[SECURITY] [DLA 1953-2] clamav regression update
Package : clamav Version : 0.101.4+dfsg-0+deb8u2 CVE ID : CVE-2019-12625 CVE-2019-12900 Debian Bug : 942172 The update of clamav released as DLA 1953-1 led to permission issues on /var/run/clamav. This caused several users to experience issues restarting the clamav daemon. This regression is caus...
[SECURITY] [DLA 1958-1] libdatetime-timezone-perl new upstream version
Package : libdatetime-timezone-perl Version : 1:1.75-2+2019c This update includes the changes in tzdata 2019c for the Perl bindings. For the list of changes, see DLA-1957-1. For Debian 8 "Jessie", this problem has been fixed in version 1:1.75-2+2019c. We recommend that you upgrade your...
[SECURITY] [DLA 1957-1] tzdata new upstream version
Package : tzdata Version : 2019c-0+deb8u1 This update includes the changes in tzdata 2018c. Notable changes are: - Brazil has canceled DST and will stay on standard time indefinitely. - Fiji's next DST transitions will be 2019-11-10 and 2020-01-12 instead of 2019-11-03 and 2020-01-19. - Norfolk...
[SECURITY] [DSA 4539-3] openssl regression update
------------------------------------------------------------------------- Debian Security Advisory DSA-4539-3 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 13, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1955-1] tcpdump security update
Package : tcpdump Version : 4.9.3-1~deb8u1 CVE ID : CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462 CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466 CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470 CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882...
[SECURITY] [DLA 1956-1] ruby-openid security update
Package : ruby-openid Version : 2.5.0debian-1+deb8u1 CVE ID : CVE-2019-11027 ruby-openid performed discovery first, and then verification. This allowed an attacker to change the URL used for discovery and trick the server into connecting to the URL. This server in turn could be a private server n...
[SECURITY] [DLA 1954-1] lucene-solr security update
Package : lucene-solr Version : 3.6.2+dfsg-5+deb8u3 CVE ID : CVE-2019-0193 A security vulnerability was discovered in lucene-solr, an enterprise search server. The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole...
[SECURITY] [DLA 1953-1] clamav security update
Package : clamav Version : 0.101.4+dfsg-0+deb8u1 CVE ID : CVE-2019-12625 CVE-2019-12900 Debian Bug : 34359 It was discovered that clamav, the open source antivirus engine, is affected by the following security vulnerabilities: CVE-2019-12625 Denial of Service (DoS) vulnerability, resulting from...
[SECURITY] [DLA 1952-1] rsyslog security update
Package : rsyslog Version : 8.4.2-1+deb8u3 CVE IDs : CVE-2019-17041 CVE-2019-17042 Debian Bugs : 942065 942067 It was discovered that there were two vulnerabilities in the rsyslog system/kernel logging daemon in the parsers for AIX and Cisco log messages respectively. For Debian 8 "Jessie", these...
[SECURITY] [DLA 1951-1] libtomcrypt security update
Package : libtomcrypt Version : 1.17-6+deb8u1 CVE ID : CVE-2019-17362 It was discovered that there was a denial of service vulnerability in the libtomcrypt cryptographic library. An out-of-bounds read and crash could occur via carefully-crafted "DER" encoded data, e.g. by importing an X.509...
[SECURITY] [DLA 1950-1] openjpeg2 security update
Package : openjpeg2 Version : 2.1.0-2+deb8u8 CVE ID : CVE-2018-21010 Debian Bug : 939553 A heap buffer overflow vulnerability was discovered in openjpeg2, the open-source JPEG 2000 codec. This vulnerability is caused by insufficient validation of width and height of image components in...
[SECURITY] [DLA 1949-1] xen security update
Package : xen Version : 4.4.4lts5-0+deb8u1 CVE ID : CVE-2018-19961 CVE-2018-19962 CVE-2018-19966 XSA ID : XSA-275 XSA-280 XSA-285 XSA-287 XSA-288 Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, information leaks or privilege escalatio...
[SECURITY] [DSA 4539-2] openssh regression update
------------------------------------------------------------------------- Debian Security Advisory DSA-4539-2 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 07, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1948-1] ruby-mini-magick security update
Package : ruby-mini-magick Version : 3.8.1-1+deb8u1 CVE ID : CVE-2019-13574 Debian Bug : 931932 In lib/minimagick/image.rb in ruby-mini-magick, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a | charact...
[SECURITY] [DLA 1942-2] phpbb3 regression update
This is a follow-up to DLA-1942-1. There was some confusion about the correct fix for CVE-2019-13776. The correct announcement for this DLA should have been: Package : phpbb3 Version : 3.0.12-5+deb8u4 CVE ID : CVE-2019-13776 CVE-2019-16993 CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had...
[SECURITY] [DLA 1947-1] libreoffice security update
Package : libreoffice Version : 1:4.3.3-2+deb8u13 CVE ID : CVE-2019-9848 CVE-2019-9849 CVE-2019-9850 CVE-2019-9851 CVE-2019-9852 CVE-2019-9853 CVE-2019-9854 Several vulnerabilities were discovered in LibreOffice, the office productivity suite. CVE-2019-9848 Nils Emmerich discovered that malicious...
[SECURITY] [DSA 4542-1] jackson-databind security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4542-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond October 06, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1946-1] novnc security update
Package : novnc Version : 1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1 CVE ID : CVE-2017-18635 An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server...
[SECURITY] [DSA 4541-1] libapreq2 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4541-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 04, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1945-1] openconnect security update
Package : openconnect Version : 6.00-2+deb8u1 CVE ID : CVE-2019-16239 Debian Bug : 940871 A vulnerability was discovered by Lukas Kupczyk of the Advanced Research Team at CrowdStrike Intelligence in OpenConnect, an open client for Cisco AnyConnect, Pulse, GlobalProtect VPN. A malicious HTTP serve...
[SECURITY] [DLA 1944-1] libapreq2 security update
Package : libapreq2 Version : 2.13-4+deb8u1 CVE ID : CVE-2019-12412 Debian Bug : 939937 It was discovered that there was a remotely-exploitable null pointer dereference in libapreq2, a library for manipulating HTTP requests. For Debian 8 "Jessie", this issue has been fixed in libapreq2 version...
[SECURITY] [DLA 1943-1] jackson-databind security update
Package : jackson-databind Version : 2.4.2-2+deb8u9 CVE ID : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943 Debian Bug : 940498 941530 More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig,...
[SECURITY] [DSA 4509-2] subversion update
------------------------------------------------------------------------- Debian Security Advisory DSA-4509-2 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff October 2, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4540-1] openssl1.0 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4540-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff October 01, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4539-1] openssl security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4539-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff October 01, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1940-1] linux-4.9 security update
Package : linux-4.9 Version : 4.9.189-3+deb9u1~deb8u1 CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-14821...
[SECURITY] [DLA 1942-1] phpbb3 security update
Package : phpbb3 Version : 3.0.12-5+deb8u4 CVE ID : CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a...
[SECURITY] [DLA 1941-1] netty security update
Package : netty Version : 1:3.2.6.Final-2+deb8u1 CVE ID : CVE-2019-16869 Netty mishandled whitespace before the colon in HTTP headers such as a "Transfer-Encoding : chunked" line, which leads to HTTP request smuggling. For Debian 8 "Jessie", this problem has been fixed in version...
[SECURITY] [DLA 1900-2] apache2 regression update
Package : apache2 Version : 2.4.10-10+deb8u16 CVE ID : CVE-2019-10092 Debian Bug : 941202 The update of apache2 released as DLA-1900-1 contained an incomplete fix for CVE-2019-10092, a limited cross-site scripting issue affecting the mod_proxy error page. The old patch rather introduced a new CSRF...
[SECURITY] [DLA 1939-1] poppler security update
Package : poppler Version : 0.26.5-2+deb8u11 CVE ID : CVE-2018-20650 CVE-2018-21009 CVE-2019-12493 Several issues in poppler, a PDF rendering library, have been fixed. CVE-2018-20650 A missing check for the dict data type could lead to a denial of service. CVE-2018-21009 An integer overflow might...
[SECURITY] [DLA 1938-1] file-roller security update
Package : file-roller Version : 3.14.1-1+deb8u1 CVE ID : CVE-2019-16680 An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction. For Debian 8 "Jessie", this proble...
[SECURITY] [DSA 4538-1] wpa security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4538-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez September 29, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1937-1] httpie security update
Package : httpie Version : 0.8.0-1+deb8u1 CVE ID : CVE-2019-10751 Debian Bug : 940058 An open redirect, that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his o...
[SECURITY] [DSA 4537-1] file-roller security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4537-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 28, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1936-1] cups security update
Package : cups Version : 1.7.5-11+deb8u6 CVE ID : CVE-2018-4300 An issue has been found in cups, the Common UNIX Printing System(tm). While generating a session cookie for the CUPS web interface, a predictable random number seed was used. This could lead to unauthorized scripted access to the enabl...
[SECURITY] [DLA 1935-1] e2fsprogs security update
Package : e2fsprogs Version : 1.42.12-2+deb8u1 CVE ID : CVE-2019-5094 Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code. Fo...
[SECURITY] [DLA 1934-1] cimg security update
Package : cimg Version : 1.5.9+dfsg-1+deb8u1 CVE ID : CVE-2018-7588 CVE-2018-7589 CVE-2018-7637 CVE-2018-7638 CVE-2018-7639 CVE-2018-7640 CVE-2018-7641 CVE-2019-1010174 Several issues have been found in cimg, a powerful image processing library. CVE-2019-1010174 is related to a missing string...
[SECURITY] [DSA 4536-1] exim4 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4536-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 28, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4535-1] e2fsprogs security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4535-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso September 27, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DSA 4534-1] golang-1.11 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4534-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 27, 2019 https://www.debian.org/security/faq -...
[SECURITY] [DLA 1933-1] ruby-nokogiri security update
Package : ruby-nokogiri Version : 1.6.3.1+ds-1+deb8u1 CVE ID : CVE-2019-5477 A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess by Ruby's Kernel.open method. For Debian 8 "Jessie", this problem has been fixed in version 1.6.3.1+ds-1+deb8u1. We recommend th...
[SECURITY] [DLA 1932-1] openssl security update
Package : openssl Version : 1.0.1t-1+deb8u12 CVE ID : CVE-2019-1547 CVE-2019-1563 Two security vulnerabilities were found in OpenSSL, the Secure Sockets Layer toolkit. CVE-2019-1547 Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths...
[SECURITY] [DSA 4533-1] lemonldap-ng security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4533-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff September 25, 2019 https://www.debian.org/security/faq -...