Debian Security Advisory

Package : openssh

CVE ID : CVE-2018-15473

Debian Bug : 906236

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that

OpenSSH, an implementation of the SSH protocol suite, was prone to a

user enumeration vulnerability. This would allow a remote attacker to

check whether a specific user account existed on the target server.

For the stable distribution (stretch), this problem has been fixed in

version 1:7.4p1-10+deb9u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : linux

Debian Bug : 906769

The security update announced as DSA 4279-1 caused regressions on the ARM

architectures (boot failures on some systems). Updated packages are now

available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in

version 4.9.110-3+deb9u4.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security

tracker page at:

https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : tomcat8

CVE ID : CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-8034

CVE-2018-8037

Debian Bug : 867247

Several issues were discovered in the Tomcat servlet and JSP

engine. They could lead to unauthorized access to protected resources,

denial-of-service, or information leak.

For the stable distribution (stretch), these problems have been fixed in

version 8.5.14-1+deb9u3.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : trafficserver

CVE ID : CVE-2018-1318 CVE-2018-8004 CVE-2018-8005 CVE-2018-8040

Several vulnerabilities were discovered in Apache Traffic Server, a

reverse and forward proxy server, which could result in denial of

service, cache poisoning or information disclosure.

For the stable distribution (stretch), these problems have been fixed in

version 7.0.0-6+deb9u2.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : ruby-json-jwt

CVE ID : CVE-2018-1000539

It was discovered that ruby-json-jwt, a Ruby implementation of JSON web

tokens performed insufficient validation of GCM auth tags.

For the stable distribution (stretch), this problem has been fixed in

version 1.6.2-1+deb9u1.

We recommend that you upgrade your ruby-json-jwt packages.

For the detailed security status of ruby-json-jwt please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/ruby-json-jwt

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : lcms2

CVE ID : CVE-2018-16435

Quang Nguyen discovered an integer overflow in the Little CMS 2 colour

management library, which could in denial of service and potentially the

execution of arbitrary code if a malformed IT8 calibration file is

processed.

For the stable distribution (stretch), this problem has been fixed in

version 2.8-4+deb9u1.

We recommend that you upgrade your lcms2 packages.

For the detailed security status of lcms2 please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/lcms2

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : sympa

CVE ID : CVE-2018-1000550

Michael Kaczmarczik discovered a vulnerability in the web interface

template editing function of Sympa, a mailing list manager. Owner and

listmasters could use this flaw to create or modify arbitrary files in

the server with privileges of sympa user or owner view list config files

even if edit_list.conf prohibits it.

For the stable distribution (stretch), this problem has been fixed in

version 6.2.16~dfsg-3+deb9u1.

We recommend that you upgrade your sympa packages.

For the detailed security status of sympa please refer to its security

tracker page at:

https://security-tracker.debian.org/tracker/sympa

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : curl

CVE ID : CVE-2018-14618

Zhaoyang Wu discovered that cURL, an URL transfer library, contains a

buffer overflow in the NTLM authentication code triggered by passwords

that exceed 2GB in length on 32bit systems.

See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.

For the stable distribution (stretch), this problem has been fixed in

version 7.52.1-5+deb9u7.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2018-12376 CVE-2018-12377 CVE-2018-12378

Several security issues have been found in the Mozilla Firefox web

browser: Multiple memory safety errors and use-after-frees may lead to

the execution of arbitrary code or denial of service.

Debian follows the extended support releases (ESR) of Firefox. Support

for the 52.x series has ended, so starting with this update we're now

following the 60.x releases.

Between 52.x and 60.x, Firefox has undergone significant internal

updates, which makes it incompatible with a number of extensions. For

more information please refer to

https://www.mozilla.org/en-US/firefox/60.0esr/releasenotes/

In addition, the new Firefox packages require Rust to build. A

compatible Rust toolchain has been backported to Debian stretch, but is

not available for all architectures which previously supported the

purely C++-based Firefox packages. Thus, the new Firefox packages

don't support the armel, armhf, mips, mips64el and mipsel architectures

at this point.

For the stable distribution (stretch), these problems have been fixed in

version 60.2.0esr-1~deb9u2.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : ghostscript

CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911

CVE-2018-16511 CVE-2018-16513 CVE-2018-16539

CVE-2018-16540 CVE-2018-16541 CVE-2018-16542

CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an

interpreter for the PostScript language, which could result in denial of

service, the creation of files or the execution of arbitrary code if a

malformed Postscript file is processed (despite the dSAFER sandbox being

enabled).

For the stable distribution (stretch), these problems have been fixed in

version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : chromium-browser

CVE ID : CVE-2018-16065 CVE-2018-16066 CVE-2018-16067 CVE-2018-16068

CVE-2018-16069 CVE-2018-16070 CVE-2018-16071 CVE-2018-16073

CVE-2018-16074 CVE-2018-16075 CVE-2018-16076 CVE-2018-16077

CVE-2018-16078 CVE-2018-16079 CVE-2018-16080 CVE-2018-16081

CVE-2018-16082 CVE-2018-16083 CVE-2018-16084 CVE-2018-16085

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-16065

Brendon Tiszka discovered an out-of-bounds write issue in the v8

javascript library.

CVE-2018-16066

cloudfuzzer discovered an out-of-bounds read issue in blink/webkit.

CVE-2018-16067

Zhe Jin discovered an out-of-bounds read issue in the WebAudio

implementation.

CVE-2018-16068

Mark Brand discovered an out-of-bounds write issue in the Mojo

message passing library.

CVE-2018-16069

Mark Brand discovered an out-of-bounds read issue in the swiftshader

library.

CVE-2018-16070

Ivan Fratric discovered an integer overflow issue in the skia library.

CVE-2018-16071

Natalie Silvanovich discovered a use-after-free issue in the WebRTC

implementation.

CVE-2018-16073

Jun Kokatsu discovered an error in the Site Isolation feature when

restoring browser tabs.

CVE-2018-16074

Jun Kokatsu discovered an error in the Site Isolation feature when

using a Blob URL.

CVE-2018-16075

Pepe Vila discovered an error that could allow remote sites to access

local files.

CVE-2018-16076

Aseksandar Nikolic discovered an out-of-bounds read issue in the pdfium

library.

CVE-2018-16077

Manuel Caballero discovered a way to bypass the Content Security Policy.

CVE-2018-16078

Cailan Sacks discovered that the Autofill feature could leak saved

credit card information.

CVE-2018-16079

Markus Vervier and Michele Orrù discovered a URL spoofing issue.

CVE-2018-16080

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-16081

Jann Horn discovered that local files could be accessed in the developer

tools.

CVE-2018-16082

Omair discovered a buffer overflow issue in the swiftshader library.

CVE-2018-16083

Natalie Silvanovich discovered an out-of-bounds read issue in the WebRTC

implementation.

CVE-2018-16084

Jun Kokatsu discovered a way to bypass a user confirmation dialog.

CVE-2018-16085

Roman Kuksin discovered a use-after-free issue.

For the stable distribution (stretch), these problems have been fixed in

version 69.0.3497.81-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : libextractor

CVE ID : CVE-2018-14346 CVE-2018-14347 CVE-2018-16430

Debian Bug : 904903 904905 907987

Several vulnerabilities were discovered in libextractor, a library to

extract arbitrary meta-data from files, which may lead to denial of

service or the execution of arbitrary code if a specially crafted file

is opened.

For the stable distribution (stretch), these problems have been fixed in

version 1:1.3-4+deb9u2.

We recommend that you upgrade your libextractor packages.

For the detailed security status of libextractor please refer to its

security tracker page at:

https://security-tracker.debian.org/tracker/libextractor

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : mgetty

CVE ID : CVE-2018-16741

Two input sanitization failures have been found in the faxrunq and faxq

binaries in mgetty, a smart modem getty replacement. An attacker could leverage

them to insert commands via shell metacharacters in jobs id and have them

executed with the privilege of the faxrunq/faxq user.

For the stable distribution (stretch), this problem has been fixed in

version 1.1.36-3+deb9u1.

We recommend that you upgrade your mgetty packages.

For the detailed security status of mgetty please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/mgetty

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : kamailio

CVE ID : CVE-2018-16657

Debian Bug : 908324

Henning Westerholt discovered a flaw related to the Via header

processing in kamailio, a very fast, dynamic and configurable SIP

server. An unauthenticated attacker can take advantage of this flaw to

mount a denial of service attack via a specially crafted SIP message

with an invalid Via header.

For the stable distribution (stretch), this problem has been fixed in

version 4.4.4-2+deb9u3.

We recommend that you upgrade your kamailio packages.

For the detailed security status of kamailio please refer to its

security tracker page at:

https://security-tracker.debian.org/tracker/kamailio

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : discount

CVE ID : CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495

Debian Bug : 901912

Several heap buffer overflows were found in discount, an implementation

of the Markdown markup language, that could be triggered witth specially

crafted Markdown data and would cause discount to read past the end of

internal buffers.

For the stable distribution (stretch), these problems have been fixed in

version 2.2.2-1+deb9u1.

We recommend that you upgrade your discount packages.

For the detailed security status of discount please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/discount

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : intel-microcode

CVE ID : CVE-2018-3639 CVE-2018-3640

This update ships updated CPU microcode for additional models of Intel

CPUs which were not yet covered by the Intel microcode update released

as DSA-4273-1 (and thus provides SSBD support (needed to address

"Spectre v4") and fixes for "Spectre v3a")).

For the stable distribution (stretch), these problems have been fixed in

version 3.20180807a.1~deb9u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ghostscript

CVE ID : CVE-2018-16509 CVE-2018-16802

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an

interpreter for the PostScript language, which could result in the

execution of arbitrary code if a malformed Postscript file is processed

(despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in

version 9.20~dfsg-3.2+deb9u5.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2018-5156 CVE-2018-5187 CVE-2018-12361 CVE-2018-12367

CVE-2018-12371

Multiple security issues have been found in Thunderbird: Multiple memory

safety errors and use-after-frees may lead to the execution of arbitrary

code or denial of service.

Debian follows the Thunderbird upstream releases. Support for the 52.x

series has ended, so starting with this update we're now following the

60.x releases.

Between 52.x and 60.x, Thunderbird has undergone significant internal

updates, which makes it incompatible with a number of extensions. For

more information please refer to

https://support.mozilla.org/en-US/kb/new-thunderbird-60

In addition, the new Thunderbird packages require Rust to build. A

compatible Rust toolchain has been backported to Debian stretch, but is

not available for all architectures which previously supported the

purely C++-based Thunderbird packages. Thus, the new Thunderbird packages

don't support the mips, mips64el and mipsel architectures at this point.

For the stable distribution (stretch), these problems have been fixed in

version 1:60.0-3~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : mbedtls

CVE ID : CVE-2018-0497 CVE-2018-0498

Two vulnerabilities were discovered in mbedtls, a lightweight crypto and

SSL/TLS library which could result in plain text recovery via

side-channel attacks.

For the stable distribution (stretch), these problems have been fixed in

version 2.4.2-1+deb9u3.

We recommend that you upgrade your mbedtls packages.

For the detailed security status of mbedtls please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/mbedtls

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/

Package : chromium-browser

Two vulnerabilities have been discovered in the chromium web browser.

Kevin Cheung discovered an error in the WebAssembly implementation and

evil1m0 discovered a URL spoofing issue.

For the stable distribution (stretch), this problem has been fixed in

version 69.0.3497.92-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to

its security tracker page at:

https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://www.debian.org/security/