Debian Security Advisory

    • Official post

    Package : moin
    CVE ID : CVE-2017-5934
    Debian Bug : 910776

    Nitin Venkatesh discovered a cross-site scripting vulnerability in moin,
    a Python clone of WikiWiki. A remote attacker can conduct cross-site
    scripting attacks via the GUI editor's link dialogue. This only affects
    installations which have set up fckeditor (not enabled by default).

    For the stable distribution (stretch), this problem has been fixed in
    version 1.9.9-1+deb9u1.

    We recommend that you upgrade your moin packages.

    For the detailed security status of moin please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/moin

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : spice
    CVE ID : CVE-2018-10873
    Debian Bug : 906315

    Frediano Ziglio reported a missing check in the script to generate
    demarshalling code in the SPICE protocol client and server library. The
    generated demarshalling code is prone to multiple buffer overflows. An
    authenticated attacker can take advantage of this flaw to cause a denial
    of service (spice server crash), or possibly, execute arbitrary code.

    For the stable distribution (stretch), this problem has been fixed in
    version 0.12.8-2.1+deb9u2.

    We recommend that you upgrade your spice packages.

    For the detailed security status of spice please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/spice

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : asterisk
    CVE ID : CVE-2018-7284 CVE-2018-7286 CVE-2018-12227 CVE-2018-17281
    Debian Bug : 891227 891228 902954 909554

    Multiple vulnerabilities have been discovered in Asterisk, an open source
    PBX and telephony toolkit, which may result in denial of service or
    information disclosure.

    For the stable distribution (stretch), these problems have been fixed in
    version 1:13.14.1~dfsg-2+deb9u4.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : graphicsmagick
    CVE ID : CVE-2017-10794 CVE-2017-10799 CVE-2017-10800 CVE-2017-11102
             CVE-2017-11139 CVE-2017-11140 CVE-2017-11403 CVE-2017-11636
             CVE-2017-11637 CVE-2017-11638 CVE-2017-11641 CVE-2017-11642
             CVE-2017-11643 CVE-2017-11722 CVE-2017-12935 CVE-2017-12936
             CVE-2017-12937 CVE-2017-13063 CVE-2017-13064 CVE-2017-13065
             CVE-2017-13134 CVE-2017-13737 CVE-2017-13775 CVE-2017-13776
             CVE-2017-13777 CVE-2017-14314 CVE-2017-14504 CVE-2017-14733
             CVE-2017-14994 CVE-2017-14997 CVE-2017-15238 CVE-2017-15277
             CVE-2017-15930 CVE-2017-16352 CVE-2017-16353 CVE-2017-16545
             CVE-2017-16547 CVE-2017-16669 CVE-2017-17498 CVE-2017-17500
             CVE-2017-17501 CVE-2017-17502 CVE-2017-17503 CVE-2017-17782
             CVE-2017-17783 CVE-2017-17912 CVE-2017-17913 CVE-2017-17915
             CVE-2017-18219 CVE-2017-18220 CVE-2017-18229 CVE-2017-18230
             CVE-2017-18231 CVE-2018-5685 CVE-2018-6799 CVE-2018-9018

    Several vulnerabilities have been discovered in GraphicsMagick, a set of
    command-line applications to manipulate image files, which could result
    in denial of service or the execution of arbitrary code if malformed
    image files are processed.

    For the stable distribution (stretch), these problems have been fixed in
    version 1.3.30+hg15796-1~deb9u1.

    We recommend that you upgrade your graphicsmagick packages.

    For the detailed security status of graphicsmagick please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/graphicsmagick

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : libssh
    CVE ID : CVE-2018-10933
    Debian Bug : 911149

    Peter Winter-Smith of NCC Group discovered that libssh, a tiny C SSH
    library, contains an authentication bypass vulnerability in the server
    code. An attacker can take advantage of this flaw to successfully
    authenticate without any credentials by presenting the server an
    SSH2_MSG_USERAUTH_SUCCESS message in place of the
    SSH2_MSG_USERAUTH_REQUEST message which the server would expect to
    initiate authentication.

    For the stable distribution (stretch), this problem has been fixed in
    version 0.7.3-2+deb9u1.

    We recommend that you upgrade your libssh packages.

    For the detailed security status of libssh please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/libssh

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
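The bug class behind the libssh advisory above, as an added illustration that is not libssh's code: a toy server-side userauth dispatcher that reacts to any message it has a handler for (the flawed pattern) beside one that only acts on messages a client is allowed to send and reaches the authenticated state solely through its own credential check. The message numbers are the SSH ones from RFC 4252; the state names, function names and the sample message sequences are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* SSH userauth message numbers from RFC 4252 */
#define SSH2_MSG_USERAUTH_REQUEST 50
#define SSH2_MSG_USERAUTH_FAILURE 51
#define SSH2_MSG_USERAUTH_SUCCESS 52

enum auth_state { AUTH_NONE, AUTH_PENDING, AUTH_OK };

/* Flawed pattern: one dispatch table shared by both roles, so a handler meant
 * for the client side (react to the server saying "success") also runs on the
 * server when a client sends that message. Toy model, not libssh's code. */
static void flawed_dispatch(enum auth_state *st, int msg)
{
    if (msg == SSH2_MSG_USERAUTH_REQUEST)
        *st = AUTH_PENDING;      /* a real server verifies credentials here */
    else if (msg == SSH2_MSG_USERAUTH_SUCCESS)
        *st = AUTH_OK;           /* trusts the peer's claim, whoever the peer is */
}

/* Stand-in credential check for the toy: nothing is ever accepted. */
static bool credentials_valid(int msg) { (void)msg; return false; }

/* Hardened pattern: the server only acts on messages a client may send, and
 * AUTH_OK is reachable only through its own credential check. A server-only
 * message arriving from the client is a protocol violation: return false so
 * the caller disconnects and logs it. */
static bool hardened_dispatch(enum auth_state *st, int msg)
{
    switch (msg) {
    case SSH2_MSG_USERAUTH_REQUEST:
        *st = credentials_valid(msg) ? AUTH_OK : AUTH_PENDING;
        return true;
    case SSH2_MSG_USERAUTH_SUCCESS:
    case SSH2_MSG_USERAUTH_FAILURE:
        return false;            /* server-to-client only */
    default:
        return false;            /* not valid during userauth */
    }
}

/* Feed a message sequence to a fresh toy server; true if it ends authenticated. */
bool ends_authenticated(bool hardened, const int *msgs, int n)
{
    enum auth_state st = AUTH_NONE;
    for (int i = 0; i < n; i++) {
        if (hardened) {
            if (!hardened_dispatch(&st, msgs[i]))
                return false;    /* connection dropped */
        } else {
            flawed_dispatch(&st, msgs[i]);
        }
    }
    return st == AUTH_OK;
}

/* Constructed sequences: a client that skips USERAUTH_REQUEST and sends the
 * server-only success message (as the advisory describes), and a normal one. */
const int bare_success[]   = { SSH2_MSG_USERAUTH_SUCCESS };
const int normal_request[] = { SSH2_MSG_USERAUTH_REQUEST };

int main(void)
{
    printf("flawed: %d, hardened: %d\n",
           ends_authenticated(false, bare_success, 1),
           ends_authenticated(true, bare_success, 1));
    return 0;
}
```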

    • Official post

    Package : drupal7
    CVE ID : not yet available

    Two vulnerabilities were found in Drupal, a fully-featured content
    management framework, which could result in arbitrary code execution or
    an open redirect. For additional information, please refer to the
    upstream advisory at https://www.drupal.org/sa-core-2018-006

    For the stable distribution (stretch), this problem has been fixed in
    version 7.52-2+deb9u5.

    We recommend that you upgrade your drupal7 packages.

    For the detailed security status of drupal7 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/drupal7

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr
    CVE ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
             CVE-2018-12393 CVE-2018-12395 CVE-2018-12396
             CVE-2018-12397

    Multiple security issues have been found in the Mozilla Firefox web
    browser, which could result in the execution of arbitrary code,
    privilege escalation or information disclosure.

    For the stable distribution (stretch), these problems have been fixed in
    version 60.3.0esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : mosquitto
    CVE ID : CVE-2017-7651 CVE-2017-7652 CVE-2017-7653 CVE-2017-7654
    Debian Bug : 911265 911266

    It was discovered that mosquitto, an MQTT broker, was vulnerable to
    remote denial-of-service attacks that could be mounted using various
    vectors.

    For the stable distribution (stretch), these problems have been fixed in
    version 1.4.10-3+deb9u2.

    We recommend that you upgrade your mosquitto packages.

    For the detailed security status of mosquitto please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/mosquitto

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-8
    CVE ID : CVE-2018-3136 CVE-2018-3139 CVE-2018-3149 CVE-2018-3169
             CVE-2018-3180 CVE-2018-3183 CVE-2018-3214

    Several vulnerabilities have been discovered in OpenJDK, an
    implementation of the Oracle Java platform, resulting in denial of
    service, sandbox bypass, incomplete TLS identity verification,
    information disclosure or the execution of arbitrary code.

    For the stable distribution (stretch), these problems have been fixed in
    version 8u181-b13-2~deb9u1.

    We recommend that you upgrade your openjdk-8 packages.

    For the detailed security status of openjdk-8 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/openjdk-8

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird
    CVE ID : CVE-2017-16541 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378
             CVE-2018-12379 CVE-2018-12383 CVE-2018-12385

    Multiple security issues have been found in Thunderbird: Multiple memory
    safety errors and use-after-frees may lead to the execution of arbitrary
    code or denial of service.

    For the stable distribution (stretch), these problems have been fixed in
    version 1:60.2.1-2~deb9u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server
    CVE ID : CVE-2018-14665

    Narendra Shinde discovered that incorrect command-line parameter
    validation in the Xorg X server may result in arbitrary file overwrite,
    which can result in privilege escalation.

    For the stable distribution (stretch), this problem has been fixed in
    version 2:1.19.2-1+deb9u4.

    We recommend that you upgrade your xorg-server packages.

    For the detailed security status of xorg-server please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/xorg-server

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : graphicsmagick

    The update of Graphicsmagick in DSA-4321-1 introduced a change in the
    handling of case-sensitivity in an internal API function which could
    affect some code built against the GraphicsMagick libraries. This update
    restores the previous behaviour.

    For the stable distribution (stretch), these problems have been fixed in
    version 1.3.30+hg15796-1~deb9u2.

    We recommend that you upgrade your graphicsmagick packages.

    For the detailed security status of graphicsmagick please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/graphicsmagick

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : teeworlds
    CVE ID : CVE-2018-18541

    It was discovered that incorrect connection setup in the server for
    Teeworlds, an online multi-player platform 2D shooter, could result in
    denial of service via forged connection packets (rendering all game
    server slots occupied).

    For the stable distribution (stretch), this problem has been fixed in
    version 0.6.5+dfsg-1~deb9u1.

    We recommend that you upgrade your teeworlds packages.

    For the detailed security status of teeworlds please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/teeworlds

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : chromium-browser
    CVE ID : CVE-2018-5179 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464
             CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468
             CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473
             CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-17477

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2018-5179
        Yannic Boneberger discovered an error in the ServiceWorker implementation.

    CVE-2018-17462
        Ned Williamson and Niklas Baumstark discovered a way to escape the sandbox.

    CVE-2018-17463
        Ned Williamson and Niklas Baumstark discovered a remote code execution
        issue in the v8 javascript library.

    CVE-2018-17464
        xisigr discovered a URL spoofing issue.

    CVE-2018-17465
        Lin Zuojian discovered a use-after-free issue in the v8 javascript
        library.

    CVE-2018-17466
        Omair discovered a memory corruption issue in the angle library.

    CVE-2018-17467
        Khalil Zhani discovered a URL spoofing issue.

    CVE-2018-17468
        Jams Lee discovered an information disclosure issue.

    CVE-2018-17469
        Zhen Zhou discovered a buffer overflow issue in the pdfium library.

    CVE-2018-17470
        Zhe Jin discovered a memory corruption issue in the GPU backend
        implementation.

    CVE-2018-17471
        Lnyas Zhang discovered an issue with the full screen user interface.

    CVE-2018-17473
        Khalil Zhani discovered a URL spoofing issue.

    CVE-2018-17474
        Zhe Jin discovered a use-after-free issue.

    CVE-2018-17475
        Vladimir Metnew discovered a URL spoofing issue.

    CVE-2018-17476
        Khalil Zhani discovered an issue with the full screen user interface.

    CVE-2018-17477
        Aaron Muir Hamilton discovered a user interface spoofing issue in the
        extensions pane.

    This update also fixes a buffer overflow in the embedded lcms library included
    with chromium.

    For the stable distribution (stretch), these problems have been fixed in
    version 70.0.3538.67-1~deb9u1.

    We recommend that you upgrade your chromium-browser packages.

    For the detailed security status of chromium-browser please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/chromium-browser

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : ruby2.3
    CVE ID : CVE-2018-16395 CVE-2018-16396

    Several vulnerabilities have been discovered in the interpreter for the
    Ruby language. The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2018-16395
        Tyler Eckstein reported that the equality check of
        OpenSSL::X509::Name could return true for non-equal objects. If a
        malicious X.509 certificate is passed to compare with an existing
        certificate, there is a possibility to be judged incorrectly that
        they are equal.

    CVE-2018-16396
        Chris Seaton discovered that tainted flags are not propagated in
        Array#pack and String#unpack with some directives.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.3.3-1+deb9u4.

    We recommend that you upgrade your ruby2.3 packages.

    For the detailed security status of ruby2.3 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/ruby2.3

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : curl
    CVE ID : CVE-2018-16839 CVE-2018-16842

    Two vulnerabilities were discovered in cURL, a URL transfer library.

    CVE-2018-16839
        Harry Sintonen discovered that, on systems with a 32 bit size_t, an
        integer overflow would be triggered when a SASL user name longer
        than 2GB is used. This would in turn cause a very small buffer to be
        allocated instead of the intended very huge one, which would trigger
        a heap buffer overflow when the buffer is used.

    CVE-2018-16842
        Brian Carpenter discovered that the logic in the curl tool to wrap
        error messages at 80 columns is flawed, leading to a read buffer
        overflow if a single word in the message is itself longer than 80
        bytes.

    For the stable distribution (stretch), these problems have been fixed in
    version 7.52.1-5+deb9u8.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/curl

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
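The two curl issues above share a defensive lesson, shown here in an added example that is not curl's code: length arithmetic on untrusted sizes must be checked before it feeds an allocation, and a line wrapper must never walk past the buffer when one word exceeds the width. The 32-bit size_t is emulated with uint32_t so the wraparound reproduces on any host; the "authzid\0authcid\0passwd" layout (hence 2*ulen + plen + 2) is my reconstruction of the PLAIN message shape, and all function names and inputs are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulate a 32-bit size_t so the overflow is visible on 64-bit hosts too. */
typedef uint32_t size32_t;

/* Unchecked length of a SASL PLAIN message "authzid\0authcid\0passwd" with
 * authzid == authcid, i.e. 2*ulen + plen + 2.  For ulen > 2 GiB, 2*ulen wraps
 * and the result is a tiny number: a tiny malloc followed by a huge copy. */
size32_t plain_len_unchecked(size32_t ulen, size32_t plen)
{
    return (size32_t)(2u * ulen + plen + 2u);
}

/* Checked variant: returns 0 (never a valid length, the minimum is 2) when
 * the true value does not fit in the 32-bit size type. */
size32_t plain_len_checked(size32_t ulen, size32_t plen)
{
    if (ulen > (UINT32_MAX - 2u) / 2u)         /* 2*ulen + 2 would wrap */
        return 0;
    size32_t twice = 2u * ulen;
    if (plen > UINT32_MAX - 2u - twice)        /* adding plen would wrap */
        return 0;
    return twice + plen + 2u;
}

/* Bytes of s (length len) to emit on the next output line of at most width
 * bytes.  Breaks at the last space at or before width; a single word longer
 * than width is cut at width rather than scanned past the end of s.
 * Never returns more than len, so callers cannot read out of bounds. */
size_t next_break(const char *s, size_t len, size_t width)
{
    if (len <= width)
        return len;                             /* remainder fits on one line */
    for (size_t i = width; i > 0; i--)          /* i < len here, so s[i] is valid */
        if (s[i] == ' ')
            return i;                           /* emit s[0..i), skip the space */
    return width;                               /* no space: hard cut */
}

int main(void)
{
    /* Constructed inputs: a 2 GiB + 1 byte user name, and a 12-byte "word". */
    size32_t huge = 0x80000001u;
    printf("unchecked length: %u (wrapped)\n", plain_len_unchecked(huge, 4));
    printf("checked length:   %u (0 = rejected)\n", plain_len_checked(huge, 4));
    printf("break at: %zu\n", next_break("abcdefghijkl", 12, 8));
    return 0;
}
```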

    • Official post

    Package : icecast2
    CVE ID : CVE-2018-18820

    Nick Rolfe discovered multiple buffer overflows in the Icecast multimedia
    streaming server which could result in the execution of arbitrary code.

    For the stable distribution (stretch), this problem has been fixed in
    version 2.4.2-1+deb9u1.

    We recommend that you upgrade your icecast2 packages.

    For the detailed security status of icecast2 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/icecast2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : mupdf
    CVE ID : CVE-2017-17866 CVE-2018-5686 CVE-2018-6187 CVE-2018-6192
             CVE-2018-1000037 CVE-2018-1000040

    Multiple vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book
    viewer which could result in denial of service or the execution of
    arbitrary code if malformed documents are opened.

    For the stable distribution (stretch), these problems have been fixed in
    version 1.9a+ds1-4+deb9u4.

    We recommend that you upgrade your mupdf packages.

    For the detailed security status of mupdf please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/mupdf

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : nginx
    CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

    Three vulnerabilities were discovered in Nginx, a high-performance web
    and reverse proxy server, which could result in denial of service in
    processing HTTP/2 (via excessive memory/CPU usage) or server memory
    disclosure in the ngx_http_mp4_module module (used for server-side MP4
    streaming).

    For the stable distribution (stretch), these problems have been fixed in
    version 1.10.3-1+deb9u2.

    We recommend that you upgrade your nginx packages.

    For the detailed security status of nginx please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/nginx

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/