Debian Security Advisory

    • Official post

    Package : curl
    CVE ID : CVE-2018-1000301
    Debian Bug : 898856

    OSS-fuzz, assisted by Max Dymond, discovered that cURL, a URL transfer library, could be tricked into reading data beyond the end of a heap-based buffer when parsing invalid headers in an RTSP response.

    For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u11.

    For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u6.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : vlc
    CVE ID : CVE-2017-17670

    Hans Jerry Illikainen discovered a type conversion vulnerability in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played.

    This update upgrades VLC in stretch to the new 3.x release series (as security fixes couldn't be sensibly backported to the 2.x series). In addition, two packages needed to be rebuilt to ensure compatibility with VLC 3: phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah (4.0.0~DEV1607-2+deb9u1).

    VLC in jessie cannot be migrated to version 3 due to incompatible library changes with reverse dependencies and is thus now declared end-of-life for jessie. We recommend upgrading to stretch or picking a different media player if that's not an option.

    For the stable distribution (stretch), this problem has been fixed in version 3.0.2-0+deb9u1.

    We recommend that you upgrade your vlc packages.

    For the detailed security status of vlc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/vlc

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : imagemagick
    CVE ID : CVE-2017-10995 CVE-2017-11533 CVE-2017-11535 CVE-2017-11639 CVE-2017-13143 CVE-2017-17504 CVE-2017-17879 CVE-2018-5248
    Debian Bug : 867748 869827 869834 870012 870065 885125 885340 886588

    This update fixes several vulnerabilities in imagemagick, a graphical software suite. Various memory handling problems or issues with incomplete input sanitizing would result in denial of service or memory disclosure.

    For the oldstable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u12.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    This is an advance notice that regular security support for Debian GNU/Linux 8 (code name "jessie") will be terminated on the 17th of June.

    As with previous releases, additional LTS support will be provided for a reduced set of architectures and packages; a separate announcement will be available in due time.

    Mailing list: debian-security-announce@lists.debian.org

    • Official post

    Package : gitlab
    CVE ID : CVE-2017-0920 CVE-2018-8971

    Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code:

    CVE-2017-0920
    It was discovered that missing validation of merge requests allowed users to see names of private projects, resulting in information disclosure.

    CVE-2018-8971
    It was discovered that the Auth0 integration was implemented incorrectly.

    For the stable distribution (stretch), these problems have been fixed in version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.

    We recommend that you upgrade your gitlab packages.

    For the detailed security status of gitlab please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gitlab

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : packagekit
    CVE ID : CVE-2018-1106
    Debian Bug : 896703

    Matthias Gerstner discovered that PackageKit, a DBus abstraction layer for simple software management tasks, contains an authentication bypass flaw allowing users without privileges to install local packages.

    For the stable distribution (stretch), this problem has been fixed in version 1.1.5-2+deb9u1.

    We recommend that you upgrade your packagekit packages.

    For the detailed security status of packagekit please refer to its security tracker page at: https://security-tracker.debian.org/tracker/packagekit

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : procps
    CVE ID : CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126
    Debian Bug : 899170

    The Qualys Research Labs discovered multiple vulnerabilities in procps, a set of command line and full screen utilities for browsing procfs. The Common Vulnerabilities and Exposures project identifies the following problems:

    CVE-2018-1122
    top read its configuration from the current working directory if no $HOME was configured. If top were started from a directory writable by the attacker (such as /tmp) this could result in local privilege escalation.

    CVE-2018-1123
    Denial of service against the ps invocation of another user.

    CVE-2018-1124
    An integer overflow in the file2strvec() function of libprocps could result in local privilege escalation.

    CVE-2018-1125
    A stack-based buffer overflow in pgrep could result in denial of service for a user using pgrep for inspecting a specially crafted process.

    CVE-2018-1126
    Incorrect integer size parameters used in wrappers for standard C allocators could cause integer truncation and lead to integer overflow issues.

    For the oldstable distribution (jessie), these problems have been fixed in version 2:3.3.9-9+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 2:3.3.12-3+deb9u1.

    We recommend that you upgrade your procps packages.

    For the detailed security status of procps please refer to its security tracker page at: https://security-tracker.debian.org/tracker/procps

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird
    CVE ID : CVE-2018-5150 CVE-2018-5154 CVE-2018-5155 CVE-2018-5159 CVE-2018-5161 CVE-2018-5162 CVE-2018-5168 CVE-2018-5170 CVE-2018-5178 CVE-2018-5183 CVE-2018-5184 CVE-2018-5185

    Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or attacks on encrypted emails.

    For the oldstable distribution (jessie), these problems have been fixed in version 1:52.8.0-1~deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 1:52.8.0-1~deb9u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at: https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen
    CVE ID : CVE-2018-3639

    This update provides mitigations for the Spectre v4 variant in x86-based microprocessors. On Intel CPUs this requires updated microcode which is currently not released publicly (but your hardware vendor may have issued an update). For servers with AMD CPUs no microcode update is needed; please refer to https://xenbits.xen.org/xsa/advisory-263.html for further information.

    For the stable distribution (stretch), this problem has been fixed in version 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gitlab
    Debian Bug : 900066

    The gitlab security update announced as DSA-4206-1 caused regressions when creating merge requests (returning 500 Internal Server Errors) due to an issue in the patch to address CVE-2017-0920. Updated packages are now available to correct this issue.

    For the stable distribution (stretch), this problem has been fixed in version 8.13.11+dfsg1-8+deb9u3.

    We recommend that you upgrade your gitlab packages.

    For the detailed security status of gitlab please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gitlab

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xdg-utils
    CVE ID : CVE-2017-18266
    Debian Bug : 898317

    Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the environment variable BROWSER on the victim host contains a "%s" and the victim opens a link crafted by an attacker with xdg-open, the malicious party could manipulate the parameters used by the browser when opened. This manipulation could set, for example, a proxy through which the network traffic could be intercepted for that particular execution.

    For the oldstable distribution (jessie), this problem has been fixed in version 1.1.0~rc1+git20111210-7.4+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 1.1.1-1+deb9u1.

    We recommend that you upgrade your xdg-utils packages.

    For the detailed security status of xdg-utils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xdg-utils

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : git
    CVE ID : CVE-2018-11235

    Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.

    For the oldstable distribution (jessie), this problem has been fixed in version 1:2.1.4-2.1+deb8u6.

    For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u3.

    We recommend that you upgrade your git packages.

    For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
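    As a defender-side complement to the git advisory above, the following added example (not git's or Debian's code) parses a .gitmodules file and flags submodule names that a patched git rejects. It assumes the rejection rule of the upstream fix, namely an empty name or any ".." path component on either "/" or "\"; the sample file is constructed for the example.

```python
import re

# Constructed sample .gitmodules: one ordinary entry and one whose name
# carries a '..' path component, the kind of name the advisory describes.
SAMPLE = """[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "../escaped"]
\tpath = vendor/escaped
\turl = https://example.invalid/escaped.git
"""

# git-config section header and key = value lines (leading tab or spaces)
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return [(submodule name, {key: value}), ...] in file order."""
    entries, current = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            # undo git-config quoting of \" and \\ inside the section name
            name = re.sub(r'\\(.)', r'\1', m.group(1))
            current = {}
            entries.append((name, current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries


def unsafe_name(name):
    """True for an empty name or one with a '..' component split on '/' or '\\'.
    Assumption: this mirrors the check the upstream fix for CVE-2018-11235 added."""
    if not name:
        return True
    return any(part == ".." for part in re.split(r"[\\/]", name))


def audit(text):
    """Submodule names a patched git would reject, with their declared paths."""
    return [(name, cfg.get("path"))
            for name, cfg in parse_gitmodules(text) if unsafe_name(name)]
```

    Running audit() in a pre-receive hook or CI step catches such a .gitmodules before any client with an unpatched git performs a recursive clone of the repository.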

    • Official post

    Package : qemu
    CVE ID : CVE-2017-5715 CVE-2017-15038 CVE-2017-15119 CVE-2017-15124 CVE-2017-15268 CVE-2017-15289 CVE-2017-16845 CVE-2017-17381 CVE-2017-18043 CVE-2018-5683 CVE-2018-7550
    Debian Bug : 877890 880832 880836 882136 883399 883625 884806 886532 887392 892041

    Several vulnerabilities were discovered in qemu, a fast processor emulator.

    CVE-2017-15038
    Tuomas Tynkkynen discovered an information leak in 9pfs.

    CVE-2017-15119
    Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service.

    CVE-2017-15124
    Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service.

    CVE-2017-15268
    A memory leak in websockets support may result in denial of service.

    CVE-2017-15289
    Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service.

    CVE-2017-16845
    Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration.

    CVE-2017-17381
    Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service.

    CVE-2017-18043
    Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service.

    CVE-2018-5683
    Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service.

    CVE-2018-7550
    Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code.

    This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715). For additional information please refer to https://www.qemu.org/2018/01/04/spectre/

    For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u4.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : zookeeper
    CVE ID : CVE-2018-8012

    It was discovered that Zookeeper, a service for maintaining configuration information, enforced no authentication/authorisation when a server attempts to join a Zookeeper quorum.

    This update backports authentication support. Additional configuration steps are needed, please see https://cwiki.apache.org/confluence/dis…+authentication for additional information.

    For the oldstable distribution (jessie), this problem has been fixed in version 3.4.9-3+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in version 3.4.9-3+deb9u1.

    We recommend that you upgrade your zookeeper packages.

    For the detailed security status of zookeeper please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zookeeper

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : batik
    CVE ID : CVE-2017-5662 CVE-2018-8013
    Debian Bug : 860566 899374

    Man Yue Mo, Lars Krapf and Pierre Ernst discovered that Batik, a toolkit for processing SVG images, did not properly validate its input. This would allow an attacker to cause a denial-of-service, mount cross-site scripting attacks, or access restricted files on the server.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.7+dfsg-5+deb8u1.

    For the stable distribution (stretch), these problems have been fixed in version 1.8-4+deb9u1.

    We recommend that you upgrade your batik packages.

    For the detailed security status of batik please refer to its security tracker page at: https://security-tracker.debian.org/tracker/batik

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redmine
    Debian Bug : 900283

    The redmine security update announced as DSA-4191-1 caused regressions with multi-value fields while doing queries on project issues due to a bug in the patch to address CVE-2017-15569. Updated packages are now available to correct this issue.

    For the stable distribution (stretch), this problem has been fixed in version 3.3.1-4+deb9u2.

    We recommend that you upgrade your redmine packages.

    For the detailed security status of redmine please refer to its security tracker page at: https://security-tracker.debian.org/tracker/redmine

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody
    CVE ID : CVE-2018-10847
    Debian Bug : 900524

    It was discovered that Prosody, a lightweight Jabber/XMPP server, does not properly validate client-provided parameters during XMPP stream restarts, allowing authenticated users to override the realm associated with their session, potentially bypassing security policies and allowing impersonation.

    Details can be found in the upstream advisory at https://prosody.im/security/advisory_20180531/

    For the oldstable distribution (jessie), this problem has been fixed in version 0.9.7-2+deb8u4.

    For the stable distribution (stretch), this problem has been fixed in version 0.9.12-2+deb9u2.

    We recommend that you upgrade your prosody packages.

    For the detailed security status of prosody please refer to its security tracker page at: https://security-tracker.debian.org/tracker/prosody

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wireshark
    CVE ID : CVE-2018-9273 CVE-2018-7320 CVE-2018-7334 CVE-2018-7335 CVE-2018-7419 CVE-2018-9261 CVE-2018-9264 CVE-2018-11358 CVE-2018-11360 CVE-2018-11362

    It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u14.

    For the stable distribution (stretch), these problems have been fixed in version 2.2.6+g32dac6a-2+deb9u3.

    We recommend that you upgrade your wireshark packages.

    For the detailed security status of wireshark please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : memcached
    CVE ID : CVE-2017-9951 CVE-2018-1000115 CVE-2018-1000127
    Debian Bug : 868701 894404

    Several vulnerabilities were discovered in memcached, a high-performance memory object caching system. The Common Vulnerabilities and Exposures project identifies the following problems:

    CVE-2017-9951
    Daniel Shapira reported a heap-based buffer over-read in memcached (resulting from an incomplete fix for CVE-2016-8705) triggered by specially crafted requests to add/set a key and allowing a remote attacker to cause a denial of service.

    CVE-2018-1000115
    It was reported that memcached listens on UDP by default. A remote attacker can take advantage of it to use the memcached service as a DDoS amplifier.

    Default installations of memcached in Debian are not affected by this issue as the installation defaults to listen only on localhost. This update disables the UDP port by default. Listening on UDP can be re-enabled in /etc/memcached.conf (cf. /usr/share/doc/memcached/NEWS.Debian.gz).

    CVE-2018-1000127
    An integer overflow was reported in memcached, resulting in resource leaks, data corruption, deadlocks or crashes.

    For the oldstable distribution (jessie), these problems have been fixed in version 1.4.21-1.1+deb8u2.

    For the stable distribution (stretch), these problems have been fixed in version 1.4.33-1+deb9u1.

    We recommend that you upgrade your memcached packages.

    For the detailed security status of memcached please refer to its security tracker page at: https://security-tracker.debian.org/tracker/memcached

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jruby
    CVE ID : CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079
    Debian Bug : 895778

    Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

    For the stable distribution (stretch), these problems have been fixed in version 1.7.26-1+deb9u1.

    We recommend that you upgrade your jruby packages.

    In addition, this message serves as an announcement that security support for jruby in the Debian 8 oldstable release (jessie) is now discontinued.

    Users of jruby in Debian 8 that want security updates are strongly encouraged to upgrade now to the current Debian 9 stable release (stretch).

    For the detailed security status of jruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jruby

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/