
14335 matches found

Debian
•added 2019/11/05 10:53 p.m.•74 views

[SECURITY] [DSA 4559-1] proftpd-dfsg security update

Debian Security Advisory DSA-4559-1 https://www.debian.org/security/ Moritz Muehlenhoff November 05, 2019 https://www.debian.org/security/faq ...

CVSS 7.5, AI score 7.6, EPSS 0.03313
Exploits: 1

•added 2019/11/05 6:6 p.m.•100 views

[SECURITY] [DLA 1981-1] cpio security update

Package : cpio Version : 2.11+dfsg-4.1+deb8u2 CVE ID : CVE-2019-14866 Debian Bug : 941412 A vulnerability was discovered in the cpio package. CVE-2019-14866 It is possible for an attacker to create a file so when backed up with cpio can generate arbitrary files in the resulting tar archive. When...

CVSS 7.3, AI score 6.6, EPSS 0.00032
Exploits: 1

•added 2019/11/05 4:38 p.m.•114 views

[SECURITY] [DLA 1980-1] wordpress security update

Package : wordpress Version : 4.1.28+dfsg-0+deb8u1 CVE ID : CVE-2019-17669 CVE-2019-17670 CVE-2019-17671 CVE-2019-17675 Debian Bug : 942459 Several vulnerabilities in wordpress, a web blogging tool, have been fixed. CVE-2019-17669 Server Side Request Forgery SSRF vulnerability because URL...

CVSS 9.8, AI score 8.6, EPSS 0.72902
Exploits: 2

•added 2019/11/04 10:6 p.m.•80 views

[SECURITY] [DSA 4558-1] webkit2gtk security update

Debian Security Advisory DSA-4558-1 https://www.debian.org/security/ Alberto Garcia November 04, 2019 https://www.debian.org/security/faq ...

CVSS 8.8, AI score 8.5, EPSS 0.04121
Exploits: 0

•added 2019/10/31 9:49 p.m.•83 views

[SECURITY] [DSA 4557-1] libarchive security update

Debian Security Advisory DSA-4557-1 https://www.debian.org/security/ Moritz Muehlenhoff October 31, 2019 https://www.debian.org/security/faq ...

CVSS 7.5, AI score 8.1, EPSS 0.04588
Exploits: 0

•added 2019/10/31 9:48 p.m.•85 views

[SECURITY] [DSA 4556-1] qtbase-opensource-src security update

Debian Security Advisory DSA-4556-1 https://www.debian.org/security/ Moritz Muehlenhoff October 31, 2019 https://www.debian.org/security/faq ...

CVSS 4.3, AI score 4.9, EPSS 0.01749
Exploits: 0

•added 2019/10/30 10:21 p.m.•101 views

[SECURITY] [DLA 1979-1] italc security update

Package : italc Version : 1:2.0.2+dfsg1-2+deb8u1 CVE ID : CVE-2014-6051 CVE-2014-6052 CVE-2014-6053 CVE-2014-6054 CVE-2014-6055 CVE-2016-9941 CVE-2016-9942 CVE-2018-6307 CVE-2018-7225 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023...

CVSS 9.8, AI score 7.7, EPSS 0.37747
Exploits: 5

•added 2019/10/30 5:39 p.m.•47 views

[SECURITY] [DLA 1978-1] python-ecdsa security update

Package : python-ecdsa Version : 0.11-1+deb8u1 CVE ID : CVE-2019-14853 CVE-2019-14859 It was discovered that python-ecdsa, a cryptographic signature library for Python, did not correctly verify DER encoded signatures. Malformed signatures could lead to unexpected exceptions and in some cases did...

CVSS 9.1, AI score 7.5, EPSS 0.00076
Exploits: 1

•added 2019/10/30 12:58 p.m.•54 views

[SECURITY] [DLA 1977-1] libvncserver security update

Package : libvncserver Version : 0.9.9+dfsg2-6.1+deb8u6 CVE ID : CVE-2019-15681 Debian Bug : 943793 LibVNC contained a memory leak CWE-655 in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. For Debian 8 "Jessie", this problem has bee...

CVSS 7.5, AI score 6.6, EPSS 0.0937
Exploits: 0

•added 2019/10/30 11:4 a.m.•46 views

[SECURITY] [DLA 1976-1] imapfilter security update

Package : imapfilter Version : 1:2.5.2-2+deb8u1 CVE ID : CVE-2016-10937 Debian Bug : 939702 The imapfilter tool, a utility for scripting IMAP operations in lua, lacked server name / certificate peer hostname validation support. For Debian 8 "Jessie", this problem has been fixed in version...

CVSS 7.5, AI score 7, EPSS 0.00318
Exploits: 0

•added 2019/10/29 10:29 p.m.•119 views

[SECURITY] [DSA 4555-1] pam-python security update

Debian Security Advisory DSA-4555-1 https://www.debian.org/security/ Moritz Muehlenhoff October 29, 2019 https://www.debian.org/security/faq ...

CVSS 7.8, AI score 7.6, EPSS 0.0006
Exploits: 0

•added 2019/10/28 9:39 p.m.•79 views

[SECURITY] [DSA 4554-1] ruby-loofah security update

Debian Security Advisory DSA-4554-1 https://www.debian.org/security/ Moritz Muehlenhoff October 28, 2019 https://www.debian.org/security/faq ...

CVSS 5.4, AI score 5.7, EPSS 0.02332
Exploits: 0

•added 2019/10/28 9:38 p.m.•77 views

[SECURITY] [DLA 1975-1] spip security update

Package : spip Version : 3.0.17-2+deb8u5 CVE ID : CVE-2019-16391 CVE-2019-16392 CVE-2019-16393 CVE-2019-16394 It was discovered that SPIP, a website engine for publishing, would allow unauthenticated users to modify published content and write to the database, perform cross-site request forgeries...

CVSS 6.5, AI score 6.5, EPSS 0.56735
Exploits: 2

•added 2019/10/28 9:36 p.m.•122 views

[SECURITY] [DSA 4553-1] php7.3 security update

Debian Security Advisory DSA-4553-1 https://www.debian.org/security/ Moritz Muehlenhoff October 28, 2019 https://www.debian.org/security/faq ...

CVSS 9.8, AI score 9.8, EPSS 0.94053
Exploits: 54

•added 2019/10/28 9:35 p.m.•140 views

[SECURITY] [DSA 4552-1] php7.0 security update

Debian Security Advisory DSA-4552-1 https://www.debian.org/security/ Moritz Muehlenhoff October 28, 2019 https://www.debian.org/security/faq ...

CVSS 9.8, AI score 9.8, EPSS 0.94053
Exploits: 54

•added 2019/10/27 9:17 p.m.•75 views

[SECURITY] [DLA 1973-1] libxslt security update

Package : libxslt Version : 1.1.28-2+deb8u6 CVE ID : CVE-2019-18197 Debian Bug : 942646 A security vulnerability was discovered in libxslt, a XSLT 1.0 processing library written in C. In xsltCopyText in transform.c, a pointer variable is not reset under certain circumstances. If the relevant memo...

CVSS 7.5, AI score 8.4, EPSS 0.04534
Exploits: 0

•added 2019/10/27 6:24 p.m.•98 views

[SECURITY] [DLA 1974-1] proftpd-dfsg security update

Package : proftpd-dfsg Version : 1.3.5e+r1.3.5-2+deb8u4 CVE ID : CVE-2019-18217 An issue has been found in proftp-dfsg, a versatile, virtual-hosting FTP daemon. Due to incorrect handling of overly long commands, a remote unauthenticated user could trigger a denial-of-service by reaching an endles...

CVSS 7.5, AI score 7.5, EPSS 0.03313
Exploits: 1

•added 2019/10/26 9:33 p.m.•129 views

[SECURITY] [DLA 1972-1] mosquitto security update

Package : mosquitto Version : 1.3.4-2+deb8u4 CVE ID : CVE-2017-7655 CVE-2018-12550 CVE-2018-12551 CVE-2019-11779 Several issues have been found in mosquitto, a MQTT version 3.1/3.1.1 compatible message broker. CVE-2017-7655 A Null dereference vulnerability in the Mosquitto library could lead to...

CVSS 8.1, AI score 7.6, EPSS 0.16327
Exploits: 1

•added 2019/10/26 9:27 p.m.•101 views

[SECURITY] [DLA 1971-1] libarchive security update

Package : libarchive Version : 3.1.2-11+deb8u8 CVE ID : CVE-2019-18408 An issue has been found in libarchive, a multi-format archive and compression library. In case of a crafted archive containing several parts and one part being corrupt, there would be an use-after-free for the next part of the...

CVSS 7.5, AI score 7.6, EPSS 0.04588
Exploits: 0

•added 2019/10/26 3:16 p.m.•207 views

[SECURITY] [DLA 1970-1] php5 security update

Package : php5 Version : 5.6.40+dfsg-0+deb8u7 CVE ID : CVE-2019-11043 Emil Lerner, beched and d90pwn found a buffer underflow in php5-fpm, a Fast Process Manager for the PHP language, which can lead to remote code execution. Instances are vulnerable depending on the web server configuration, in...

CVSS 9.8, AI score 9.8, EPSS 0.94053
Exploits: 54

•added 2019/10/25 9:9 p.m.•187 views

[SECURITY] [DSA 4551-1] golang-1.11 security update

Debian Security Advisory DSA-4551-1 https://www.debian.org/security/ Moritz Muehlenhoff October 25, 2019 https://www.debian.org/security/faq ...

CVSS 7.5, AI score 7.7, EPSS 0.0234
Exploits: 1

•added 2019/10/25 9:8 p.m.•207 views

[SECURITY] [DSA 4550-1] file security update

Debian Security Advisory DSA-4550-1 https://www.debian.org/security/ Moritz Muehlenhoff October 25, 2019 https://www.debian.org/security/faq ...

CVSS 7.8, AI score 8.3, EPSS 0.00174
Exploits: 1

•added 2019/10/24 8:43 p.m.•113 views

[SECURITY] [DSA 4549-1] firefox-esr security update

Debian Security Advisory DSA-4549-1 https://www.debian.org/security/ Moritz Muehlenhoff October 24, 2019 https://www.debian.org/security/faq ...

CVSS 8.8, AI score 9, EPSS 0.0213
Exploits: 2

•added 2019/10/23 8:22 p.m.•73 views

[SECURITY] [DLA 1969-1] file security update

Package : file Version : 1:5.22+15-2+deb8u6 CVE ID : CVE-2019-18218 An issue has been found in file, a tool to determine file types by using magic numbers. The number of CDFVECTOR elements had to be restricted in order to prevent a heap-based buffer overflow 4-byte out-of-bounds write. For Debian...

CVSS 7.8, AI score 8.1, EPSS 0.00174
Exploits: 1

•added 2019/10/21 9:30 p.m.•114 views

[SECURITY] [DSA 4548-1] openjdk-8 security update

Debian Security Advisory DSA-4548-1 https://www.debian.org/security/ Moritz Muehlenhoff October 21, 2019 https://www.debian.org/security/faq ...

CVSS 6.8, AI score 7.7, EPSS 0.02946
Exploits: 0

•added 2019/10/21 9:26 p.m.•113 views

[SECURITY] [DSA 4547-1] tcpdump security update

Debian Security Advisory DSA-4547-1 https://www.debian.org/security/ Moritz Muehlenhoff October 21, 2019 https://www.debian.org/security/faq ...

CVSS 9.8, AI score 8.2, EPSS 0.11133
Exploits: 0

•added 2019/10/21 7:47 p.m.•103 views

[SECURITY] [DLA 1967-1] libpcap security update

Package : libpcap Version : 1.6.2-2+deb8u1 CVE ID : CVE-2019-15165 Debian Bug : 941697 libpcap Packet CAPture, a low-level network monitoring library, does not properly validate the PHB header length before allocating memory. This update added sanity checks for PHB header length. For Debian 8...

CVSS 5.3, AI score 6.6, EPSS 0.03198
Exploits: 0

•added 2019/10/21 2:15 p.m.•116 views

[SECURITY] [DLA 1962-1] graphite-web security update

Package : graphite-web Version : 0.9.12+debian-6+deb8u1 CVE ID : CVE-2017-18638 The sendemail function in graphite-web/webapp/graphite/composer/views.py in Graphite is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource...

CVSS 7.5, AI score 6.8, EPSS 0.91616
Exploits: 1

•added 2019/10/21 2:14 p.m.•59 views

[SECURITY] [DLA 1961-1] milkytracker security update

Package : milkytracker Version : 0.90.85+dfsg-2.2+deb8u1 CVE ID : CVE-2019-14464 CVE-2019-14496 CVE-2019-14497 Debian Bug : 933964 Fredric discovered a couple of buffer overflows in MilkyTracker, of which, a brief description is given below. CVE-2019-14464 XMFile::read in XMFile.cpp in milkyplay ...

CVSS 7.8, AI score 7.1, EPSS 0.00299
Exploits: 3

•added 2019/10/21 9:4 a.m.•81 views

[SECURITY] [DLA 1968-1] imagemagick security update

Package : imagemagick Version : 8:6.8.9.9-5+deb8u18 CVE ID : CVE-2019-11470 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 Multiple vulnerabilities have been found in imagemagick, an image processing toolkit. CVE-2019-11470 Uncontrolled resource consumption caused by insufficiently sanitized image...

CVSS 8.8, AI score 8.8, EPSS 0.00829
Exploits: 3

•added 2019/10/20 9:34 p.m.•85 views

[SECURITY] [DSA 4546-1] openjdk-11 security update

Debian Security Advisory DSA-4546-1 https://www.debian.org/security/ Moritz Muehlenhoff October 20, 2019 https://www.debian.org/security/faq ...

CVSS 6.8, AI score 7.7, EPSS 0.02946
Exploits: 0

•added 2019/10/19 7:13 p.m.•120 views

[SECURITY] [DLA 1966-1] aspell security update

Package : aspell Version : 0.60.720110707-1.3+deb8u1 CVE ID : CVE-2019-17544 It was discovered that Aspell, the GNU spell checker, incorrectly handled certain inputs which leads to a stack-based buffer over-read. An attacker could potentially access sensitive information. For Debian 8 "Jessie",...

CVSS 9.1, AI score 9.2, EPSS 0.01242
Exploits: 0

•added 2019/10/19 2:42 p.m.•123 views

[SECURITY] [DLA 1965-1] nfs-utils security update

Package : nfs-utils Version : 1.2.8-9+deb8u1 CVE ID : CVE-2019-3689 Debian Bug : 940848 In the nfs-utils package, providing support files for Network File System NFS including the rpc.statd daemon, the directory /var/lib/nfs is owned by statd:nogroup. This directory contains files owned and manag...

CVSS 10, AI score 7.4, EPSS 0.00336
Exploits: 0

•added 2019/10/18 6:4 p.m.•159 views

[SECURITY] [DSA 4545-1] mediawiki security update

Debian Security Advisory DSA-4545-1 https://www.debian.org/security/ Moritz Muehlenhoff October 18, 2019 https://www.debian.org/security/faq ...

CVSS 5.3, AI score 5.1, EPSS 0.00415
Exploits: 1

•added 2019/10/18 6:44 a.m.•200 views

[SECURITY] [DLA 1963-2] poppler regression update

Package : poppler Version : 0.180.26.5-2+deb8u13 CVE ID : CVE-2019-10871 Debian Bug : 942503 The fix for CVE-2019-10871 broke xpdf. This change has been reverted until a better fix can be developed. For Debian 8 "Jessie", this problem has been fixed in version 0.180.26.5-2+deb8u13. We recommend...

CVSS 6.5, AI score 6.7, EPSS 0.00628
Exploits: 1

•added 2019/10/17 9:17 p.m.•155 views

[SECURITY] [DLA 1963-1] poppler security update

Package : poppler Version : 0.26.5-2+deb8u12 CVE ID : CVE-2019-9959 CVE-2019-10871 Two buffer allocation issues were identified in poppler. CVE-2019-9959 An unexpected negative length value can cause an integer overflow, which in turn making it possible to allocate a large memory chunk on the hea...

CVSS 6.5, AI score 7.5, EPSS 0.01451
Exploits: 1

•added 2019/10/17 8:21 p.m.•42 views

[SECURITY] [DLA 1960-1] wordpress security update

Package : wordpress Version : 4.1.27+dfsg-0+deb8u1 CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 Debian Bug : 939543 Several cross-site scripting XSS vulnerabilities were discovered in Wordpress, a popular content management...

CVSS 6.1, AI score 7.2, EPSS 0.04685
Exploits: 5

•added 2019/10/17 8:14 p.m.•48 views

[SECURITY] [DLA 1964-1] sudo security update

Package : sudo Version : 1.8.10p3-1+deb8u6 CVE ID : CVE-2019-14287 Debian Bug : 942322 In sudo, a program that provides limited super user privileges to specific users, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can caus...

CVSS 9, AI score 8.9, EPSS 0.85814
Exploits: 10

•added 2019/10/17 9:46 a.m.•80 views

[SECURITY] [DLA 1714-2] libsdl2 regression update

Package : libsdl2 Version : 2.0.2+dfsg1-6+deb8u2 CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 The update of libsdl2 released as DLA 1714-1 led to several regressions, as reported ...

CVSS 8.8, AI score 8.8, EPSS 0.04477
Exploits: 11

•added 2019/10/17 9:45 a.m.•74 views

[SECURITY] [DLA 1713-2] libsdl1.2 regression update

Package : libsdl1.2 Version : 1.2.15-10+deb8u2 CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 The update of libsdl1.2 released as DLA 1713-1 led to a regression, caused by an...

CVSS 8.8, AI score 8.7, EPSS 0.04477
Exploits: 11

•added 2019/10/16 5:29 a.m.•31 views

[SECURITY] [DSA 4544-1] unbound security update

Debian Security Advisory DSA-4544-1 https://www.debian.org/security/ Sebastien Delafond October 16, 2019 https://www.debian.org/security/faq ...

CVSS 5, AI score 1.4, EPSS 0.01248
Exploits: 0

•added 2019/10/16 5:29 a.m.•80 views

[SECURITY] [DSA 4544-1] unbound security update

Debian Security Advisory DSA-4544-1 https://www.debian.org/security/ Sebastien Delafond October 16, 2019 https://www.debian.org/security/faq ...

CVSS 7.5, AI score 7.6, EPSS 0.01248
Exploits: 0

•added 2019/10/15 9:12 p.m.•42 views

[SECURITY] [DSA 4509-3] apache2 security update

Debian Security Advisory DSA-4509-3 https://www.debian.org/security/ Salvatore Bonaccorso October 15, 2019 https://www.debian.org/security/faq ...

CVSS 4.3, AI score 1.9, EPSS 0.82379
Exploits: 4

•added 2019/10/15 9:12 p.m.•94 views

[SECURITY] [DSA 4509-3] apache2 security update

Debian Security Advisory DSA-4509-3 https://www.debian.org/security/ Salvatore Bonaccorso October 15, 2019 https://www.debian.org/security/faq ...

CVSS 6.1, AI score 8, EPSS 0.82379
Exploits: 4

•added 2019/10/14 8:49 p.m.•82 views

[SECURITY] [DLA 1959-1] xtrlock security update

Package : xtrlock Version : 2.6+deb8u1 CVE ID : CVE-2016-10894 Debian Bug : 830726 It was discovered that multitouch devices were not being disabled by the "xtrlock" screen locking utility. xtrlock did not block multitouch events so an attacker could still input and thus control various programs...

CVSS 4.6, AI score 4.6, EPSS 0.00044
Exploits: 0

•added 2019/10/14 7:5 p.m.•148 views

[SECURITY] [DSA 4543-1] sudo security update

Debian Security Advisory DSA-4543-1 https://www.debian.org/security/ Salvatore Bonaccorso October 14, 2019 https://www.debian.org/security/faq ...

CVSS 9, AI score 9.1, EPSS 0.85814
Exploits: 10

•added 2019/10/14 7:5 p.m.•33 views

[SECURITY] [DSA 4543-1] sudo security update

Debian Security Advisory DSA-4543-1 https://www.debian.org/security/ Salvatore Bonaccorso October 14, 2019 https://www.debian.org/security/faq ...

CVSS 9, AI score 3.2, EPSS 0.85814
Exploits: 10

•added 2019/10/14 11:28 a.m.•74 views

[SECURITY] [DLA 1953-2] clamav regression update

Package : clamav Version : 0.101.4+dfsg-0+deb8u2 CVE ID : CVE-2019-12625 CVE-2019-12900 Debian Bug : 942172 The update of clamav released as DLA 1953-1 led to permission issues on /var/run/clamav. This caused several users to experience issues restarting the clamav daemon. This regression is caus...

CVSS 9.8, AI score 8.8, EPSS 0.0214
Exploits: 0

•added 2019/10/14 11:25 a.m.•96 views

[SECURITY] [DLA 1958-1] libdatetime-timezone-perl new upstream version

Package : libdatetime-timezone-perl Version : 1:1.75-2+2019c This update includes the changes in tzdata 2019c for the Perl bindings. For the list of changes, see DLA-1957-1. For Debian 8 "Jessie", this problem has been fixed in version 1:1.75-2+2019c. We recommend that you upgrade your...

AI score 6.8
Exploits: 0

•added 2019/10/14 11:23 a.m.•72 views

[SECURITY] [DLA 1957-1] tzdata new upstream version

Package : tzdata Version : 2019c-0+deb8u1 This update includes the changes in tzdata 2018c. Notable changes are: - Brazil has canceled DST and will stay on standard time indefinitely. - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12 instead of 2019-11-03 and 2020-01-19. - Norfolk...

AI score 6.8
Exploits: 0

Total number of security vulnerabilities: 14335