[SECURITY] [DLA 2181-1] shiro security update
Package : shiro Version : 1.2.3-1+deb8u1 CVE ID : CVE-2020-1957 Debian Bug : 955018 It was discovered that there was a path-traversal issue in Apache Shiro, a security framework for the Java programming language. A specially-crafted request could cause an authentication bypass. For Debian 8...
[SECURITY] [DLA 2180-1] file-roller security update
Package : file-roller Version : 3.14.1-1+deb8u2 CVE ID : CVE-2020-11736 Debian Bug : 956638 fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intend...
[SECURITY] [DLA 2179-1] jackson-databind security update
Package : jackson-databind Version : 2.4.2-2+deb8u14 CVE ID : CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11619 CVE-2020-11620 Following CVEs were reported against the jackson-databind source package : CVE-2020-10968 FasterXML jackson-databind 2.x before...
[SECURITY] [DLA 2178-1] awl security update
Package : awl Version : 0.55-1+deb8u1 CVE ID : CVE-2020-11728 CVE-2020-11729 Debian Bug : 956650 Following CVEs were reported against the awl source package: CVE-2020-11728 An issue was discovered in DAViCal Andrews Web Libraries AWL through 0.60. Session management does not use a sufficiently...
[SECURITY] [DSA 4658-1] webkit2gtk security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4658-1 [email protected] https://www.debian.org/security/ Alberto Garcia April 16, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2177-1] git security update
Package : git Version : 1:2.1.4-2.1+deb8u9 CVE ID : CVE-2020-5260 Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential...
[SECURITY] [DLA 2175-1] php-horde-trean security update
Package : php-horde-trean Version : 1.1.1-2+deb8u1 CVE ID : CVE-2020-8865 Debian Bug : 955019 A directory traversal vulnerability resulting from insufficient input sanitization was discovered in the Horde Application Framework. An authenticated remote attacker could use this flaw to execute code ...
[SECURITY] [DLA 2174-1] php-horde-data security update
Package : php-horde-data Version : 2.1.0-5+deb8u1 CVE ID : CVE-2020-8518 Debian Bug : 951537 A remote code execution vulnerability was discovered in the Horde Application Framework. An authenticated remote attacker could use this flaw to cause execution of uploaded CSV data. For Debian 8 "Jessie"...
[SECURITY] [DLA 2173-1] graphicsmagick security update
Package : graphicsmagick Version : 1.3.20-3+deb8u10 CVE ID : CVE-2020-10938 A vulnerability was discovered in graphicsmagick, a collection of image processing tools, that results in a heap overflow in 32-bit applications because of a signed overflow on range check in the HuffmanDecodeImage...
[SECURITY] [DSA 4657-1] git security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4657-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 14, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2172-1] thunderbird security update
Package : thunderbird Version : 1:68.7.0-1deb8u1 CVE ID : CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code. For Debian 8 "Jessie",...
[SECURITY] [DSA 4656-1] thunderbird security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4656-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 13, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2171-1] ceph security update
Package : ceph Version : 0.80.7-2+deb8u4 CVE ID : CVE-2020-1760 Debian Bug : 956142 It was discovered that there was a header-splitting vulnerability in ceph, a distributed storage and file system. For Debian 8 "Jessie", this issue has been fixed in ceph version 0.80.7-2+deb8u4. We recommend that...
[SECURITY] [DSA 4655-1] firefox-esr security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4655-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 08, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2170-1] firefox-esr security update
Package : firefox-esr Version : 68.7.0esr-1deb8u1 CVE ID : CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For Debian 8 "Jessie",...
[SECURITY] [DSA 4654-1] chromium security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4654-1 [email protected] https://www.debian.org/security/ Michael Gilbert April 07, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2169-1] libmtp security update
Package : libmtp Version : 1.1.8-1+deb8u1 CVE ID : CVE-2017-9831 CVE-2017-9832 libmtp is a library for communicating with MTP aware devices. The Media Transfer Protocol commonly referred to as MTP is a devised set of custom extensions to support the transfer of music files on USB digital audio...
[SECURITY] [DSA 4653-1] firefox-esr security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4653-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 04, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4652-1] gnutls28 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4652-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 04, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4650-1] qbittorrent security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4650-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 02, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4651-1] mediawiki security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4651-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 02, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4649-1] haproxy security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4649-1 [email protected] https://www.debian.org/security/ Sebastien Delafond April 02, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2168-1] libplist security update
Package : libplist Version : 1.11-3+deb8u1 CVE ID : CVE-2017-5209 CVE-2017-5545 CVE-2017-5834 CVE-2017-5835 CVE-2017-6435 CVE-2017-6436 CVE-2017-6439 CVE-2017-7982 Debian Bug : 851196 852385 854000 860945 libplist is a library for reading and writing the Apple binary and XML property lists format...
[SECURITY] [DLA 2167-1] python-bleach security update
Package : python-bleach Version : 1.4-1+deb8u1 CVE ID : CVE-2020-6817 Debian Bug : 955388 A vulnerability was discovered in python-bleach, a whitelist-based HTML-sanitizing library. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to a regular expression...
[SECURITY] [DLA 2166-1] libpam-krb5 security update
Package : libpam-krb5 Version : 4.6-3+deb8u1 CVE ID : CVE-2020-10595 The krb5 PAM module pamkrb5.so had a buffer overflow that might have caused remote code execution in situations involving supplemental prompting by a Kerberos library. It might have overflown a buffer provided by the underlying...
[SECURITY] [DLA 2165-1] apng2gif security update
Package : apng2gif Version : 1.5-3+deb8u1 CVE ID : CVE-2017-6960 An issue has been found in apng2gif, a tool for converting APNG images to animated GIF format. One of the functions contained an integer overflow resulting in a heap-based buffer over-read. For Debian 8 "Jessie", this problem has bee...
[SECURITY] [DSA 4648-1] libpam-krb5 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4648-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 31, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2164-1] gst-plugins-bad0.10 security update
Package : gst-plugins-bad0.10 Version : 0.10.23-7.4+deb8u3 CVE ID : CVE-2015-0797 CVE-2016-9809 CVE-2017-5843 CVE-2017-5848 Several issues have been found in gst-plugins-bad0.10, a package containing GStreamer plugins from the "bad" set. All issues are about use-after-free, out of bounds reads or...
[SECURITY] [DLA 2163-1] tinyproxy security update
Package : tinyproxy Version : 1.8.3-3+deb8u1 CVE ID : CVE-2017-11747 Debian Bug : 870307 948283 A minor security issue and a severe packaging bug have been fixed in tinyproxy, a lightweight http proxy daemon. CVE-2017-11747 main.c in Tinyproxy created a /var/run/tinyproxy/tinyproxy.pid file after...
[SECURITY] [DLA 2162-1] php-horde-form security update
Package : php-horde-form Version : 2.0.8-2+deb8u2 CVE ID : CVE-2020-8866 Debian Bug : 955020 A remote code execution vulnerability was discovered in the Form API component of the Horde Application Framework. An authenticated remote attacker could use this flaw to upload arbitrary content to an...
[SECURITY] [DLA 2161-1] tika security update
Package : tika Version : 1.5-1+deb8u1 CVE ID : CVE-2020-1950 CVE-2020-1951 Debian Bug : 954302 954303 Two security issues have been detected in tika and fixed. CVE-2020-1950: carefully crafted or corrupt PSD file can cause excessive memory usage in Apache. CVE-2020-1951: Infinite Loop DoS...
[SECURITY] [DSA 4647-1] bluez security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4647-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 26, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2160-1] php5 security update
Package : php5 Version : 5.6.40+dfsg-0+deb8u10 CVE ID : CVE-2020-7062 CVE-2020-7063 Two security issues have been identified and fixed in php5, a server-side, HTML-embedded scripting language. CVE-2020-7062 is about a possible null pointer dereference, which would likely lead to a crash, during a...
[SECURITY] [DLA 2159-1] okular security update
Package : okular Version : 4:4.14.2-2+deb8u2 CVE ID : CVE-2020-9359 Debian Bug : 954891 Mickael Karatekin from Sysdream Labs discovered that the Okular document viewer allows code execution via an action link in a PDF document. For Debian 8 "Jessie", this problem has been fixed in version...
[SECURITY] [DSA 4646-1] icu security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4646-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 25, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2158-1] ruby2.1 security update
Package : ruby2.1 Version : 2.1.5-2+deb8u9 CVE ID : CVE-2016-2338 An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on tags array length. Specially constructe...
[SECURITY] [DLA 2157-1] weechat security update
Package : weechat Version : 1.0.1-1+deb8u3 CVE ID : CVE-2020-8955 CVE-2020-9759 CVE-2020-9760 Several issues have been found in weechat, a fast, light and extensible chat client. All issues are about crafted messages, that could result in a buffer overflow and application crash. This could cause ...
[SECURITY] [DLA 2156-1] e2fsprogs security update
Package : e2fsprogs Version : 1.42.12-2+deb8u2 CVE ID : CVE-2019-5188 An issue has been found in e2fsprogs, a package that contains ext2/ext3/ext4 file system utilities. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can...
[SECURITY] [DLA 2155-1] tomcat8 security update
Package : tomcat8 Version : 8.0.14-1+deb8u16 CVE ID : CVE-2019-12418 Tomcat8 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture...
[SECURITY] [DSA 4645-1] chromium security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4645-1 [email protected] https://www.debian.org/security/ Michael Gilbert March 22, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2154-1] phpmyadmin security update
Package : phpmyadmin Version : 4:4.2.12-2+deb8u9 CVE ID : CVE-2020-10802 CVE-2020-10803 Debian Bug : 954665 954666 The following CVEs were reported against phpmyadmin. CVE-2020-10802 In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability has been discovered where certain parameter...
[SECURITY] [DLA 2153-1] jackson-databind security update
Package : jackson-databind Version : 2.4.2-2+deb8u13 CVE ID : CVE-2020-10672 CVE-2020-10673 The following CVEs were reported against jackson-databind. CVE-2020-10672 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to...
[SECURITY] [DLA 2152-1] graphicsmagick security update
Package : graphicsmagick Version : 1.3.20-3+deb8u9 CVE ID : CVE-2019-12921 A vulnerability was discovered in graphicsmagick, a collection of image processing tools, that allows an attacker to read arbitrary files via a crafted image because of TranslateTextEx for SVG. For Debian 8 "Jessie"...