[SECURITY] [DLA 1275-1] uwsgi security update

2018-02-1022:01:44

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.5%

JSON

Package : uwsgi
Version : 1.2.3+dfsg-5+deb7u2
CVE ID : CVE-2018-6758
Debian Bug : 889753

It was discovered that the uwsgi_expand_path function in utils.c in
Unbit uWSGI, an application container server, has a stack-based buffer
overflow via a large directory length that can cause a
denial-of-service (application crash) or stack corruption.

For Debian 7 "Wheezy", these problems have been fixed in version
1.2.3+dfsg-5+deb7u2.

We recommend that you upgrade your uwsgi packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8ppc64eluwsgi-plugin-ldap< 2.0.7-1+deb8u2uwsgi-plugin-ldap_2.0.7-1+deb8u2_ppc64el.deb
Debian9arm64uwsgi-plugin-rack-ruby2.3< 2.0.14+20161117-3+deb9u1uwsgi-plugin-rack-ruby2.3_2.0.14+20161117-3+deb9u1_arm64.deb
Debian9mipsuwsgi-plugin-ring-openjdk-8< 2.0.14+20161117-3+deb9u1uwsgi-plugin-ring-openjdk-8_2.0.14+20161117-3+deb9u1_mips.deb
Debian9mips64eluwsgi-core< 2.0.14+20161117-3+deb9u1uwsgi-core_2.0.14+20161117-3+deb9u1_mips64el.deb
Debian9s390xuwsgi-plugin-greenlet-python< 2.0.14+20161117-3+deb9u1uwsgi-plugin-greenlet-python_2.0.14+20161117-3+deb9u1_s390x.deb
Debian9ppc64eluwsgi< 2.0.14+20161117-3+deb9u1uwsgi_2.0.14+20161117-3+deb9u1_ppc64el.deb
Debian7amd64uwsgi-app-integration-plugins< 1.2.3+dfsg-5+deb7u2uwsgi-app-integration-plugins_1.2.3+dfsg-5+deb7u2_amd64.deb
Debian9amd64uwsgi-infrastructure-plugins< 2.0.14+20161117-3+deb9u1uwsgi-infrastructure-plugins_2.0.14+20161117-3+deb9u1_amd64.deb
Debian9i386uwsgi-plugin-php< 2.0.14+20161117-3+deb9u1uwsgi-plugin-php_2.0.14+20161117-3+deb9u1_i386.deb
Debian9amd64uwsgi-mongodb-plugins< 2.0.14+20161117-3+deb9u1uwsgi-mongodb-plugins_2.0.14+20161117-3+deb9u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	ppc64el	uwsgi-plugin-ldap	< 2.0.7-1+deb8u2	uwsgi-plugin-ldap_2.0.7-1+deb8u2_ppc64el.deb
Debian	9	arm64	uwsgi-plugin-rack-ruby2.3	< 2.0.14+20161117-3+deb9u1	uwsgi-plugin-rack-ruby2.3_2.0.14+20161117-3+deb9u1_arm64.deb
Debian	9	mips	uwsgi-plugin-ring-openjdk-8	< 2.0.14+20161117-3+deb9u1	uwsgi-plugin-ring-openjdk-8_2.0.14+20161117-3+deb9u1_mips.deb
Debian	9	mips64el	uwsgi-core	< 2.0.14+20161117-3+deb9u1	uwsgi-core_2.0.14+20161117-3+deb9u1_mips64el.deb
Debian	9	s390x	uwsgi-plugin-greenlet-python	< 2.0.14+20161117-3+deb9u1	uwsgi-plugin-greenlet-python_2.0.14+20161117-3+deb9u1_s390x.deb
Debian	9	ppc64el	uwsgi	< 2.0.14+20161117-3+deb9u1	uwsgi_2.0.14+20161117-3+deb9u1_ppc64el.deb
Debian	7	amd64	uwsgi-app-integration-plugins	< 1.2.3+dfsg-5+deb7u2	uwsgi-app-integration-plugins_1.2.3+dfsg-5+deb7u2_amd64.deb
Debian	9	amd64	uwsgi-infrastructure-plugins	< 2.0.14+20161117-3+deb9u1	uwsgi-infrastructure-plugins_2.0.14+20161117-3+deb9u1_amd64.deb
Debian	9	i386	uwsgi-plugin-php	< 2.0.14+20161117-3+deb9u1	uwsgi-plugin-php_2.0.14+20161117-3+deb9u1_i386.deb
Debian	9	amd64	uwsgi-mongodb-plugins	< 2.0.14+20161117-3+deb9u1	uwsgi-mongodb-plugins_2.0.14+20161117-3+deb9u1_amd64.deb