Debian Security Advisory

    • Official post

    Package: lucene-solr
    CVE ID: CVE-2017-3163 CVE-2017-12629

    Two vulnerabilities have been found in Solr, a search server based on Lucene, which could result in the execution of arbitrary code or path traversal.

    For the oldstable distribution (jessie), these problems have been fixed in version 3.6.2+dfsg-5+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 3.6.2+dfsg-10+deb9u1.

    We recommend that you upgrade your lucene-solr packages.

    For the detailed security status of lucene-solr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lucene-solr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package: wavpack
    CVE ID: CVE-2018-6767 CVE-2018-7253 CVE-2018-7254
    Debian Bug: 889274 889276 889559

    Joonun Jang discovered several problems in wavpack, an audio compression format suite. Incorrect processing of input resulted in several heap- and stack-based buffer overflows, leading to application crash or potential code execution.

    For the stable distribution (stretch), these problems have been fixed in version 5.0.0-2+deb9u1.

    We recommend that you upgrade your wavpack packages.

    For the detailed security status of wavpack please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wavpack

    • Official post

    Package: xmltooling
    CVE ID: CVE-2018-0489

    Kelby Ludwig and Scott Cantor discovered that the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to incorrect XML parsing. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advi…dv_20180227.txt

    For the oldstable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u3.

    For the stable distribution (stretch), this problem has been fixed in version 1.6.0-4+deb9u1.

    We recommend that you upgrade your xmltooling packages.

    For the detailed security status of xmltooling please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xmltooling

    • Official post

    Package: simplesamlphp
    CVE ID: CVE-2017-12867 CVE-2017-12869 CVE-2017-12873 CVE-2017-12874 CVE-2017-18121 CVE-2017-18122 CVE-2018-6519 CVE-2018-6521
    Debian Bug: 889286

    Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily via the SAML protocol.

    CVE-2017-12867
    Attackers with access to a secret token could extend its validity period by manipulating the prepended time offset.

    CVE-2017-12869
    When using the multiauth module, attackers can bypass authentication context restrictions and use any authentication source defined in the config.

    CVE-2017-12873
    Defensive measures have been taken to prevent the administrator from misconfiguring persistent NameIDs to avoid identifier clash. (Affects Debian 8 jessie only.)

    CVE-2017-12874
    The InfoCard module could accept incorrectly signed XML messages in rare occasions.

    CVE-2017-18121
    The consentAdmin module was vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code in the victim's browser.

    CVE-2017-18122
    The (deprecated) SAML 1.1 implementation would regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions was valid, allowing an attacker that could obtain a valid signed assertion from an IdP to impersonate users from that IdP.

    CVE-2018-6519
    Regular expression denial of service when parsing extraordinarily long timestamps.

    CVE-2018-6521
    Change sqlauth module MySQL charset from utf8 to utf8mb to prevent theoretical query truncation that could allow remote attackers to bypass intended access restrictions.

    SSPSA-201802-01 (no CVE yet)
    Critical signature validation vulnerability.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.13.1-2+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 1.14.11-1+deb9u1.

    We recommend that you upgrade your simplesamlphp packages.

    For the detailed security status of simplesamlphp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/simplesamlphp

    • Official post

    Package: trafficserver
    CVE ID: CVE-2017-5660 CVE-2017-7671

    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server. They could lead to the use of an incorrect upstream proxy, or allow a remote attacker to cause a denial-of-service by application crash.

    For the stable distribution (stretch), these problems have been fixed in version 7.0.0-6+deb9u1.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver

    • Official post

    Package: linux
    Debian Bug: 891249

    The security update announced as DSA-4120-1 caused regressions on the powerpc kernel architecture (random programs segfault, data corruption). Updated packages are now available to correct this issue.

    For the stable distribution (stretch), this problem has been fixed in version 4.9.82-1+deb9u3.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

    • Official post

    Package: freexl
    CVE ID: CVE-2018-7435 CVE-2018-7436 CVE-2018-7437 CVE-2018-7438 CVE-2018-7439

    Multiple heap buffer over-reads were discovered in freexl, a library to read Microsoft Excel spreadsheets, which could result in denial of service.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.0.0g-1+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in version 1.0.2-2+deb9u2.

    We recommend that you upgrade your freexl packages.

    For the detailed security status of freexl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/freexl

    • Official post

    Package: dovecot
    CVE ID: CVE-2017-14461 CVE-2017-15130 CVE-2017-15132
    Debian Bug: 888432 891819 891820

    Several vulnerabilities have been discovered in the Dovecot email server. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2017-14461
    Aleksandar Nikolic of Cisco Talos and 'flxflndy' discovered that Dovecot does not properly parse invalid email addresses, which may cause a crash or leak memory contents to an attacker.

    CVE-2017-15130
    It was discovered that TLS SNI config lookups may lead to excessive memory usage, causing imap-login/pop3-login VSZ limit to be reached and the process restarted, resulting in a denial of service. Only Dovecot configurations containing local_name { } or local { } configuration blocks are affected.

    CVE-2017-15132
    It was discovered that Dovecot contains a memory leak flaw in the login process on aborted SASL authentication.

    For the oldstable distribution (jessie), these problems have been fixed in version 1:2.2.13-12~deb8u4.

    For the stable distribution (stretch), these problems have been fixed in version 1:2.2.27-3+deb9u2.

    We recommend that you upgrade your dovecot packages.

    For the detailed security status of dovecot please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dovecot

    • Official post

    Package: xen
    CVE ID: CVE-2018-7540 CVE-2018-7541 CVE-2018-7542

    Multiple vulnerabilities have been discovered in the Xen hypervisor:

    CVE-2018-7540
    Jann Horn discovered that missing checks in page table freeing may result in denial of service.

    CVE-2018-7541
    Jan Beulich discovered that incorrect error handling in grant table checks may result in guest-to-host denial of service and potentially privilege escalation.

    CVE-2018-7542
    Ian Jackson discovered that insufficient handling of x86 PVH guests without local APICs may result in guest-to-host denial of service.

    For the stable distribution (stretch), these problems have been fixed in version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen

    • Official post

    Package: libvpx
    CVE ID: CVE-2017-13194

    It was discovered that incorrect validation of frame widths in the libvpx multimedia library may result in denial of service and potentially the execution of arbitrary code.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.3.0-3+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 1.6.1-3+deb9u1.

    We recommend that you upgrade your libvpx packages.

    For the detailed security status of libvpx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvpx

    • Official post

    Package: isc-dhcp
    CVE ID: CVE-2017-3144 CVE-2018-5732 CVE-2018-5733
    Debian Bug: 887413 891785 891786

    Several vulnerabilities have been discovered in the ISC DHCP client, relay and server. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2017-3144
    It was discovered that the DHCP server does not properly clean up closed OMAPI connections, which can lead to exhaustion of the pool of socket descriptors available to the DHCP server, resulting in denial of service.

    CVE-2018-5732
    Felix Wilhelm of the Google Security Team discovered that the DHCP client is prone to an out-of-bound memory access vulnerability when processing specially constructed DHCP options responses, resulting in potential execution of arbitrary code by a malicious DHCP server.

    CVE-2018-5733
    Felix Wilhelm of the Google Security Team discovered that the DHCP server does not properly handle reference counting when processing client requests. A malicious client can take advantage of this flaw to cause a denial of service (dhcpd crash) by sending large amounts of traffic.

    For the oldstable distribution (jessie), these problems have been fixed in version 4.3.1-6+deb8u3.

    For the stable distribution (stretch), these problems have been fixed in version 4.3.5-3+deb9u1.

    We recommend that you upgrade your isc-dhcp packages.

    For the detailed security status of isc-dhcp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/isc-dhcp

    • Official post

    Package: util-linux
    CVE ID: CVE-2018-7738
    Debian Bug: 892179

    Bjorn Bosselmann discovered that the umount bash completion from util-linux does not properly handle embedded shell commands in a mountpoint name. An attacker with rights to mount filesystems can take advantage of this flaw for privilege escalation if a user (in particular root) is tricked into using the umount completion while a specially crafted mount is present.

    For the stable distribution (stretch), this problem has been fixed in version 2.29.2-1+deb9u1.

    We recommend that you upgrade your util-linux packages.

    For the detailed security status of util-linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/util-linux

    • Official post

    Package: samba
    CVE ID: CVE-2018-1050 CVE-2018-1057

    Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues:

    CVE-2018-1050
    It was discovered that Samba is prone to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon.
    https://www.samba.org/samba/security/CVE-2018-1050.html

    CVE-2018-1057
    Bjoern Baumbach from Sernet discovered that on Samba 4 AD DC the LDAP server incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other users' passwords, including administrative users.
    https://www.samba.org/samba/security/CVE-2018-1057.html
    https://wiki.samba.org/index.php/CVE-2018-1057

    For the oldstable distribution (jessie), CVE-2018-1050 will be addressed in a later update. Unfortunately the changes required to fix CVE-2018-1057 for Debian oldstable are too invasive to be backported. Users using Samba as an AD-compatible domain controller are encouraged to apply the workaround described in the Samba wiki and upgrade to Debian stretch.

    For the stable distribution (stretch), these problems have been fixed in version 2:4.5.12+dfsg-2+deb9u2.

    We recommend that you upgrade your samba packages.

    For the detailed security status of samba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/samba

    • Official post

    Package: curl
    CVE ID: CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122

    Multiple vulnerabilities were discovered in cURL, a URL transfer library.

    CVE-2018-1000120
    Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of the URL contains a "%00" sequence.

    CVE-2018-1000121
    Dario Weisser discovered that curl might dereference a near-NULL address when getting an LDAP URL due to the ldap_get_attribute_ber() function returning LDAP_SUCCESS and a NULL pointer. A malicious server might cause libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs, to crash.

    CVE-2018-1000122
    OSS-fuzz, assisted by Max Dymond, discovered that curl could be tricked into copying data beyond the end of its heap-based buffer when asked to transfer an RTSP URL.

    For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u10.

    For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u5.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl

    • Official post

    Package: libvirt
    CVE ID: CVE-2018-1064 CVE-2018-5748 CVE-2018-6764

    Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library:

    CVE-2018-1064
    Daniel Berrange discovered that the QEMU guest agent performed insufficient validation of incoming data, which allows a privileged user in the guest to exhaust resources on the virtualisation host, resulting in denial of service.

    CVE-2018-5748
    Daniel Berrange and Peter Krempa discovered that the QEMU monitor was susceptible to denial of service by memory exhaustion. This was already fixed in Debian stretch and only affects Debian jessie.

    CVE-2018-6764
    Pedro Sampaio discovered that LXC containers detected the hostname insecurely. This only affects Debian stretch.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.2.9-9+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in version 3.0.0-4+deb9u3.

    We recommend that you upgrade your libvirt packages.

    For the detailed security status of libvirt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvirt

    • Official post

    Package: mbedtls
    CVE ID: CVE-2017-18187 CVE-2018-0487 CVE-2018-0488
    Debian Bug: 890287 890288

    Several vulnerabilities were discovered in mbed TLS, a lightweight crypto and SSL/TLS library, that allowed a remote attacker to either cause a denial-of-service by application crash, or execute arbitrary code.

    For the stable distribution (stretch), these problems have been fixed in version 2.4.2-1+deb9u2.

    We recommend that you upgrade your mbedtls packages.

    For the detailed security status of mbedtls please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mbedtls

    • Official post

    Package: firefox-esr
    CVE ID: CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5130 CVE-2018-5131 CVE-2018-5144 CVE-2018-5145

    Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service or information disclosure.

    For the oldstable distribution (jessie), these problems have been fixed in version 52.7.1esr-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 52.7.1esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr

    • Official post

    Package: libvorbis
    CVE ID: CVE-2018-5146
    Debian Bug: 893130

    Richard Zhu discovered that an out-of-bounds memory write in the codebook parsing code of the Libvorbis multimedia library could result in the execution of arbitrary code.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.3.4-2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 1.3.5-4+deb9u2.

    We recommend that you upgrade your libvorbis packages.

    For the detailed security status of libvorbis please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvorbis

    • Official post

    Package: libvorbisidec
    CVE ID: CVE-2018-5147
    Debian Bug: 893132

    Huzaifa Sidhpurwala discovered that an out-of-bounds memory write in the codebook parsing code of the Libtremor multimedia library could result in the execution of arbitrary code if a malformed Vorbis file is opened.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.0.2+svn18153-1~deb8u2.

    For the stable distribution (stretch), this problem has been fixed in version 1.0.2+svn18153-1+deb9u1.

    We recommend that you upgrade your libvorbisidec packages.

    For the detailed security status of libvorbisidec please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvorbisidec

    • Official post

    Package: uwsgi
    CVE ID: CVE-2018-7490
    Debian Bug: 891639

    Marios Nicolaides discovered that the PHP plugin in uWSGI, a fast, self-healing application container server, does not properly handle a DOCUMENT_ROOT check during use of the --php-docroot option, allowing a remote attacker to mount a directory traversal attack and gain unauthorized read access to sensitive files located outside of the web root directory.

    For the oldstable distribution (jessie), this problem has been fixed in version 2.0.7-1+deb8u2. This update additionally includes the fix for CVE-2018-6758 which was aimed to be addressed in the upcoming jessie point release.

    For the stable distribution (stretch), this problem has been fixed in version 2.0.14+20161117-3+deb9u2.

    We recommend that you upgrade your uwsgi packages.

    For the detailed security status of uwsgi please refer to its security tracker page at: https://security-tracker.debian.org/tracker/uwsgi