnerabilities have been discovered in SoX (Sound eXchange),
a sound processing program:

CVE-2017-11332

The startread function (wav.c) is affected by a divide-by-zero
vulnerability when processing a WAV file with zero channel count. This
flaw might be leveraged by remote attackers using a crafted WAV file
to perform denial of service (application crash).

CVE-2017-11358

The read_samples function (hcom.c) is affected by an invalid memory read
vulnerability when processing HCOM files with invalid dictionaries. This
flaw might be leveraged by remote attackers using a crafted HCOM file to
perform denial of service (application crash).

CVE-2017-11359

The wavwritehdr function (wav.c) is affected by a divide-by-zero
vulnerability when processing WAV files with invalid channel count over
16 bits. This flaw might be leveraged by remote attackers using a crafted
WAV file to perform denial of service (application crash).

CVE-2017-15371

The sox_append_comment() function (formats.c) is vulnerable to a reachable
assertion when processing FLAC files with metadata declaring more comments
than provided. This flaw might be leveraged by remote attackers using
crafted FLAC data to perform denial of service (application crash).

For Debian 8 "Jessie", these problems have been fixed in version
14.4.1-5+deb8u3.

We recommend that you upgrade your sox packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
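CVE-2017-11332 and CVE-2017-11359 in the advisory above both concern a WAV channel count that ends up as a zero divisor. The C sketch below is an added illustration, not SoX code: it validates a canonical 44-byte PCM header before any division, and the write-side check rests on the assumption that a count above 16 bits becomes dangerous by being narrowed into the 16-bit header field. All names and sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum wav_status {
    WAV_OK = 0, WAV_TRUNCATED, WAV_BAD_MAGIC,
    WAV_ZERO_CHANNELS, WAV_BAD_SAMPLE_SIZE, WAV_BAD_BLOCK_ALIGN
};

struct wav_info {
    uint16_t channels, block_align, bits_per_sample;
    uint32_t sample_rate, data_bytes;
    uint32_t frames;                       /* samples per channel */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}
static void put32(uint8_t *p, uint32_t v)
{
    put16(p, (uint16_t)(v & 0xffff));
    put16(p + 2, (uint16_t)(v >> 16));
}

/* Builds a constructed 44-byte header so the demo needs no file on disk. */
void wav_make_header(uint8_t h[44], uint16_t channels, uint32_t rate,
                     uint16_t bits, uint32_t data_bytes)
{
    uint32_t align = (uint32_t)channels * (bits / 8u);

    memcpy(h, "RIFF", 4);          put32(h + 4, 36u + data_bytes);
    memcpy(h + 8, "WAVEfmt ", 8);  put32(h + 16, 16);
    put16(h + 20, 1);              /* format tag: PCM */
    put16(h + 22, channels);
    put32(h + 24, rate);
    put32(h + 28, rate * align);   /* byte rate */
    put16(h + 32, (uint16_t)align);
    put16(h + 34, bits);
    memcpy(h + 36, "data", 4);     put32(h + 40, data_bytes);
}

/* Read side: every field that later acts as a divisor is checked first. */
enum wav_status wav_parse_header(const uint8_t *buf, size_t len,
                                 struct wav_info *out)
{
    uint32_t expected_align;

    if (len < 44)
        return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVEfmt ", 8) ||
        memcmp(buf + 36, "data", 4))
        return WAV_BAD_MAGIC;

    out->channels        = le16(buf + 22);
    out->sample_rate     = le32(buf + 24);
    out->block_align     = le16(buf + 32);
    out->bits_per_sample = le16(buf + 34);
    out->data_bytes      = le32(buf + 40);

    if (out->channels == 0)
        return WAV_ZERO_CHANNELS;          /* would divide by zero below */
    if (out->bits_per_sample == 0 || out->bits_per_sample % 8 != 0)
        return WAV_BAD_SAMPLE_SIZE;
    expected_align = (uint32_t)out->channels * (out->bits_per_sample / 8u);
    if (expected_align != out->block_align)
        return WAV_BAD_BLOCK_ALIGN;

    /* block_align >= 1 is guaranteed by the checks above. */
    out->frames = out->data_bytes / out->block_align;
    return WAV_OK;
}

/* Write side: reject a count that does not fit the 16-bit field before it
 * is narrowed; (uint16_t)65536 is 0, which recreates the zero divisor. */
int wav_channels_fit_header(unsigned long channels)
{
    return channels >= 1 && channels <= 0xFFFFul;
}

int main(void)
{
    uint8_t h[44];
    struct wav_info wi;

    wav_make_header(h, 2, 44100, 16, 4000);
    printf("stereo header: status=%d\n", wav_parse_header(h, sizeof h, &wi));
    wav_make_header(h, 0, 44100, 16, 4000);
    printf("zero channels: status=%d\n", wav_parse_header(h, sizeof h, &wi));
    printf("65536 channels writable: %d\n", wav_channels_fit_header(65536ul));
    return 0;
}
```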



[SECURITY] [DLA 1694-1] qemu security update

2019-02-28 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: qemu
Version: 1:2.1+dfsg-12+deb8u10
CVE ID : CVE-2018-12617 CVE-2018-16872 CVE-2019-6778
Debian Bug : 916397, 902725, 921525

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-12617

The qmp_guest_file_read function (qga/commands-posix.c) is affected
by an integer overflow and subsequent memory allocation failure. This
weakness might be leveraged by remote attackers to cause denial of
service (application crash).

CVE-2018-16872

The usb_mtp_get_object, usb_mtp_get_partial_object and
usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a
symlink attack. Remote attackers might leverage this vulnerability to
perform information disclosure.

CVE-2019-6778

The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer
overflow caused by insufficient validation of available space in the
sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to
cause denial of service, or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u10.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1720-1] liblivemedia security update

2019-03-18 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: liblivemedia
Version: 2014.01.13-1+deb8u3
CVE ID : CVE-2019-9215
Debian Bug : 924655

It was discovered that liblivemedia, the LIVE555 RTSP server library,
is vulnerable to an invalid memory access when processing the
Authorization header field. Remote attackers could leverage this
vulnerability to possibly trigger code execution or denial of service
(OOB access and application crash) via a crafted HTTP header.

For Debian 8 "Jessie", this problem has been fixed in version
2014.01.13-1+deb8u3.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1646-1] qemu security update

2019-01-29 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: qemu
Version: 1:2.1+dfsg-12+deb8u9
CVE ID : CVE-2018-17958 CVE-2018-19364 CVE-2018-19489

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-17958

The rtl8139 emulator is affected by an integer overflow and subsequent
buffer overflow. This vulnerability might be triggered by remote
attackers with crafted packets to perform denial of service (via OOB
stack buffer access).

CVE-2018-19364

The 9pfs subsystem is affected by a race condition allowing threads to
modify an fid path while it is being accessed by another thread,
leading to (for example) a use-after-free outcome. This vulnerability
might be triggered by local attackers to perform denial of service.

CVE-2018-19489

The 9pfs subsystem is affected by a race condition during file
renaming. This vulnerability might be triggered by local attackers to
perform denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u9.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1802-1] wireshark security update

2019-05-24 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u19
CVE ID : CVE-2019-10894 CVE-2019-10895 CVE-2019-10899 CVE-2019-10901 
 CVE-2019-10903
Debian Bug : 926718

Several vulnerabilities have been found in wireshark, a network traffic 
analyzer.

CVE-2019-10894

Assertion failure in dissect_gssapi_work (packet-gssapi.c) leading to
crash of the GSS-API dissector. Remote attackers might leverage this
vulnerability to trigger DoS via a packet containing crafted GSS-API
payload.

CVE-2019-10895

Insufficient data validation leading to a large number of heap buffer
overflows read and write in the NetScaler trace handling module
(netscaler.c). Remote attackers might leverage these vulnerabilities to
trigger DoS, or any other unspecified impact via crafted packets.

CVE-2019-10899

Heap-based buffer under-read vulnerability in the Service Location
Protocol dissector. Remote attackers might leverage these
vulnerabilities to trigger DoS, or any other unspecified impact via
crafted SRVLOC packets.

CVE-2019-10901

NULL pointer dereference in the Local Download Sharing Service
protocol dissector. Remote attackers might leverage these flaws to
trigger DoS via crafted LDSS packets.

CVE-2019-10903

Missing boundary checks leading to heap out-of-bounds read
vulnerability in the Microsoft Spool Subsystem protocol dissector.
Remote attackers might leverage these vulnerabilities to trigger DoS,
or any other unspecified impact via crafted SPOOLSS packets.

For Debian 8 "Jessie", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u19.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1791-1] faad2 security update

2019-05-19 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: faad2
Version: 2.7-8+deb8u2
CVE ID : CVE-2018-20194 CVE-2018-20197 CVE-2018-20198 CVE-2018-20362

Multiple vulnerabilities have been found in faad2, the Freeware Advanced Audio
Coder:

CVE-2018-20194
CVE-2018-20197

Improper handling of implicit channel mapping reconfiguration leads to
multiple heap based buffer overflow issues. These flaws might be leveraged
by remote attackers to cause DoS.

CVE-2018-20198
CVE-2018-20362

Insufficient user input validation in the sbr_hfadj module leads to
stack-based buffer underflow issues. These flaws might be leveraged by
remote attackers to cause DoS or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
2.7-8+deb8u2.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1795-1] graphicsmagick security update

2019-05-20 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: graphicsmagick
Version: 1.3.20-3+deb8u7
CVE ID : CVE-2019-11473 CVE-2019-11474 CVE-2019-11505 CVE-2019-11506

Multiple vulnerabilities have been discovered in graphicsmagick, the image
processing toolkit:

CVE-2019-11473

The WriteMATLABImage function (coders/mat.c) is affected by a heap-based
buffer overflow. Remote attackers might leverage this vulnerability to
cause denial of service or any other unspecified impact via crafted Matlab
matrices.

CVE-2019-11474

The WritePDBImage function (coders/pdb.c) is affected by a heap-based
buffer overflow. Remote attackers might leverage this vulnerability to
cause denial of service or any other unspecified impact via a crafted Palm
Database file.

CVE-2019-11505
CVE-2019-11506

The XWD module (coders/xwd.c) is affected by multiple heap-based
buffer overflows and arithmetic exceptions. Remote attackers might leverage
these various flaws to cause denial of service or any other unspecified
impact via crafted XWD files.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.20-3+deb8u7.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1888-1] imagemagick security update

2019-08-16 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: imagemagick
Version: 8:6.8.9.9-5+deb8u17
CVE ID : CVE-2019-12974 CVE-2019-13135 CVE-2019-13295 CVE-2019-13297 
 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306

Multiple vulnerabilities have been found in imagemagick, an image processing
toolkit.

CVE-2019-12974

NULL pointer dereference in ReadPANGOImage and ReadVIDImage (coders/pango.c
and coders/vid.c). This vulnerability might be leveraged by remote attackers
to cause denial of service via crafted image data.

CVE-2019-13135

Multiple uses of uninitialized values in ReadCUTImage, UnpackWPG2Raster and
UnpackWPGRaster (coders/wpg.c and coders/cut.c). These vulnerabilities might
be leveraged by remote attackers to cause denial of service or unauthorized
disclosure or modification of information via crafted image data.

CVE-2019-13295, CVE-2019-13297

Multiple heap buffer over-reads in AdaptiveThresholdImage
(magick/threshold.c). These vulnerabilities might be leveraged by remote
attackers to cause denial of service or unauthorized disclosure or
modification of information via crafted image data.

CVE-2019-13304, CVE-2019-13305, CVE-2019-13306

Multiple stack buffer overflows in WritePNMImage (coders/pnm.c), leading to
stack buffer overwrite of up to ten bytes. Remote attackers might leverage
these flaws to potentially perform code execution or denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
8:6.8.9.9-5+deb8u17.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 1899-1] faad2 security update

2019-08-28 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: faad2
Version: 2.7-8+deb8u3
CVE ID : CVE-2018-19502 CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 
 CVE-2019-6956 CVE-2019-15296
Debian Bug : 914641

Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced
Audio Coder:

CVE-2018-19502

Heap buffer overflow in the function excluded_channels (libfaad/syntax.c).
This vulnerability might allow remote attackers to cause denial of service
via crafted MPEG AAC data.

CVE-2018-20196

Stack buffer overflow in the function calculate_gain (libfaad/br_hfadj.c).
This vulnerability might allow remote attackers to cause denial of service
or any unspecified impact via crafted MPEG AAC data.

CVE-2018-20199
CVE-2018-20360

NULL pointer dereference in the function ifilter_bank (libfaad/filtbank.c).
This vulnerability might allow remote attackers to cause denial of service
via crafted MPEG AAC data.

CVE-2019-6956

Global buffer overflow in the function ps_mix_phase (libfaad/ps_dec.c).
This vulnerability might allow remote attackers to cause denial of service
or any other unspecified impact via crafted MPEG AAC data.

CVE-2019-15296

Buffer overflow in the function faad_resetbits (libfaad/bits.c). This
vulnerability might allow remote attackers to cause denial of service via
crafted MPEG AAC data.

For Debian 8 "Jessie", these problems have been fixed in version
2.7-8+deb8u3.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 1861-1] libsdl2-image security update

2019-07-22 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libsdl2-image
Version: 2.0.0+dfsg-3+deb8u2
CVE ID : CVE-2018-3977 CVE-2019-5052 CVE-2019-7635 CVE-2019-12216 
 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 
 CVE-2019-12221 CVE-2019-1
Debian Bug : 932754, 932755


The following issues have been found in libsdl2-image, the image file loading
library.

CVE-2018-3977

Heap buffer overflow in IMG_xcf.c. This vulnerability might be leveraged by
remote attackers to cause remote code execution or denial of service via a
crafted XCF file.

CVE-2019-5052

Integer overflow and subsequent buffer overflow in IMG_pcx.c. This
vulnerability might be leveraged by remote attackers to cause remote code
execution or denial of service via a crafted PCX file.

CVE-2019-7635

Heap buffer overflow affecting Blit1to4, in IMG_bmp.c. This vulnerability
might be leveraged by remote attackers to cause denial of service or any
other unspecified impact via a crafted BMP file.

CVE-2019-12216,
CVE-2019-12217,
CVE-2019-12218,
CVE-2019-12219,
CVE-2019-12220,
CVE-2019-12221,
CVE-2019-1

Multiple out-of-bounds read and write accesses affecting IMG_LoadPCX_RW, in
IMG_pcx.c. These vulnerabilities might be leveraged by remote attackers to
cause denial of service or any other unspecified impact via a crafted PCX
file.

For Debian 8 "Jessie", these problems have been fixed in version
2.0.0+dfsg-3+deb8u2.

We recommend that you upgrade your libsdl2-image packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2000-1] pam-python security update

2019-11-23 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: pam-python
Version: 1.0.4-1.1+deb8u1
CVE ID : CVE-2019-16729
Debian Bug : 942514

It was discovered that pam-python, a PAM Module that runs the Python
interpreter, has an issue in regard to the default environment variable
handling of Python. This issue could allow for local root escalation in certain
PAM setups.

For Debian 8 "Jessie", this problem has been fixed in version
1.0.4-1.1+deb8u1.

We recommend that you upgrade your pam-python packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2031-1] freeimage security update

2019-12-10 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: freeimage
Version: 3.15.4-4.2+deb8u2
CVE ID : CVE-2019-12211 CVE-2019-12213
Debian Bug : 929597

It was found that freeimage, a graphics library, was affected by the following
two security issues:

CVE-2019-12211

Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw
might be leveraged by remote attackers to trigger denial of service or any
other unspecified impact via crafted TIFF data.

CVE-2019-12213

Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw
might be leveraged by remote attackers to trigger denial of service via
crafted TIFF data.

For Debian 8 "Jessie", these problems have been fixed in version
3.15.4-4.2+deb8u2.

We recommend that you upgrade your freeimage packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 1968-1] imagemagick security update

2019-10-21 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: imagemagick
Version: 8:6.8.9.9-5+deb8u18
CVE ID : CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140

Multiple vulnerabilities have been found in imagemagick, an image processing
toolkit.

CVE-2019-11470

Uncontrolled resource consumption caused by insufficiently sanitized image
size in ReadCINImage (coders/cin.c). This vulnerability might be leveraged
by remote attackers to cause denial of service via a crafted Cineon image.

CVE-2019-14981

Divide-by-zero vulnerability in MeanShiftImage (magick/feature.c). This
vulnerability might be leveraged by remote attackers to cause denial of
service via crafted image data.

CVE-2019-15139

Out-of-bounds read in ReadXWDImage (coders/xwd.c). This vulnerability might
be leveraged by remote attackers to cause denial of service via a crafted
XWD (X Window System window dumping file) image file.

CVE-2019-15140

Bound checking issue in ReadMATImage (coders/mat.c), potentially leading to
use-after-free. This vulnerability might be leveraged by remote attackers to
cause denial of service or any other unspecified impact via a crafted MAT
image file.

For Debian 8 "Jessie", these problems have been fixed in version
8:6.8.9.9-5+deb8u18.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 1713-2] libsdl1.2 regression update

2019-10-17 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libsdl1.2
Version: 1.2.15-10+deb8u2
CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638

The update of libsdl1.2 released as DLA 1713-1 led to a regression, caused
by an incomplete fix for CVE-2019-7637. This issue was known upstream and
resulted, among others, in windows versions from libsdl1.2 failing to set
video mode.

For Debian 8 "Jessie", this problem has been fixed in version
1.2.15-10+deb8u2.

We recommend that you upgrade your libsdl1.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 1714-2] libsdl2 regression update

2019-10-17 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libsdl2
Version: 2.0.2+dfsg1-6+deb8u2
CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638

The update of libsdl2 released as DLA 1714-1 led to several regressions, as
reported by Avital Ostromich.  These regressions are caused by libsdl1.2
patches for CVE-2019-7637, CVE-2019-7635, CVE-2019-7638 and CVE-2019-7636 being
applied to libsdl2 without adaptations.

For Debian 8 "Jessie", this problem has been fixed in version
2.0.2+dfsg1-6+deb8u2.

We recommend that you upgrade your libsdl2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1950-1] openjpeg2 security update

2019-10-08 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: openjpeg2
Version: 2.1.0-2+deb8u8
CVE ID : CVE-2018-21010
Debian Bug : 939553

A heap buffer overflow vulnerability was discovered in openjpeg2, the
open-source JPEG 2000 codec. This vulnerability is caused by insufficient
validation of width and height of image components in color_apply_icc_profile
(src/bin/common/color.c).  Remote attackers might leverage this vulnerability
via a crafted JP2 file, leading to denial of service (application crash) or any
other undefined behavior.

For Debian 8 "Jessie", this problem has been fixed in version
2.1.0-2+deb8u8.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 1953-2] clamav regression update

2019-10-14 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: clamav
Version: 0.101.4+dfsg-0+deb8u2
CVE ID : CVE-2019-12625 CVE-2019-12900
Debian Bug : 942172

The update of clamav released as DLA 1953-1 led to permission issues on
/var/run/clamav. This caused several users to experience issues restarting the
clamav daemon. This regression is caused by a mistakenly backported patch from
the stretch package, upon which this update was based.

For Debian 8 "Jessie", this problem has been fixed in version
0.101.4+dfsg-0+deb8u2.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2100-1] libexif security update

2020-02-10 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libexif
Version: 0.6.21-2+deb8u1
CVE ID : CVE-2019-9278
Debian Bug : 945948

An out-of-bounds write vulnerability due to an integer overflow was reported in
libexif, a library to parse exif files. This flaw might be leveraged by remote
attackers to cause denial of service, or potentially execute arbitrary code via
crafted image files.

For Debian 8 "Jessie", this problem has been fixed in version
0.6.21-2+deb8u1.

We recommend that you upgrade your libexif packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2049-1] imagemagick security update

2019-12-29 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: imagemagick
Version: 8:6.8.9.9-5+deb8u19
CVE ID : CVE-2019-19948 CVE-2019-19949
Debian Bug : 947309 947308

Multiple vulnerabilities have been found in imagemagick, an image processing
toolkit.

CVE-2019-19948

Heap-buffer-overflow in WriteSGIImage (coders/sgi.c) caused by insufficient
validation of row and column sizes. This vulnerability might be leveraged by
remote attackers to cause denial of service or any other unspecified impact
via crafted image data.

CVE-2019-19949

Heap-based buffer over-read (off-by-one) in WritePNGImage (coders/png.c)
caused by missing length check prior to pointer dereference. This vulnerability
might be leveraged by remote attackers to cause denial of service via
crafted image data.

For Debian 8 "Jessie", these problems have been fixed in version
8:6.8.9.9-5+deb8u19.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
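
The advisories above each name a fixed version for Debian 8 "Jessie"; deciding whether a host is still exposed means comparing installed versions against those using Debian's ordering (epoch, then upstream, then revision), which a plain string comparison gets wrong. The following is an added example, not part of the advisories: the FIXED values are copied from them, while SAMPLE_INSTALLED is a constructed inventory assumed to be keyed by source package name.

```python
import re

DIGITS = "0123456789"
# Fixed versions for Debian 8 "Jessie", copied from the advisories above.
FIXED = {"faad2": "2.7-8+deb8u3", "libsdl1.2": "1.2.15-10+deb8u2",
         "imagemagick": "8:6.8.9.9-5+deb8u19",
         "clamav": "0.101.4+dfsg-0+deb8u2", "libexif": "0.6.21-2+deb8u1"}
# Constructed sample inventory (assumption: keyed by source package name).
SAMPLE_INSTALLED = {"faad2": "2.7-8+deb8u3", "libsdl1.2": "1.2.15-10+deb8u2",
                    "imagemagick": "8:6.8.9.9-5+deb8u18",
                    "clamav": "0.101.4+dfsg-0+deb8u1", "libexif": "0.6.21-2"}

def _order(ch):
    # dpkg ordering: '~' sorts before end-of-string, letters before other symbols.
    if ch == "~":
        return -1
    if ch == "" or ch in DIGITS:
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings: alternate non-digit and numeric runs."""
    while a or b:
        while (a and a[0] not in DIGITS) or (b and b[0] not in DIGITS):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return -1 if ac < bc else 1
            a, b = a[1:], b[1:]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]'; the revision follows the last hyphen."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(installed):
    """Source packages whose installed version is older than the advisory fix."""
    return sorted(p for p, v in installed.items()
                  if p in FIXED and compare_versions(v, FIXED[p]) < 0)

if __name__ == "__main__":
    print(needs_upgrade(SAMPLE_INSTALLED))
```

On a Debian host, `dpkg --compare-versions` remains the authoritative comparison.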