[SECURITY] [DSA 4440-1] bind9 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4440-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4439-1] postgresql-9.6 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4439-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1781-1] qemu security update

Package : qemu Version : 1:2.1+dfsg-12+deb8u11 CVE ID : CVE-2018-11806 CVE-2018-18849 CVE-2018-20815 CVE-2019-9824 Debian Bug : 901017 912535 Several vulnerabilities were found in QEMU, a fast processor emulator: CVE-2018-11806 It was found that the SLiRP networking implementation could use a wro...

[SECURITY] [DSA 4438-1] atftp security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4438-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 07, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4438-1] atftp security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4438-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 07, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1780-1] firefox-esr new upstream version

Package : firefox-esr Version : 60.6.2esr-1deb8u1 Debian Bug : 928415 928449 928509 Firefox 60.6.2 ESR repairs a certificate chain issue that caused extensions to be disabled in the past few days. More information, and details of known remaining issues, can be found at...

[SECURITY] [DLA 1779-1] 389-ds-base security update

Package : 389-ds-base Version : 1.3.3.5-4+deb8u6 CVE ID : CVE-2019-3883 Debian Bug : 927939 In 389-ds-base up to version 1.4.1.2, requests were handled by worker threads. Each socket had been waited for by the worker for at most ioblocktimeout seconds. However, this timeout applied only to...

[SECURITY] [DLA 1778-1] symfony security update

Package : symfony Version : 2.3.21+dfsg-4+deb8u5 CVE ID : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-10913 Several security vulnerabilities have been discovered in symfony, a PHP web application framework. Numerous symfony components are affected: Framework Bundle, Dependency Injection...

[SECURITY] [DLA 1777-1] jquery security update

Package : jquery Version : 1.7.2+dfsg-3.2+deb8u6 CVE ID : CVE-2019-11358 jQuery mishandles jQuery.extendtrue, , ... because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. For additional informatio...

[SECURITY] [DLA 1776-1] librecad security update

Package : librecad Version : 2.0.4-1+deb8u1 CVE ID : CVE-2018-19105 Debian Bug : 928477 A vulnerability was found in LibreCAD, a computer-aided design system, which could be exploited to crash the application or cause other unspecified impact when opening a specially crafted file. For Debian 8...

[SECURITY] [DLA 1775-1] phpbb3 security update

Package : phpbb3 Version : 3.0.12-5+deb8u3 CVE ID : CVE-2019-9826 Colin Snover discovered a denial-of-service vulnerability in phpBB3, a full-featured web forum. Previous versions allowed users to run searches that might result in long execution times and load on larger boards when using the...

[SECURITY] [DLA 1774-1] otrs2 security update

Package : otrs2 Version : 3.3.18-1+deb8u9 CVE ID : CVE-2019-9892 A flaw was discovered in OTRS, the Open Ticket Request System. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading o...

[SECURITY] [DLA 1771-1] linux-4.9 security update

Package : linux-4.9 Version : 4.9.168-1deb8u1 CVE ID : CVE-2018-14625 CVE-2018-16884 CVE-2018-19824 CVE-2018-19985 CVE-2018-20169 CVE-2018-1000026 CVE-2019-3459 CVE-2019-3460 CVE-2019-3701 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-8980 CVE-2019-9213 Debian Bug : 904385 9181...

[SECURITY] [DLA 1773-1] signing-party security update

Package : signing-party Version : 1.1.10-3+deb8u1 CVE ID : CVE-2019-11627 Debian Bug : 928256 An unsafe shell call enabling shell injection via a user ID was corrected in gpg-key2ps, a tool to generate a PostScript file with OpenPGP key fingerprint slips. For Debian 8 "Jessie", this problem has...

[SECURITY] [DLA 1753-2] proftpd-dfsg regression update

Package : proftpd-dfsg Version : 1.3.5e+r1.3.5-2+deb8u1 CVE ID : not available Debian Bug : 923926 926719 The update of proftpd-dfsg issued as DLA-1753-1 caused a regression when using the sftp module. Login to the sftp server was impossible when the SFTPPAMEngine option was turned on 926719. Thi...

[SECURITY] [DLA 1772-1] libvirt security update

Package : libvirt Version : 1.2.9-9+deb8u6 CVE ID : CVE-2016-10746 libvirt-domain.c in libvirt supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required. This could lead to could lead to potentially disclosing unintended...

[SECURITY] [DSA 4437-1] gst-plugins-base1.0 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4437-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 29, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1770-1] gst-plugins-base1.0 security update

Package : gst-plugins-base1.0 Version : 1.4.4-2+deb8u2 CVE ID : CVE-2019-9928 The RTSP connection parser in the base GStreamer packages version 1.0, which is a streaming media framework, was vulnerable against an heap-based buffer overflow by sending a longer than allowed session id in a response...

[SECURITY] [DLA 1769-1] gst-plugins-base0.10 security update

rom: Thorsten Alteholz [email protected] To: [email protected] Subject: SECURITY DLA 1769-1 gst-plugins-base0.10 security update Package : gst-plugins-base0.10 Version : 0.10.36-2+deb8u1 CVE ID : CVE-2019-9928 Debian Bug : The RTSP connection parser in the base GStreamer...

[SECURITY] [DSA 4436-1] imagemagick security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4436-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1768-1] checkstyle security update

Package : checkstyle Version : 5.9-1+deb8u1 CVE ID : CVE-2019-9658 checkstyle was loading external DTDs by default, which is now disabled by default. If needed it can be re-enabled by setting the system property checkstyle.enableExternalDtdLoad to true. For Debian 8 "Jessie", this problem has bee...

[SECURITY] [DSA 4435-1] libpng1.6 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4435-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 27, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4435-1] libpng1.6 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4435-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 27, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1767-1] monit security update

Package : monit Version : 1:5.9-1+deb8u2 CVE ID : CVE-2019-11454 CVE-2019-11455 Zack Flack found several issues in monit, a utility for monitoring and managing daemons or similar programs. CVE-2019-11454 An XSS vulnerabilitty has been reported that could be prevented by HTML escaping the log file...

[SECURITY] [DLA 1766-1] evolution security update

Package : evolution Version : 3.12.9git20141130.241663-1+deb8u1 CVE ID : CVE-2018-15587 Debian Bug : 924616 Hanno Böck discovered that GNOME Evolution is prone to OpenPGP signatures being spoofed for arbitrary messages using a specially crafted HTML email. This issue was mitigated by moving the...

[SECURITY] [DLA 1762-2] systemd regression update

Package : systemd Version : 215-17+deb8u13 In the recently uploaded systemd security update 215-17+deb8u12 via DLA-1762-1, a regression was discovered in the fix for CVE-2017-18078. The observation of Debian jessie LTS users was, that after upgrading to +deb8u12 temporary files would not have the...

[SECURITY] [DLA 1765-1] gpac security update

Package : gpac Version : 0.5.0+svn5324dfsg1-1+deb8u3 CVE ID : CVE-2019-11221 CVE-2019-11222 Several issues have been found for gpac, an Open Source multimedia framework. Using crafted files one can trigger buffer overflow issues that could be used to crash the application. For Debian 8 "Jessie",...

[SECURITY] [DLA 1764-1] mercurial security update

Package : mercurial Version : 3.1.2-2+deb8u7 CVE ID : CVE-2019-3902 Debian Bug : 927674 It was discovered that there was a path traversal vulnerability in the "mercurial" distributed revision version control system. Symbolic links and subrepositories could be used defeat Mercurials path-checking...

[SECURITY] [DLA 1763-1] putty security update

Package : putty Version : 0.63-10+deb8u2 CVE ID : CVE-2019-9894 CVE-2019-9897 CVE-2019-9898 Multiple vulnerabilities were found in the PuTTY SSH client, which could result in denial of service and potentially the execution of arbitrary code. In addition, in some situations random numbers could...

[SECURITY] [DLA 1762-1] systemd security update

Package : systemd Version : 215-17+deb8u12 CVE ID : CVE-2017-18078 CVE-2019-3842 Two vulnerabilities have been addressed in the systemd components systemd-tmpfiles and pamsystemd.so. CVE-2017-18078 systemd-tmpfiles in systemd attempted to support ownership/permission changes on hardlinked files...

[SECURITY] [DLA 1761-1] ghostscript security update

Package : ghostscript Version : 9.26adfsg-0+deb8u2 CVE ID : CVE-2019-3835 CVE-2019-3838 Debian Bug : 925256 925257 Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL PostScript/PDF interpreter, which could result in bypass of file system restrictions of the dSAFER sandbox. For...

[SECURITY] [DLA 1760-1] wget security update

Package : wget Version : 1.16-1+deb8u6 CVE ID : CVE-2019-5953 Kusano Kazuhiko discovered a buffer overflow vulnerability in the handling of Internationalized Resource Identifiers IRI in wget, a network utility to retrieve files from the web, which could result in the execution of arbitrary code o...

[SECURITY] [DLA 1759-1] clamav security update

Package : clamav Version : 0.100.3+dfsg-0+deb8u1 CVE ID : CVE-2019-1787 CVE-2019-1788 CVE-2019-1789 Debian Bug : Out-of-bounds read and write conditions have been fixed in clamav. CVE-2019-1787 An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to...

[SECURITY] [DLA 1758-1] debian-security-support update

Package : debian-security-support Version : 2019.02.02deb8u1 debian-security-support, the Debian security support coverage checker, has been updated in jessie. The jessie relevant changes are: Mark spice-xpi as end-of-life for Jessie. Add edk2 to security-support-ended.deb8 Add robocode to...

[SECURITY] [DSA 4434-1] drupal7 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4434-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4434-1] drupal7 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4434-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4433-1] ruby2.3 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4433-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 16, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4432-1] ghostscript security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4432-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4432-1] ghostscript security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4432-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 16, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1757-1] cacti security update

Package : cacti Version : 0.8.8b+dfsg-8+deb8u7 CVE ID : CVE-2019-11025 Debian Bug : 926700 It was discovered that there were a number of cross-site scripting vulnerabilities XSS in cacti, a web-based front-end for the RRDTool monitoring tool. For Debian 8 "Jessie", this issue has been fixed in...

[SECURITY] [DLA 1756-1] libxslt security update

Package : libxslt Version : 1.1.28-2+deb8u4 CVE ID : CVE-2019-11068 Debian Bug : 926895 It was discovered that there was a authentication bypass vulnerability in libxslt, a widely-used library for transforming files from XML to other arbitrary format. The xsltCheckRead and xsltCheckWrite routines...

[SECURITY] [DLA 1755-1] graphicsmagick security update

Package : graphicsmagick Version : 1.3.20-3+deb8u6 CVE ID : CVE-2017-10799 CVE-2019-11006 CVE-2019-11007 CVE-2019-11008 CVE-2019-11009 CVE-2019-11010 Debian Bug : 927029 Several security vulnerabilities were discovered in Graphicsmagick, a collection of image processing tools. Heap-based buffer...

[SECURITY] [DLA 1628-2] jasper regression update

Package : jasper Version : 1.900.1-debian1-2.4+deb8u6 The update of jasper issued as DLA-1628-1 caused a regression due to the fix for CVE-2018-19542, a NULL pointer dereference in the function jp2decode, which could lead to a denial-of-service. In some cases not only invalid jp2 files but also...

[SECURITY] [DSA 4431-1] libssh2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4431-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 13, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4431-1] libssh2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4431-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 13, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4430-1] wpa security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4430-1 [email protected] https://www.debian.org/security/ Yves-Alexis Perez April 10, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4429-1] spip security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4429-1 [email protected] https://www.debian.org/security/ Sebastien Delafond April 10, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DSA 4429-1] spip security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4429-1 [email protected] https://www.debian.org/security/ Sebastien Delafond April 10, 2019 https://www.debian.org/security/faq -...

[SECURITY] [DLA 1754-1] samba security update

Package : samba Version : 2:4.2.14+dfsg-0+deb8u12 CVE ID : CVE-2017-9461 CVE-2018-1050 CVE-2018-1057 CVE-2019-3880 Various vulnerabilities were discovered in Samba, SMB/CIFS file, print, and login server/client for Unix CVE-2017-9461 smbd in Samba had a denial of service vulnerability fdopenatomi...

[SECURITY] [DLA 1753-1] proftpd-dfsg security update

Package : proftpd-dfsg Version : 1.3.5e-0+deb8u1 CVE ID : not-available Debian Bug : 923926 Several memory leaks were discovered in proftpd-dfsg, a versatile, virtual-hosting FTP daemon, when modfacl or modsftp is used which could lead to memory exhaustion and a denial-of-service. For Debian 8...