Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2018-5146 CVE-2018-5147

    Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds

    memory write when playing Vorbis media files could result in the

    execution of arbitrary code.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 52.7.2esr-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in

    version 52.7.2esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-8

    CVE ID : CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599

    CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629

    CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641

    CVE-2018-2663 CVE-2018-2677 CVE-2018-2678

    Several vulnerabilities have been discovered in OpenJDK, an

    implementation of the Oracle Java platform, resulting in denial of

    service, sandbox bypass, execution of arbitrary code, incorrect

    LDAP/GSS authentication, insecure use of cryptography or bypass of

    deserialisation restrictions.

    For the stable distribution (stretch), these problems have been fixed in

    version 8u162-b12-1~deb9u1.

    We recommend that you upgrade your openjdk-8 packages.

    For the detailed security status of openjdk-8 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-8

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : gitlab

    CVE ID : CVE-2017-0915 CVE-2017-0916 CVE-2017-0917 CVE-2017-0918

    CVE-2017-0925 CVE-2017-0926 CVE-2018-3710

    Several vulnerabilities have been discovered in Gitlab, a software

    platform to collaborate on code:

    CVE-2017-0915 / CVE-2018-3710

    Arbitrary code execution in project import.

    CVE-2017-0916

    Command injection via Webhooks.

    CVE-2017-0917

    Cross-site scripting in CI job output.

    CVE-2017-0918

    Insufficient restriction of CI runner for project cache access.

    CVE-2017-0925

    Information disclosure in Services API.

    CVE-2017-0926

    Restrictions for disabled OAuth providers could be bypassed.

    For the stable distribution (stretch), these problems have been fixed in

    version 8.13.11+dfsg1-8+deb9u1.

    We recommend that you upgrade your gitlab packages.

    For the detailed security status of gitlab please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/gitlab

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : plexus-utils

    CVE ID : CVE-2017-1000487

    Charles Duffy discovered that the Commandline class in the utilities for

    the Plexus framework performs insufficient quoting of double-encoded

    strings, which could result in the execution of arbitrary shell commands.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 1:1.5.15-4+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 1:1.5.15-4+deb9u1.

    We recommend that you upgrade your plexus-utils packages.

    For the detailed security status of plexus-utils please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/plexus-utils

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : polarssl

    CVE ID : CVE-2017-18187 CVE-2018-0487 CVE-2018-0488

    Debian Bug : 890287 890288

    Several vulnerabilities were discovered in PolarSSL, a lightweight

    crypto and SSL/TLS library, that allowed a remote attacker to either

    cause a denial-of-service by application crash, or execute arbitrary

    code.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1.3.9-2.1+deb8u3.

    We recommend that you upgrade your polarssl packages.

    For the detailed security status of polarssl please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/polarssl

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : kamailio

    CVE ID : CVE-2018-8828

    Alfred Farrugia and Sandro Gauci discovered an off-by-one heap overflow

    in the Kamailio SIP server which could result in denial of service and

    potentially the execution of arbitrary code.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 4.2.0-2+deb8u3.

    For the stable distribution (stretch), this problem has been fixed in

    version 4.4.4-2+deb9u1.

    We recommend that you upgrade your kamailio packages.

    For the detailed security status of kamailio please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/kamailio

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : plexus-utils2

    CVE ID : CVE-2017-1000487

    Charles Duffy discovered that the Commandline class in the utilities for

    the Plexus framework performs insufficient quoting of double-encoded

    strings, which could result in the execution of arbitrary shell commands.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 3.0.15-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed prior to

    the initial release.

    We recommend that you upgrade your plexus-utils2 packages.

    For the detailed security status of plexus-utils2 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/plexus-utils2

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : icu

    CVE ID : CVE-2017-15422

    It was discovered that an integer overflow in the International

    Components for Unicode (ICU) library could result in denial of service

    and potentially the execution of arbitrary code.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 52.1-8+deb8u7.

    For the stable distribution (stretch), this problem has been fixed in

    version 57.1-6+deb9u2.

    We recommend that you upgrade your icu packages.

    For the detailed security status of icu please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/icu

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : librelp

    CVE ID : CVE-2018-1000140

    Bas van Schaik and Kevin Backhouse discovered a stack-based buffer

    overflow vulnerability in librelp, a library providing reliable event

    logging over the network, triggered while checking x509 certificates

    from a peer. A remote attacker able to connect to rsyslog can take

    advantage of this flaw for remote code execution by sending a specially

    crafted x509 certificate.

    Details can be found in the upstream advisory:

    http://www.rsyslog.com/cve-2018-1000140/

    For the oldstable distribution (jessie), this problem has been fixed

    in version 1.2.7-2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 1.2.12-1+deb9u1.

    We recommend that you upgrade your librelp packages.

    For the detailed security status of librelp please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/librelp

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : mupdf

    CVE ID : CVE-2018-6544 CVE-2018-1000051

    Debian Bug : 891245

    Two vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book

    viewer, which may result in denial of service or remote code execution.

    An attacker can craft a PDF document which, when opened in the victim

    host, might consume vast amounts of memory, crash the program, or, in

    some cases, execute code in the context in which the application is

    running.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1.5-1+deb8u4.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.9a+ds1-4+deb9u3.

    We recommend that you upgrade your mupdf packages.

    For the detailed security status of mupdf please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/mupdf

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2018-5148

    It was discovered that a use-after-free in the compositor of Firefox

    can result in the execution of arbitrary code.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 52.7.3esr-1~deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 52.7.3esr-1~deb9u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : net-snmp

    CVE ID : CVE-2015-5621 CVE-2018-1000116

    Debian Bug : 788964 894110

    A heap corruption vulnerability was discovered in net-snmp, a suite of

    Simple Network Management Protocol applications, triggered when parsing

    the PDU prior to the authentication process. A remote, unauthenticated

    attacker can take advantage of this flaw to crash the snmpd process

    (causing a denial of service) or, potentially, execute arbitrary code

    with the privileges of the user running snmpd.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 5.7.2.1+dfsg-1+deb8u1.

    For the stable distribution (stretch), these problems have been fixed

    before the initial release.

    We recommend that you upgrade your net-snmp packages.

    For the detailed security status of net-snmp please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/net-snmp

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5144

    CVE-2018-5145 CVE-2018-5146

    Multiple security issues have been found in Thunderbird, which may lead

    to the execution of arbitrary code, denial of service or information

    disclosure.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1:52.7.0-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in

    version 1:52.7.0-1~deb9u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : drupal7

    CVE ID : CVE-2018-7600

    Debian Bug : 894259

    A remote code execution vulnerability has been found in Drupal, a

    fully-featured content management framework. For additional information,

    please refer to the upstream advisory at

    https://www.drupal.org/sa-core-2018-002

    For the oldstable distribution (jessie), this problem has been fixed

    in version 7.32-1+deb8u11.

    For the stable distribution (stretch), this problem has been fixed in

    version 7.52-2+deb9u3.

    We recommend that you upgrade your drupal7 packages.

    For the detailed security status of drupal7 please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/drupal7

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : openssl

    CVE ID : CVE-2017-3738 CVE-2018-0739

    Multiple vulnerabilities have been discovered in OpenSSL, a Secure

    Sockets Layer toolkit. The Common Vulnerabilities and Exposures project

    identifies the following issues:

    CVE-2017-3738

    David Benjamin of Google reported an overflow bug in the AVX2

    Montgomery multiplication procedure used in exponentiation with

    1024-bit moduli.

    CVE-2018-0739

    It was discovered that constructed ASN.1 types with a recursive

    definition could exceed the stack, potentially leading to a denial

    of service.

    Details can be found in the upstream advisory:

    https://www.openssl.org/news/secadv/20180327.txt

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected

    by CVE-2017-3738.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.1.0f-3+deb9u2.

    We recommend that you upgrade your openssl packages.

    For the detailed security status of openssl please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/openssl

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : openssl1.0

    CVE ID : CVE-2018-0739

    It was discovered that constructed ASN.1 types with a recursive

    definition could exceed the stack, potentially leading to a denial of

    service.

    Details can be found in the upstream advisory:

    https://www.openssl.org/news/secadv/20180327.txt

    For the stable distribution (stretch), this problem has been fixed in

    version 1.0.2l-2+deb9u3.

    We recommend that you upgrade your openssl1.0 packages.

    For the detailed security status of openssl1.0 please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/openssl1.0

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : remctl

    CVE ID : CVE-2018-0493

    Santosh Ananthakrishnan discovered a use-after-free in remctl, a server

    for Kerberos-authenticated command execution. If the command is

    configured with the sudo option, this could potentially result in the

    execution of arbitrary code.

    The oldstable distribution (jessie) is not affected.

    For the stable distribution (stretch), this problem has been fixed in

    version 3.13-1+deb9u1.

    We recommend that you upgrade your remctl packages.

    For the detailed security status of remctl please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/remctl

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : libevt

    CVE ID : CVE-2018-8754

    It was discovered that insufficient input sanitising in libevt, a library

    to access the Windows Event Log (EVT) format, could result in denial of

    service or the execution of arbitrary code if a malformed EVT file is

    processed.

    For the stable distribution (stretch), this problem has been fixed in

    version 20170120-1+deb9u1.

    We recommend that you upgrade your libevt packages.

    For the detailed security status of libevt please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libevt

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : python-django

    CVE ID : CVE-2018-7536 CVE-2018-7537

    James Davis discovered two issues in Django, a high-level Python web

    development framework, that can lead to a denial-of-service attack.

    An attacker with control on the input of the django.utils.html.urlize()

    function or django.utils.text.Truncator's chars() and words() methods

    could craft a string that might stall the execution of the application.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 1.7.11-1+deb8u3.

    For the stable distribution (stretch), these problems have been fixed in

    version 1:1.10.7-2+deb9u1.

    We recommend that you upgrade your python-django packages.

    For the detailed security status of python-django please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/python-django

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

    • Official post

    Package : irssi

    CVE ID : CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208

    CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053

    CVE-2018-7054

    Multiple vulnerabilities have been discovered in Irssi, a terminal-based

    IRC client which can result in denial of service.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.0.7-1~deb9u1.

    We recommend that you upgrade your irssi packages.

    For the detailed security status of irssi please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/irssi

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/