Debian Security Advisory

    • Official post

    Package : beep
    CVE ID : CVE-2018-0492

    It was discovered that a race condition in beep (if configured as setuid
    via debconf) allows local privilege escalation.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.3-3+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.3-4+deb9u1.

    We recommend that you upgrade your beep packages.

    For the detailed security status of beep please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/beep

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : apache2
    CVE ID : CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301
    CVE-2018-1303 CVE-2018-1312

    Several vulnerabilities have been found in the Apache HTTPD server.

    CVE-2017-15710

    Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if
    configured with AuthLDAPCharsetConfig, could cause an out of bound write
    if supplied with a crafted Accept-Language header. This could
    potentially be used for a Denial of Service attack.

    CVE-2017-15715

    Elar Lang discovered that the expression specified in <FilesMatch> could
    match '$' to a newline character in a malicious filename, rather
    than matching only the end of the filename. This could be exploited
    in environments where uploads of some files are externally
    blocked, but only by matching the trailing portion of the filename.

    CVE-2018-1283

    When mod_session is configured to forward its session data to CGI
    applications (SessionEnv on, not the default), a remote user could
    influence their content by using a "Session" header.

    CVE-2018-1301

    Robert Swiecki reported that a specially crafted request could have
    crashed the Apache HTTP Server, due to an out of bound access after
    a size limit is reached by reading the HTTP header.

    CVE-2018-1303

    Robert Swiecki reported that a specially crafted HTTP request header
    could have crashed the Apache HTTP Server if using
    mod_cache_socache, due to an out of bound read while preparing data
    to be cached in shared memory.

    CVE-2018-1312

    Nicolas Daniels discovered that when generating an HTTP Digest
    authentication challenge, the nonce sent by mod_auth_digest to
    prevent replay attacks was not correctly generated using a
    pseudo-random seed. In a cluster of servers using a common Digest
    authentication configuration, HTTP requests could be replayed across
    servers by an attacker without detection.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2.4.10-10+deb8u12.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.4.25-3+deb9u4.

    We recommend that you upgrade your apache2 packages.

    For the detailed security status of apache2 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/apache2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
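The FilesMatch '$' anchor issue described under CVE-2017-15715 above, as an added Python audit example (not part of the advisory or of Apache's own code): Python's re shares PCRE's default that '$' also matches just before a final newline, and '\Z' here plays the role of PCRE's '\z'; the sample filenames and the '\.php$' pattern are constructed for illustration.

```python
import re

# Constructed sample filenames (not from the advisory); the last one carries
# the trailing newline that the advisory describes as the trigger.
SAMPLE_NAMES = ["index.html", "upload.php", "upload.php\n"]

# A pattern in the style of a typical <FilesMatch "\.php$"> directive
# (assumed example, not quoted from the advisory).
LOOSE_PATTERN = r"\.php$"


def regex_matches(pattern: str, name: str) -> bool:
    """Match the way Apache's PCRE did before the fix: outside MULTILINE mode,
    '$' matches at the end of the string OR just before a final newline.
    Python's re has the same default, so it reproduces the behaviour."""
    return re.search(pattern, name) is not None


def suffix_blocked(name: str, suffix: str = ".php") -> bool:
    """The kind of external upload filter the advisory mentions: it only
    inspects the trailing bytes of the filename, so 'upload.php\\n' passes."""
    return name.endswith(suffix)


def harden_end_anchor(pattern: str) -> str:
    """Rewrite a trailing unescaped '$' as Python's '\\Z' (PCRE: '\\z'), which
    anchors at the true end of the subject and ignores a trailing newline."""
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        return pattern[:-1] + r"\Z"
    return pattern


def inconsistent_names(pattern: str, names=SAMPLE_NAMES) -> list:
    """Audit: filenames that the FilesMatch-style regex treats as PHP although
    the suffix filter let them through. A non-empty list means the two checks
    disagree, which is exactly the gap the advisory describes."""
    return [n for n in names
            if regex_matches(pattern, n) and not suffix_blocked(n)]


if __name__ == "__main__":
    print("loose pattern gap:", inconsistent_names(LOOSE_PATTERN))
    print("hardened gap:", inconsistent_names(harden_end_anchor(LOOSE_PATTERN)))
```

Running the audit against your own FilesMatch patterns shows whether an upload filter that checks only the trailing bytes can disagree with the web server's regex.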

    • Official post

    Package : ldap-account-manager
    CVE ID : CVE-2018-8763 CVE-2018-8764

    Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
    front-end for LDAP directories.

    CVE-2018-8763

    The found Reflected Cross Site Scripting (XSS) vulnerability might
    allow an attacker to execute JavaScript code in the browser of the
    victim or to redirect her to a malicious website if the victim clicks
    on a specially crafted link.

    CVE-2018-8764

    The application leaks the CSRF token in the URL, which can be used by
    an attacker to perform a Cross-Site Request Forgery attack, in which
    a victim logged in to LDAP Account Manager might perform unwanted
    actions in the front-end by clicking on a link crafted by the
    attacker.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 4.7.1-1+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in
    version 5.5-1+deb9u1.

    We recommend that you upgrade your ldap-account-manager packages.

    For the detailed security status of ldap-account-manager please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/ldap-account-manager

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-7
    CVE ID : CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602
    CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633
    CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663
    CVE-2018-2677 CVE-2018-2678

    Several vulnerabilities have been discovered in OpenJDK, an
    implementation of the Oracle Java platform, resulting in denial of
    service, sandbox bypass, execution of arbitrary code, incorrect
    LDAP/GSS authentication, insecure use of cryptography or bypass of
    deserialisation restrictions.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 7u171-2.6.13-1~deb8u1.

    We recommend that you upgrade your openjdk-7 packages.

    For the detailed security status of openjdk-7 please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/openjdk-7

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : sharutils
    CVE ID : CVE-2018-1000097
    Debian Bug : 893525

    A buffer-overflow vulnerability was discovered in Sharutils, a set of
    utilities to handle Shell Archives. An attacker with control over the input
    of the unshar command could crash the application or execute arbitrary
    code in its context.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 4.14-2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1:4.15.2-2+deb9u1.

    We recommend that you upgrade your sharutils packages.

    For the detailed security status of sharutils please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/sharutils

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : squirrelmail
    CVE ID : CVE-2018-8741
    Debian Bug : 893202

    Florian Grunow and Birk Kauer of ERNW discovered a path traversal
    vulnerability in SquirrelMail, a webmail application, allowing an
    authenticated remote attacker to retrieve or delete arbitrary files
    via mail attachment.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 2:1.4.23~svn20120406-2+deb8u2.

    We recommend that you upgrade your squirrelmail packages.

    For the detailed security status of squirrelmail please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/squirrelmail

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : pjproject
    CVE ID : CVE-2017-16872 CVE-2017-16875 CVE-2018-1000098
    CVE-2018-1000099

    Multiple vulnerabilities have been discovered in the PJSIP/PJProject
    multimedia communication library, which may result in denial of service
    during the processing of SIP and SDP messages and ioqueue keys.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.5.5~dfsg-6+deb9u1.

    We recommend that you upgrade your pjproject packages.

    For the detailed security status of pjproject please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/pjproject

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : pcs
    CVE ID : CVE-2018-1086
    Debian Bug : 895313

    Cédric Buissart from Red Hat discovered an information disclosure bug in
    pcs, a pacemaker command line interface and GUI. The REST interface
    normally doesn't allow passing the --debug parameter, to prevent an
    information leak, but the check wasn't sufficient.

    For the stable distribution (stretch), this problem has been fixed in
    version 0.9.155+dfsg-2+deb9u1.

    We recommend that you upgrade your pcs packages.

    For the detailed security status of pcs please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/pcs

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : ruby-loofah
    CVE ID : CVE-2018-8048
    Debian Bug : 893596

    The Shopify Application Security Team reported that ruby-loofah, a
    general library for manipulating and transforming HTML/XML documents and
    fragments, allows non-whitelisted attributes to be present in sanitized
    output when fed specially-crafted HTML fragments. This might allow
    mounting a code injection attack against a browser consuming the
    sanitized output.

    For the stable distribution (stretch), this problem has been fixed in
    version 2.0.3-2+deb9u1.

    We recommend that you upgrade your ruby-loofah packages.

    For the detailed security status of ruby-loofah please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-loofah

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : poppler
    CVE ID : CVE-2017-9776
    Debian Bug : 890826

    It was discovered that the poppler upload for the oldstable distribution
    (jessie), released as DSA-4079-1, did not correctly address
    CVE-2017-9776 and additionally caused regressions when rendering PDFs
    embedding JBIG2 streams. Updated packages are now available to correct
    this issue.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 0.26.5-2+deb8u4.

    We recommend that you upgrade your poppler packages.

    For the detailed security status of poppler please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/poppler

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : perl
    CVE ID : CVE-2018-6797 CVE-2018-6798 CVE-2018-6913

    Multiple vulnerabilities were discovered in the implementation of the
    Perl programming language. The Common Vulnerabilities and Exposures
    project identifies the following problems:

    CVE-2018-6797

    Brian Carpenter reported that a crafted regular expression
    could cause a heap buffer write overflow, with control over the
    bytes written.

    CVE-2018-6798

    Nguyen Duc Manh reported that matching a crafted locale-dependent
    regular expression could cause a heap buffer read overflow and
    potentially information disclosure.

    CVE-2018-6913

    GwanYeong Kim reported that 'pack()' could cause a heap buffer write
    overflow with a large item count.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 5.20.2-3+deb8u10. The oldstable distribution (jessie) update
    contains only a fix for CVE-2018-6913.

    For the stable distribution (stretch), these problems have been fixed in
    version 5.24.1-3+deb9u3.

    We recommend that you upgrade your perl packages.

    For the detailed security status of perl please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/perl

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : r-cran-readxl
    CVE ID : CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12110
    CVE-2017-12111

    Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R
    package to read Excel files (via the integrated libxls library), which
    could result in the execution of arbitrary code if a malformed
    spreadsheet is processed.

    For the stable distribution (stretch), these problems have been fixed in
    version 0.1.1-1+deb9u1.

    We recommend that you upgrade your r-cran-readxl packages.

    For the detailed security status of r-cran-readxl please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/r-cran-readxl

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : corosync
    CVE ID : CVE-2018-1084
    Debian Bug : 895653

    The Citrix Security Response Team discovered that corosync, a cluster
    engine implementation, allowed an unauthenticated user to cause a
    denial of service by application crash.

    For the stable distribution (stretch), this problem has been fixed in
    version 2.4.2-3+deb9u1.

    We recommend that you upgrade your corosync packages.

    For the detailed security status of corosync please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/corosync

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : freeplane
    CVE ID : CVE-2018-1000069
    Debian Bug : 893663

    Wojciech Regula discovered an XML External Entity vulnerability in the
    XML parser of the mindmap loader in freeplane, a Java program for
    working with mind maps, resulting in potential information disclosure if
    a malicious mind map file is opened.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 1.3.12-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.5.18-1+deb9u1.

    We recommend that you upgrade your freeplane packages.

    For the detailed security status of freeplane please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/freeplane

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : mysql-5.5
    CVE ID : CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773
    CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818
    CVE-2018-2819

    Several issues have been discovered in the MySQL database server. The
    vulnerabilities are addressed by upgrading MySQL to the new upstream
    version 5.5.60, which includes additional changes. Please see the MySQL
    5.5 Release Notes and Oracle's Critical Patch Update advisory for
    further details:

    https://dev.mysql.com/doc/relnotes/m…ews-5-5-60.html
    http://www.oracle.com/technetwork/se…18-3678067.html

    For the oldstable distribution (jessie), these problems have been fixed
    in version 5.5.60-0+deb8u1.

    We recommend that you upgrade your mysql-5.5 packages.

    For the detailed security status of mysql-5.5 please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/mysql-5.5

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : libsdl2-image
    CVE ID : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
    CVE-2017-14442 CVE-2017-14448 CVE-2017-14449 CVE-2017-14450
    CVE-2018-3837 CVE-2018-3838 CVE-2018-3839

    Multiple vulnerabilities have been discovered in the image loading
    library for Simple DirectMedia Layer 2, which could result in denial of
    service or the execution of arbitrary code if malformed image files are
    opened.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2.0.0+dfsg-3+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.0.1+dfsg-2+deb9u1.

    We recommend that you upgrade your libsdl2-image packages.

    For the detailed security status of libsdl2-image please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/libsdl2-image

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : libreoffice
    CVE ID : CVE-2018-10119 CVE-2018-10120

    Two vulnerabilities were discovered in LibreOffice's code to parse
    MS Word and Structured Storage files, which could result in denial of
    service and potentially the execution of arbitrary code if a malformed
    file is opened.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 1:4.3.3-2+deb8u11.

    For the stable distribution (stretch), these problems have been fixed in
    version 1:5.2.7-1+deb9u4.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : linux-tools

    This update doesn't fix a vulnerability in linux-tools, but provides
    support for building Linux kernel modules with the "retpoline"
    mitigation for CVE-2017-5715 (Spectre variant 2).

    This update also includes bug fixes from the upstream Linux 3.16 stable
    branch up to and including 3.16.56.

    For the oldstable distribution (jessie), this problem has been fixed
    in version 3.16.56-1.

    We recommend that you upgrade your linux-tools packages.

    For the detailed security status of linux-tools please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/linux-tools

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : drupal7
    CVE ID : CVE-2018-7602
    Debian Bug : 896701

    A remote code execution vulnerability has been found in Drupal, a
    fully-featured content management framework. For additional information,
    please refer to the upstream advisory at
    https://www.drupal.org/sa-core-2018-004

    For the oldstable distribution (jessie), this problem has been fixed
    in version 7.32-1+deb8u12.

    For the stable distribution (stretch), this problem has been fixed in
    version 7.52-2+deb9u4.

    We recommend that you upgrade your drupal7 packages.

    For the detailed security status of drupal7 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/drupal7

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : roundcube
    CVE ID : CVE-2018-9846
    Debian Bug : 895184

    Andrea Basile discovered that the 'archive' plugin in roundcube, a
    skinnable AJAX-based webmail solution for IMAP servers, does not
    properly sanitize a user-controlled parameter, allowing a remote
    attacker to inject arbitrary IMAP commands and perform malicious
    actions.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.2.3+dfsg.1-4+deb9u2.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its
    security tracker page at:
    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/