Lucene search

14333 matches found

Debian
Debian
•added 2020/03/20 8:3 p.m.•34 views

[SECURITY] [DSA 4643-1] python-bleach security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4643-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 20, 2020 https://www.debian.org/security/faq -...

CVSS 4.3 | AI score 1.5 | EPSS 0.00419 | Exploits: 1
•added 2020/03/20 7:56 p.m.•178 views

[SECURITY] [DLA 2148-1] amd64-microcode security update

Package : amd64-microcode Version : 3.20181128.1deb8u1 CVE ID : CVE-2017-5715 Debian Bug : 886382 It was discovered that systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user acce...

CVSS 5.6 | AI score 6.6 | EPSS 0.88482 | Exploits: 8
•added 2020/03/20 12:16 p.m.•58 views

[SECURITY] [DLA 2151-1] icu security update

Package : icu Version : 52.1-8+deb8u8 CVE ID : CVE-2020-10531 Debian Bug : 953747 It was discovered that an integer overflow in the International Components for Unicode (ICU) library could result in denial of service and potentially the execution of arbitrary code. For Debian 8 "Jessie", this probl...

CVSS 8.8 | AI score 9.3 | EPSS 0.0079 | Exploits: 0
•added 2020/03/20 10:0 a.m.•82 views

[SECURITY] [DLA 2150-1] thunderbird security update

Package : thunderbird Version : 1:68.6.0-1deb8u1 CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code. For Debian 8...

CVSS 9.8 | AI score 9 | EPSS 0.02595 | Exploits: 2
•added 2020/03/20 12:10 a.m.•58 views

[SECURITY] [DLA 2149-1] rails security update

Package : rails Version : 2:4.1.8-1+deb8u6 CVE ID : CVE-2020-5267 Debian Bug : 954304 In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to X...

CVSS 4.8 | AI score 5.7 | EPSS 0.00887 | Exploits: 1
•added 2020/03/19 10:32 p.m.•89 views

[SECURITY] [DSA 4642-1] thunderbird security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4642-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 19, 2020 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9.1 | EPSS 0.02595 | Exploits: 2
•added 2020/03/19 5:13 p.m.•57 views

[SECURITY] [DLA 2145-2] twisted security update

Package : twisted Version : 14.0.2-3+deb8u2 CVE IDs : CVE-2020-10108 CVE-2020-10109 Debian Bug : 953950 It was discovered that there was a regression introduced in DLA-2145-1 due to the incorrect application of the upstream patch for CVE-2020-10108 & CVE-2020-10109 regarding a number of HTTP...

CVSS 9.8 | AI score 10 | EPSS 0.02327 | Exploits: 2
•added 2020/03/18 8:47 p.m.•82 views

[SECURITY] [DLA 2147-1] gdal security update

Package : gdal Version : 1.10.1+dfsg-8+deb8u2 CVE ID : CVE-2019-17546 tif_getimage.c in LibTIFF, as used in GDAL, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition. For Debian 8 "Jessie", this problem...

CVSS 8.8 | AI score 9 | EPSS 0.00373 | Exploits: 0
•added 2020/03/17 7:43 p.m.•79 views

[SECURITY] [DLA 2146-1] libvncserver security update

Package : libvncserver Version : 0.9.9+dfsg2-6.1+deb8u7 CVE ID : CVE-2019-15690 Debian Bug : 954163 In libvncserver, through libvncclient/cursor.c, there is a possibility of a heap overflow, as reported by Pavel Cheremushkin. For Debian 8 "Jessie", this problem has been fixed in version...

CVSS 8.8 | AI score 9.2 | EPSS 0.04329 | Exploits: 0
•added 2020/03/17 6:3 p.m.•81 views

[SECURITY] [DLA 2145-1] twisted security update

Package : twisted Version : 14.0.2-3+deb8u1 CVE IDs : CVE-2020-10108 CVE-2020-10109 Debian Bug : 953950 It was discovered that there were a number of HTTP request splitting vulnerabilities in Twisted, a Python event-based framework for building various types of internet applications. For more...

CVSS 9.8 | AI score 10 | EPSS 0.02327 | Exploits: 2
•added 2020/03/16 9:15 p.m.•101 views

[SECURITY] [DSA 4641-1] webkit2gtk security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4641-1 [email protected] https://www.debian.org/security/ Alberto Garcia March 16, 2020 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9.6 | EPSS 0.04647 | Exploits: 0
•added 2020/03/16 1:18 p.m.•81 views

[SECURITY] [DLA 2144-1] qemu security update

Package : qemu Version : 1:2.1+dfsg-12+deb8u14 CVE ID : CVE-2020-1711 CVE-2020-8608 Two out-of-bounds heap buffer accesses were found in QEMU, a fast processor emulator, which could result in denial of service or arbitrary code execution. For Debian 8 "Jessie", these problems have been fixed in...

CVSS 7.7 | AI score 7.9 | EPSS 0.01501 | Exploits: 0
•added 2020/03/16 12:8 p.m.•74 views

[SECURITY] [DLA 2143-1] slurm-llnl security update

Package : slurm-llnl Version : 14.03.9-5+deb8u5 CVE ID : CVE-2019-6438 CVE-2019-12838 Debian Bug : 920997 931880 Several issues were found in Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system. CVE-2019-6438 SchedMD Slurm mishandles 32-bit...

CVSS 9.8 | AI score 10 | EPSS 0.02994 | Exploits: 0
•added 2020/03/15 10:20 p.m.•126 views

[SECURITY] [DSA 4640-1] graphicsmagick security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4640-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 15, 2020 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9.2 | EPSS 0.02458 | Exploits: 12
•added 2020/03/13 10:20 a.m.•90 views

[SECURITY] [DLA 2142-1] slirp security update

Package : slirp Version : 1:1.0.17-7+deb8u2 CVE ID : CVE-2020-8608 It was discovered that there was a buffer overflow vulnerability in slirp, a SLIP/PPP emulator for using a dial up shell account. This was caused by the incorrect usage of return values from snprintf(3). For Debian 8 "Jessie", this...

CVSS 6.8 | AI score 7.1 | EPSS 0.01501 | Exploits: 0
•added 2020/03/12 8:46 p.m.•55 views

[SECURITY] [DLA 2141-1] yubikey-val security update

Package : yubikey-val Version : 2.27-1+deb8u1 CVE ID : CVE-2020-10184 CVE-2020-10185 The following CVEs were reported against yubikey-val. CVE-2020-10184 The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a...

CVSS 8.6 | AI score 8.6 | EPSS 0.00592 | Exploits: 2
•added 2020/03/11 9:34 p.m.•72 views

[SECURITY] [DLA 2140-1] firefox-esr security update

Package : firefox-esr Version : 68.6.0esr-1deb8u1 CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary...

CVSS 9.8 | AI score 8.9 | EPSS 0.02595 | Exploits: 2
•added 2020/03/11 7:17 p.m.•75 views

[SECURITY] [DSA 4639-1] firefox-esr security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4639-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 11, 2020 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9 | EPSS 0.02595 | Exploits: 2
•added 2020/03/11 7:14 p.m.•54 views

[SECURITY] [DLA 2139-1] dojo security update

Package : dojo Version : 1.10.2+dfsg-1+deb8u3 CVE ID : CVE-2020-5258 CVE-2020-5259 Debian Bug : 953585 953587 The following CVEs were reported against dojo: CVE-2020-5258 In affected versions of dojo, the deepCopy method is vulnerable to Prototype Pollution. An attacker could manipulate these...

CVSS 8.6 | AI score 8.4 | EPSS 0.0154 | Exploits: 2
•added 2020/03/11 4:35 p.m.•55 views

[SECURITY] [DLA 2137-1] sleuthkit security update

Package : sleuthkit Version : 4.1.3-4+deb8u2 CVE ID : CVE-2020-10232 In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack buffer overflow vulnerability in the YAFFS file timestamp parsing logic in yaffsfs_istat in fs/yaffs.c. For Debian 8 "Jessie", this problem has been fixed in...

CVSS 9.8 | AI score 9.7 | EPSS 0.01403 | Exploits: 0
•added 2020/03/11 4:34 p.m.•48 views

[SECURITY] [DLA 2138-1] wpa security update

Package : wpa Version : 2.3-1+deb8u10 CVE ID : CVE-2019-10064 Similar to CVE-2016-10743, the host access point daemon, hostapd, in EAP mode used a low quality pseudorandom number generator that leads to insufficient entropy. The problem was resolved by using the os_get_random function which provides...

CVSS 7.5 | AI score 7.5 | EPSS 0.01405 | Exploits: 1
•added 2020/03/11 12:54 a.m.•96 views

[SECURITY] [DSA 4638-1] chromium security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4638-1 [email protected] https://www.debian.org/security/ Michael Gilbert March 10, 2020 https://www.debian.org/security/faq -...

CVSS 8.8 | AI score 8.9 | EPSS 0.86373 | Exploits: 28
•added 2020/03/09 8:9 p.m.•64 views

[SECURITY] [DSA 4637-1] network-manager-ssh security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4637-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 09, 2020 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9.5 | EPSS 0.00527 | Exploits: 0
•added 2020/03/09 8:9 p.m.•25 views

[SECURITY] [DSA 4637-1] network-manager-ssh security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4637-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 09, 2020 https://www.debian.org/security/faq -...

CVSS 7.5 | AI score 2.4 | EPSS 0.00527 | Exploits: 0
•added 2020/03/09 6:33 p.m.•60 views

[SECURITY] [DLA 2136-1] libvpx security update

Package : libvpx Version : 1.3.0-3+deb8u3 CVE ID : CVE-2020-0034 It was discovered that there was an out-of-bounds buffer read vulnerability in libvpx, a library implementing the VP8 & VP9 video codecs. For Debian 8 "Jessie", this issue has been fixed in libvpx version 1.3.0-3+deb8u3. We recommen...

CVSS 7.8 | AI score 7.7 | EPSS 0.08121 | Exploits: 0
•added 2020/03/05 10:55 p.m.•102 views

[SECURITY] [DLA 2135-1] jackson-databind security update

Package : jackson-databind Version : 2.4.2-2+deb8u12 CVE ID : CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 The following CVEs were reported for jackson-databind source package. CVE-2020-9546 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and...

CVSS 9.8 | AI score 10 | EPSS 0.62015 | Exploits: 0
•added 2020/03/05 5:43 p.m.•52 views

[SECURITY] [DLA 2134-1] pdfresurrect security update

Package : pdfresurrect Version : 0.12-5+deb8u1 CVE ID : CVE-2020-9549 Debian Bug : 952948 It was discovered that there was an out-of-bounds write vulnerability in pdfresurrect, a tool for extracting or scrubbing versioning data from PDF documents. For Debian 8 "Jessie", this issue has been fixed ...

CVSS 7.8 | AI score 7.6 | EPSS 0.01247 | Exploits: 1
•added 2020/03/04 6:14 p.m.•92 views

[SECURITY] [DLA 2133-1] tomcat7 security update

Package : tomcat7 Version : 7.0.56-3+really7.0.100-1 CVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2019-17569 The refactoring in 7.0.98 introduced a regression. The result of the regression was...

CVSS 9.8 | AI score 9.2 | EPSS 0.94469 | Exploits: 44
•added 2020/03/04 2:33 a.m.•59 views

[SECURITY] [DLA 2132-1] libzypp security update

Package : libzypp Version : 14.29.1-2+deb8u1 CVE ID : CVE-2019-18900 It was discovered that there was an issue where incorrect default permissions on a HTTP cookie store could have allowed local attackers to read private credentials. For Debian 8 "Jessie", this issue has been fixed in libzypp...

CVSS 4 | AI score 3.6 | EPSS 0.00098 | Exploits: 0
•added 2020/03/02 10:24 p.m.•84 views

[SECURITY] [DLA 2117-1] zsh security update

Package : zsh Version : 5.0.7-5+deb8u1 CVE ID : CVE-2019-20044 Debian Bug : 951458 A privilege escalation vulnerability was discovered in zsh, a shell with lots of features, whereby a user could regain a formerly elevated privilege level even when such an action should not be permitted. For Debia...

CVSS 7.8 | AI score 7 | EPSS 0.00092 | Exploits: 0
•added 2020/03/02 6:58 p.m.•95 views

[SECURITY] [DLA 2131-2] rrdtool regression update

Package : rrdtool Version : 1.4.8-1.2+deb8u2 CVE ID : CVE-2014-6262 Debian Bug : 952958 It was discovered that there was a regression in a previous fix, which resulted in the following error: ERROR: cannot compile regular expression: Error while compiling regular expression ^?:^%+|%%%+-...

CVSS 7.5 | AI score 7.4 | EPSS 0.19687 | Exploits: 0
•added 2020/03/02 6:26 p.m.•78 views

[SECURITY] [DLA 2115-2] proftpd-dfsg regression update

Package : proftpd-dfsg Version : 1.3.5e+r1.3.5-2+deb8u7 CVE ID : CVE-2020-9273 It was discovered that there was a regression in a previous fix for a use-after-free vulnerability in the proftpd-dfsg FTP server. Exploitation of the original vulnerability within the memory pool handling could have...

CVSS 9 | AI score 9 | EPSS 0.60223 | Exploits: 1
•added 2020/03/02 6:14 p.m.•126 views

[SECURITY] [DLA 2114-1] linux-4.9 security update

Package : linux-4.9 Version : 4.9.210-1deb8u1 CVE ID : CVE-2018-13093 CVE-2018-13094 CVE-2018-20976 CVE-2018-21008 CVE-2019-0136 CVE-2019-2215 CVE-2019-10220 CVE-2019-14615 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2019-14901 CVE-2019-15098...

CVSS 10 | AI score 7.6 | EPSS 0.51467 | Exploits: 37
•added 2020/03/01 8:41 p.m.•70 views

[SECURITY] [DLA 2131-1] rrdtool security update

Package : rrdtool Version : 1.4.8-1.2+deb8u1 CVE ID : CVE-2014-6262 Multiple format string vulnerabilities in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of service application crash via a crafted third argume...

CVSS 7.5 | AI score 7.9 | EPSS 0.19687 | Exploits: 0
•added 2020/02/29 3:59 p.m.•128 views

[SECURITY] [DLA 2130-1] libapache2-mod-auth-openidc security

Package : libapache2-mod-auth-openidc Version : 1.6.0-1+deb8u3 CVE ID : CVE-2019-20479 An issue has been found in libapache2-mod-auth-openidc, an OpenID Connect authentication module for Apache. Due to insufficient validation of URLs an Open Redirect vulnerability for URLs beginning with a slas...

CVSS 6.1 | AI score 6.3 | EPSS 0.00605 | Exploits: 0
•added 2020/02/29 3:52 p.m.•88 views

[SECURITY] [DLA 2129-1] firebird2.5 security update

Package : firebird2.5 Version : 2.5.3.26778.ds4-5+deb8u2 CVE ID : CVE-2017-11509 An issue has been found in firebird2.5, an RDBMS based on InterBase 6.0. As UDFs can be used for a remote authenticated code execution as user firebird, UDFs have been disabled in the default configuration which wil...

CVSS 9 | AI score 8.8 | EPSS 0.10885 | Exploits: 1
•added 2020/02/29 12:18 p.m.•105 views

[SECURITY] [DLA 2128-1] openjdk-7 security update

Package : openjdk-7 Version : 7u251-2.6.21-1deb8u1 CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659 Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of...

CVSS 8.1 | AI score 8.2 | EPSS 0.01699 | Exploits: 0
•added 2020/02/29 10:58 a.m.•99 views

[SECURITY] [DLA 2127-1] dojo security update

Package : dojo Version : 1.10.2+dfsg-1+deb8u2 CVE ID : CVE-2019-10785 Debian Bug : 952771 dojox was vulnerable to Cross-site Scripting. This was due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. For Debian 8 "Jessie", this problem has been fix...

CVSS 6.1 | AI score 6.4 | EPSS 0.00243 | Exploits: 1
•added 2020/02/28 10:32 p.m.•119 views

[SECURITY] [DLA 2126-1] gst-plugins-base0.10 security update

Package : gst-plugins-base0.10 Version : 0.10.36-2+deb8u2 CVE ID : CVE-2016-9811 CVE-2017-5837 CVE-2017-5844 Some issues have been found in gst-plugins-base0.10, a package that provides GStreamer plugins from the "base" set. All issues are related to crafted ico-files that could result in an...

CVSS 5.5 | AI score 6.3 | EPSS 0.00312 | Exploits: 0
•added 2020/02/28 10:26 p.m.•111 views

[SECURITY] [DLA 2125-1] collabtive security update

Package : collabtive Version : 2.0+dfsg-5+deb8u1 CVE ID : CVE-2015-0258 An issue has been found in collabtive, a web-based project management software. Due to missing checks an attacker could upload scripts, which would execute code on the server by accessing for example avatar images. For Debian...

CVSS 8.8 | AI score 8.7 | EPSS 0.12936 | Exploits: 3
•added 2020/02/28 10:24 p.m.•136 views

[SECURITY] [DLA 2124-1] php5 security update

Package : php5 Version : 5.6.40+dfsg-0+deb8u9 CVE ID : CVE-2020-7059 CVE-2020-7060 Two issues have been found in php5, a server-side, HTML-embedded scripting language. Both issues are related to crafted data that could lead to reading after an allocated buffer and result in information disclosure...

CVSS 9.1 | AI score 8.8 | EPSS 0.06404 | Exploits: 2
•added 2020/02/28 9:7 p.m.•36 views

[SECURITY] [DSA 4636-1] python-bleach security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4636-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 28, 2020 https://www.debian.org/security/faq -...

CVSS 4.3 | AI score 1.5 | EPSS 0.00267 | Exploits: 1
•added 2020/02/28 9:7 p.m.•100 views

[SECURITY] [DSA 4636-1] python-bleach security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4636-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 28, 2020 https://www.debian.org/security/faq -...

CVSS 6.1 | AI score 6.3 | EPSS 0.00267 | Exploits: 1
•added 2020/02/28 12:1 a.m.•59 views

[SECURITY] [DLA 2123-1] pure-ftpd security update

Package : pure-ftpd Version : 1.0.36-3.2+deb8u1 CVE ID : CVE-2020-9274 Debian Bug : 925666 An uninitialized pointer vulnerability was discovered in pure-ftpd, a secure and efficient FTP server, which could result in an out-of-bounds memory read and potential information disclosure. For Debian 8...

CVSS 7.5 | AI score 7 | EPSS 0.08841 | Exploits: 0
•added 2020/02/27 10:8 p.m.•60 views

[SECURITY] [DLA 2122-1] libusbmuxd security update

Package : libusbmuxd Version : 1.0.9-1+deb8u1 CVE ID : CVE-2016-5104 Debian Bug : 825554 It was discovered that libusbmuxd incorrectly handled socket permissions. A remote attacker could use this issue to access services on iOS devices, contrary to expectations. For Debian 8 "Jessie", this proble...

CVSS 5.3 | AI score 5.4 | EPSS 0.01754 | Exploits: 0
•added 2020/02/27 9:18 p.m.•62 views

[SECURITY] [DLA 2121-1] libimobiledevice security update

Package : libimobiledevice Version : 1.1.6+dfsg-3.1+deb8u1 CVE ID : CVE-2016-5104 Debian Bug : 825553 It was discovered that libimobiledevice incorrectly handled socket permissions. A remote attacker could use this issue to access services on iOS devices, contrary to expectations. For Debian 8...

CVSS 5.3 | AI score 5.4 | EPSS 0.01754 | Exploits: 0
•added 2020/02/26 10:46 p.m.•88 views

[SECURITY] [DSA 4635-1] proftpd-dfsg security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4635-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 26, 2020 https://www.debian.org/security/faq -...

CVSS 9 | AI score 8.7 | EPSS 0.60223 | Exploits: 1
•added 2020/02/26 10:46 p.m.•33 views

[SECURITY] [DSA 4635-1] proftpd-dfsg security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4635-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 26, 2020 https://www.debian.org/security/faq -...

CVSS 9 | AI score 3.4 | EPSS 0.60223 | Exploits: 1
•added 2020/02/26 9:34 p.m.•68 views

[SECURITY] [DSA 4634-1] opensmtpd security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4634-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 26, 2020 https://www.debian.org/security/faq -...

CVSS 10 | AI score 9.5 | EPSS 0.88136 | Exploits: 10
•added 2020/02/26 9:33 p.m.•57 views

[SECURITY] [DLA 2120-1] rake security update

Package : rake Version : 10.3.2-2+deb8u1 CVE ID : CVE-2020-8130 There is an OS command injection vulnerability in Rake a ruby make-like utility 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |. For Debian 8 "Jessie", this problem has been fixed in version...

CVSS 6.9 | AI score 6.9 | EPSS 0.00547 | Exploits: 1
Total number of security vulnerabilities: 14333