Debian Security Advisory

    • Official post

    Package : hylafax

    CVE ID : CVE-2018-17141

    Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing

    input sanitising in the Hylafax fax software could potentially result in

    the execution of arbitrary code via a malformed fax message.

    For the stable distribution (stretch), this problem has been fixed in

    version 3:6.0.6-7+deb9u1.

    We recommend that you upgrade your hylafax packages.

    For the detailed security status of hylafax please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/hylafax

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : texlive-bin

    CVE : not yet available

    Nick Roessler from the University of Pennsylvania has found a buffer overflow

    in texlive-bin, the executables for TexLive, the popular distribution of TeX

    document production system.

    This buffer overflow can be used for arbitrary code execution by crafting a

    special type1 font (.pfb) and providing it to users running pdf(la)tex, dvips or

    luatex in a way that the font is loaded.

    For the stable distribution (stretch), this problem has been fixed in

    version 2016.20160513.41080.dfsg-2+deb9u1.

    We recommend that you upgrade your texlive-bin packages.

    For the detailed security status of texlive-bin please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/texlive-bin

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : libarchive-zip-perl

    CVE ID : CVE-2018-10860

    Debian Bug : 902882

    It was discovered that Archive::Zip, a perl module for manipulation of

    ZIP archives, is prone to a directory traversal vulnerability. An

    attacker able to provide a specially crafted archive for processing can

    take advantage of this flaw to overwrite arbitrary files during archive

    extraction.

    For the stable distribution (stretch), this problem has been fixed in

    version 1.59-1+deb9u1.

    We recommend that you upgrade your libarchive-zip-perl packages.

    For the detailed security status of libarchive-zip-perl please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libarchive-zip-perl

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki

    CVE ID : CVE-2018-0503 CVE-2018-0504 CVE-2018-0505

    Multiple security vulnerabilities have been discovered in MediaWiki, a

    website engine for collaborative work, which result in incorrectly

    configured rate limits, information disclosure in Special:Redirect/logid

    and bypass of an account lock.

    For the stable distribution (stretch), these problems have been fixed in

    version 1:1.27.5-1~deb9u1.

    We recommend that you upgrade your mediawiki packages.

    For the detailed security status of mediawiki please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/mediawiki

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : openafs

    CVE ID : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949

    Debian Bug : 908616

    Several vulnerabilities were discovered in openafs, an implementation of

    the distributed filesystem AFS. The Common Vulnerabilities and Exposures

    project identifies the following problems:

    CVE-2018-16947

    Jeffrey Altman reported that the backup tape controller (butc)

    process does accept incoming RPCs but does not require (or allow

    for) authentication of those RPCs, allowing an unauthenticated

    attacker to perform volume operations with administrator

    credentials.

    https://openafs.org/pages/security/OPENAFS-SA-2018-001.txt

    CVE-2018-16948

    Mark Vitale reported that several RPC server routines do not fully

    initialize output variables, leaking memory contents (from both

    the stack and the heap) to the remote caller for

    otherwise-successful RPCs.

    https://openafs.org/pages/security/OPENAFS-SA-2018-002.txt

    CVE-2018-16949

    Mark Vitale reported that an unauthenticated attacker can consume

    large amounts of server memory and network bandwidth via

    specially crafted requests, resulting in denial of service to

    legitimate clients.

    https://openafs.org/pages/security/OPENAFS-SA-2018-003.txt

    For the stable distribution (stretch), these problems have been fixed in

    version 1.6.20-2+deb9u2.

    We recommend that you upgrade your openafs packages.

    For the detailed security status of openafs please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/openafs

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : okular

    CVE ID : CVE-2018-1000801

    Joran Herve discovered that the Okular document viewer was susceptible

    to directory traversal via malformed .okular files (annotated document

    archives), which could result in the creation of arbitrary files.

    For the stable distribution (stretch), this problem has been fixed in

    version 4:16.08.2-1+deb9u1.

    We recommend that you upgrade your okular packages.

    For the detailed security status of okular please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/okular

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2018-12383 CVE-2018-12385

    Two security issues have been found in the Mozilla Firefox web browser,

    which could potentially result in the execution of arbitrary code and

    local information disclosure.

    For the stable distribution (stretch), these problems have been fixed in

    version 60.2.1esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : strongswan

    CVE ID : CVE-2018-16151 CVE-2018-16152

    Sze Yiu Chau and his team from Purdue University and The University of Iowa

    found several issues in the gmp plugin for strongSwan, an IKE/IPsec suite.

    Problems in the parsing and verification of RSA signatures could lead to a

    Bleichenbacher-style low-exponent signature forgery in certificates and during

    IKE authentication.

    While the gmp plugin doesn't allow arbitrary data after the ASN.1 structure

    (the original Bleichenbacher attack), the ASN.1 parser is not strict enough and

    allows data in specific fields inside the ASN.1 structure.

    Only installations using the gmp plugin are affected (on Debian, the OpenSSL plugin

    has priority over the GMP one for RSA operations), and only when using keys and

    certificates (including ones from CAs) using keys with an exponent e = 3, which

    is usually rare in practice.

    CVE-2018-16151

    The OID parser in the ASN.1 code in gmp allows any number of random bytes

    after a valid OID.

    CVE-2018-16152

    The algorithmIdentifier parser in the ASN.1 code in gmp doesn't enforce a

    NULL value for the optional parameter which is not used with any PKCS#1

    algorithm.

    For the stable distribution (stretch), these problems have been fixed in

    version 5.5.1-4+deb9u3.

    We recommend that you upgrade your strongswan packages.

    For the detailed security status of strongswan please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/strongswan

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/
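
One way to make the signature check strict, as an added Python example that is not strongSwan's code and not part of the advisory above: instead of parsing the decrypted PKCS#1 v1.5 block, rebuild the single valid encoding and compare. `lenient_check` is a hypothetical model of the two parser laxities the advisory describes, and all vectors are constructed.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-256 (RFC 8017):
# SEQUENCE { SEQUENCE { OID sha256, NULL }, OCTET STRING of 32 bytes }
SHA256_OID = bytes.fromhex("608648016503040201")
SHA256_PREFIX = bytes.fromhex("3031300d0609") + SHA256_OID + bytes.fromhex("05000420")

def expected_em(message: bytes, k: int) -> bytes:
    """Build the only valid encoded message for a k-byte RSA modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:  # too small to hold 8 padding bytes: reject, never wrap
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def strict_check(em: bytes, message: bytes, k: int) -> bool:
    """Encode-and-compare: nothing is parsed, so no field can carry extra bytes."""
    try:
        return hmac.compare_digest(em, expected_em(message, k))
    except ValueError:
        return False

def read_tlv(buf: bytes, pos: int):
    """Read one short-form DER element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length > 0x7F or pos + 2 + length > len(buf):
        raise ValueError("long-form or truncated length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def lenient_check(em: bytes, message: bytes, k: int) -> bool:
    """Hypothetical parse-based check with the two laxities the advisory names."""
    try:
        if len(em) != k or em[:2] != b"\x00\x01":
            return False
        sep = em.index(b"\x00", 2)
        if sep < 10 or set(em[2:sep]) != {0xFF}:
            return False
        tag, info, end = read_tlv(em, sep + 1)
        if tag != 0x30 or end != len(em):  # nothing may follow the structure
            return False
        alg_tag, alg, pos = read_tlv(info, 0)
        oid_tag, oid, _ = read_tlv(alg, 0)
        # Laxity 1 (CVE-2018-16151 class): only the start of the OID is compared.
        if alg_tag != 0x30 or oid_tag != 0x06 or not oid.startswith(SHA256_OID):
            return False
        # Laxity 2 (CVE-2018-16152 class): the parameters are never inspected.
        tag, digest, pos = read_tlv(info, pos)
        return (tag == 0x04 and pos == len(info)
                and digest == hashlib.sha256(message).digest())
    except (ValueError, IndexError):
        return False

def build_em(message: bytes, k: int, oid=SHA256_OID, params=b"\x05\x00") -> bytes:
    """Constructed regression vector; defaults give the canonical encoding."""
    alg = b"\x06" + bytes([len(oid)]) + oid + params
    info = b"\x30" + bytes([len(alg)]) + alg + b"\x04\x20" + hashlib.sha256(message).digest()
    t = b"\x30" + bytes([len(info)]) + info
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def demo() -> dict:
    """Return {vector name: (lenient result, strict result)}."""
    msg, k = b"constructed sample message", 256
    vectors = {
        "canonical": build_em(msg, k),
        "oid_tail": build_em(msg, k, oid=SHA256_OID + b"\xaa" * 16),
        "non_null_params": build_em(msg, k, params=b"\x04\x10" + b"\xaa" * 16),
    }
    return {name: (lenient_check(em, msg, k), strict_check(em, msg, k))
            for name, em in vectors.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name}: lenient={lenient} strict={strict}")
```

The two non-canonical vectors make useful regression tests for any verifier that still parses the DigestInfo instead of comparing against the expected encoding.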

    • Official post

    Package : python2.7

    CVE ID : CVE-2018-1060 CVE-2018-1061 CVE-2018-14647

    CVE-2018-1000802

    Multiple security issues were discovered in Python: ElementTree failed

    to initialise Expat's hash salt, two denial of service issues were found

    in difflib and poplib and the shutil module was affected by a command

    injection vulnerability.

    For the stable distribution (stretch), these problems have been fixed in

    version 2.7.13-2+deb9u3.

    We recommend that you upgrade your python2.7 packages.

    For the detailed security status of python2.7 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/python2.7

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : python3.5

    CVE ID : CVE-2017-1000158 CVE-2018-1060 CVE-2018-1061

    CVE-2018-14647

    Multiple security issues were discovered in Python: ElementTree failed

    to initialise Expat's hash salt, two denial of service issues were found

    in difflib and poplib and a buffer overflow in PyString_DecodeEscape.

    For the stable distribution (stretch), these problems have been fixed in

    version 3.5.3-1+deb9u1.

    We recommend that you upgrade your python3.5 packages.

    For the detailed security status of python3.5 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/python3.5

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363

    CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099

    CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678

    CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276

    CVE-2018-16658 CVE-2018-17182

    Several vulnerabilities have been discovered in the Linux kernel that

    may lead to a privilege escalation, denial of service or information

    leaks.

    CVE-2018-6554

    A memory leak in the irda_bind function in the irda subsystem was

    discovered. A local user can take advantage of this flaw to cause a

    denial of service (memory consumption).

    CVE-2018-6555

    A flaw was discovered in the irda_setsockopt function in the irda

    subsystem, allowing a local user to cause a denial of service

    (use-after-free and system crash).

    CVE-2018-7755

    Brian Belleville discovered a flaw in the fd_locked_ioctl function

    in the floppy driver in the Linux kernel. The floppy driver copies a

    kernel pointer to user memory in response to the FDGETPRM ioctl. A

    local user with access to a floppy drive device can take advantage

    of this flaw to discover the location of kernel code and data.

    CVE-2018-9363

    It was discovered that the Bluetooth HIDP implementation did not

    correctly check the length of received report messages. A paired

    HIDP device could use this to cause a buffer overflow, leading to

    denial of service (memory corruption or crash) or potentially

    remote code execution.

    CVE-2018-9516

    It was discovered that the HID events interface in debugfs did not

    correctly limit the length of copies to user buffers. A local

    user with access to these files could use this to cause a

    denial of service (memory corruption or crash) or possibly for

    privilege escalation. However, by default debugfs is only

    accessible by the root user.

    CVE-2018-10902

    It was discovered that the rawmidi kernel driver does not protect

    against concurrent access which leads to a double-realloc (double

    free) flaw. A local attacker can take advantage of this issue for

    privilege escalation.

    CVE-2018-10938

    Yves Younan from Cisco reported that the Cipso IPv4 module did not

    correctly check the length of IPv4 options. On custom kernels with

    CONFIG_NETLABEL enabled, a remote attacker could use this to cause

    a denial of service (hang).

    CVE-2018-13099

    Wen Xu from SSLab at Gatech reported a use-after-free bug in the

    F2FS implementation. An attacker able to mount a crafted F2FS

    volume could use this to cause a denial of service (crash or

    memory corruption) or possibly for privilege escalation.

    CVE-2018-14609

    Wen Xu from SSLab at Gatech reported a potential null pointer

    dereference in the F2FS implementation. An attacker able to mount

    a crafted F2FS volume could use this to cause a denial of service

    (crash).

    CVE-2018-14617

    Wen Xu from SSLab at Gatech reported a potential null pointer

    dereference in the HFS+ implementation. An attacker able to mount

    a crafted HFS+ volume could use this to cause a denial of service

    (crash).

    CVE-2018-14633

    Vincent Pelletier discovered a stack-based buffer overflow flaw in

    the chap_server_compute_md5() function in the iSCSI target code. An

    unauthenticated remote attacker can take advantage of this flaw to

    cause a denial of service or possibly to get a non-authorized access

    to data exported by an iSCSI target.

    CVE-2018-14678

    M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the

    kernel exit code used on amd64 systems running as Xen PV guests.

    A local user could use this to cause a denial of service (crash).

    CVE-2018-14734

    A use-after-free bug was discovered in the InfiniBand

    communication manager. A local user could use this to cause a

    denial of service (crash or memory corruption) or possibly for

    privilege escalation.

    CVE-2018-15572

    Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and

    Nael Abu-Ghazaleh, from University of California, Riverside,

    reported a variant of Spectre variant 2, dubbed SpectreRSB. A

    local user may be able to use this to read sensitive information

    from processes owned by other users.

    CVE-2018-15594

    Nadav Amit reported that some indirect function calls used in

    paravirtualised guests were vulnerable to Spectre variant 2. A

    local user may be able to use this to read sensitive information

    from the kernel.

    CVE-2018-16276

    Jann Horn discovered that the yurex driver did not correctly limit

    the length of copies to user buffers. A local user with access to

    a yurex device node could use this to cause a denial of service

    (memory corruption or crash) or possibly for privilege escalation.

    CVE-2018-16658

    It was discovered that the cdrom driver does not correctly

    validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user

    with access to a cdrom device could use this to read sensitive

    information from the kernel or to cause a denial of service

    (crash).

    CVE-2018-17182

    Jann Horn discovered that the vmacache_flush_all function mishandles

    sequence number overflows. A local user can take advantage of this

    flaw to trigger a use-after-free, causing a denial of service

    (crash or memory corruption) or privilege escalation.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.9.110-3+deb9u5.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : strongswan

    CVE ID : CVE-2018-17540

    Google's OSS-Fuzz revealed an exploitable bug in the gmp plugin caused by the

    patch that fixes CVE-2018-16151 and CVE-2018-16151 (DSA-4305-1).

    An attacker could trigger it using crafted certificates with RSA keys with

    very small moduli. Verifying signatures with such keys would cause an integer

    underflow and subsequent heap buffer overflow resulting in a crash of the

    daemon. While arbitrary code execution is not completely ruled out because of

    the heap buffer overflow, due to the form of the data written to the buffer

    it seems difficult to actually exploit it in such a way.

    For the stable distribution (stretch), this problem has been fixed in

    version 5.5.1-4+deb9u4.

    We recommend that you upgrade your strongswan packages.

    For the detailed security status of strongswan please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/strongswan

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2018-12386 CVE-2018-12387

    Two security issues have been found in the Mozilla Firefox web browser,

    which could potentially result in the execution of arbitrary code inside

    the sandboxed content process.

    For the stable distribution (stretch), these problems have been fixed in

    version 60.2.2esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : git

    CVE ID : CVE-2018-17456

    joernchen of Phenoelit discovered that git, a fast, scalable,

    distributed revision control system, is prone to an arbitrary code

    execution vulnerability via a specially crafted .gitmodules file in a

    project cloned with --recurse-submodules.

    For the stable distribution (stretch), this problem has been fixed in

    version 1:2.11.0-3+deb9u4.

    We recommend that you upgrade your git packages.

    For the detailed security status of git please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/git

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : tinc

    CVE ID : CVE-2018-16738 CVE-2018-16758

    Several vulnerabilities were discovered in tinc, a Virtual Private

    Network (VPN) daemon. The Common Vulnerabilities and Exposures project

    identifies the following problems:

    CVE-2018-16738

    Michael Yonli discovered a flaw in the implementation of the

    authentication protocol that could allow a remote attacker to

    establish an authenticated, one-way connection with another node.

    CVE-2018-16758

    Michael Yonli discovered that a man-in-the-middle that has

    intercepted a TCP connection might be able to disable encryption of

    UDP packets sent by a node.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.0.31-1+deb9u1.

    We recommend that you upgrade your tinc packages.

    For the detailed security status of tinc please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/tinc

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2018-15471 CVE-2018-18021

    Several vulnerabilities have been discovered in the Linux kernel that

    may lead to a privilege escalation, denial of service or information

    leaks.

    CVE-2018-15471 (XSA-270)

    Felix Wilhelm of Google Project Zero discovered a flaw in the hash

    handling of the xen-netback Linux kernel module. A malicious or

    buggy frontend may cause the (usually privileged) backend to make

    out of bounds memory accesses, potentially resulting in privilege

    escalation, denial of service, or information leaks.

    https://xenbits.xen.org/xsa/advisory-270.html

    CVE-2018-18021

    It was discovered that the KVM subsystem on the arm64 platform does

    not properly handle the KVM_SET_ON_REG ioctl. An attacker who can

    create KVM based virtual machines can take advantage of this flaw

    for denial of service (hypervisor panic) or privilege escalation

    (arbitrarily redirect the hypervisor flow of control with full

    register control).

    For the stable distribution (stretch), these problems have been fixed in

    version 4.9.110-3+deb9u6.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : net-snmp

    CVE ID : CVE-2018-18065

    Debian Bug : 910638

    Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in

    net-snmp, a suite of Simple Network Management Protocol applications,

    allowing a remote, authenticated attacker to crash the snmpd process

    (causing a denial of service).

    For the stable distribution (stretch), this problem has been fixed in

    version 5.7.3+dfsg-1.7+deb9u1.

    We recommend that you upgrade your net-snmp packages.

    For the detailed security status of net-snmp please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/net-snmp

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : wireshark

    CVE ID : CVE-2018-16056 CVE-2018-16057 CVE-2018-16058

    Multiple vulnerabilities have been discovered in Wireshark, a network

    protocol analyzer, which could result in denial of service or the

    execution of arbitrary code.

    For the stable distribution (stretch), these problems have been fixed in

    version 2.6.3-1~deb9u1. This update upgrades Wireshark to the 2.6.x

    release branch; future security upgrades will be based on this series.

    We recommend that you upgrade your wireshark packages.

    For the detailed security status of wireshark please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/wireshark

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : imagemagick

    CVE ID : CVE-2018-16412 CVE-2018-16413 CVE-2018-16642 CVE-2018-16644

    CVE-2018-16645

    This update fixes several vulnerabilities in Imagemagick, a graphical

    software suite. Various memory handling problems or incomplete input

    sanitising have been found in the coders for BMP, DIB, PICT, DCM, CUT

    and PSD.

    For the stable distribution (stretch), these problems have been fixed in

    version 8:6.9.7.4+dfsg-11+deb9u6.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : otrs2

    CVE ID : CVE-2018-14593 CVE-2018-16586 CVE-2018-16587

    Three vulnerabilities were discovered in the Open Ticket Request System

    which could result in privilege escalation or denial of service.

    For the stable distribution (stretch), these problems have been fixed in

    version 5.0.16-1+deb9u6.

    We recommend that you upgrade your otrs2 packages.

    For the detailed security status of otrs2 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/otrs2

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/
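
To check a host against the "fixed in version" lines in the advisories above, the added Python example below (not part of the original posts or of dpkg) extracts package and fixed version from advisory text and compares them using Debian's version ordering, including epochs such as `3:` and the `~` in `~deb9u1`. The advisory lines are excerpted from this thread; the installed-version inventory is constructed.

```python
import re

def _order(c: str) -> int:
    """dpkg sort weight: '~' before end of string, letters before other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a: str, b: str) -> int:
    """Compare two upstream or revision strings as non-digit/digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        m = re.match(r"\d*", a[i:]).group()
        n = re.match(r"\d*", b[j:]).group()
        if int(m or 0) != int(n or 0):
            return int(m or 0) - int(n or 0)
        i, j = i + len(m), j + len(n)
    return 0

def split_version(v: str):
    """Split [epoch:]upstream[-revision]; a missing epoch counts as 0."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative if a sorts before b, zero if equal, positive if after."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

FIXED_RE = re.compile(r"Package\s*:\s*(\S+).*?fixed in\s+version\s+(\S+)", re.S)

def fixed_versions(text: str) -> dict:
    """Map package -> highest fixed version named in the advisory text."""
    fixed = {}
    for pkg, ver in FIXED_RE.findall(text):
        ver = ver.rstrip(".")
        if pkg not in fixed or compare_versions(ver, fixed[pkg]) > 0:
            fixed[pkg] = ver
    return fixed

def outdated(text: str, installed: dict) -> list:
    """Packages whose installed version sorts before the fixed one."""
    fixed = fixed_versions(text)
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)

# Advisory lines excerpted from this thread (firefox-esr appears twice).
ADVISORIES = """
Package : hylafax
For the stable distribution (stretch), this problem has been fixed in
version 3:6.0.6-7+deb9u1.
Package : firefox-esr
these problems have been fixed in version 60.2.1esr-1~deb9u1.
Package : firefox-esr
these problems have been fixed in version 60.2.2esr-1~deb9u1.
Package : libarchive-zip-perl
this problem has been fixed in version 1.59-1+deb9u1.
"""
# Constructed inventory, in the form a dpkg-query listing would give.
INSTALLED = {"hylafax": "3:6.0.6-7", "firefox-esr": "60.2.1esr-1~deb9u1",
             "libarchive-zip-perl": "1.59-1+deb9u1", "bash": "4.4-5"}

if __name__ == "__main__":
    print("needs upgrade:", outdated(ADVISORIES, INSTALLED))
```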