[SECURITY] [DLA 644-1] libav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libav
Version        : 6:0.8.18-0+deb7u1
CVE ID         : CVE-2015-1872 CVE-2015-5479 CVE-2016-7393

Multiple vulnerabilities have been found in libav:

CVE-2015-1872

    The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in Libav before 0.8.18 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data.

CVE-2015-5479

    The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before 11.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a file with crafted dimensions.

CVE-2016-7393

    The aac_sync function in libavcodec/aac_parser.c in Libav before 11.5 is vulnerable to a stack-based buffer overflow.

For Debian 7 "Wheezy", these problems have been fixed in version 6:0.8.18-0+deb7u1.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX9Cl1AAoJEKyQrD7FJAZeMuMQAKgY0GrUyy+sil9wrK/mNRkc
fyH4zSGezjVe3IlmDxT1/swPtfA9IxKR1Sc5JUuz2ZQCnuVWx3OzW20q4l1EMGBU
YgH1t/Ev+w1j8cL6uOJqaYmk09Ru3BKPZAnZOPAhmzTC7WLr1szauEzNucgFryoo
E76TVC6s3gRcVfzQRxcod9EjaOmNfP8E2C+2h5kLSh8omoiBdWkdJUKpKWVSarzN
ZCR8G+2pPIV/ydA6OOizDHuQVZ8IivGFgiVwaZ1a7OAyA8jJc6jU+RRHE6kH8m/3
RSrLPxNQzGkwI2gZv5AT9AcPIsr1nksHTifXl9pNuExG/a4cA3KdAfB3U4vdC7wO
4V9EvQsXoQz6HzpIhIjN33Qe3219iYC9YFGTnrjv+svqJgNCP3Yn+oNIYZHCrXSA
qpnDkUKE7R1Gs+jFEMPs7dMrVWWkJTb5W5z/lvlRYlEvbAl6JALRd2IZgic4fnwK
QG/y1MZOUoJywSF0/C1oopk62QR1Ppyxuk30c1HUhpHLc5zUWb22b7KuBju3wsP4
Fmy2SmOoMEb9NSNOTD+AjWJxvp1hw2Btav6Mekh446cnRfSazojYIeVw9gHRjk98
9L1dUblm0WFXaaxqthjh4TWVkB3Jx2rY0wuIEckXzrcZ8R4ED2M7qMSdeVmyFnlr
voYLfanTLMpTgAvU2Gfd
=Qf8O
-----END PGP SIGNATURE-----
[SECURITY] [DLA 652-1] qemu security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : qemu
Version        : 1.1.2+dfsg-6+deb7u16
CVE ID         : CVE-2016-7161 CVE-2016-7170 CVE-2016-7908

Multiple vulnerabilities have been found in QEMU:

CVE-2016-7161

    Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.

CVE-2016-7170

    The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) is vulnerable to an OOB memory access.

CVE-2016-7908

    The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.

For Debian 7 "Wheezy", these problems have been fixed in version 1.1.2+dfsg-6+deb7u16.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX/JmpAAoJEKyQrD7FJAZeseYP/iuCclAuXmQFEUq+dW9HM8yH
TUCc1Xo9XvIXe+3qpQY8w8bSQPBZOExfQqCFfZ/7ZbeOsCsjNFp1qw53ZkGkcL3M
Uj88y7rYtknsQXd40DA0Gxpnl5iRqKGai3opirLZ6ItvUTFh7YlfTPEv4CN4f1SO
CcGrODcrjN59T0oKWIu5Kh4g8b0p6SJew//9bCqF7Hu2ueRWPPGfu/aD89iDgh5M
IM3qcrRkHDL+Ai7PKDhl6HDfqToRTXNHTxkXNW5bHW/8sfzENySSVdQ8n88Iv6c3
oBWWTNRorFLY4hhqiO8JpZwdfPu+H0svug6N8HDATQ7tVbLoysfO6R8cm+EpqAe0
BRCUFM/mo2Dujt6RrWtPD1+etd9M2o6B1x4Gd/6yIJjzyhHz2wEbPCZNA3jjvJg3
lPNzGVfKWWELqi2bb3ln+sGw2el7x3zII/zkMsW5NgqA89MH7Ae/UaddwxtFOeN2
abbtaVhrpVn07tUzJDIjM1XkAvojo6iP7myl67V62hiHkeg51YanIMxdRO0TSZfN
QQiN9G5NsTOictDYrt3Ei/vinE/IaYcm2rL1NDHPJf43oABpWN1XUo2icrzYrRod
YTHqyxOfWFcgplvF/QyRA1HCXwbPrYOxHSLK+208y/2mg67ohtveRm+op5b0B5QP
gkJPMazN9ArzCn3TCZ05
=g90S
-----END PGP SIGNATURE-----
[SECURITY] [DLA 660-1] libxrandr security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libxrandr
Version        : 2:1.3.2-2+deb7u2
CVE ID         : CVE-2016-7947 CVE-2016-7948
Debian Bug     : 840441

Insufficient validation of data from the X server in libxrandr before v1.5.0 can cause out-of-bounds memory writes and integer overflows.

For Debian 7 "Wheezy", these problems have been fixed in version 2:1.3.2-2+deb7u2.

We recommend that you upgrade your libxrandr packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYBSUVAAoJEKyQrD7FJAZe4TwQAL2w4Pr7h1X6kLcbvCF/3rKr
56vXDIAGra4IQv2UqpC2jMcly7A7rlsBM+rOuxQ62HyQ6j0Vg7PGZRzFzJpzXkc6
a3dGoWnuEORgWK1TarolelaRGURX57RteK4Q1yw6eKO8aYNRMXHXMnyXf8GVTdXf
5vXYvlbFg+cGGW8/vHhqSckLmZhmEUjhuooGCVHKVw6bs4W9xpJDfp6n/lWL0oOC
Tinc/Pll2rZ2uVcud+x9XsXc4aemtr0Gen6oGm6i9OCsKkR3ztznRqnt0Jxt6BZ4
rSsp80QcG1eD73Jg46PV2Z9NFgZwQRtP8IAXeEekrJ/X39e87uG3M50pm4nmRBgY
YHjcSWqsRHa8mhnaMJVSm2F0PcvLP1r4AgnsWnZUhjbhf+BRxkzaY4JKWmrtd0l2
gcTUUmoQtBdjpg2H52Oirn/AqPOw9GAdAlt/qkH8lSgU26QHP2D9VIXHbonWmx9r
ZMxDcJZD4lTmZsK7SGJz34/PdIVMcZQd0Pt/t3DI1EYIza2Fz3xPlaxWhU9SesuW
3hDoyR5/pvY5q4pcPbnmODPqWV6UtdshBQh0aZH2P/4MG4JOxr+hJA2mIS7HJFgk
pFxySigoY0bSfdmfhs3V+xjePxdiIYzqTWVCsZ5GqA+g87hugH74E8pr906QLCQ1
QW09ghHqt0/bvcFWTi+2
=wVBC
-----END PGP SIGNATURE-----
[SECURITY] [DLA 780-1] libav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libav
Version        : 6:0.8.19-0+deb7u1
CVE ID         : CVE-2016-7424

Multiple vulnerabilities have been found in libav:

CVE-2016-7424

    The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file.

(No CVE assigned)

    The h264 codec is vulnerable to various crashes with invalid-free, corrupted double-linked list or out-of-bounds read.

For Debian 7 "Wheezy", these problems have been fixed in version 6:0.8.19-0+deb7u1.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErLe2fxl/mzIVM0McrJCsPsUkBl4FAlh3nPUACgkQrJCsPsUk
Bl4hRg/+NkD5YCrteRs5rNI/hSvBj1BSwX2Y1ehPPhiPpWyGbBRRYHfGrt7axRjV
EGDdxWOThPU50YgJiDxwXWVCu08jwpBRqVgvGb1uNbNtg4R1QvANa+GAHwzNXA3t
AVnREiPLucFllpAUOLmmJj5DDMU02caiI/fNDdS6XyCMMTFKp45rw4/imImO8POn
aMzTZRdcnui3HhzspWRawCeX4y3cz62fkUpexVKq+MgoBZkG/FXaNYBQFdQatlYh
whMLlmi0EzAB6Zi9jPjw/caMr6Eh2jMPpNJVJUd8s6rlatpuwykzXVPhD9y/vnbM
NEMUIejN73UEogvb7+qscSWrFynOm52C1/JJQPN2fpfEo+yHxU9APMR3DyvIC1rI
qf/X0AM7BHaOiyw4B/FObVnBAjyiBhC1aaoLQUhzDdzqSeCNncDASK4JoiKTunDP
9dZ/svul/kvDl30GTnrgAbjUKq6BldQQda3NCfrcreqhsCdRzwTO0wxpcEnW/LCx
vC6T3tJZ0DE90aeXsJjX7d/X8uMYD5/ivMxLARtReaxyNkF8n6Oc0oe65BT6XevT
TUcLSVr2+NccsfA2Ln9P668eDazmmD5ZEyvl4lpVUD+2ygC8UsUTHI4PGs9FamYc
wmyQwBQOVgJRDCsVNzI3QUZMyd3runXZH6dD99jC/nekdbSfjaU=
=4jor
-----END PGP SIGNATURE-----
[SECURITY] [DLA 765-1] qemu-kvm security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : qemu-kvm
Version        : 1.1.2+dfsg-6+deb7u19
CVE ID         : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922

Multiple vulnerabilities have been found in qemu-kvm:

CVE-2016-9911

    qemu-kvm built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVE-2016-9921, CVE-2016-9922

    qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.

For Debian 7 "Wheezy", these problems have been fixed in version 1.1.2+dfsg-6+deb7u19.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErLe2fxl/mzIVM0McrJCsPsUkBl4FAlhhH4gACgkQrJCsPsUk
Bl6t6RAA2edm+kEJKSH+4xanmkuZql8gG37jsUP1yFjkOu5q1RiJJW5wGAp/bU6o
PBXDnBrE4SAalrtsYdqj1nhoHa7q2km/kefWCW2on1fNxfcwVUVi6b33lahi0oaU
1swybQk1HUODenmoNKRCV6d9r1OJKHak/6TFXj9BmNqGQnq1w3FmcmAtfV3mFgwd
lkMfer4A/K42ANmXirp6txxUYWqT3s48tU2CRWtq7zWoHK6/6CWszfOXmFR66bdU
pMa3rZXhxOYzeikfQrh+WTobBFbCJWP63HBPmJlnXfGRdHbhdH62ucIjbV04kQdu
Vq8Bkl3JP2oZWyw8SjVa+wvPdSyuAWSHGi/W7u2T1JWmcUxLjqkzd5Il9BenviRl
BewVdtIbMVcTDZxaDueSc+owcVQY5sIJCCIviNDQXJpYU6iSNuLAhPka6XzLDIzJ
qIPBWOAgw0xQ2XJwMiyKUQXce17A0zEOHh/+5bDjdTPPPR4jmnLcpNcZNw6MH02L
LKqcg3p+pwgtgdNW5sb4kUzZ7jMOBgZR8ftbAmCKcsjS9RemISPuviNTLYzZkL1C
5VWyzZFQblVx99LsH6Udxhl6PykamqN3er/H/BqUeZy3PGsujcjpA3TZNuGuBdUd
wGgvi4HijmkUHbjcrjKcjvo8YWV/1cgyW5V3kkn9nZ+ljMd3bwc=
=Ri/R
-----END PGP SIGNATURE-----
[SECURITY] [DLA 764-1] qemu security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : qemu
Version        : 1.1.2+dfsg-6+deb7u19
CVE ID         : CVE-2016-9911 CVE-2016-9921 CVE-2016-9922

Multiple vulnerabilities have been found in QEMU:

CVE-2016-9911

    Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

CVE-2016-9921, CVE-2016-9922

    Quick Emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.

For Debian 7 "Wheezy", these problems have been fixed in version 1.1.2+dfsg-6+deb7u19.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErLe2fxl/mzIVM0McrJCsPsUkBl4FAlhhHqcACgkQrJCsPsUk
Bl4lYQ/+NU802RirLbLCt658JHIwlf/xtk4KHuO2a1oc5z562EKayKvO2bmnrHN9
1vCz5IoVTmnPyHtPA4dW4SZmDi+/DymPv4LTm0m9JJGRHWSdhxYfycEDI8CZX8Bn
7qK5zp0c+Zr4jrSw//weZlDSLRix+IJy3dXhIY+9Bg1lPwqV5SaARuubSGCJD78e
KIB7mgu9MnBppc80kyKQ0lY+RCTDDq13Ej+6xynvq4vMgZw3ebw8P6SHKQcszoIt
cwKwKRJNvx28XB9TEPh+m3jVS6L3ZmP+t6tG4xcM65Bf08Yew5MR8b3r4+IL/8O0
iEZz9mPUxwxo8dqzrWkFrfNn9FD0Dn4DiK2Vy4uKfhpvZ/dCFi1pcbSMtw+Kfw4N
qWjk3qbaAiZ7Au4/H3xu5O07YKnmQga0WTGG1jdxFrNjUFKcQfFcdGhmSCrowBBl
xncYDHNbv1wD4XKtMug/NoGz+hABGDHefWWOIWa0ltYOOuT8z4eubAFSiMtpQ6DM
lLAC2E+KgXm+9ZzguysTd74bfBhwPqcbxLtCBUMd5ziNTjDve4ryMhvmvThknRfu
KpKaruEMJlDZHak9Q4YfvJq8fKTQ3wXWKJRFrbCFxxirpT8sflUkhomdQqLN/bvI
Nmb3pGuB6tEV2E6FlUtLp/i9cbenIEJCIo+TEqXwJuNX3CGSRWA=
=4xlL
-----END PGP SIGNATURE-----
[SECURITY] [DLA 889-1] potrace security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : potrace
Version        : 1.10-1+deb7u2
CVE ID         : CVE-2016-8685
Debian Bug     : 843861

It was discovered that potrace, a utility to transform bitmaps into vector graphics, was affected by an integer overflow in the findnext function, allowing remote attackers to cause a denial of service (invalid memory access and crash) via a crafted BMP image.

For Debian 7 "Wheezy", these problems have been fixed in version 1.10-1+deb7u2.

We recommend that you upgrade your potrace packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErLe2fxl/mzIVM0McrJCsPsUkBl4FAljqkmgACgkQrJCsPsUk
Bl6PfhAAnGh4McwsPFzT8yjjQtvpDpjDi0HTOPihGH+T2/GhitKgHZ0oALPOeWpg
Fc2KOVe6UNFhJlC/OQDcJ0oBDBmXOZ8MLXrfdIj8XAK8oABHdWAgQbiOdjY5M0+l
qxBCBPaXdnyq5ZuJh0i428vudOU1HnC1iHcZBHN48yqkr4gmntOCxlxcz31dx5Xu
hcwyrT9PYqmHHAS9HM95n6ZL5hOsgHIdcU+xsm/VKvtQPsveU/90v3w0YWB0FHzD
OtZ6mCfb6lIuE6JFiGpEG2g7JvWJYNPbcc6uML5Sytxe2vaaT62DKwsZiWQBLAVp
MQg0FUtUysxaOIOYWz71E44ow67Ci38G/Xop14Y5SXrPtAtkCMW++//l1/eWnG8c
aFc2tDFz3O1KlcQXte+1vM4w4DTMWHQNAKyr6YG5ryW77fZi5rw/9KYLabDYoNda
FSjF/joQMAAJfiRIih7qsCh/YrI7VRr2QOE3rcZwqsdlNDExu1rk8lpeVVNwA+dy
2BlC+67YTjkZcIsA+sAOH1+D94kJT15p8tr2NodsukODgi/nY2cLgC5oKFuohDAt
N/7GmFudjfnLC0CYjom+9K3yPn8oOhKBLHhFJKwDJAfu8heS/Sda+1Hs91F7/Tgw
FytIcmbWtrukGrtA92aGnsSmg4hXnZ8LVUjIIgpgLlRxq6G8p9U=
=0uo0
-----END PGP SIGNATURE-----
[SECURITY] [DLA 981-1] apng2gif security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : apng2gif
Version        : 1.5-1+deb7u1
CVE ID         : CVE-2017-6960
Debian Bug     : 854367

It was discovered that apng2gif was vulnerable to an integer overflow resulting in a heap-based buffer over-read/write. A remote attacker could use this flaw to cause a denial of service (application crash) via a crafted APNG file.

For Debian 7 "Wheezy", these problems have been fixed in version 1.5-1+deb7u1.

We recommend that you upgrade your apng2gif packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErLe2fxl/mzIVM0McrJCsPsUkBl4FAlk3p8MACgkQrJCsPsUk
Bl4g4Q//Vs+SxqSSCtU3BwKik5no/0Kc1rEXHH2Mc8CFdcsu4bYfkRn8eSJKa98k
v02YrHYQqTM9sFmjXjYQIdh/pyPAUU51bqXLQOSn89RbdW5z0DCGYkEpYoSZoxG5
egsL33o0zCLckRFhAYBR7QC8z1bcBh3HpW5DSJdyano7sePNCbzkF3+pkaJFmn0a
MJWT+cEwD+F4R1jSq9EHxT2ecrwP+BAWCmTgzYpF43qLXH8znnXJhKI9Sxv6+GOH
J7MX5xhFZKOQKd9NKc14Y9yBMzV+PGJRvD0e1wqd/E1YXhaAxrD2AlDOc07HFK6B
+bJ6/lRSBWpyOLDhnsig0m/Ji6x7rNDmZoHmOkY4Dj7d2Y4O16ztn0s54gvO/DVh
OrOhhUFKDHuZ3z2hmFK9vdw/p9R+4a5nI2Ci55ggIgXZ69+hvtpoMNlADVG1iXFW
11LRjac3F1tP7iHRtCRXY9HdHwb4D82/a/+9vV6hOPhvistCSwxFQ118elPbq05a
p/mubHey1MSM1Iqo0AICBxye+NzC+++QDXbUEWeXvhyDEwz+5mIAr3WuxBpyXuno
tz0wh9p6hvmNfYLo/lz09uLo++Ze0x0c5gCroYJSZA/3S52zQBbwo0+i86/qDG3d
AYY1Vj4ZfiM8jZxPi/x25tlIovCx2r5fq1GszcJwr8EWgLd0EM4=
=anaS
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1105-1] clamav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : clamav
Version        : 0.99.2+dfsg-0+deb7u3
CVE ID         : CVE-2017-6418 CVE-2017-6420

clamav is vulnerable to multiple issues that can lead to denial of service when processing untrusted content.

CVE-2017-6418

    out-of-bounds read in libclamav/message.c, allowing remote attackers to cause a denial of service via a crafted e-mail message.

CVE-2017-6420

    use-after-free in the wwunpack function (libclamav/wwunpack.c), allowing remote attackers to cause a denial of service via a crafted PE file with WWPack compression.

For Debian 7 "Wheezy", these problems have been fixed in version 0.99.2+dfsg-0+deb7u3.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlnFdpEACgkQLVy48vb3
khkktggAj2ypS5W9mbo6JY/DPUrH7vFRillZKHifwWnbqZ6NdSLo94chCasrSGeQ
uT4JBLouAeTxFMSEwMWa66KKgrpO951NU4LycZlGdZUDJ+gEI2pwVEEk3BpQRcip
UzhhUyk6KxK/0xaddVnW3qm+UDUn2MkAO160m/qcQnTFbBWWpGhkCn/WdPLsywn2
ovpQrR+w+gBtqXC9w8pzYPYuNVOEIy9TB13aZQgG9tX2X/TRnhpv5LgftIYS+bzp
45LcsUcrcotA3gafhLMJ01P0uaXjrczglxMmhm9fq+oqeVIXQIqVfyW0KMBLuxun
x4+wKbBS8k5PEm1rSNYMPXH9p0e8Sg==
=j3iE
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1152-1] quagga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : quagga
Version        : quagga_0.99.22.4-1+wheezy3+deb7u2
CVE ID         : CVE-2017-16227
Debian Bug     : 879474

It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity.

For Debian 7 "Wheezy", these problems have been fixed in version quagga_0.99.22.4-1+wheezy3+deb7u2.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAln4jecACgkQLVy48vb3
khk9Lwf+O6XzblrxsJ6cBJGR+zes2B2ztLWhut/+fM1J8x9M+iNQGzNyXqp+cgZv
5jOik68Mq2cj3vB4MJIhHoYlEUQS8iaKZHih9/0uTzPw9mgY08ZgkChl71a6JVbY
U2Nuo4FxAMTRQ2a43YpEvuct8/YOHuFBORntvBmILN3OYCRGCHSpCk8om3QgdaM/
AD0ql6nH+d0dajI/zMIDCcG4ZN5k81t0Vpo1keH/Y2agb+zzl8vWdxeytIYYBBfD
ldMmuMSsrpjYmPkbkAT6bCBYwZQvIVyIHjRdjsbPtPtnsYkdscfgOcIV55KBBzZS
t+Et40tN3a/bEAKROdtL5CrqPa7d4w==
=NQ5a
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1377-1] tiff security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff
Version        : 4.0.2-6+deb7u20
CVE ID         : CVE-2018-8905
Debian Bug     : 893806

A heap-based buffer overflow was discovered in the LZWDecodeCompat function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability might be leveraged by remote attackers to crash the client via a crafted TIFF LZW file.

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u20.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlr44RIACgkQLVy48vb3
khnWgAf8CTgLA1I8ztCE6crlr0jRrTKUhdguFS4gl2WqnZtVeuX19W45UfAWUVuv
6EGsVKKoEBmC6NnxrkxzfhB2enW3zbuax3VT1vwM1clscuE/vxbPNcEw3sZakl/3
4v2/+xnMT5mAOzNVZV1pcO8naIF3MeveOLfrGM+Y53CadPo8ZeswgZvRdE2sChCd
jvWtsRUV9KMYGCNiH5Am2GyL+7tQKgVuBA6DT0mJbzWn46rA2Ld8/jyPRzzlZOKJ
hWvCeAe9RnTICbXNcsQN7F5BPkBi4tI0ETOSWN+plc4TTNQp7xoGOZqaneHRuoh0
R/IOS5DQ33I05zQrV/Cn1/yn1mXY7A==
=mrNK
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1378-1] tiff3 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff3
Version        : 3.9.6-11+deb7u11
CVE ID         : CVE-2018-8905
Debian Bug     : 893806

A heap-based buffer overflow was discovered in the LZWDecodeCompat function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability might be leveraged by remote attackers to crash the client via a crafted TIFF LZW file.

For Debian 7 "Wheezy", these problems have been fixed in version 3.9.6-11+deb7u11.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlr44TkACgkQLVy48vb3
khkz0gf9EHAkzzjc3zZSh60d5zW5tp94hbKQC1E8HaQOc4/SRxxxi+ialRSR0SSa
z+V5PKQCqIsXRhGbm20drp75zwUFWrsX8UpQxd1Nj+M/2dROGyFKsfsghcP0bcAi
TtWiMbt1aVZvFcNv5AJAzMlN5B4HakqIUClxSqNOKOp+qQA8j/LtncNfNeB1pLX6
nFJ3B5PYA/48CVYuB5A7Z1I67xvxhPYjW44GJedTDALrg+6G4WTf8cfvvXbdFcYX
aSmCe1vf6vO4TCZx7l37ZVT9BAaUznXHB0AsYxR+eZPSOrc43MfuMucNC3gyGteG
5x2bBnxYe6OCGAEMIJqDo5+Fl5beAA==
=m1LP
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1386-1] ming security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ming
Version        : 1:0.4.4-1.1+deb7u9
CVE ID         : CVE-2018-7866 CVE-2018-7873 CVE-2018-7876 CVE-2018-9009 CVE-2018-9132

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-7866

    NULL pointer dereference in the newVar3 function (util/decompile.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7873

    Heap-based buffer overflow vulnerability in the getString function (util/decompile.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7876

    Integer overflow and resulting memory exhaustion in the parseSWF_ACTIONRECORD function (util/parser.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-9009

    Various heap-based buffer overflow vulnerabilities in util/decompiler.c. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-9132

    NULL pointer dereference in the getInt function (util/decompile.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version 1:0.4.4-1.1+deb7u9.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlsI5QcACgkQLVy48vb3
khnjrAgAj5+bqzPtXEp80FJmU5u+nF5ATda2czc0w7SjIDVdxIP1u/TBWroT0JsV
QcI5oeZk+19MeZtNJhTI4nk+wr939JE7JA0IkdTsZBa1jkzFM/stcesooM37421S
BLTRaPzY1I3cz7/NYHeRZy6LQKhp9OmXKPYSqUDcRHT+CROvS8iAHa27f+EkC2fO
yKaZer+IhXlJeTLg5PeqWlSARBYl5FTF5dNFihOyy5er32ED+CA6TIhMT7ISWtVT
t92zDfYlp77Dn88azT5v3+Jx9uciH6JxCh1PWdgHskA6JYHIQDGPml5Ck9lxG5+q
ihTRxfzPzHHo4WvCTQnL06V/5Dwgdg==
=2c4p
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1240-1] ming security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ming
Version        : 1:0.4.4-1.1+deb7u6
CVE ID         : CVE-2017-11732 CVE-2017-16883 CVE-2017-16898

Multiple vulnerabilities have been discovered in Ming:

CVE-2017-11732

    heap-based buffer overflow vulnerability in the function dcputs (util/decompile.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file.

CVE-2017-16883

    NULL pointer dereference vulnerability in the function outputSWF_TEXT_RECORD (util/outputscript.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file.

CVE-2017-16898

    global buffer overflow vulnerability in the function printMP3Headers (util/listmp3.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file.

For Debian 7 "Wheezy", these problems have been fixed in version 1:0.4.4-1.1+deb7u6.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlpXQgUACgkQLVy48vb3
khl+kwf+KzzwzIB9vGLaggt00v6QvOXHpN05vEl9ViBjdjx9EHmppCJ7tGdV7rb6
Oo0MS0Wam76GGVGytNlunY8IoyX7JR3r0qs8kfn5BhvXFgrLTN+e4CX6PMU8ReDq
jjaiT80gKeC5vIIIRng3IPIYBm57IwraajbnozBxKPqfOif9E+/Hvbei0BhiR+G3
OVppnz0AnGZcsBZFwcxvklhD/enT5pBIFzfZgtumGOGa6Rt3NQ2MZGdS3ZIdMrkl
OeEgD0Qdrd+CUfiMOxJRzKekxmC5dMqtv4YsZWzoHjAodiMu+tytWyQ1xKXwKzil
D6fBbtcdZ95tKGrsC5nBvWm5SEJqWw==
=u/v7
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1305-1] ming security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ming
Version        : 0.4.4-1.1+deb7u7
CVE ID         : CVE-2018-5251 CVE-2018-5294 CVE-2018-6315 CVE-2018-6359

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-5251

    Integer signedness error vulnerability (left shift of a negative value) in the readSBits function (util/read.c). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-5294

    Integer overflow vulnerability (caused by an out-of-range left shift) in the readUInt32 function (util/read.c). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted swf file.

CVE-2018-6315

    Integer overflow and resultant out-of-bounds read in the outputSWF_TEXT_RECORD function (util/outputscript.c). Remote attackers could leverage this vulnerability to cause a denial of service or unspecified other impact via a crafted SWF file.

CVE-2018-6359

    Use-after-free vulnerability in the decompileIF function (util/decompile.c). Remote attackers could leverage this vulnerability to cause a denial of service or unspecified other impact via a crafted SWF file.

For Debian 7 "Wheezy", these problems have been fixed in version 0.4.4-1.1+deb7u7.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlqlNM4ACgkQLVy48vb3
khn55Af/So3UmQ05hs+lyOpKbHmEbLPmkaLh3Aq352eGBqIqfrVGKMAmX63GsQZP
zxsSpRpjGkEkN9ss4z/S8ydQc28u7pOeWjCIoJJ/T1xo4bd9dcyy/34Ii6GB9+Fx
n7ap9syaU8MyiyvqQj68hDZ4+X4w7vUvpGGsHYnA3zLxnDISwW67MHCjBC7ymNUw
J+7wNlgnleh1tKZaXvxcLDiDXbl53X81yEPzPH1mxOBLuLE2hpQ4rflSPERZkgIZ
R7ColdOVXEgBzNFApAeucs9HbQgVKFGlsxJSO0gOeWNuuuZqARmcXsTRHyscgdJB
Li+jc5ibTbNP8BIVi4NFT40xC6VYFw==
=eofB
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1343-1] ming security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ming
Version        : 0.4.4-1.1+deb7u8
CVE ID         : CVE-2018-6358 CVE-2018-7867 CVE-2018-7868 CVE-2018-7870 CVE-2018-7871 CVE-2018-7872 CVE-2018-7875 CVE-2018-9165

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-6358

    Heap-based buffer overflow vulnerability in the printDefineFont2 function (util/listfdb.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7867

    Heap-based buffer overflow vulnerability in the getString function (util/decompile.c) during a RegisterNumber sprintf. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7868

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7870

    Invalid memory address dereference in the getString function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7871

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7872

    Invalid memory address dereference in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7875

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-9165

    The pushdup function (util/decompile.c) performs a shallow copy of String elements (instead of a deep copy), allowing simultaneous change of multiple elements of the stack, which indirectly makes the library vulnerable to a NULL pointer dereference in getName (util/decompile.c). Remote attackers might leverage this vulnerability to cause DoS via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version 0.4.4-1.1+deb7u8.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrLWxMACgkQLVy48vb3
khndugf9G1fRWhVJaXb1vOvfztyqweHyu1ppZeVhG7P9EdJcLM/jHPfRU6UZlmcj
/0WgxNoMxHmcnIv7f1c64gfWdqJfAkPXxjAyrjzDMam7LuJI7T25B4VGcXg4G4N0
+m4lWvZn+tBJzigDx1Fs9ZYE7bVTNJP+hApyNSDPuDTLlD0NOpTs4Lq0kM14wVIU
mJTloRIuHWLkfUiRu9v+c6i5aKoBuqY7XenzqxrEU515HmfOPnTejxlSzyAyH6or
yShz6eWExvBs7pXu9TB3cCirtP5gsqrANE/UxGSzPwlk//XtpojSMlysyRwEXxLX
Y30B4a+e1VkqDPNMUhtJ+fIOBZBq2Q==
=ZzkF
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1347-1] tiff3 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff3
Version        : 3.9.6-11+deb7u10
CVE ID         : CVE-2018-7456
Debian Bug     : 891288

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory function (tif_print.c) when using the tiffinfo tool to print crafted TIFF information. This vulnerability could be leveraged by remote attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version 3.9.6-11+deb7u10.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrUC9cACgkQLVy48vb3
khkpqQf/T8mlN9ec5Gx0EmkS9RCC/06VJ7t4GzptVRjuNKnuPCNXgb4Zw7ZxNzoi
sSfcJ4GMoy+Ytwe5CCF6FdbQ+WFGMLUjm5ywBOHzkZ6Si/1jSKpyWHAIqnn9e/41
+JYLm1hoC1fHh/zro1kIdPOsUJD4fnKsTo+EV30vwij0wiF5te+ByOghLCK2V13R
rxc+w8OWTtCKeSzcjtlC5zDHXLIFHMZGg2v6041ETB7vbYSaWAOj2XCKMhbN8kHz
PLy56vtiS54jTYfyC51nVNi39c2LfUTcoMi6usnJn44eauMAoKJz6iDEeW5CnxER
85mfKtUy/RwV9F2L/RtNWqHlQCjHdQ==
=j1X4
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1346-1] tiff security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff
Version        : 4.0.2-6+deb7u19
CVE ID         : CVE-2018-7456
Debian Bug     : 891288

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory function (tif_print.c) when using the tiffinfo tool to print crafted TIFF information. This vulnerability could be leveraged by remote attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version 4.0.2-6+deb7u19.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrUC10ACgkQLVy48vb3
khmXmwf7Bfz6v8Lle0D5CA8pae67570bO31pJpcbdcC9JMpdWVB9Pci8FAULtaE5
kJPGjy/nonKy5nSSctEEzydoVqQ6hkiknpWU+eKd7gZu+pcaC0lXtULrKsvQ6g1W
j1KBaZV4XGhnRrKVixtTwMphUlTaJa/pv5/WZeJp5pMAKEwv93zBCStf1efx1XYu
/+4Ey+glVtpS+rLRjzLJtFULQfCcPIZb9hTCLlQcErWxAJm6Xxw+ZNedzirQe2Im
+q9o/toDIJHzb6ZpG+PW5/wdTCQ5pqoov/k5bZI8Q+7LbqLKBifBrOUefGm8HkJd
ov//MNlueQRseHr4JhJH1tGvKwf+8w==
=0znQ
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1554-2] 389-ds-base regression update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : 389-ds-base
Version        : 1.3.3.5-4+deb8u5

A regression was found in the recent security update for 389-ds-base (the 389 Directory Server), announced as DLA-1554-2, caused by an incomplete fix for CVE-2018-14648. The regression caused the server to crash when processing requests with empty attributes.

For Debian 8 "Jessie", this problem has been fixed in version 1.3.3.5-4+deb8u5.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlvSFuwACgkQZYVUZx9w
0DSiAAf/ZqAyt9GvowS4CbJDc0j0krsziy9hkGL8ng6JsUTnxAO2wmYVNP8AooH3
OKH3VlMSX6dUKWMrqPNeeJwUy+suff8oyUnQckSjtJRXF/n1Pgtkt4cb6niZsviu
pknQM5HMM0LzCd0GfhrKH5tIhxE0fg0paGDw2sYH/8bGS9r0kCrlB1K9KQUKNXXf
UDz4fVyU5DshW/FTXwuFjQcyA/6bW4viFKBICc19xi6K7kHRhKDNx+DslrY3w9gL
EG806E8ZuSi7eai5me0xpGROWaGgCPSzUp+J82795y+wJre7jC7Kn+3M1T0vhvMk
k6aA+jue/pHlMaDJPpinnlwfOFrc5A==
=wqdE
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1554-1] 389-ds-base security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : 389-ds-base
Version        : 1.3.3.5-4+deb8u4
CVE ID         : CVE-2018-14648

It was discovered that 389-ds-base (the 389 Directory Server) is vulnerable to search queries with malformed values in the do_search() function (servers/slapd/search.c). Attackers could leverage this vulnerability by sending crafted queries in a loop to cause DoS.

For Debian 8 "Jessie", this problem has been fixed in version 1.3.3.5-4+deb8u4.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlvRn6AACgkQZYVUZx9w
0DSaqgf/UovxxepF+64NBh7m9LtixOa11T61ocMr1ebPQExv76NujJQlqYQ9O36v
Bidt5+3RHlznAn/askLm58wwEMb+yVdiFco5axQF84rjtbBLSiVfJ3+3ZCM2unDB
oO45quFbE/f+dCswZZrtsMaTT6Ssf1GlRgmc2Fpt2pJQZygo37vsXQmgW3Uvk3lU
9hr2Jdsl0SdFbSpMET38xrsxYB6oF+5sRV/bsjCbQ1I7G+S8JGrr3576ESIzXsUa
CQ2vc62/YUlXnVWv5NUNzmCDUIbeZ+rXgh1ZR6axn303tQU0Y0Wm0Vd8Oc7sVswu
d6yPSsfmxrA4kUSjmktCzJF6uT6GvA==
=CTcG
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1526-1] 389-ds-base security update
Package: 389-ds-base
Version: 1.3.3.5-4+deb8u3
CVE ID : CVE-2018-14624

It was discovered that the emergency logging system in 389-ds-base (the 389 Directory Server) is affected by a race condition caused by the invalidation of the concurrently used log file's file descriptor without proper locking. This issue might be triggered by remote attackers to cause DoS (crash) and any other undefined behavior.

For Debian 8 "Jessie", this problem has been fixed in version 1.3.3.5-4+deb8u3.

We recommend that you upgrade your 389-ds-base packages.
[SECURITY] [DLA 1610-1] sleuthkit security update
Package: sleuthkit
Version: 4.1.3-4+deb8u1
CVE ID : CVE-2018-19497
Debian Bug : 914796

It was discovered that the Sleuth Kit (TSK) through version 4.6.4 is affected by a buffer over-read vulnerability. The tsk_getu16 call in hfs_dir_open_meta_cb (tsk/fs/hfs_dent.c) does not properly check boundaries. This vulnerability might be leveraged by remote attackers using crafted filesystem images to cause denial of service or any other unspecified behavior.

For Debian 8 "Jessie", this problem has been fixed in version 4.1.3-4+deb8u1.

We recommend that you upgrade your sleuthkit packages.
[SECURITY] [DLA 1614-1] openjpeg2 security update
Package: openjpeg2
Version: 2.1.0-2+deb8u6
CVE ID : CVE-2018-6616 CVE-2018-14423
Debian Bug : 904873, 889683

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec.

CVE-2018-6616

Excessive iteration in the opj_t1_encode_cblks function (openjp2/t1.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.

CVE-2018-14423

Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl (lib/openjp3d/pi.c). Remote attackers could leverage these vulnerabilities to cause a denial of service (application crash).

For Debian 8 "Jessie", these problems have been fixed in version 2.1.0-2+deb8u6.

We recommend that you upgrade your openjpeg2 packages.
[SECURITY] [DLA 1618-1] libsndfile security update
Package: libsndfile
Version: 1.0.25-9.1+deb8u2
CVE ID : CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 CVE-2017-17457 CVE-2018-13139 CVE-2018-19432 CVE-2018-19661 CVE-2018-19662

Multiple vulnerabilities have been found in libsndfile, the library for reading and writing files containing sampled sound.

CVE-2017-8361

The flac_buffer_copy function (flac.c) is affected by a buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file.

CVE-2017-8362

The flac_buffer_copy function (flac.c) is affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2017-8363

The flac_buffer_copy function (flac.c) is affected by a heap-based out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2017-8365

The i2les_array function (pcm.c) is affected by a global buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file.

CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457

The d2alaw_array() and d2ulaw_array() functions (src/ulaw.c and src/alaw.c) are affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause denial of service or information disclosure via a crafted audio file.

CVE-2017-14634

The double64_init() function (double64.c) is affected by a divide-by-zero error. This vulnerability might be leveraged by remote attackers to cause denial of service via a crafted audio file.

CVE-2018-13139

The psf_memset function (common.c) is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave.

CVE-2018-19432

The sf_write_int function (src/sndfile.c) is affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2018-19661 CVE-2018-19662

The i2alaw_array() and i2ulaw_array() functions (src/ulaw.c and src/alaw.c) are affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause denial of service or information disclosure via a crafted audio file.

For Debian 8 "Jessie", these problems have been fixed in version 1.0.25-9.1+deb8u2.

We recommend that you upgrade your libsndfile packages.
[SECURITY] [DLA 1619-1] graphicsmagick security update
Package: graphicsmagick
Version: 1.3.20-3+deb8u5
CVE ID : CVE-2018-20184 CVE-2018-20185 CVE-2018-20189
Debian Bug : 916752 916719 916721

Multiple vulnerabilities have been found in GraphicsMagick, the image processing system.

CVE-2018-20184

The WriteTGAImage function (tga.c) is affected by a heap-based buffer overflow. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

CVE-2018-20185

The ReadBMPImage function (bmp.c) is affected by a heap-based buffer over-read. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

CVE-2018-20189

The ReadDIBImage function (coders/dib.c) is affected by an assertion error. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

For Debian 8 "Jessie", these problems have been fixed in version 1.3.20-3+deb8u5.

We recommend that you upgrade your graphicsmagick packages.
[SECURITY] [DLA 1582-1] liblivemedia security update
Package: liblivemedia
Version: 2014.01.13-1+deb8u1
CVE ID : CVE-2018-4013

A stack-based buffer overflow vulnerability was found in liblivemedia, the LIVE555 RTSP server library. This issue might be leveraged by remote attackers to cause code execution, by sending a crafted packet.

For Debian 8 "Jessie", this problem has been fixed in version 2014.01.13-1+deb8u1.

We recommend that you upgrade your liblivemedia packages.
[SECURITY] [DLA 1579-1] openjpeg2 security update
Package: openjpeg2
Version: 2.1.0-2+deb8u5
CVE ID : CVE-2017-17480 CVE-2018-18088

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec.

CVE-2017-17480

Stack buffer overflow (write) due to a missing buffer length specifier in an fscanf call (jp3d and jpwl codecs). This vulnerability might be leveraged by remote attackers using crafted jp3d and jpwl files to cause denial of service or possibly remote code execution.

CVE-2018-18088

Null pointer dereference caused by null image components in imagetopnm. This vulnerability might be leveraged by remote attackers using crafted BMP files to cause denial of service.

For Debian 8 "Jessie", these problems have been fixed in version 2.1.0-2+deb8u5.

We recommend that you upgrade your openjpeg2 packages.
[SECURITY] [DLA 1632-1] libsndfile security update
Package: libsndfile
Version: 1.0.25-9.1+deb8u3
CVE ID : CVE-2018-19758
Debian Bug : 917416

A heap-buffer-overflow vulnerability was discovered in libsndfile, the library for reading and writing files containing sampled sound. This flaw might be triggered by remote attackers to cause denial of service (out of bounds read and application crash).

For Debian 8 "Jessie", this problem has been fixed in version 1.0.25-9.1+deb8u3.

We recommend that you upgrade your libsndfile packages.
[SECURITY] [DLA 1640-1] tmpreaper security update
Package: tmpreaper
Version: 1.6.13+nmu1+deb8u1
CVE ID : CVE-2019-3461
Debian Bug : 918956

It was discovered that tmpreaper, a program that cleans up files in directories based on their age, is vulnerable to a race condition. This vulnerability might be exploited by local attackers to perform privilege escalation.

For Debian 8 "Jessie", this problem has been fixed in version 1.6.13+nmu1+deb8u1.

We recommend that you upgrade your tmpreaper packages.
[SECURITY] [DLA 1690-1] liblivemedia security update
Package: liblivemedia
Version: 2014.01.13-1+deb8u2
CVE ID : CVE-2019-6256 CVE-2019-7314
Debian Bug : 919529

Multiple vulnerabilities have been discovered in liblivemedia, the LIVE555 RTSP server library:

CVE-2019-6256

liblivemedia servers with RTSP-over-HTTP tunneling enabled are vulnerable to an invalid function pointer dereference. This issue might happen during error handling when processing two GET and POST requests being sent with identical x-sessioncookie within the same TCP session and might be leveraged by remote attackers to cause DoS.

CVE-2019-7314

liblivemedia servers with RTSP-over-HTTP tunneling enabled are affected by a use-after-free vulnerability. This vulnerability might be triggered by remote attackers to cause DoS (server crash) or possibly unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version 2014.01.13-1+deb8u2.

We recommend that you upgrade your liblivemedia packages.
[SECURITY] [DLA 1695-1] sox security update
Package: sox
Version: 14.4.1-5+deb8u2
CVE ID : CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189
Debian Bug : 878808, 878810, 882144, 881121

Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program:

CVE-2017-15370

The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted WAV file to cause denial of service (application crash).

CVE-2017-15372

The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers using a crafted audio file to cause denial of service (application crash).

CVE-2017-15642

The lsx_aiffstartread function (aiff.c) is affected by a use-after-free vulnerability. This flaw might be leveraged by remote attackers using a crafted AIFF file to cause denial of service (application crash).

CVE-2017-18189

The startread function (xa.c) is affected by a null pointer dereference vulnerability. This flaw might be leveraged by remote attackers using a crafted Maxis XA audio file to cause denial of service (application crash).

For Debian 8 "Jessie", these problems have been fixed in version 14.4.1-5+deb8u2.

We recommend that you upgrade your sox packages.
[SECURITY] [DLA 1705-1] sox security update
Package: sox
Version: 14.4.1-5+deb8u3
CVE ID : CVE-2017-11332 CVE-2017-11358 CVE-2017-11359 CVE-2017-15371
Debian Bug : 878809 870328

Multiple vulnerabilities have been discovered in SoX (Sound eXchange), a sound processing program:

CVE-2017-11332

The startread function (wav.c) is affected by a divide-by-zero vulnerability when processing a WAV file with a zero channel count. This flaw might be leveraged by remote attackers using a crafted WAV file to perform denial of service (application crash).

CVE-2017-11358

The read_samples function (hcom.c) is affected by an invalid memory read vulnerability when processing HCOM files with invalid dictionaries. This flaw might be leveraged by remote attackers using a crafted HCOM file to perform denial of service (application crash).

CVE-2017-11359

The wavwritehdr function (wav.c) is affected by a divide-by-zero vulnerability when processing WAV files with an invalid channel count over 16 bits. This flaw might be leveraged by remote attackers using a crafted WAV file to perform denial of service (application crash).

CVE-2017-15371

The sox_append_comment() function (formats.c) is vulnerable to a reachable assertion when processing FLAC files with metadata declaring more comments than provided. This flaw might be leveraged by remote attackers using crafted FLAC data to perform denial of service (application crash).

For Debian 8 "Jessie", these problems have been fixed in version 14.4.1-5+deb8u3.

We recommend that you upgrade your sox packages.
[SECURITY] [DLA 1694-1] qemu security update
Package: qemu
Version: 1:2.1+dfsg-12+deb8u10
CVE ID : CVE-2018-12617 CVE-2018-16872 CVE-2019-6778
Debian Bug : 916397, 902725, 921525

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-12617

The qmp_guest_file_read function (qga/commands-posix.c) is affected by an integer overflow and subsequent memory allocation failure. This weakness might be leveraged by remote attackers to cause denial of service (application crash).

CVE-2018-16872

The usb_mtp_get_object, usb_mtp_get_partial_object and usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a symlink attack. Remote attackers might leverage this vulnerability to perform information disclosure.

CVE-2019-6778

The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer overflow caused by insufficient validation of available space in the sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to cause denial of service, or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version 1:2.1+dfsg-12+deb8u10.

We recommend that you upgrade your qemu packages.
[SECURITY] [DLA 1720-1] liblivemedia security update
Package: liblivemedia
Version: 2014.01.13-1+deb8u3
CVE ID : CVE-2019-9215
Debian Bug : 924655

It was discovered that liblivemedia, the LIVE555 RTSP server library, is vulnerable to an invalid memory access when processing the Authorization header field. Remote attackers could leverage this vulnerability to possibly trigger code execution or denial of service (OOB access and application crash) via a crafted HTTP header.

For Debian 8 "Jessie", this problem has been fixed in version 2014.01.13-1+deb8u3.

We recommend that you upgrade your liblivemedia packages.
[SECURITY] [DLA 1646-1] qemu security update
Package: qemu
Version: 1:2.1+dfsg-12+deb8u9
CVE ID : CVE-2018-17958 CVE-2018-19364 CVE-2018-19489

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-17958

The rtl8139 emulator is affected by an integer overflow and subsequent buffer overflow. This vulnerability might be triggered by remote attackers with crafted packets to perform denial of service (via OOB stack buffer access).

CVE-2018-19364

The 9pfs subsystem is affected by a race condition allowing threads to modify an fid path while it is being accessed by another thread, leading to (for example) a use-after-free outcome. This vulnerability might be triggered by local attackers to perform denial of service.

CVE-2018-19489

The 9pfs subsystem is affected by a race condition during file renaming. This vulnerability might be triggered by local attackers to perform denial of service.

For Debian 8 "Jessie", these problems have been fixed in version 1:2.1+dfsg-12+deb8u9.

We recommend that you upgrade your qemu packages.
[SECURITY] [DLA 1802-1] wireshark security update
Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u19
CVE ID : CVE-2019-10894 CVE-2019-10895 CVE-2019-10899 CVE-2019-10901 CVE-2019-10903
Debian Bug : 926718

Several vulnerabilities have been found in wireshark, a network traffic analyzer.

CVE-2019-10894

Assertion failure in dissect_gssapi_work (packet-gssapi.c) leading to a crash of the GSS-API dissector. Remote attackers might leverage this vulnerability to trigger DoS via a packet containing a crafted GSS-API payload.

CVE-2019-10895

Insufficient data validation leading to a large number of heap buffer over-reads and over-writes in the NetScaler trace handling module (netscaler.c). Remote attackers might leverage these vulnerabilities to trigger DoS, or any other unspecified impact via crafted packets.

CVE-2019-10899

Heap-based buffer under-read vulnerability in the Service Location Protocol dissector. Remote attackers might leverage this vulnerability to trigger DoS, or any other unspecified impact via crafted SRVLOC packets.

CVE-2019-10901

NULL pointer dereference in the Local Download Sharing Service protocol dissector. Remote attackers might leverage this flaw to trigger DoS via crafted LDSS packets.

CVE-2019-10903

Missing boundary checks leading to a heap out-of-bounds read vulnerability in the Microsoft Spool Subsystem protocol dissector. Remote attackers might leverage this vulnerability to trigger DoS, or any other unspecified impact via crafted SPOOLSS packets.

For Debian 8 "Jessie", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u19.

We recommend that you upgrade your wireshark packages.
[SECURITY] [DLA 1791-1] faad2 security update
Package: faad2
Version: 2.7-8+deb8u2
CVE ID : CVE-2018-20194 CVE-2018-20197 CVE-2018-20198 CVE-2018-20362

Multiple vulnerabilities have been found in faad2, the Freeware Advanced Audio Coder:

CVE-2018-20194 CVE-2018-20197

Improper handling of implicit channel mapping reconfiguration leads to multiple heap-based buffer overflow issues. These flaws might be leveraged by remote attackers to cause DoS.

CVE-2018-20198 CVE-2018-20362

Insufficient user input validation in the sbr_hfadj module leads to stack-based buffer underflow issues. These flaws might be leveraged by remote attackers to cause DoS or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version 2.7-8+deb8u2.

We recommend that you upgrade your faad2 packages.
[SECURITY] [DLA 1795-1] graphicsmagick security update
Package: graphicsmagick
Version: 1.3.20-3+deb8u7
CVE ID : CVE-2019-11473 CVE-2019-11474 CVE-2019-11505 CVE-2019-11506

Multiple vulnerabilities have been discovered in graphicsmagick, the image processing toolkit:

CVE-2019-11473

The WriteMATLABImage function (coders/mat.c) is affected by a heap-based buffer overflow. Remote attackers might leverage this vulnerability to cause denial of service or any other unspecified impact via crafted Matlab matrices.

CVE-2019-11474

The WritePDBImage function (coders/pdb.c) is affected by a heap-based buffer overflow. Remote attackers might leverage this vulnerability to cause denial of service or any other unspecified impact via a crafted Palm Database file.

CVE-2019-11505 CVE-2019-11506

The XWD module (coders/xwd.c) is affected by multiple heap-based buffer overflows and arithmetic exceptions. Remote attackers might leverage these various flaws to cause denial of service or any other unspecified impact via crafted XWD files.

For Debian 8 "Jessie", these problems have been fixed in version 1.3.20-3+deb8u7.

We recommend that you upgrade your graphicsmagick packages.
[SECURITY] [DLA 1888-1] imagemagick security update
Package: imagemagick
Version: 8:6.8.9.9-5+deb8u17
CVE ID : CVE-2019-12974 CVE-2019-13135 CVE-2019-13295 CVE-2019-13297 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306

Multiple vulnerabilities have been found in imagemagick, an image processing toolkit.

CVE-2019-12974

NULL pointer dereference in ReadPANGOImage and ReadVIDImage (coders/pango.c and coders/vid.c). This vulnerability might be leveraged by remote attackers to cause denial of service via crafted image data.

CVE-2019-13135

Multiple uses of uninitialized values in ReadCUTImage, UnpackWPG2Raster and UnpackWPGRaster (coders/wpg.c and coders/cut.c). These vulnerabilities might be leveraged by remote attackers to cause denial of service or unauthorized disclosure or modification of information via crafted image data.

CVE-2019-13295, CVE-2019-13297

Multiple heap buffer over-reads in AdaptiveThresholdImage (magick/threshold.c). These vulnerabilities might be leveraged by remote attackers to cause denial of service or unauthorized disclosure or modification of information via crafted image data.

CVE-2019-13304, CVE-2019-13305, CVE-2019-13306

Multiple stack buffer overflows in WritePNMImage (coders/pnm.c), leading to a stack buffer overwrite of up to ten bytes. Remote attackers might leverage these flaws to potentially perform code execution or denial of service.

For Debian 8 "Jessie", these problems have been fixed in version 8:6.8.9.9-5+deb8u17.

We recommend that you upgrade your imagemagick packages.
[SECURITY] [DLA 1899-1] faad2 security update
Package        : faad2
Version        : 2.7-8+deb8u3
CVE ID         : CVE-2018-19502 CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 CVE-2019-15296
Debian Bug     : 914641

Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced Audio Coder:

CVE-2018-19502

    Heap buffer overflow in the function excluded_channels (libfaad/syntax.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

CVE-2018-20196

    Stack buffer overflow in the function calculate_gain (libfaad/br_hfadj.c). This vulnerability might allow remote attackers to cause denial of service or any unspecified impact via crafted MPEG AAC data.

CVE-2018-20199
CVE-2018-20360

    NULL pointer dereference in the function ifilter_bank (libfaad/filtbank.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

CVE-2019-6956

    Global buffer overflow in the function ps_mix_phase (libfaad/ps_dec.c). This vulnerability might allow remote attackers to cause denial of service or any other unspecified impact via crafted MPEG AAC data.

CVE-2019-15296

    Buffer overflow in the function faad_resetbits (libfaad/bits.c). This vulnerability might allow remote attackers to cause denial of service via crafted MPEG AAC data.

For Debian 8 "Jessie", these problems have been fixed in version 2.7-8+deb8u3.

We recommend that you upgrade your faad2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1861-1] libsdl2-image security update
Package        : libsdl2-image
Version        : 2.0.0+dfsg-3+deb8u2
CVE ID         : CVE-2018-3977 CVE-2019-5052 CVE-2019-7635 CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 CVE-2019-12221 CVE-2019-1
Debian Bug     : 932754, 932755

The following issues have been found in libsdl2-image, the image file loading library.

CVE-2018-3977

    Heap buffer overflow in IMG_xcf.c. This vulnerability might be leveraged by remote attackers to cause remote code execution or denial of service via a crafted XCF file.

CVE-2019-5052

    Integer overflow and subsequent buffer overflow in IMG_pcx.c. This vulnerability might be leveraged by remote attackers to cause remote code execution or denial of service via a crafted PCX file.

CVE-2019-7635

    Heap buffer overflow affecting Blit1to4, in IMG_bmp.c. This vulnerability might be leveraged by remote attackers to cause denial of service or any other unspecified impact via a crafted BMP file.

CVE-2019-12216
CVE-2019-12217
CVE-2019-12218
CVE-2019-12219
CVE-2019-12220
CVE-2019-12221
CVE-2019-1

    Multiple out-of-bound read and write accesses affecting IMG_LoadPCX_RW, in IMG_pcx.c. These vulnerabilities might be leveraged by remote attackers to cause denial of service or any other unspecified impact via a crafted PCX file.

For Debian 8 "Jessie", these problems have been fixed in version 2.0.0+dfsg-3+deb8u2.

We recommend that you upgrade your libsdl2-image packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2000-1] pam-python security update
Package        : pam-python
Version        : 1.0.4-1.1+deb8u1
CVE ID         : CVE-2019-16729
Debian Bug     : 942514

It was discovered that pam-python, a PAM module that runs the Python interpreter, has an issue in regard to the default environment variable handling of Python. This issue could allow for local root escalation in certain PAM setups.

For Debian 8 "Jessie", this problem has been fixed in version 1.0.4-1.1+deb8u1.

We recommend that you upgrade your pam-python packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2031-1] freeimage security update
Package        : freeimage
Version        : 3.15.4-4.2+deb8u2
CVE ID         : CVE-2019-12211 CVE-2019-12213
Debian Bug     : 929597

It was found that freeimage, a graphics library, was affected by the following two security issues:

CVE-2019-12211

    Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data.

CVE-2019-12213

    Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data.

For Debian 8 "Jessie", these problems have been fixed in version 3.15.4-4.2+deb8u2.

We recommend that you upgrade your freeimage packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1968-1] imagemagick security update
Package        : imagemagick
Version        : 8:6.8.9.9-5+deb8u18
CVE ID         : CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140

Multiple vulnerabilities have been found in imagemagick, an image processing toolkit.

CVE-2019-11470

    Uncontrolled resource consumption caused by insufficiently sanitized image size in ReadCINImage (coders/cin.c). This vulnerability might be leveraged by remote attackers to cause denial of service via a crafted Cineon image.

CVE-2019-14981

    Divide-by-zero vulnerability in MeanShiftImage (magick/feature.c). This vulnerability might be leveraged by remote attackers to cause denial of service via crafted image data.

CVE-2019-15139

    Out-of-bounds read in ReadXWDImage (coders/xwd.c). This vulnerability might be leveraged by remote attackers to cause denial of service via a crafted XWD (X Window System window dump file) image file.

CVE-2019-15140

    Bounds-checking issue in ReadMATImage (coders/mat.c), potentially leading to use-after-free. This vulnerability might be leveraged by remote attackers to cause denial of service or any other unspecified impact via a crafted MAT image file.

For Debian 8 "Jessie", these problems have been fixed in version 8:6.8.9.9-5+deb8u18.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1713-2] libsdl1.2 regression update
Package        : libsdl1.2
Version        : 1.2.15-10+deb8u2
CVE ID         : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638

The update of libsdl1.2 released as DLA 1713-1 led to a regression, caused by an incomplete fix for CVE-2019-7637. This issue was known upstream and resulted, among other things, in Windows versions of libsdl1.2 failing to set the video mode.

For Debian 8 "Jessie", this problem has been fixed in version 1.2.15-10+deb8u2.

We recommend that you upgrade your libsdl1.2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1714-2] libsdl2 regression update
Package        : libsdl2
Version        : 2.0.2+dfsg1-6+deb8u2
CVE ID         : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638

The update of libsdl2 released as DLA 1714-1 led to several regressions, as reported by Avital Ostromich. These regressions are caused by libsdl1.2 patches for CVE-2019-7637, CVE-2019-7635, CVE-2019-7638 and CVE-2019-7636 being applied to libsdl2 without adaptations.

For Debian 8 "Jessie", this problem has been fixed in version 2.0.2+dfsg1-6+deb8u2.

We recommend that you upgrade your libsdl2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1950-1] openjpeg2 security update
Package        : openjpeg2
Version        : 2.1.0-2+deb8u8
CVE ID         : CVE-2018-21010
Debian Bug     : 939553

A heap buffer overflow vulnerability was discovered in openjpeg2, the open-source JPEG 2000 codec. This vulnerability is caused by insufficient validation of width and height of image components in color_apply_icc_profile (src/bin/common/color.c). Remote attackers might leverage this vulnerability via a crafted JP2 file, leading to denial of service (application crash) or any other undefined behavior.

For Debian 8 "Jessie", this problem has been fixed in version 2.1.0-2+deb8u8.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1953-2] clamav regression update
Package        : clamav
Version        : 0.101.4+dfsg-0+deb8u2
CVE ID         : CVE-2019-12625 CVE-2019-12900
Debian Bug     : 942172

The update of clamav released as DLA 1953-1 led to permission issues on /var/run/clamav. This caused several users to experience issues restarting the clamav daemon. This regression is caused by a mistakenly backported patch from the stretch package, upon which this update was based.

For Debian 8 "Jessie", this problem has been fixed in version 0.101.4+dfsg-0+deb8u2.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2100-1] libexif security update
Package        : libexif
Version        : 0.6.21-2+deb8u1
CVE ID         : CVE-2019-9278
Debian Bug     : 945948

An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse EXIF files. This flaw might be leveraged by remote attackers to cause denial of service, or potentially execute arbitrary code via crafted image files.

For Debian 8 "Jessie", this problem has been fixed in version 0.6.21-2+deb8u1.

We recommend that you upgrade your libexif packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2049-1] imagemagick security update
Package        : imagemagick
Version        : 8:6.8.9.9-5+deb8u19
CVE ID         : CVE-2019-19948 CVE-2019-19949
Debian Bug     : 947309 947308

Multiple vulnerabilities have been found in imagemagick, an image processing toolkit.

CVE-2019-19948

    Heap buffer overflow in WriteSGIImage (coders/sgi.c) caused by insufficient validation of row and column sizes. This vulnerability might be leveraged by remote attackers to cause denial of service or any other unspecified impact via crafted image data.

CVE-2019-19949

    Heap-based buffer over-read (off-by-one) in WritePNGImage (coders/png.c) caused by a missing length check prior to pointer dereference. This vulnerability might be leveraged by remote attackers to cause denial of service via crafted image data.

For Debian 8 "Jessie", these problems have been fixed in version 8:6.8.9.9-5+deb8u19.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS