Debian Security Advisory

  • Package: mpv

    CVE ID: CVE-2018-6360

    Debian Bug: 889892

    A regression was detected in the previously issued fix for CVE-2018-6360. The patch released with DSA 4105-1 broke the feature of invoking mpv with raw YouTube ids. This update fixes this functionality issue. For reference, the relevant part of the original advisory text follows.

    It was discovered that mpv, a media player, was vulnerable to remote code execution attacks. An attacker could craft a malicious web page that, when used as an argument in mpv, could execute arbitrary code on the mpv user's host.

    For the stable distribution (stretch), this problem has been fixed in version 0.23.0-2+deb9u2.

    We recommend that you upgrade your mpv packages.

    For the detailed security status of mpv please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mpv

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
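
    Every advisory on this page ends with a fixed version, and the practitioner's check is whether the installed version sorts at or above it under dpkg's version ordering (epoch first, then upstream and Debian revision, with '~' sorting before everything and digit runs compared numerically). The Python below is an added example and not Debian tooling: it reimplements that comparison and checks a constructed inventory against fixed versions copied from this page. The SAMPLE_INVENTORY dict is constructed for the example; on a real host the installed versions come from `dpkg-query -W -f='${binary:Package} ${Version}\n'`, and because the advisories quote source-package versions, binary packages such as linux-image-* must be mapped to their source package (linux) before comparing.

```python
"""Added example: dpkg-style version comparison to check a host against DSA fixed versions."""
import re
from itertools import zip_longest


def _char_order(c: str) -> int:
    """dpkg ordering for non-digit characters: '~' < end of string < letters < other."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _lexical_cmp(a: str, b: str) -> int:
    for ca, cb in zip_longest(a, b, fillvalue=""):
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _fragment_cmp(a: str, b: str) -> int:
    """Compare an upstream or revision string: alternate non-digit and digit runs,
    digit runs compared numerically (so 1.10 sorts after 1.9)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        r = _lexical_cmp(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision are optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)


# Fixed versions for stretch, copied from the advisories on this page.
FIXED_STRETCH = {
    "mpv": "0.23.0-2+deb9u2",
    "libtasn1-6": "4.10-1.1+deb9u1",
    "exim4": "4.89-2+deb9u3",
    "libreoffice": "1:5.2.7-1+deb9u2",
    "xen": "4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1",
    "linux": "4.9.82-1+deb9u2",
}

# Constructed inventory standing in for `dpkg-query -W` output on a stretch host.
SAMPLE_INVENTORY = {
    "mpv": "0.23.0-2+deb9u1",            # one revision behind the fix
    "libtasn1-6": "4.10-1.1+deb9u1",     # exactly the fixed version
    "exim4": "4.89-2+deb9u3",
    "libreoffice": "1:5.2.7-1+deb9u1",   # epoch present, still behind
    "xen": "4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1",
    "linux": "4.9.65-3+deb9u2",          # older upstream snapshot
}


def outdated_packages(inventory: dict, fixed: dict) -> list:
    """Return (package, installed, fixed) for every package still below its fixed version."""
    return [
        (pkg, inventory[pkg], fixed_ver)
        for pkg, fixed_ver in fixed.items()
        if pkg in inventory and compare_versions(inventory[pkg], fixed_ver) < 0
    ]


if __name__ == "__main__":
    for pkg, have, need in outdated_packages(SAMPLE_INVENTORY, FIXED_STRETCH):
        print(f"{pkg}: installed {have} < fixed {need}")
```

    On the constructed inventory this reports mpv, libreoffice and linux as still vulnerable; the epoch on libreoffice and the `+deb9uN` suffixes are handled exactly as dpkg handles them, which is the part ad-hoc string comparison gets wrong.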

  • Package: libtasn1-6

    CVE ID: CVE-2017-10790 CVE-2018-6003

    Debian Bug: 867398

    Two vulnerabilities were discovered in Libtasn1, a library to manage ASN.1 structures, allowing a remote attacker to cause a denial of service against an application using the Libtasn1 library.

    For the stable distribution (stretch), these problems have been fixed in version 4.10-1.1+deb9u1.

    We recommend that you upgrade your libtasn1-6 packages.

    For the detailed security status of libtasn1-6 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libtasn1-6

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: django-anymail

    CVE ID: CVE-2018-6596

    Debian Bug: 889450

    It was discovered that the webhook validation of Anymail, a set of Django email backends for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain the WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.

    For the stable distribution (stretch), this problem has been fixed in version 0.8-2+deb9u1.

    We recommend that you upgrade your django-anymail packages.

    For the detailed security status of django-anymail please refer to its security tracker page at: https://security-tracker.debian.org/tracker/django-anymail

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
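
    The flaw above is an early-exit comparison of the presented secret against the stored one: the time taken to reject a wrong value depends on how many leading bytes were right, which turns the response time into an oracle that yields the secret one byte at a time. The Python below is an added example and is not Anymail's code. It makes the leak visible deterministically by counting the steps an early-exit compare performs, shows the attacker loop that uses that count to recover a constructed secret, and then gives the fixed check using `hmac.compare_digest`, whose running time does not depend on where the first mismatch is. The SECRET value, the `verify_webhook_*` names, the assumption that the secret arrives as an HTTP Basic `Authorization` header, and the assumption that the attacker already knows the secret's length are all the example's own.

```python
"""Added example: why an early-exit secret compare leaks, and the constant-time fix."""
import base64
import hmac
import string

# Constructed secret standing in for a WEBHOOK_AUTHORIZATION value.
SECRET = "s3cr3t-9f2a"


def leaky_equal(presented: str, expected: str):
    """Early-exit compare. Returns (match, steps); the step count is what an
    attacker observes as response time with a plain `==` on strings."""
    steps = 0
    if len(presented) != len(expected):
        return False, steps
    for a, b in zip(presented, expected):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def recover_secret(oracle, length: int, alphabet: str = string.ascii_letters + string.digits + "-") -> str:
    """Attacker side: extend the guess one byte at a time, keeping the byte that makes
    the oracle do the most work (it matched one more position before bailing out)."""
    known = ""
    for _ in range(length):
        best_char, best_score = "", -1
        for c in alphabet:
            guess = (known + c).ljust(length, "\x00")   # NUL padding never matches
            match, steps = oracle(guess)
            score = steps + int(match)   # a full match scores one above a last-byte miss
            if score > best_score:
                best_char, best_score = c, score
        known += best_char
    return known


def basic_header(user: str, secret: str) -> str:
    """Assumed framing for the example: 'Basic base64(user:secret)'."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def verify_webhook_vulnerable(auth_header: str) -> bool:
    """Vulnerable: `==` on str short-circuits at the first differing byte."""
    creds = base64.b64decode(auth_header.split(" ", 1)[1]).decode()
    _, _, secret = creds.partition(":")
    return secret == SECRET


def verify_webhook_fixed(auth_header: str) -> bool:
    """Fixed: compare_digest's timing is independent of the mismatch position
    (only the length of the secret can still be inferred). Malformed headers
    are rejected without raising, so parsing errors cannot become a second oracle."""
    try:
        creds = base64.b64decode(auth_header.split(" ", 1)[1]).decode()
    except Exception:
        return False
    _, _, secret = creds.partition(":")
    return hmac.compare_digest(secret.encode(), SECRET.encode())


if __name__ == "__main__":
    recovered = recover_secret(lambda g: leaky_equal(g, SECRET), len(SECRET))
    print("recovered via step-count oracle:", recovered, recovered == SECRET)
```

    Run stand-alone, the attacker loop recovers the constructed secret with at most `len(alphabet)` probes per byte instead of `len(alphabet) ** len(secret)`. Over a network the step count becomes a timing difference of nanoseconds that must be averaged over many requests, but the structure of the attack is unchanged, which is why the fix is a comparison whose work does not depend on the input rather than any amount of input validation.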

  • Package: mailman

    CVE ID: CVE-2018-5950

    Debian Bug: 888201

    Calum Hutton and the Mailman team discovered a cross site scripting and information leak vulnerability in the user options page. A remote attacker could use a crafted URL to steal cookie information or to probe whether a user is subscribed to a list with a private roster.

    For the oldstable distribution (jessie), this problem has been fixed in version 2.1.18-2+deb8u2.

    For the stable distribution (stretch), this problem has been fixed in version 2.1.23-1+deb9u2.

    We recommend that you upgrade your mailman packages.

    For the detailed security status of mailman please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mailman

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: ruby-omniauth

    CVE ID: CVE-2017-18076

    Debian Bug: 888523

    Lalith Rallabhandi discovered that OmniAuth, a Ruby library for implementing multi-provider authentication in web applications, mishandled and leaked sensitive information. An attacker with access to the callback environment, such as in the case of a crafted web application, can request authentication services from this module and gain access to the CSRF token.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.2.1-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 1.3.1-1+deb9u1.

    We recommend that you upgrade your ruby-omniauth packages.

    For the detailed security status of ruby-omniauth please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-omniauth

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: exim4

    CVE ID: CVE-2018-6789

    Debian Bug: 890000

    Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.

    For the oldstable distribution (jessie), this problem has been fixed in version 4.84.2-2+deb8u5.

    For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u3.

    We recommend that you upgrade your exim4 packages.

    For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: libreoffice

    CVE ID: CVE-2018-6871

    Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document.

    For the stable distribution (stretch), this problem has been fixed in version 1:5.2.7-1+deb9u2.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: libreoffice

    CVE ID: CVE-2018-6871

    Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that missing restrictions in the implementation of the WEBSERVICE function in LibreOffice could result in the disclosure of arbitrary files readable by the user who opens a malformed document.

    For the oldstable distribution (jessie), this problem has been fixed in version 1:4.3.3-2+deb8u10.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: xen

    CVE ID: CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566

    Multiple vulnerabilities have been discovered in the Xen hypervisor:

    CVE-2017-17563

    Jan Beulich discovered that an incorrect reference count overflow check in x86 shadow mode may result in denial of service or privilege escalation.

    CVE-2017-17564

    Jan Beulich discovered that improper x86 shadow mode reference count error handling may result in denial of service or privilege escalation.

    CVE-2017-17565

    Jan Beulich discovered that an incomplete bug check in x86 log-dirty handling may result in denial of service.

    CVE-2017-17566

    Jan Beulich discovered that x86 PV guests may gain access to internally used pages which could result in denial of service or potential privilege escalation.

    In addition this update ships the "Comet" shim to address the Meltdown class of vulnerabilities for guests with legacy PV kernels. In addition, the package provides the "Xen PTI stage 1" mitigation which is built-in and enabled by default on Intel systems, but can be disabled with `xpti=false' on the hypervisor command line (It does not make sense to use both xpti and the Comet shim.)

    Please refer to the following URL for more details on how to configure individual mitigation strategies: https://xenbits.xen.org/xsa/advisory-254.html

    Additional information can also be found in README.pti and README.comet.

    For the stable distribution (stretch), these problems have been fixed in version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: libvorbis

    CVE ID: CVE-2017-14632 CVE-2017-14633

    Two vulnerabilities were discovered in the libraries of the Vorbis audio compression codec, which could result in denial of service or the execution of arbitrary code if a malformed media file is processed.

    For the stable distribution (stretch), these problems have been fixed in version 1.3.5-4+deb9u1.

    We recommend that you upgrade your libvorbis packages.

    For the detailed security status of libvorbis please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvorbis

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: jackson-databind

    CVE ID: CVE-2017-17485 CVE-2018-5968

    Debian Bug: 888316 888318

    It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker to perform code execution by providing maliciously crafted input.

    For the oldstable distribution (jessie), these problems have been fixed in version 2.4.2-2+deb8u3.

    For the stable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u3.

    We recommend that you upgrade your jackson-databind packages.

    For the detailed security status of jackson-databind please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jackson-databind

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: quagga

    CVE ID: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381

    Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2018-5378

    It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash).

    https://www.quagga.net/security/Quagga-2018-0543.txt

    CVE-2018-5379

    It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash).

    https://www.quagga.net/security/Quagga-2018-1114.txt

    CVE-2018-5380

    It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables.

    https://www.quagga.net/security/Quagga-2018-1550.txt

    CVE-2018-5381

    It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface).

    https://www.quagga.net/security/Quagga-2018-1975.txt

    For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2.

    We recommend that you upgrade your quagga packages.

    For the detailed security status of quagga please refer to its security tracker page at: https://security-tracker.debian.org/tracker/quagga

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: plasma-workspace

    CVE ID: CVE-2018-6791

    Krzysztof Sieluzycki discovered that the notifier for removable devices in the KDE Plasma workspace performed insufficient sanitisation of FAT/VFAT volume labels, which could result in the execution of arbitrary shell commands if a removable device with a malformed disk label is mounted.

    For the stable distribution (stretch), this problem has been fixed in version 4:5.8.6-2.1+deb9u1.

    We recommend that you upgrade your plasma-workspace packages.

    For the detailed security status of plasma-workspace please refer to its security tracker page at: https://security-tracker.debian.org/tracker/plasma-workspace

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
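
    The bug class above is a shell command built by string interpolation: a volume label is attacker-controlled data (anyone can format a USB stick), so if it is pasted into a command line that a shell parses, shell syntax inside the label executes. The Python below is an added example, not the Plasma device notifier's code. It puts the vulnerable construction beside two hardened forms: passing the label as a single argv element so no shell ever sees it, and quoting with `shlex.quote` when a shell command line is unavoidable, plus an allow-list filter as defence in depth. The `printf` command and the label `$(echo pwned)` are constructed stand-ins; the label is harmless and only shows whether command substitution happened.

```python
"""Added example: shell injection through a volume label, and two hardened forms."""
import shlex
import subprocess

# Constructed label: what an attacker can write into the FAT label of a USB stick.
MALICIOUS_LABEL = "$(echo pwned)"


def open_label_vulnerable(label: str) -> str:
    """Interpolates the label into a shell command line; the shell expands $(...)."""
    cmd = f"printf '%s' {label}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_label_argv(label: str) -> str:
    """Hardened: argv list, shell=False. The label reaches printf as one literal
    argument; there is no shell to interpret it."""
    return subprocess.run(["printf", "%s", label], capture_output=True, text=True).stdout


def open_label_quoted(label: str) -> str:
    """Hardened when a shell is unavoidable: shlex.quote wraps the label so the
    shell treats it as one literal word."""
    cmd = f"printf '%s' {shlex.quote(label)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def sanitise_label(label: str, max_len: int = 11) -> str:
    """Defence in depth with an allow-list chosen for this example: FAT short
    labels are at most 11 bytes, and anything outside a conservative character
    set is replaced before the label is shown or passed on."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 _-.")
    return "".join(c if c in allowed else "_" for c in label[:max_len])


if __name__ == "__main__":
    print("vulnerable:", repr(open_label_vulnerable(MALICIOUS_LABEL)))
    print("argv:      ", repr(open_label_argv(MALICIOUS_LABEL)))
    print("quoted:    ", repr(open_label_quoted(MALICIOUS_LABEL)))
    print("sanitised: ", repr(sanitise_label(MALICIOUS_LABEL)))
```

    The vulnerable form prints `pwned`, because `$(echo pwned)` ran; both hardened forms print the label verbatim. The argv form is the one to prefer: quoting fixes the shell, but a later maintainer who passes the string to a different interpreter (a desktop file `Exec=` line, a URL handler) inherits the problem again.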

  • Package: gcc-4.9

    CVE ID: not applicable

    This update doesn't fix a vulnerability in GCC itself, but instead provides support for building retpoline-enabled Linux kernel updates.

    For the oldstable distribution (jessie), this support has been added in version 4.9.2-10+deb8u1.

    We recommend that you upgrade your gcc-4.9 packages.

    For the detailed security status of gcc-4.9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gcc-4.9

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: tomcat-native

    CVE ID: CVE-2017-15698

    Jonas Klempel reported that tomcat-native, a library giving Tomcat access to the Apache Portable Runtime (APR) library's network connection (socket) implementation and random-number generator, does not properly handle fields longer than 127 bytes when parsing the AIA-Extension field of a client certificate. If OCSP checks are used, this could result in client certificates that should have been rejected being accepted.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.1.32~repack-2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 1.2.12-2+deb9u1.

    We recommend that you upgrade your tomcat-native packages.

    For the detailed security status of tomcat-native please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat-native

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
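
    The libtasn1 advisory earlier on this page and this tomcat-native one share one parsing hazard. DER encodes every length either in short form (a single byte, 0 to 127) or in long form (a first byte of 0x80 | n followed by n length bytes), and the 127-byte threshold in the tomcat-native description is exactly that boundary: a decoder that assumes short form mis-reads any field of 128 bytes or more, and a decoder that trusts a decoded length without checking it against the bytes actually present will over-read or crash on attacker-supplied ASN.1 such as a client certificate extension. The Python below is an added example and is neither libtasn1 nor Tomcat Native code: a naive length reader that illustrates the short-form assumption, beside a DER TLV reader that handles both forms, rejects indefinite and non-minimal lengths, and refuses to read past the buffer. The sample encodings and all function names are the example's own.

```python
"""Added example: DER length handling (short vs long form) with bounds checks."""


class DerError(ValueError):
    pass


def naive_length(buf: bytes, pos: int):
    """Illustrative bug: treats the first length byte as the whole length, so a
    long-form header such as 81 C8 (200 bytes) is read as 0x81 = 129 and the
    real length byte is then consumed as if it were value data."""
    return buf[pos], pos + 1


def read_length(buf: bytes, pos: int):
    """DER length decoder. Returns (length, new_pos) or raises DerError."""
    if pos >= len(buf):
        raise DerError("truncated before length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos                      # short form: 0..127
    n = first & 0x7F                           # long form: n following length bytes
    if n == 0:
        raise DerError("indefinite length not allowed in DER")
    if n > 4:
        raise DerError("length field too large")
    if pos + n > len(buf):
        raise DerError("truncated length bytes")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER requires the shortest encoding: long form only for >= 128, no leading zero bytes.
    if length < 0x80 or length < (1 << (8 * (n - 1))):
        raise DerError("non-minimal length encoding")
    return length, pos + n


def read_tlv(buf: bytes, pos: int = 0):
    """Read one tag-length-value element, refusing to read past the buffer.
    Returns (tag, value, new_pos)."""
    if pos >= len(buf):
        raise DerError("truncated before tag")
    tag = buf[pos]
    length, pos = read_length(buf, pos + 1)
    if pos + length > len(buf):
        raise DerError(f"value claims {length} bytes, only {len(buf) - pos} left")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf: bytes):
    """Walk every TLV in buf; a malformed element raises instead of over-reading."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, len(value)))
    return out


def is_malformed(buf: bytes) -> bool:
    try:
        parse_sequence(buf)
        return False
    except DerError:
        return True


def encode_length(length: int) -> bytes:
    """Minimal DER length encoding, used only to build the constructed samples."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def octet_string(payload: bytes) -> bytes:
    return b"\x04" + encode_length(len(payload)) + payload


# Constructed samples: a 200-byte value needs long form (81 C8); a 10-byte one does not.
LONG_VALUE = octet_string(b"A" * 200)
SHORT_VALUE = octet_string(b"B" * 10)
TRUNCATED = LONG_VALUE[:50]                 # header promises 200 bytes, only 47 present
NON_MINIMAL = b"\x04\x81\x05" + b"hello"    # 5 must be encoded in short form
```

    On LONG_VALUE the naive reader returns 129 where the checked reader returns 200, which is the 127-byte boundary from the advisory made concrete; the truncated and non-minimal samples are rejected with an exception rather than an out-of-bounds read, which is the behaviour the libtasn1 fixes restore for applications using the library.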

  • Package: libav

    CVE ID: CVE-2017-16803

    Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at https://git.libav.org/?p=libav…gelog;hb=refs/tags/v11.12

    For the oldstable distribution (jessie), this problem has been fixed in version 6:11.12-1~deb8u1.

    We recommend that you upgrade your libav packages.

    For the detailed security status of libav please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libav

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: linux

    CVE ID: CVE-2017-5715 CVE-2017-5754 CVE-2017-13166 CVE-2018-5750

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

    CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

    This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated in the Linux kernel for the Intel x86-64 architecture by using the 'retpoline' compiler feature which allows indirect branches to be isolated from speculative execution.

    CVE-2017-5754

    Multiple researchers have discovered a vulnerability in Intel processors, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

    This specific attack has been named Meltdown and is addressed in the Linux kernel on the powerpc/ppc64el architectures by flushing the L1 data cache on exit from kernel mode to user mode (or from hypervisor to kernel). This works on Power7, Power8 and Power9 processors.

    CVE-2017-13166

    A bug in the 32-bit compatibility layer of the v4l2 IOCTL handling code has been found. Memory protections ensuring user-provided buffers always point to userland memory were disabled, allowing destination addresses to be in kernel space. This bug could be exploited by an attacker to overwrite kernel memory from an unprivileged userland process, leading to privilege escalation.

    CVE-2018-5750

    An information leak has been found in the Linux kernel. The acpi_smbus_hc_add() function prints a kernel address in the kernel log at every boot, which could be used by an attacker on the system to defeat kernel ASLR.

    In addition to those vulnerabilities, some mitigations for CVE-2017-5753 are included in this release.

    CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system.

    This specific attack has been named Spectre variant 1 (bounds-check bypass) and is mitigated in the Linux kernel by identifying vulnerable code sections (array bounds checking followed by array access) and replacing the array access with the speculation-safe array_index_nospec() function. More use sites will be added over time.

    For the stable distribution (stretch), these problems have been fixed in version 4.9.82-1+deb9u2.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: gcc-6

    CVE ID: not applicable

    This update doesn't fix a vulnerability in GCC itself, but instead provides support for building retpoline-enabled Linux kernel updates.

    For the stable distribution (stretch), this support has been added in version 6.3.0-18+deb9u1.

    We recommend that you upgrade your gcc-6 packages.

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: squid3

    CVE ID: CVE-2018-1000024 CVE-2018-1000027

    Debian Bug: 888719 888720

    Several vulnerabilities have been discovered in Squid3, a fully featured web proxy cache. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2018-1000024

    Louis Dion-Marcil discovered that Squid does not properly handle processing of certain ESI responses. A remote server delivering certain ESI response syntax can take advantage of this flaw to cause a denial of service for all clients accessing the Squid service. This problem is limited to the Squid custom ESI parser.

    http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

    CVE-2018-1000027

    Louis Dion-Marcil discovered that Squid is prone to a denial of service vulnerability when processing ESI responses or downloading intermediate CA certificates. A remote attacker can take advantage of this flaw to cause a denial of service for all clients accessing the Squid service.

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

    For the oldstable distribution (jessie), these problems have been fixed in version 3.4.8-6+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in version 3.5.23-5+deb9u1.

    We recommend that you upgrade your squid3 packages.

    For the detailed security status of squid3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/squid3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package: drupal7

    CVE ID: not yet available

    Debian Bug: 891154 891153 891152 891150

    Multiple vulnerabilities have been found in the Drupal content management framework. For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2018-001

    For the oldstable distribution (jessie), these problems have been fixed in version 7.32-1+deb8u10.

    For the stable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u2.

    We recommend that you upgrade your drupal7 packages.

    For the detailed security status of drupal7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/drupal7

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/