[SECURITY] [DLA 1855-1] exiv2 security update

Package : exiv2 Version : 0.24-4.1+deb8u4 CVE ID : CVE-2019-13504 It was discovered that there was an integer overflow vulnerability in exiv2, a tool to manipulate images containing eg. EXIF metadata. This could have resulted in a denial of service via a specially- crafted file. For Debian 8...

[SECURITY] [DLA 1833-2] bzip2 regression update

Package : bzip2 Version : 1.0.6-4+deb7u2 CVE ID : CVE-2019-12900 The original fix for CVE-2019-12900 in bzip2, a high-quality block-sorting file compressor, introduces regressions when extracting certain lbzip2 files which were created with a buggy libzip2. Please see https://bugs.debian.org/9312...

[SECURITY] [DLA 1854-1] libonig security update

Package : libonig Version : 5.9.5-3.2+deb8u2 CVE ID : CVE-2019-13224 Debian Bug : 931878 A use-after-free in onignewdeluxe in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacke...

[SECURITY] [DSA 4483-1] libreoffice security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4483-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 16, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4482-1] thunderbird security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4482-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 14, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1853-1] libspring-java security update

Package : libspring-java Version : 3.0.6.RELEASE-17+deb8u1 CVE ID : CVE-2014-3578 CVE-2014-3625 CVE-2015-3192 CVE-2015-5211 CVE-2016-9878 Debian Bug : 760733 769698 796137 849167 Vulnerabilities have been identified in libspring-java, a modular Java/J2EE application framework. CVE-2014-3578 A...

[SECURITY] [DSA 4481-1] ruby-mini-magick security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4481-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 13, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4481-1] ruby-mini-magick security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4481-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 13, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4480-1] redis security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4480-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 11, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4479-1] firefox-esr security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4479-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 11, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1852-1] python3.4 security update

Package : python3.4 Version : 3.4.2-1+deb8u5 CVE ID : CVE-2019-9948 The urllib library in Python ships support for a second, not well known URL scheme for accessing local files "localfile://". This scheme can be used to circumvent protections that try to block local file access and only block the...

[SECURITY] [DSA 4478-1] dosbox security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4478-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 10, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1851-1] openjpeg2 security update

Package : openjpeg2 Version : 2.1.0-2+deb8u7 CVE ID : CVE-2016-9112 CVE-2018-20847 Debian Bug : 931294 844551 Two security vulnerabilities were discovered in openjpeg2, a JPEG 2000 image library. CVE-2016-9112 A floating point exception or divide by zero in the function opjpinextcprl may lead to ...

[SECURITY] [DLA 1850-1] redis security update

Package : redis Version : 2:2.8.17-1+deb8u7 CVE ID : CVE-2019-10192 Debian Bug : 931625 It was discovered that there were two heap buffer overflows in the Hyperloglog functionality provided by the Redis in-memory key-value database. For Debian 8 "Jessie", these issues have been fixed in redis...

[SECURITY] [DLA 1848-1] libspring-security-2.0-java security update

Package : libspring-security-2.0-java Version : 2.0.7.RELEASE-3+deb8u2 CVE ID : CVE-2019-11272 Spring Security support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null...

[SECURITY] [DLA 1849-1] zeromq3 security update

Package : zeromq3 Version : 4.0.5+dfsg-2+deb8u2 CVE ID : CVE-2019-13132 Fang-Pen Lin discovered a stack-based buffer-overflow flaw in ZeroMQ, a lightweight messaging kernel library. A remote, unauthenticated client connecting to an application using the libzmq library, running with a socket...

[SECURITY] [DSA 4477-1] zeromq3 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4477-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 08, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4477-1] zeromq3 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4477-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso July 08, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1847-1] squid3 security update

Package : squid3 Version : 3.4.8-6+deb8u7 CVE ID : CVE-2019-13345 Debian Bug : 931478 It was discovered that there were multiple cross-site scripting vulnerabilities in the squid3 caching proxy server. For Debian 8 "Jessie", these issues have been fixed in squid3 version 3.4.8-6+deb8u7. We...

[SECURITY] [DLA 1846-1] unzip security update

Package : unzip Version : 6.0-16+deb8u4 CVE ID : CVE-2019-13232 Debian Bug : 931433 David Fifield discovered a way to construct non-recursive "zip bombs" that achieve a high compression ratio by overlapping files inside the zip container. However the output size increases quadratically in the inp...

[SECURITY] [DLA 1845-1] dosbox security update

Package : dosbox Version : 0.74-4+deb8u1 CVE ID : CVE-2019-7165 CVE-2019-12594 Debian Bug : 931222 Several security vulnerabilities were discovered in DOSBox, an emulator for running old DOS programs. CVE-2019-7165 A very long line inside a bat file would overflow the parsing buffer which could b...

[SECURITY] [DSA 4476-1] python-django security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4476-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 05, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1844-1] lemonldap-ng security update

Package : lemonldap-ng Version : 1.3.3-1+deb8u2 CVE ID : CVE-2019-13031 Debian Bug : 931117 It was discovered that there was a XML external entity vulnerability in the lemonldap-ng single-sign on system. This may have led to the disclosure of confidential data, denial of service, server side...

[SECURITY] [DLA 1843-1] pdns security update

Package : pdns Version : 3.4.1-4+deb8u10 CVE ID : CVE-2019-10162 CVE-2019-10163 Two vulnerabilities have been discovered in pdns, an authoritative DNS server which may result in denial of service via malformed zone records and excessive NOTIFY packets in a master/slave setup. CVE-2019-10162 An...

[SECURITY] [DSA 4475-1] openssl security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4475-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 01, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4474-1] firefox-esr security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4474-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 01, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1842-1] python-django security update

Package : python-django Version : 1.7.11-1+deb8u6 CVE ID : CVE-2019-12308 Debian Bug : 931316 It was discovered that the Django Python web development framework did not correct identify HTTP connections when a reverse proxy connected via HTTPS. When deployed behind a reverse-proxy connecting to...

[SECURITY] [DLA 1837-2] rdesktop regression update

Package : rdesktop Version : 1.8.6-0+deb8u2 Debian Bug : 930511 The update for rdesktop released as 1.8.6-0+deb8u1 introduced a regression which broke RDP protocol negotiation. Updated rdesktop packages are now available to correct this issue. For Debian 8 "Jessie", this problem has been fixed in...

[SECURITY] [DLA 1841-1] gpac security update

Package : gpac Version : 0.5.0+svn5324dfsg1-1+deb8u4 CVE ID : CVE-2019-12481 CVE-2019-12482 CVE-2019-12483 Three issues have been found for gpac, an Open Source multimedia framework. Two of them are NULL pointer dereferences and one of them is a heap-based buffer overflow. For Debian 8 "Jessie",...

[SECURITY] [DLA 1840-1] golang-go.crypto security update

Package : golang-go.crypto Version : 0.0hg190-1+deb8u1 CVE ID : CVE-2019-11840 A flaw was found in the amd64 implementation of salsa20. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect...

[SECURITY] [DLA 1839-1] expat security update

Package : expat Version : 2.1.0-6+deb8u5 CVE ID : CVE-2018-20843 Debian Bug : 931031 It was discovered that Expat, an XML parsing C library, did not properly handle XML input including XML names that contain a large number of colons, potentially resulting in denial of service. For Debian 8...

[SECURITY] [DSA 4473-1] rdesktop security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4473-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 28, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4473-1] rdesktop security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4473-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 28, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1838-1] mupdf security update

Package : mupdf Version : 1.5-1+deb8u6 CVE ID : CVE-2018-5686 CVE-2019-6130 CVE-2018-6192 Debian Bug : 887130 888487 918971 Several minor issues have been fixed in mupdf, a lightweight PDF viewer tailored for display of high quality anti-aliased graphics. CVE-2018-5686 In MuPDF, there was an...

[SECURITY] [DSA 4472-1] expat security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4472-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 28, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4472-1] expat security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4472-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 28, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1835-2] python3.4 regression update

Package : python3.4 Version : 3.4.2-1+deb8u4 CVE ID : CVE-2019-9740 CVE-2019-9947 Debian Bug : 931044 The update issued as DLA-1835-1 caused a regression in the http.client library in Python 3.4 which was broken by the patch intended to fix CVE-2019-9740 and CVE-2019-9947. For Debian 8 "Jessie",...

[SECURITY] [DLA 1837-1] rdesktop security update

Package : rdesktop Version : 1.8.6-0+deb8u1 Debian Bug : 930387 Several security vulnerabilities were discovered in the rdesktop RDP client, which could result in buffer overflows and execution of arbitrary code. For Debian 8 "Jessie", this problem has been fixed in version 1.8.6-0+deb8u1. We...

[SECURITY] [DLA 1836-1] thunderbird security update

Package : thunderbird Version : 1:60.7.2-1deb8u1 CVE ID : CVE-2019-11707 CVE-2019-11708 Multiple security issues have been found in Thunderbird which may lead to the execution of arbitrary code if malformed email messages are read. For Debian 8 "Jessie", these problems have been fixed in version...

[SECURITY] [DLA 1835-1] python3.4 security update

Package : python3.4 Version : 3.4.2-1+deb8u3 CVE ID : CVE-2018-14647 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 Debian Bug : 921039 924072 Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language, including CVE-2018-14647 Pythons elementtree C...

[SECURITY] [DLA 1834-1] python2.7 security update

Package : python2.7 Version : 2.7.9-2+deb8u3 CVE ID : CVE-2018-14647 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 Debian Bug : 921039 921040 924073 Multiple vulnerabilities were discovered in Python, an interactive high-level object-oriented language,...

[SECURITY] [DSA 4471-1] thunderbird security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4471-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 24, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1833-1] bzip2 security update

Package : bzip2 Version : 1.0.6-7+deb8u1 CVE ID : CVE-2016-3189 CVE-2019-12900 Two issues in bzip2, a high-quality block-sorting file compressor, have been fixed. One, CVE-2019-12900, is a out-of-bounds write when using a crafted compressed file. The other, CVE-2016-3189, is a potential...

[SECURITY] [DLA 1832-1] libvirt security update

Package : libvirt Version : 1.2.9-9+deb8u7 CVE IDs : CVE-2019-10161 CVE-2019-10167 Two vulnerabilities were discovered in libvirt, an abstraction API for different underlying virtualisation mechanisms provided by the kernel, etc. CVE-2019-10161: Prevent an vulnerability where readonly clients cou...

[SECURITY] [DSA 4470-1] pdns security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4470-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 23, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4467-2] vim regression update

------------------------------------------------------------------------- Debian Security Advisory DSA-4467-2 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 23, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4469-1] libvirt security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4469-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4469-1] libvirt security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4469-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1831-1] jackson-databind security update

Package : jackson-databind Version : 2.4.2-2+deb8u7 CVE ID : CVE-2019-12384 CVE-2019-12814 Debian Bug : 930750 More Polymorphic Typing issues were discovered in jackson-databind. When Default Typing is enabled either globally or for a specific property for an externally exposed JSON endpoint and...

[SECURITY] [DSA 4468-1] php-horde-form security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4468-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 21, 2019 https://www.debian.org/security/faq -...