
14335 matches found

Debian • added 2019/09/02 8:44 a.m. • 200 views

[SECURITY] [DLA 1907-1] libav security update

Package : libav Version : 6:11.12-1deb8u8 CVE ID : CVE-2017-9987 CVE-2018-5766 CVE-2018-11102 CVE-2019-14372 CVE-2019-14442 Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. CVE-2017-9987 In Libav, there was a heap-based buffer overflow...

CVSS: 8.8 | AI score: 7.2 | EPSS: 0.00773 | Exploits: 5

Debian • added 2019/09/01 9:8 p.m. • 216 views

[SECURITY] [DSA 4511-1] nghttp2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4511-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff September 01, 2019 https://www.debian.org/security/faq -...

CVSS: 7.8 | AI score: 8.4 | EPSS: 0.13725 | Exploits: 0

Debian • added 2019/08/31 9:23 p.m. • 308 views

[SECURITY] [DLA 1906-1] python2.7 security update

Package : python2.7 Version : 2.7.9-2+deb8u4 CVE ID : CVE-2018-20852 A vulnerability has been discovered in Python, an interactive high-level object-oriented language, that is relevant for cookie handling. By using a malicious server an attacker might steal cookies that are meant for other domain...

CVSS: 5.3 | AI score: 6.8 | EPSS: 0.01665 | Exploits: 1

Debian • added 2019/08/31 2:32 p.m. • 275 views

[SECURITY] [DLA 1905-1] gosa security update

Package : gosa Version : 2.7.4+reloaded2-1+deb8u5 CVE ID : CVE-2019-14466 GOsa² used unserialize to restore filter settings from a cookie. Since this cookie was supplied by the client, authenticated users could have passed arbitrary content to unserialized, which opened GOsa² up to a potential PH...

CVSS: 6.5 | AI score: 7 | EPSS: 0.00226 | Exploits: 0

Debian • added 2019/08/30 9:17 p.m. • 338 views

[SECURITY] [DLA 1904-1] libextractor security update

Package : libextractor Version : 1:1.3-2+deb8u5 CVE ID : CVE-2019-15531 jianglin found an issue in libextractor, a library that extracts meta-data from files of arbitrary type. A crafted file could result in a heap-buffer-overflow vulnerability in function EXTRACTOR_dvi_extract_method in...

CVSS: 6.5 | AI score: 6.4 | EPSS: 0.01085 | Exploits: 0

Debian • added 2019/08/29 9:14 p.m. • 65 views

[SECURITY] [DLA 1903-1] subversion security update

Package : subversion Version : 1.8.10-6+deb8u7 CVE ID : CVE-2018-11782 CVE-2019-0203 Several vulnerabilities were discovered in Subversion, a version control system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-11782 Ace Olszowka reported that the...

CVSS: 7.5 | AI score: 7 | EPSS: 0.06024 | Exploits: 0

Debian • added 2019/08/29 8:31 p.m. • 87 views

[SECURITY] [DLA 1902-1] djvulibre security update

Package : djvulibre Version : 3.5.25.4-4+deb8u1 CVE ID : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145 Hongxu Chen found several issues in djvulibre, a library and set of tools to handle images in the DjVu format. The issues are a heap-buffer-overflow, a stack-overflow, an infinite...

CVSS: 5.5 | AI score: 6.1 | EPSS: 0.00862 | Exploits: 4

Debian • added 2019/08/29 7:2 p.m. • 93 views

[SECURITY] [DLA 1901-1] dovecot security update

Package : dovecot Version : 1:2.2.13-12deb8u7 CVE ID : CVE-2019-11500 Nick Roessler and Rafi Rubin discovered that the IMAP and ManageSieve protocol parsers in the Dovecot email server do not properly validate input both pre- and post-login. A remote attacker can take advantage of this flaw to...

CVSS: 9.8 | AI score: 7.5 | EPSS: 0.38348 | Exploits: 1

Debian • added 2019/08/28 10:39 p.m. • 146 views

[SECURITY] [DLA 1900-1] apache2 security update

Package : apache2 Version : 2.4.10-10+deb8u15 CVE ID : CVE-2019-10092 CVE-2019-10098 Two security vulnerabilities were found in the Apache HTTP server. CVE-2019-10092 Matei "Mal" Badanoiu reported a limited cross-site scripting vulnerability in the mod_proxy error page. CVE-2019-10098 Yukitsugu...

CVSS: 6.1 | AI score: 8.2 | EPSS: 0.82379 | Exploits: 5

Debian • added 2019/08/28 7:30 p.m. • 62 views

[SECURITY] [DLA 1899-1] faad2 security update

Package : faad2 Version : 2.7-8+deb8u3 CVE ID : CVE-2018-19502 CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 CVE-2019-15296 Debian Bug : 914641 Multiple vulnerabilities have been discovered in faad2, the Freeware Advanced Audio Coder: CVE-2018-19502 Heap buffer overflow in the functi...

CVSS: 7.8 | AI score: 7.9 | EPSS: 0.00479 | Exploits: 5

Debian • added 2019/08/28 12:15 p.m. • 29 views

[SECURITY] [DSA 4510-1] dovecot security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4510-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 28, 2019 https://www.debian.org/security/faq -...

CVSS: 7.5 | AI score: 2.8 | EPSS: 0.38348 | Exploits: 1

Debian • added 2019/08/28 12:15 p.m. • 40 views

[SECURITY] [DSA 4510-1] dovecot security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4510-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 28, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 8 | EPSS: 0.38348 | Exploits: 1

Debian • added 2019/08/26 7:52 p.m. • 66 views

[SECURITY] [DSA 4509-1] apache2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4509-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 26, 2019 https://www.debian.org/security/faq -...

CVSS: 7.8 | AI score: 0.5 | EPSS: 0.82379 | Exploits: 6

Debian • added 2019/08/26 7:52 p.m. • 297 views

[SECURITY] [DSA 4509-1] apache2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4509-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 26, 2019 https://www.debian.org/security/faq -...

CVSS: 9.1 | AI score: 8.5 | EPSS: 0.82379 | Exploits: 6

Debian • added 2019/08/26 1:47 p.m. • 27 views

[SECURITY] [DLA 1898-1] xymon security update

Package : xymon Version : 4.3.17-6+deb8u2 CVE ID : CVE-2019-13273 CVE-2019-13274 CVE-2019-13451 CVE-2019-13452 CVE-2019-13455 CVE-2019-13484 CVE-2019-13485 CVE-2019-13486 Multiple vulnerabilities have been found in xymon, the network monitoring application. Remote attackers might leverage these...

CVSS: 9.8 | AI score: 9.2 | EPSS: 0.01049 | Exploits: 1

Debian • added 2019/08/25 8:41 p.m. • 160 views

[SECURITY] [DLA 1897-1] tiff security update

Package : tiff Version : 4.0.3-12.3+deb8u9 CVE ID : CVE-2019-14973 Even Rouault found an issue in tiff, a library providing support for the Tag Image File Format. Wrong handling of integer overflow checks, that are based on undefined compiler behavior, might result in an application crash. For...

CVSS: 6.5 | AI score: 7.9 | EPSS: 0.0313 | Exploits: 0

Debian • added 2019/08/24 2:49 p.m. • 219 views

[SECURITY] [DLA 1896-1] commons-beanutils security update

Package : commons-beanutils Version : 1.9.2-1+deb8u1 CVE ID : CVE-2019-10086 It was discovered that there was a remote arbitrary code vulnerability in commons-beanutils, a set of utilities for manipulating JavaBeans code. For Debian 8 "Jessie", this issue has been fixed in commons-beanutils versi...

CVSS: 7.5 | AI score: 7.8 | EPSS: 0.01215 | Exploits: 1

Debian • added 2019/08/24 2:44 p.m. • 198 views

[SECURITY] [DSA 4508-1] h2o security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4508-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 24, 2019 https://www.debian.org/security/faq -...

CVSS: 7.8 | AI score: 9 | EPSS: 0.50822 | Exploits: 1

Debian • added 2019/08/24 11:46 a.m. • 191 views

[SECURITY] [DSA 4507-1] squid security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4507-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 24, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 9.6 | EPSS: 0.54551 | Exploits: 1

Debian • added 2019/08/24 11:46 a.m. • 39 views

[SECURITY] [DSA 4507-1] squid security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4507-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso August 24, 2019 https://www.debian.org/security/faq -...

CVSS: 7.5 | AI score: 2.4 | EPSS: 0.54551 | Exploits: 1

Debian • added 2019/08/24 9:55 a.m. • 252 views

[SECURITY] [DSA 4506-1] qemu security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4506-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 24, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 8.5 | EPSS: 0.06468 | Exploits: 3

Debian • added 2019/08/23 8:48 p.m. • 121 views

[SECURITY] [DLA 1895-1] libmspack security update

Package : libmspack Version : 0.5-1+deb8u4 CVE ID : CVE-2019-1010305 JsHuang found an issue in libmspack, a library for Microsoft compression format. Opening a crafted chm file might result in a buffer overflow which might disclose confidential information. For Debian 8 "Jessie", this problem has...

CVSS: 5.5 | AI score: 6 | EPSS: 0.0023 | Exploits: 1

Debian • added 2019/08/23 8:45 p.m. • 121 views

[SECURITY] [DLA 1894-1] libapache2-mod-auth-openidc security

Package : libapache2-mod-auth-openidc Version : 1.6.0-1+deb8u1 CVE ID : CVE-2019-1010247 Compass Security Schweiz AG discovered an issue in libapache2-mod-auth-openidc, an OpenID Connect authentication module for Apache. The OIDCRedirectURI page contains generated JavaScript code that uses a poll...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.00349 | Exploits: 0

Debian • added 2019/08/22 10:1 p.m. • 116 views

[SECURITY] [DLA 1886-2] openjdk-7 regression update

Package : openjdk-7 Version : 7u231-2.6.19-1deb8u2 Debian Bug : 935082 750400 The latest security update of openjdk-7 caused a regression when applications relied on elliptic curve algorithms to establish SSL connections. Several duplicate classes were removed from rt.jar by the upstream develope...

AI score: 6.8 | Exploits: 0

Debian • added 2019/08/22 8:45 p.m. • 80 views

[SECURITY] [DLA 1893-1] cups security update

Package : cups Version : 1.7.5-11+deb8u5 CVE ID : CVE-2019-8675 CVE-2019-8696 Two issues have been found in cups, the Common UNIX Printing System(tm). Basically both CVEs CVE-2019-8675 and CVE-2019-8696 are about stack-buffer-overflow in two functions of libcup. One happens in asn1_get_type the other...

CVSS: 8.8 | AI score: 8.8 | EPSS: 0.0129 | Exploits: 0

Debian • added 2019/08/22 7:38 p.m. • 162 views

[SECURITY] [DSA 4505-1] nginx security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4505-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 22, 2019 https://www.debian.org/security/faq -...

CVSS: 7.8 | AI score: 8.3 | EPSS: 0.13725 | Exploits: 0

Debian • added 2019/08/20 10:4 p.m. • 70 views

[SECURITY] [DSA 4504-1] vlc security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4504-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 20, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 8.4 | EPSS: 0.03227 | Exploits: 1

Debian • added 2019/08/20 10:3 a.m. • 37 views

[SECURITY] [DLA 1892-1] flask security update

Package : flask Version : 0.10.1-2+deb8u1 CVE ID : CVE-2018-1000656 Flask, a micro web framework for Python, contains a CWE-20: Improper Input Validation vulnerability that can result in large amount of memory usage possibly leading to denial of service. This attack appears to be exploitable via...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.00644 | Exploits: 1

Debian • added 2019/08/18 10:47 p.m. • 85 views

[SECURITY] [DLA 1891-1] openldap security update

Package : openldap Version : 2.4.40+dfsg-1+deb8u5 CVE ID : CVE-2019-13057 CVE-2019-13565 Debian Bug : 932997 932998 Several security vulnerabilities were discovered in openldap, a server and tools to provide a standalone directory service. CVE-2019-13057 When the server administrator delegates...

CVSS: 7.5 | AI score: 7.7 | EPSS: 0.04191 | Exploits: 0

Debian • added 2019/08/18 10:38 p.m. • 88 views

[SECURITY] [DLA 1890-1] kde4libs security update

Package : kde4libs Version : 4:4.14.2-5+deb8u3 CVE ID : CVE-2019-14744 Debian Bug : 934268 Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files which could the...

CVSS: 7.8 | AI score: 8 | EPSS: 0.01735 | Exploits: 1

Debian • added 2019/08/18 6:25 p.m. • 127 views

[SECURITY] [DSA 4503-1] golang-1.11 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4503-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 18, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 8.9 | EPSS: 0.50822 | Exploits: 2

Debian • added 2019/08/17 5:55 p.m. • 346 views

[SECURITY] [DLA 1889-1] python3.4 security update

Package : python3.4 Version : 3.4.2-1+deb8u6 CVE ID : CVE-2018-20852 A vulnerability has been discovered in Python, an interactive high-level object-oriented language, that is relevant for cookie handling. By using a malicious server an attacker might steal cookies that are meant for other domain...

CVSS: 5.3 | AI score: 6.8 | EPSS: 0.01665 | Exploits: 1

Debian • added 2019/08/16 8:38 p.m. • 295 views

[SECURITY] [DSA 4502-1] ffmpeg security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4502-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 16, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.02417 | Exploits: 0

Debian • added 2019/08/16 2:14 p.m. • 99 views

[SECURITY] [DLA 1888-1] imagemagick security update

Package : imagemagick Version : 8:6.8.9.9-5+deb8u17 CVE ID : CVE-2019-12974 CVE-2019-13135 CVE-2019-13295 CVE-2019-13297 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 Multiple vulnerabilities have been found in imagemagick, an image processing toolkit. CVE-2019-12974 NULL pointer dereference in...

CVSS: 8.8 | AI score: 9.2 | EPSS: 0.02588 | Exploits: 5

Debian • added 2019/08/15 9:57 p.m. • 136 views

[SECURITY] [DLA 1886-1] openjdk-7 security update

Package : openjdk-7 Version : 7u231-2.6.19-1deb8u1 CVE ID : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, information disclosure or the...

CVSS: 5.8 | AI score: 7.2 | EPSS: 0.00639 | Exploits: 0

Debian • added 2019/08/15 8:30 p.m. • 100 views

[SECURITY] [DLA 1887-1] freetype security update

Package : freetype Version : 2.5.2-3+deb8u3 CVE ID : CVE-2015-9290 A buffer over-read in the t1-parser of freetype, a font engine, has been found and fixed by checking limits more sensible. For Debian 8 "Jessie", this problem has been fixed in version 2.5.2-3+deb8u3. We recommend that you upgrade...

CVSS: 9.8 | AI score: 8 | EPSS: 0.0049 | Exploits: 1

Debian • added 2019/08/15 8:5 p.m. • 142 views

[SECURITY] [DSA 4501-1] libreoffice security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4501-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff August 15, 2019 https://www.debian.org/security/faq -...

CVSS: 9.8 | AI score: 9.9 | EPSS: 0.92343 | Exploits: 11

Debian • added 2019/08/14 11:55 a.m. • 65 views

[SECURITY] [DLA 1877-1] otrs2 security update

Package : otrs2 Version : 3.3.18-1+deb8u11 CVE ID : CVE-2018-11563 CVE-2019-12746 CVE-2019-13458 Several security issues have been fixed in otrs2, a well known trouble ticket system. CVE-2018-11563 An attacker who is logged into OTRS as a customer can use the ticket overview screen to disclose...

CVSS: 6.5 | AI score: 6.1 | EPSS: 0.00822 | Exploits: 0

Debian • added 2019/08/14 11:46 a.m. • 104 views

[SECURITY] [DLA 1885-1] linux-4.9 security update

Package : linux-4.9 Version : 4.9.168-1+deb9u5deb8u1 CVE ID : CVE-2017-18509 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856 CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284 Several vulnerabilities have...

CVSS: 9.3 | AI score: 7.1 | EPSS: 0.19224 | Exploits: 6

Debian • added 2019/08/14 12:16 a.m. • 205 views

[SECURITY] [DLA 1884-1] linux security update

Package : linux Version : 3.16.72-1 CVE ID : CVE-2017-18509 CVE-2018-20836 CVE-2019-1125 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-13631 CVE-2019-14283 CVE-2019-14284 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of...

CVSS: 9.3 | AI score: 7.1 | EPSS: 0.19224 | Exploits: 6

Debian • added 2019/08/13 7:30 p.m. • 204 views

[SECURITY] [DLA 1883-1] tomcat8 security update

Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18...

CVSS: 9.8 | AI score: 8 | EPSS: 0.61164 | Exploits: 3

Debian • added 2019/08/13 12:40 p.m. • 31 views

[SECURITY] [DLA 1882-1] atril security update

Package : atril Version : 1.8.1+dfsg1-4+deb8u2 CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006 A few issues were found in Atril, the MATE document viewer. CVE-2017-1000159 When printing from DVI to PDF, the dvipdfm tool was called without properly sanitizing the filename, which could le...

CVSS: 7.8 | AI score: 8.7 | EPSS: 0.00438 | Exploits: 1

Debian • added 2019/08/13 12:16 p.m. • 32 views

[SECURITY] [DLA 1881-1] evince security update

Package : evince Version : 3.14.1-2+deb8u3 CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006 A few issues were found in the Evince document viewer. CVE-2017-1000159 When printing from DVI to PDF, the dvipdfm tool was called without properly sanitizing the filename, which could lead to a...

CVSS: 7.8 | AI score: 8.7 | EPSS: 0.00438 | Exploits: 1

Debian • added 2019/08/13 9:11 a.m. • 55 views

[SECURITY] [DLA 1880-1] ghostscript security update

Package : ghostscript Version : 9.26adfsg-0+deb8u4 CVE ID : CVE-2019-10216 Debian Bug : 934638 Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions ...

CVSS: 7.8 | AI score: 7.5 | EPSS: 0.00526 | Exploits: 0

Debian • added 2019/08/13 5:17 a.m. • 68 views

[SECURITY] [DSA 4500-1] chromium security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4500-1 [email protected] https://www.debian.org/security/ Michael Gilbert August 12, 2019 https://www.debian.org/security/faq -...

CVSS: 6.8 | AI score: 0.2 | EPSS: 0.78248 | Exploits: 7

Debian • added 2019/08/13 5:17 a.m. • 89 views

[SECURITY] [DSA 4500-1] chromium security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4500-1 [email protected] https://www.debian.org/security/ Michael Gilbert August 12, 2019 https://www.debian.org/security/faq -...

CVSS: 9.6 | AI score: 9.6 | EPSS: 0.78248 | Exploits: 7

Debian • added 2019/08/13 4:36 a.m. • 206 views

[SECURITY] [DSA 4497-1] linux security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4497-1 [email protected] https://www.debian.org/security/ Ben Hutchings August 13, 2019 https://www.debian.org/security/faq -...

CVSS: 9.3 | AI score: 8.8 | EPSS: 0.19224 | Exploits: 5

Debian • added 2019/08/13 4:36 a.m. • 54 views

[SECURITY] [DSA 4497-1] linux security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4497-1 [email protected] https://www.debian.org/security/ Ben Hutchings August 13, 2019 https://www.debian.org/security/faq -...

CVSS: 9.3 | AI score: 1.3 | EPSS: 0.19224 | Exploits: 5

Debian • added 2019/08/12 10:19 p.m. • 86 views

[SECURITY] [DLA 1879-1] jackson-databind security update

Package : jackson-databind Version : 2.4.2-2+deb8u8 CVE ID : CVE-2019-14379 CVE-2019-14439 Debian Bug : 933393 Deserialization flaws were discovered in jackson-databind relating to EHCache and logback/jndi, which could allow an unauthenticated user to perform remote code execution. The issue was...

CVSS: 9.8 | AI score: 7.1 | EPSS: 0.10145 | Exploits: 0

Debian • added 2019/08/12 9:24 p.m. • 91 views

[SECURITY] [DLA 1878-1] php5 security update

Package : php5 Version : 5.6.40+dfsg-0+deb8u5 CVE ID : CVE-2019-11041 CVE-2019-11042 Two heap buffer overflows were found in the EXIF parsing code of PHP, a widely-used open source general purpose scripting language. For Debian 8 "Jessie", these problems have been fixed in version...

CVSS: 7.1 | AI score: 7.4 | EPSS: 0.03811 | Exploits: 2

Total number of security vulnerabilities: 14335