Debian Security Advisory

    • Offizieller Beitrag

    Package: transmission

    CVE ID: not yet available

    Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent

    client; insecure RPC handling between the Transmission daemon and the

    client interface(s) may result in the execution of arbitrary code if a

    user visits a malicious website while Transmission is running.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 2.84-0.2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 2.92-2+deb9u1.

    We recommend that you upgrade your transmission packages.

    For the detailed security status of transmission please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/transmission

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: gdk-pixbuf

    CVE ID: CVE-2017-1000422

    It was discovered that multiple integer overflows in the GIF image loader

    in the GDK Pixbuf library may result in denial of service and potentially

    the execution of arbitrary code if a malformed image file is opened.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 2.31.1-2+deb8u7.

    For the stable distribution (stretch), this problem has been fixed in

    version 2.36.5-2+deb9u2. In addition this update provides fixes for

    CVE-2017-6312, CVE-2017-6313 and CVE-2017-6314.

    We recommend that you upgrade your gdk-pixbuf packages.

    For the detailed security status of gdk-pixbuf please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/gdk-pixbuf

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: bind9

    CVE ID: CVE-2017-3145

    Jayachandran Palanisamy of Cygate AB reported that BIND, a DNS server

    implementation, was improperly sequencing cleanup operations, leading in

    some cases to a use-after-free error, triggering an assertion failure

    and crash in named.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 1:9.9.5.dfsg-9+deb8u15.

    For the stable distribution (stretch), this problem has been fixed in

    version 1:9.10.3.dfsg.P4-12.3+deb9u4.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: wordpress

    CVE ID: CVE-2017-9066 CVE-2017-16510 CVE-2017-17091 CVE-2017-17092

    CVE-2017-17093 CVE-2017-17094

    Debian Bug: 862816 883314 880528

    Several vulnerabilities were discovered in Wordpress, a web blogging

    tool. They allowed remote attackers to perform SQL injections and

    various Cross-Side Scripting (XSS) and Server-Side Request Forgery

    (SSRF) attacks, as well as bypass some access restrictions.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 4.1+dfsg-1+deb8u16.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.7.5+dfsg-2+deb9u2.

    We recommend that you upgrade your wordpress packages.

    For the detailed security status of wordpress please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/wordpress

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: mysql-5.5

    CVE ID: CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665

    CVE-2018-2668

    Several issues have been discovered in the MySQL database server. The

    vulnerabilities are addressed by upgrading MySQL to the new upstream

    version 5.5.59, which includes additional changes. Please see the MySQL

    5.5 Release Notes and Oracle's Critical Patch Update advisory for

    further details:

    https://dev.mysql.com/doc/relnotes/m…ews-5-5-59.html

    http://www.oracle.com/technetwork/se…18-3236628.html

    For the oldstable distribution (jessie), these problems have been fixed

    in version 5.5.59-0+deb8u1.

    We recommend that you upgrade your mysql-5.5 packages.

    For the detailed security status of mysql-5.5 please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/mysql-5.5

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: awstats

    CVE ID: CVE-2017-1000501

    Debian Bug: 885835

    The cPanel Security Team discovered that awstats, a log file analyzer,

    was vulnerable to path traversal attacks. A remote unauthenticated

    attacker could leverage that to perform arbitrary code execution.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 7.2+dfsg-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 7.6+dfsg-1+deb9u1.

    We recommend that you upgrade your awstats packages.

    For the detailed security status of awstats please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/awstats

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: openocd

    CVE ID: CVE-2018-5704

    Debian Bug: 887488

    Josef Gajdusek discovered that OpenOCD, a JTAG debugger for ARM and MIPS,

    was vulnerable to Cross Protocol Scripting attacks. An attacker could

    craft a HTML page that, when visited by a victim running OpenOCD, could

    execute arbitrary commands on the victims host.

    This fix also sets the OpenOCD default binding to localhost, instead of

    every network interfaces. This can be changed with the added "bindto"

    command argument.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 0.8.0-4+deb7u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 0.9.0-1+deb8u1.

    We recommend that you upgrade your openocd packages.

    For the detailed security status of openocd please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/openocd

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: smarty3

    CVE ID: CVE-2017-1000480

    Debian Bug: 886460

    It was discovered that Smarty, a PHP template engine, was vulnerable to

    code-injection attacks. An attacker was able to craft a filename in

    comments that could lead to arbitrary code execution on the host running

    Smarty.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 3.1.21-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1.

    We recommend that you upgrade your smarty3 packages.

    For the detailed security status of smarty3 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/smarty3

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: gcab

    CVE ID: CVE-2018-5345

    Debian Bug: 887776

    It was discovered that gcab, a Microsoft Cabinet file manipulation tool,

    is prone to a stack-based buffer overflow vulnerability when extracting

    .cab files. An attacker can take advantage of this flaw to cause a

    denial-of-service or, potentially the execution of arbitrary code with

    the privileges of the user running gcab, if a specially crafted .cab

    file is processed.

    For the stable distribution (stretch), this problem has been fixed in

    version 0.7-2+deb9u1.

    We recommend that you upgrade your gcab packages.

    For the detailed security status of gcab please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/gcab

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: firefox-esr

    CVE ID: CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096

    CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102

    CVE-2018-5103 CVE-2018-5104 CVE-2018-5117

    Several security issues have been found in the Mozilla Firefox web

    browser: Multiple memory safety errors, use-after-frees, integer

    overflows and other implementation errors may lead to the execution of

    arbitrary code, denial of service or URL spoofing.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 52.6.0esr-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in

    version 52.6.0esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: poppler

    CVE ID: CVE-2017-14929 CVE-2017-1000456

    Multiple vulnerabilities were discovered in the poppler PDF rendering

    library, which could result in denial of service or the execution of

    arbitrary code if a malformed PDF file is processed.

    This update also fixes a regression in the handling of Type 3 fonts.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 0.26.5-2+deb8u3.

    For the stable distribution (stretch), these problems have been fixed in

    version 0.48.0-2+deb9u2.

    We recommend that you upgrade your poppler packages.

    For the detailed security status of poppler please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/poppler

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: curl

    CVE ID: CVE-2018-1000005 CVE-2018-1000007

    Two vulnerabilities were discovered in cURL, an URL transfer library.

    CVE-2018-1000005

    Zhouyihai Ding discovered an out-of-bounds read in the code

    handling HTTP/2 trailers. This issue doesn't affect the oldstable

    distribution (jessie).

    CVE-2018-1000007

    Craig de Stigter discovered that authentication data might be leaked

    to third parties when following HTTP redirects.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 7.38.0-4+deb8u9.

    For the stable distribution (stretch), these problems have been fixed in

    version 7.52.1-5+deb9u4.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/curl

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: ffmpeg

    CVE ID: CVE-2017-17081

    Several vulnerabilities have been discovered in the FFmpeg multimedia

    framework, which could result in denial of service or potentially the

    execution of arbitrary code if malformed files/streams are processed.

    For the stable distribution (stretch), this problem has been fixed in

    version 7:3.2.10-1~deb9u1.

    We recommend that you upgrade your ffmpeg packages.

    For the detailed security status of ffmpeg please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/ffmpeg

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: tiff

    CVE ID: CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726

    CVE-2017-13727 CVE-2017-18013

    Multiple vulnerabilities have been discovered in the libtiff library and

    the included tools, which may result in denial of service or the

    execution of arbitrary code.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 4.0.3-12.3+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.0.8-2+deb9u2.

    We recommend that you upgrade your tiff packages.

    For the detailed security status of tiff please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/tiff

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: wireshark

    CVE ID: CVE-2018-5334 CVE-2018-5335 CVE-2018-5336

    It was discovered that wireshark, a network protocol analyzer, contained

    several vulnerabilities in the dissectors/file parsers for IxVeriWave,

    WCP, JSON, XML, NTP, XMPP and GDB, which could result in denial of

    dervice or the execution of arbitrary code.

    For the oldstable distribution (jessie), these problems have been fixed

    in version (1.12.1+g01b65bf-4+deb8u13.

    For the stable distribution (stretch), these problems have been fixed in

    version 2.2.6+g32dac6a-2+deb9u2.

    We recommend that you upgrade your wireshark packages.

    For the detailed security status of wireshark please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/wireshark

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: smarty3

    CVE ID: CVE-2017-1000480

    Debian Bug: 886460

    Côme Chilliet from the FusionDirectory team detected a regression in the

    previously issued fix for CVE-2017-1000480. This regression only affects

    the Jessie version of the patch. For reference, the relevant part of the

    original advisory text follows.

    It was discovered that Smarty, a PHP template engine, was vulnerable to

    code-injection attacks. An attacker was able to craft a filename in

    comments that could lead to arbitrary code execution on the host running

    Smarty.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 3.1.21-1+deb8u2.

    We recommend that you upgrade your smarty3 packages.

    For the detailed security status of smarty3 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/smarty3

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: thunderbird

    CVE ID: CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096

    CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102

    CVE-2018-5103 CVE-2018-5104 CVE-2018-5117

    Multiple security issues have been found in Thunderbird, which may lead

    to the execution of arbitrary code, denial of service or URL spoofing.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1:52.6.0-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in

    version 1:52.6.0-1~deb9u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: chromium-browser

    CVE ID: CVE-2017-15420 CVE-2017-15429 CVE-2018-6031 CVE-2018-6032

    CVE-2018-6033 CVE-2018-6034 CVE-2018-6035 CVE-2018-6036

    CVE-2018-6037 CVE-2018-6038 CVE-2018-6039 CVE-2018-6040

    CVE-2018-6041 CVE-2018-6042 CVE-2018-6043 CVE-2018-6045

    CVE-2018-6046 CVE-2018-6047 CVE-2018-6048 CVE-2018-6049

    CVE-2018-6050 CVE-2018-6051 CVE-2018-6052 CVE-2018-6053

    CVE-2018-6054

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2017-15420

    Drew Springall discovered a URL spoofing issue.

    CVE-2017-15429

    A cross-site scripting issue was discovered in the v8 javascript

    library.

    CVE-2018-6031

    A use-after-free issue was discovered in the pdfium library.

    CVE-2018-6032

    Jun Kokatsu discovered a way to bypass the same origin policy.

    CVE-2018-6033

    Juho Nurminen discovered a race condition when opening downloaded

    files.

    CVE-2018-6034

    Tobias Klein discovered an integer overflow issue.

    CVE-2018-6035

    Rob Wu discovered a way for extensions to access devtools.

    CVE-2018-6036

    UK's National Cyper Security Centre discovered an integer overflow

    issue.

    CVE-2018-6037

    Paul Stone discovered an issue in the autofill feature.

    CVE-2018-6038

    cloudfuzzer discovered a buffer overflow issue.

    CVE-2018-6039

    Juho Nurminen discovered a cross-site scripting issue in the

    developer tools.

    CVE-2018-6040

    WenXu Wu discovered a way to bypass the content security policy.

    CVE-2018-6041

    Luan Herrera discovered a URL spoofing issue.

    CVE-2018-6042

    Khalil Zhani discovered a URL spoofing issue.

    CVE-2018-6043

    A character escaping issue was discovered.

    CVE-2018-6045

    Rob Wu discovered a way for extensions to access devtools.

    CVE-2018-6046

    Rob Wu discovered a way for extensions to access devtools.

    CVE-2018-6047

    Masato Kinugawa discovered an information leak issue.

    CVE-2018-6048

    Jun Kokatsu discoverd a way to bypass the referrer policy.

    CVE-2018-6049

    WenXu Wu discovered a user interface spoofing issue.

    CVE-2018-6050

    Jonathan Kew discovered a URL spoofing issue.

    CVE-2018-6051

    Anonio Sanso discovered an information leak issue.

    CVE-2018-6052

    Tanner Emek discovered that the referrer policy implementation

    was incomplete.

    CVE-2018-6053

    Asset Kabdenov discoved an information leak issue.

    CVE-2018-6054

    Rob Wu discovered a use-after-free issue.

    For the oldstable distribution (jessie), security support for chromium

    has been discontinued.

    For the stable distribution (stretch), these problems have been fixed in

    version 64.0.3282.119-1~deb9u1.

    We recommend that you upgrade your chromium-browser packages.

    For the detailed security status of chromium-browser please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium-browser

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: p7zip

    CVE ID: CVE-2017-17969

    Debian Bug: 888297

    'landave' discovered a heap-based buffer overflow vulnerability in the

    NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file

    archiver with high compression ratio. A remote attacker can take

    advantage of this flaw to cause a denial-of-service or, potentially the

    execution of arbitrary code with the privileges of the user running

    p7zip, if a specially crafted shrinked ZIP archive is processed.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 9.20.1~dfsg.1-4.1+deb8u3.

    For the stable distribution (stretch), this problem has been fixed in

    version 16.02+dfsg-3+deb9u1.

    We recommend that you upgrade your p7zip packages.

    For the detailed security status of p7zip please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/p7zip

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package: mpv

    CVE ID: CVE-2018-6360

    Debian Bug: 888654

    It was discovered that mpv, a media player, was vulnerable to remote code

    execution attacks. An attacker could craft a malicious web page that,

    when used as an argument in mpv, could execute arbitrary code in the host

    of the mpv user.

    For the stable distribution (stretch), this problem has been fixed in

    version 0.23.0-2+deb9u1.

    We recommend that you upgrade your mpv packages.

    For the detailed security status of mpv please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/mpv

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/