[SECURITY] [DSA 4634-1] opensmtpd security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4634-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 26, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2120-1] rake security update
Package : rake Version : 10.3.2-2+deb8u1 CVE ID : CVE-2020-8130 There is an OS command injection vulnerability in Rake a ruby make-like utility 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |. For Debian 8 "Jessie", this problem has been fixed in version...
[SECURITY] [DLA 2119-1] python-pysaml2 security update
Package : python-pysaml2 Version : 2.0.0-1+deb8u3 CVE ID : CVE-2020-5390 Debian Bug : 949322 It was discovered that pysaml2, a Python implementation of SAML to be used in a WSGI environment, was susceptible to XML signature wrapping attacks, which could result in a bypass of signature verificatio...
[SECURITY] [DSA 4633-1] curl security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4633-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini February 22, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2118-1] otrs2 security update
Package : otrs2 Version : 3.3.18-1+deb8u14 CVE ID : CVE-2019-11358 Debian Bug : 927385 It was discovered that the jQuery version embedded in OTRS, a ticket request system, was prone to a cross site scripting vulnerability in jQuery.extend. For Debian 8 "Jessie", this problem has been fixed in...
[SECURITY] [DLA 2116-1] libpam-radius-auth security update
Package : libpam-radius-auth Version : 1.3.16-4.4+deb8u1 CVE ID : CVE-2015-9542 Debian Bug : 951396 A vulnerability was found in pam_radius: the password length check was done incorrectly in the add_password function in pam_radius_auth.c, resulting in a stack based buffer overflow. This could be used...
[SECURITY] [DSA 4632-1] ppp security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4632-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 22, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2115-1] proftpd-dfsg security update
Package : proftpd-dfsg Version : 1.3.5e+r1.3.5-2+deb8u6 CVE ID : CVE-2020-9273 It was discovered that there was a use-after-free vulnerability in the proftpd-dfsg FTP server. Exploitation of this vulnerability within the memory pool handling could have allowed a remote attacker to execute...
[SECURITY] [DSA 4631-1] pillow security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4631-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 21, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4630-1] python-pysaml2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4630-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 21, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2113-1] cloud-init security update
Package : cloud-init Version : 0.7.6bzr976-2+deb8u1 CVE ID : CVE-2020-8631 CVE-2020-8632 Debian Bug : 951362 951363 CVE-2020-8631 In cloud-init, relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because randstr in cloudinit/util.py calls t...
[SECURITY] [DLA 2111-1] jackson-databind security update
Package : jackson-databind Version : 2.4.2-2+deb8u11 CVE ID : CVE-2019-20330 CVE-2020-8840 It was found that jackson-databind, a Java library used to parse JSON and other data formats, could deserialize data without proper validation, allowing a malicious client to perform remote code execution...
[SECURITY] [DLA 2112-1] python-reportlab security update
Package : python-reportlab Version : 3.1.8-3+deb8u2 CVE ID : CVE-2019-17626 Debian Bug : 942763 It was found that ReportLab, a Python library to create PDF documents, did not properly parse color strings, allowing an attacker to execute arbitrary code through a crafted input document. For Debian ...
[SECURITY] [DLA 2110-1] netty-3.9 security update
Package : netty-3.9 Version : 3.9.0.Final-1+deb8u1 CVE ID : CVE-2014-0193 CVE-2014-3488 CVE-2019-16869 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 Debian Bug : 746639 941266 950966 950967 Several vulnerabilities were discovered in Netty, a Java NIO client/server socket framework: CVE-2014-0193...
[SECURITY] [DLA 2109-1] netty security update
Package : netty Version : 1:3.2.6.Final-2+deb8u2 CVE ID : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 Debian Bug : 950966 950967 Several vulnerabilities were discovered in the HTTP server provided by Netty, a Java NIO client/server socket framework: CVE-2019-20444 HttpObjectDecoder.java allows an...
[SECURITY] [DSA 4629-1] python-django security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4629-1 [email protected] https://www.debian.org/security/ Sebastien Delafond February 19, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4628-1] php7.0 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4628-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 18, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2108-1] clamav security update
Package : clamav Version : 0.101.5+dfsg-0+deb8u1 CVE ID : CVE-2019-15961 Debian Bug : 945265 It was found that ClamAV, an antivirus software, was susceptible to a denial of service attack by unauthenticated users via inefficient MIME parsing of especially crafted email files. For Debian 8 "Jessie...
[SECURITY] [DLA 2107-1] spamassassin security update
Package : spamassassin Version : 3.4.2-0+deb8u3 CVE ID : CVE-2020-1930 CVE-2020-1931 Debian Bug : 950258 Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could...
[SECURITY] [DLA 2106-1] libgd2 security update
Package : libgd2 Version : 2.1.0-5+deb8u14 CVE ID : CVE-2018-14553 Debian Bug : 951287 A vulnerability was discovered in libgd2, the GD graphics library, whereby an attacker can employ a specific function call sequence to trigger a NULL pointer dereference, subsequently crash the application usin...
[SECURITY] [DSA 4627-1] webkit2gtk security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4627-1 [email protected] https://www.debian.org/security/ Alberto Garcia February 17, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4626-1] php7.3 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4626-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 17, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2105-1] postgresql-9.4 security update
Package : postgresql-9.4 Version : 9.4.26-0+deb8u1 CVE ID : CVE-2020-1720 Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" sub commands in the PostgreSQL database did not perform authorisation checks. For Debian 8 "Jessie", this problem has been fixed in version 9.4.26-0+deb8u1. We...
[SECURITY] [DLA 2104-1] thunderbird security update
Package : thunderbird Version : 1:68.5.0-1deb8u1 CVE ID : CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. For Debian 8 "Jessie", the...
[SECURITY] [DSA 4625-1] thunderbird security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4625-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 15, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4624-1] evince security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4624-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 14, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2103-1] debian-security-support update: libqb and mysql-5.5 end
Package : debian-security-support Version : 2019.12.12deb8u2 debian-security-support, the Debian security support coverage checker, has been updated in jessie-security. This marks the end of life of the libqb package in jessie. A recently reported vulnerability against libqb which allows users to...
[SECURITY] [DSA 4623-1] postgresql-11 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4623-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 13, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4622-1] postgresql-9.6 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4622-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 13, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2102-1] firefox-esr security update
Package : firefox-esr Version : 68.5.0esr-1deb8u1 CVE ID : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For Debian 8 "Jessie", these problems have been fixe...
[SECURITY] [DSA 4621-1] openjdk-8 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4621-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 12, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4620-1] firefox-esr security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4620-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 12, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2101-1] libemail-address-list-perl security update
Package : libemail-address-list-perl Version : 0.05-1+deb8u1 CVE ID : CVE-2018-18898 A denial of service via an algorithmic complexity attack on email address parsing has been identified in libemail-address-list-perl. For Debian 8 "Jessie", this problem has been fixed in version 0.05-1+deb8u1. ...
[SECURITY] [DLA 2099-1] checkstyle security update
Package : checkstyle Version : 5.9-1+deb8u2 CVE ID : CVE-2019-10782 Security researchers from Snyk discovered that the fix for CVE-2019-9658 was incomplete. Checkstyle, a development tool to help programmers write Java code that adheres to a coding standard, was still vulnerable to XML External...
[SECURITY] [DLA 2100-1] libexif security update
Package : libexif Version : 0.6.21-2+deb8u1 CVE ID : CVE-2019-9278 Debian Bug : 945948 An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse exif files. This flaw might be leveraged by remote attackers to cause denial of service, or potentiall...
[SECURITY] [DLA 2098-1] ipmitool security update
Package : ipmitool Version : 1.8.14-4+deb8u1 CVE ID : CVE-2020-5208 Debian Bug : 950761 Christopher Ertl found that multiple functions in ipmitool neglect proper checking of the data received from a remote LAN party, which may lead to buffer overflows and potentially to remote code execution on t...
[SECURITY] [DLA 2097-1] ppp security update
Package : ppp Version : 2.4.6-3.1+deb8u1 CVE ID : CVE-2020-8597 Debian Bug : 950618 Ilja Van Sprundel discovered a buffer overflow vulnerability in ppp, the Point-to-Point Protocol daemon. When receiving an EAP Request message in client mode, an attacker was able to overflow the rhostname array b...
[SECURITY] [DSA 4619-1] libxmlrpc3-java security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4619-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 06, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4618-1] libexif security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4618-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 06, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2096-1] ruby-rack-cors security update
Package : ruby-rack-cors Version : 0.2.9-1+deb8u1 CVE ID : CVE-2019-18978 This package allowed ../ directory traversal to access private resources because resource matching did not ensure that pathnames were in a canonical format. For Debian 8 "Jessie", this problem has been fixed in version...
[SECURITY] [DLA 2095-1] storebackup security update
Package : storebackup Version : 3.2.1-1+deb8u1 CVE ID : CVE-2020-7040 Debian Bug : 949393 storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation. Local users can also create a plain file named...
[SECURITY] [DSA 4617-1] qtbase-opensource-src security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4617-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 03, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4616-1] qemu security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4616-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 02, 2020 https://www.debian.org/security/faq -...
[SECURITY] [DLA 2094-1] sudo security update
Package : sudo Version : 1.8.10p3-1+deb8u7 CVE ID : CVE-2019-18634 A stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the pwfeedback option enabled. An unprivileged user can take...
[SECURITY] [DSA 4615-1] spamassassin security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4615-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2020 https://www.debian.org/security/faq -...