14340 matches found
[SECURITY] [DSA 4293-1] discount security update
Debian Security Advisory DSA-4293-1 https://www.debian.org/security/ Alessandro Ghedini September 14, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1504-1] ghostscript security update
Package : ghostscript Version : 9.06dfsg-2+deb8u8 CVE ID : CVE-2018-11645 CVE-2018-15908 CVE-2018-15909 CVE-2018-15910 CVE-2018-15911 CVE-2018-16509 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16585 CVE-2018-16802 Debian Bug : 907332 908305...
[SECURITY] [DLA 1500-2] openssh regression update
Package : openssh Version : 1:6.7p1-5+deb8u7 Debian Bug : 908652 The security update of OpenSSH announced as DLA 1500-1 introduced a bug in openssh-client: when X11 forwarding is enabled via system-wide configuration in ssh_config or via -X command line switch, but no DISPLAY is set, the client...
[SECURITY] [DLA 1503-1] kamailio security update
Package : kamailio Version : 4.2.0-2+deb8u5 CVE ID : CVE-2018-16657 Debian Bug : 908324 It was discovered that there was a denial of service and a potential arbitrary code execution vulnerability in the kamailio SIP server. A specially-crafted SIP message with an invalid "Via" header could cause ...
[SECURITY] [DLA 1502-1] mgetty security update
Package : mgetty Version : 1.1.36-2.1+deb8u1 CVE ID : CVE-2018-16741 Two input sanitization failures have been found in the faxrunq and faxq binaries in mgetty. An attacker could leverage them to insert commands via shell metacharacters in jobs id and have them executed with the privilege of the...
[SECURITY] [DSA 4292-1] kamailio security update
Debian Security Advisory DSA-4292-1 https://www.debian.org/security/ Salvatore Bonaccorso September 11, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DSA 4291-1] mgetty security update
Debian Security Advisory DSA-4291-1 https://www.debian.org/security/ Yves-Alexis Perez September 11, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1501-1] libextractor security update
Package : libextractor Version : 1:1.3-2+deb8u3 CVE ID : CVE-2018-16430 Debian Bug : 907987 It was discovered that there was an out-of-bounds read vulnerability in libextractor, a library to extract meta-data from files of arbitrary type. For Debian 8 "Jessie", this issue has been fixed in...
[SECURITY] [DSA 4290-1] libextractor security update
Debian Security Advisory DSA-4290-1 https://www.debian.org/security/ Salvatore Bonaccorso September 10, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1500-1] openssh security update
Package : openssh Version : 1:6.7p1-5+deb8u6 CVE ID : CVE-2015-5352 CVE-2015-5600 CVE-2015-6563 CVE-2015-6564 CVE-2016-1908 CVE-2016-3115 CVE-2016-6515 CVE-2016-10009 CVE-2016-10011 CVE-2016-10012 CVE-2016-10708 CVE-2017-15906 Debian Bug : 790798 793616 795711 848716 848717 Several vulnerabilitie...
[SECURITY] [DLA 1499-1] discount security update
Package : discount Version : 2.1.7-1+deb8u1 CVE ID : CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495 Debian Bug : 901912 Several heap-based buffer over-reads were found in discount, an implementation of the Markdown markup language in C, that allowed remote attackers to cause a...
[SECURITY] [DLA 1498-1] curl security update
Package : curl Version : 7.38.0-4+deb8u12 CVE IDs : CVE-2018-14618 CVE-2018-14618 It was discovered that there was an integer overflow vulnerability in curl, a command line tool for transferring data over HTTP, etc. For more information, please see: https://curl.haxx.se/docs/CVE-2018-14618.html...
[SECURITY] [DSA 4289-1] chromium-browser security update
Debian Security Advisory DSA-4289-1 https://www.debian.org/security/ Michael Gilbert September 07, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DSA 4288-1] ghostscript security update
Debian Security Advisory DSA-4288-1 https://www.debian.org/security/ Moritz Muehlenhoff September 07, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DSA 4287-1] firefox-esr security update
Debian Security Advisory DSA-4287-1 https://www.debian.org/security/ Moritz Muehlenhoff September 07, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1497-1] qemu security update
Package : qemu Version : 1:2.1+dfsg-12+deb8u7 CVE ID : CVE-2015-8666 CVE-2016-2198 CVE-2016-6833 CVE-2016-6835 CVE-2016-8576 CVE-2016-8667 CVE-2016-8669 CVE-2016-9602 CVE-2016-9603 CVE-2016-9776 CVE-2016-9907 CVE-2016-9911 CVE-2016-9914 CVE-2016-9915 CVE-2016-9916 CVE-2016-9921 CVE-2016-9922...
[SECURITY] [DLA 1493-1] xen security update
Package : xen Version : 4.4.4lts1-0+deb8u1 CVE ID : CVE-2016-4963 CVE-2017-14431 Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks or privilege escalation. For Debian 8 "Jessie", these problems have been fixed in versi...
[SECURITY] [DLA 1496-1] lcms2 security update
Package : lcms2 Version : 2.6-3+deb8u2 CVE ID : CVE-2018-16435 Debian Bug : 907983 It was discovered that there was an integer overflow vulnerability in the "Little CMS 2" colour management library. A specially-crafted input file could lead to a heap-based buffer overflow. For Debian 8 "Jessie",...
[SECURITY] [DSA 4286-1] curl security update
Debian Security Advisory DSA-4286-1 https://www.debian.org/security/ Alessandro Ghedini September 05, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DSA 4285-1] sympa security update
Debian Security Advisory DSA-4285-1 https://www.debian.org/security/ Salvatore Bonaccorso September 05, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1495-1] git-annex security update
Package : git-annex Version : 5.20141125+oops-1+deb8u2 CVE ID : CVE-2017-12976 CVE-2018-10857 CVE-2018-10859 Debian Bug : 873088 The git-annex package was found to have multiple vulnerabilities when operating on untrusted data that could lead to arbitrary command execution and encrypted data...
[SECURITY] [DLA 1494-1] gdm3 security update
Package : gdm3 Version : 3.14.1-7+deb8u1 CVE ID : CVE-2018-14424 The daemon in GDM does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulti...
[SECURITY] [DSA 4284-1] lcms2 security update
Debian Security Advisory DSA-4284-1 https://www.debian.org/security/ Moritz Muehlenhoff September 04, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1492-1] dojo security update
Package : dojo Version : 1.10.2+dfsg-1+deb8u1 CVE ID : CVE-2018-15494 Debian Bug : 906540 It was discovered that there was a string injection vulnerability in the "dojo" JavaScript library. For Debian 8 "Jessie", this issue has been fixed in dojo version 1.10.2+dfsg-1+deb8u1 by Abhijith PA. We...
[SECURITY] [DLA 1491-1] tomcat8 security update
Package : tomcat8 Version : 8.0.14-1+deb8u13 CVE ID : CVE-2018-1336 CVE-2018-8034 Two security issues have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the...
[SECURITY] [DLA 1490-1] php5 security update
Package : php5 Version : 5.6.37+dfsg-0+deb8u1 CVE ID : CVE-2018-14851 CVE-2018-14883 Debian Bug : 890266 Two vulnerabilities have been discovered in php5, a server-side, HTML-embedded scripting language. One CVE-2018-14851 results in a potential denial of service out-of-bounds read and applicatio...
[SECURITY] [DLA 1489-1] spice-gtk security update
Package : spice-gtk Version : 0.25-1+deb8u1 CVE ID : CVE-2018-10873 Debian Bug : 906316 A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could...
[SECURITY] [DLA 1486-1] spice security update
Package : spice Version : 0.12.5-1+deb8u6 CVE ID : CVE-2018-10873 Debian Bug : 906315 A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could...
[SECURITY] [DLA 1488-1] mariadb-10.0 security update
Package : mariadb-10.0 Version : 10.0.36-0+deb8u1 CVE ID : CVE-2018-3058 CVE-2018-3063 CVE-2018-3064 CVE-2018-3066 Debian Bug : 904121 Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.36...
[SECURITY] [DSA 4283-1] ruby-json-jwt security update
Debian Security Advisory DSA-4283-1 https://www.debian.org/security/ Moritz Muehlenhoff August 31, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DSA 4282-1] trafficserver security update
Debian Security Advisory DSA-4282-1 https://www.debian.org/security/ Moritz Muehlenhoff August 31, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1488-1] spice security update
Package : spice Version : 0.12.5-1+deb8u6 CVE ID : CVE-2018-10873 Debian Bug : 906315 A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could...
[SECURITY] [DLA 1487-1] libtirpc security update
Package : libtirpc Version : 0.2.5-1+deb8u2 CVE ID : CVE-2018-14622 CVE-2018-14622 Fix for segmentation fault due to pointer becoming NULL. For Debian 8 "Jessie", this problem has been fixed in version 0.2.5-1+deb8u2. We recommend that you upgrade your libtirpc packages. Further information about...
[SECURITY] [DLA 1485-1] bind9 security update
Package : bind9 Version : 1:9.9.5.dfsg-9+deb8u16 CVE ID : CVE-2018-5740 CVE-2018-5740 The "deny-answer-aliases" feature in BIND has a flaw which can cause named to exit with an assertion failure. For Debian 8 "Jessie", this problem has been fixed in version 1:9.9.5.dfsg-9+deb8u16. We recommend th...
[SECURITY] [DLA 1483-1] 389-ds-base security update
Package : 389-ds-base Version : 1.3.3.5-4+deb8u2 CVE ID : CVE-2018-10871 CVE-2018-10935 Debian Bug : 906985 CVE-2018-10871 By default nsslapd-unhashed-pw-switch was set to on. So a copy of the unhashed password was kept in modifiers and was possibly logged in changelog and retroCL. Unless it is...
[SECURITY] [DLA 1484-1] squirrelmail security update
Package : squirrelmail Version : 2:1.4.23svn20120406-2+deb8u3 CVE IDs : CVE-2018-14950 CVE-2018-14951 CVE-2018-14952 CVE-2018-14953 CVE-2018-14954 CVE-2018-14955 Debian Bug : 905023 It was discovered that there were a number of Cross Site Scripting (XSS) vulnerabilities in the squirrelmail webmail...
[SECURITY] [DLA 1482-1] libx11 security update
Package : libx11 Version : 2:1.6.2-3+deb8u2 CVE ID : CVE-2018-14598 CVE-2018-14599 CVE-2018-14600 Several issues were discovered in libx11, the client interface to the X Windows System. The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicio...
[SECURITY] [DSA 4281-1] tomcat8 security update
Debian Security Advisory DSA-4281-1 https://www.debian.org/security/ Sebastien Delafond August 29, 2018 https://www.debian.org/security/faq ...
[SECURITY] [DLA 1481-1] linux-4.9 security update
Package : linux-4.9 Version : 4.9.110-3+deb9u4deb8u1 CVE ID : CVE-2018-3620 CVE-2018-3646 Debian Bug : 906769 Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of...
[SECURITY] [DLA 1480-1] ruby2.1 security update
Package : ruby2.1 Version : 2.1.5-2+deb8u5 CVE ID : CVE-2016-2337 CVE-2018-1000073 CVE-2018-1000074 Debian Bug : 895778 851161 Several vulnerabilities were discovered in Ruby 2.1. CVE-2016-2337 Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of obje...
[SECURITY] [DLA 1479-1] twitter-bootstrap3 security update
Package : twitter-bootstrap3 Version : 3.2.0+dfsg-1+deb7u1 CVE ID : CVE-2018-14040 Debian Bug : 907414 The Bootstrap framework was found to have cross-site scripting vulnerabilities in the "collapse" plugin. For Debian 8 "Jessie", this problem has been fixed in version 3.2.0+dfsg-1+deb7u1. We...
[SECURITY] [DLA 1476-1] dropbear security update
Package : dropbear Version : 2014.65-1+deb8u3 CVE ID : CVE-2018-15599 Debian Bug : 906890 A vulnerability in dropbear, a lightweight SSH2 server and client, making it possible to guess valid usernames has been found: CVE-2018-15599: The recv_msg_userauth_request function in svr-auth.c in is prone to...
[SECURITY] [DLA-1478-1] libextractor security update
Package : libextractor Version : 1:1.3-2+deb8u2 CVE ID : CVE-2018-14346 CVE-2018-14347 Debian Bug : 904903 904905 It was discovered that there were two vulnerabilities in libextractor, a library to obtain metadata from files of arbitrary type. A stack-based buffer overflow in unzip.c...
[SECURITY] [DLA 1477-1] libgit2 security update
Package : libgit2 Version : 0.21.1-3+deb8u1 CVE ID : CVE-2018-10887 CVE-2018-10888 CVE-2018-15501 CVE-2018-15501 A potential out-of-bounds read when processing a "ng" smart packet might lead to a Denial of Service. CVE-2018-10887 A flaw has been discovered that may lead to an integer overflow whi...
[SECURITY] [DSA 4279-2] linux regression update
Debian Security Advisory DSA-4279-2 https://www.debian.org/security/ Salvatore Bonaccorso August 22, 2018 https://www.debian.org/security/faq ...