Debian Security Advisory

• Official post

    Package: mpv

    CVE ID: CVE-2018-6360

    Debian Bug: 889892

    A regression was detected in the previously issued fix for CVE-2018-6360.

    The patch released with DSA 4105-1 broke the feature of invoking mpv with

    raw YouTube ids. This update fixes this functionality issue. For

    reference, the relevant part of the original advisory text follows.

    It was discovered that mpv, a media player, was vulnerable to remote code

    execution attacks. An attacker could craft a malicious web page that,

    when used as an argument in mpv, could execute arbitrary code in the host

    of the mpv user.

    For the stable distribution (stretch), this problem has been fixed in

    version 0.23.0-2+deb9u2.

    We recommend that you upgrade your mpv packages.

    For the detailed security status of mpv please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/mpv

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: libtasn1-6

    CVE ID: CVE-2017-10790 CVE-2018-6003

    Debian Bug: 867398

    Two vulnerabilities were discovered in Libtasn1, a library to manage

    ASN.1 structures, allowing a remote attacker to cause a denial of

    service against an application using the Libtasn1 library.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.10-1.1+deb9u1.

    We recommend that you upgrade your libtasn1-6 packages.

    For the detailed security status of libtasn1-6 please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/libtasn1-6

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: django-anymail

    CVE ID: CVE-2018-6596

    Debian Bug: 889450

It was discovered that the webhook validation of Anymail, a Django email

backend for multiple ESPs, is prone to a timing attack. A remote

    attacker can take advantage of this flaw to obtain a

    WEBHOOK_AUTHORIZATION secret and post arbitrary email tracking events.

    For the stable distribution (stretch), this problem has been fixed in

    version 0.8-2+deb9u1.

    We recommend that you upgrade your django-anymail packages.

    For the detailed security status of django-anymail please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/django-anymail

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/
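The timing attack in the advisory above works because a plain string comparison stops at the first mismatching byte, so the response time leaks how long a prefix of the guessed secret was correct. The block below is an added illustration, not Anymail's or Django's own code: `insecure_compare` counts the comparison steps so the leak is visible without timing measurements, `secure_compare` uses `hmac.compare_digest`, and the Basic-auth parsing, the `user:password` secret format and all function names are assumptions made for the example.

```python
import base64
import hmac


def insecure_compare(expected, supplied):
    """Early-exit comparison, the shape of a typical string '=='.
    Returns (equal, steps); 'steps' grows with the length of the matching
    prefix, which is what a remote attacker measures in a timing attack."""
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for e, s in zip(expected, supplied):
        steps += 1
        if e != s:
            return False, steps
    return True, steps


def secure_compare(expected, supplied):
    """Constant-time comparison: the time taken does not depend on where
    the first mismatching byte is."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def basic_auth_header(secret):
    """Build the 'Basic ...' Authorization value a legitimate ESP would send
    (assumed format for the example: the secret is 'user:password')."""
    return "Basic " + base64.b64encode(secret.encode()).decode()


def parse_basic_auth(header):
    """Extract 'user:password' from an Authorization header value.
    Returns None if the header is missing or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        return base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def webhook_authorized(header, webhook_secret):
    """Accept the webhook call only if the supplied credentials equal the
    configured secret, compared in constant time."""
    supplied = parse_basic_auth(header)
    if supplied is None:
        return False
    return secure_compare(webhook_secret, supplied)
```

With the early-exit comparison, a guess that shares the first 13 characters with the secret costs 14 steps while a guess wrong in the first character costs 1; an attacker can grow the matching prefix one character at a time. `compare_digest` removes that signal; it does not hide a length difference, so keep secrets at a fixed length as well.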

• Official post

    Package: mailman

    CVE ID: CVE-2018-5950

    Debian Bug: 888201

    Calum Hutton and the Mailman team discovered a cross site scripting and

    information leak vulnerability in the user options page. A remote

    attacker could use a crafted URL to steal cookie information or to

    fish for whether a user is subscribed to a list with a private roster.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 2.1.18-2+deb8u2.

    For the stable distribution (stretch), this problem has been fixed in

    version 2.1.23-1+deb9u2.

    We recommend that you upgrade your mailman packages.

    For the detailed security status of mailman please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/mailman

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: ruby-omniauth

    CVE ID: CVE-2017-18076

    Debian Bug: 888523

    Lalith Rallabhandi discovered that OmniAuth, a Ruby library for

    implementing multi-provider authentication in web applications,

    mishandled and leaked sensitive information. An attacker with access to

    the callback environment, such as in the case of a crafted web

application, can request authentication services from this module and

gain access to the CSRF token.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 1.2.1-1+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 1.3.1-1+deb9u1.

    We recommend that you upgrade your ruby-omniauth packages.

    For the detailed security status of ruby-omniauth please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby-omniauth

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: exim4

    CVE ID: CVE-2018-6789

    Debian Bug: 890000

    Meh Chang discovered a buffer overflow flaw in a utility function used

    in the SMTP listener of Exim, a mail transport agent. A remote attacker

    can take advantage of this flaw to cause a denial of service, or

    potentially the execution of arbitrary code via a specially crafted

    message.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 4.84.2-2+deb8u5.

    For the stable distribution (stretch), this problem has been fixed in

    version 4.89-2+deb9u3.

    We recommend that you upgrade your exim4 packages.

    For the detailed security status of exim4 please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/exim4

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: libreoffice

    CVE ID: CVE-2018-6871

    Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that

    missing restrictions in the implementation of the WEBSERVICE function

    in LibreOffice could result in the disclosure of arbitrary files

    readable by the user who opens a malformed document.

    For the stable distribution (stretch), this problem has been fixed in

    version 1:5.2.7-1+deb9u2.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: libreoffice

    CVE ID: CVE-2018-6871

    Mikhail Klementev, Ronnie Goodrich and Andrew Krasichkov discovered that

    missing restrictions in the implementation of the WEBSERVICE function

    in LibreOffice could result in the disclosure of arbitrary files

    readable by the user who opens a malformed document.

    For the oldstable distribution (jessie), this problem has been fixed in

version 1:4.3.3-2+deb8u10.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: xen

    CVE ID: CVE-2017-17563 CVE-2017-17564 CVE-2017-17565

    CVE-2017-17566

    Multiple vulnerabilities have been discovered in the Xen hypervisor:

    CVE-2017-17563

    Jan Beulich discovered that an incorrect reference count overflow

    check in x86 shadow mode may result in denial of service or

    privilege escalation.

    CVE-2017-17564

    Jan Beulich discovered that improper x86 shadow mode reference count

    error handling may result in denial of service or privilege

    escalation.

    CVE-2017-17565

    Jan Beulich discovered that an incomplete bug check in x86 log-dirty

    handling may result in denial of service.

    CVE-2017-17566

    Jan Beulich discovered that x86 PV guests may gain access to

    internally used pages which could result in denial of service or

    potential privilege escalation.

    In addition this update ships the "Comet" shim to address the Meltdown

    class of vulnerabilities for guests with legacy PV kernels. In addition,

    the package provides the "Xen PTI stage 1" mitigation which is built-in

    and enabled by default on Intel systems, but can be disabled with

`xpti=false' on the hypervisor command line (it does not make sense to

use both xpti and the Comet shim).

    Please refer to the following URL for more details on how to configure

    individual mitigation strategies:

    https://xenbits.xen.org/xsa/advisory-254.html

    Additional information can also be found in README.pti and README.comet.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: libvorbis

    CVE ID: CVE-2017-14632 CVE-2017-14633

    Two vulnerabilities were discovered in the libraries of the Vorbis audio

    compression codec, which could result in denial of service or the

    execution of arbitrary code if a malformed media file is processed.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.3.5-4+deb9u1.

    We recommend that you upgrade your libvorbis packages.

    For the detailed security status of libvorbis please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libvorbis

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: jackson-databind

    CVE ID: CVE-2017-17485 CVE-2018-5968

    Debian Bug: 888316 888318

    It was discovered that jackson-databind, a Java library used to parse

    JSON and other data formats, did not properly validate user input

    before attempting deserialization. This allowed an attacker to perform

    code execution by providing maliciously crafted input.

    For the oldstable distribution (jessie), these problems have been fixed

    in version 2.4.2-2+deb8u3.

    For the stable distribution (stretch), these problems have been fixed in

    version 2.8.6-1+deb9u3.

    We recommend that you upgrade your jackson-databind packages.

    For the detailed security status of jackson-databind please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/jackson-databind

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: quagga

    CVE ID: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381

    Several vulnerabilities have been discovered in Quagga, a routing

    daemon. The Common Vulnerabilities and Exposures project identifies the

    following issues:

    CVE-2018-5378

    It was discovered that the Quagga BGP daemon, bgpd, does not

    properly bounds check data sent with a NOTIFY to a peer, if an

    attribute length is invalid. A configured BGP peer can take

    advantage of this bug to read memory from the bgpd process or cause

    a denial of service (daemon crash).

    https://www.quagga.net/security/Quagga-2018-0543.txt

    CVE-2018-5379

    It was discovered that the Quagga BGP daemon, bgpd, can double-free

    memory when processing certain forms of UPDATE message, containing

    cluster-list and/or unknown attributes, resulting in a denial of

    service (bgpd daemon crash).

    https://www.quagga.net/security/Quagga-2018-1114.txt

    CVE-2018-5380

    It was discovered that the Quagga BGP daemon, bgpd, does not

    properly handle internal BGP code-to-string conversion tables.

    https://www.quagga.net/security/Quagga-2018-1550.txt

    CVE-2018-5381

    It was discovered that the Quagga BGP daemon, bgpd, can enter an

    infinite loop if sent an invalid OPEN message by a configured peer.

    A configured peer can take advantage of this flaw to cause a denial

    of service (bgpd daemon not responding to any other events; BGP

    sessions will drop and not be reestablished; unresponsive CLI

    interface).

    https://www.quagga.net/security/Quagga-2018-1975.txt

    For the oldstable distribution (jessie), these problems have been fixed

    in version 0.99.23.1-1+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in

    version 1.1.1-3+deb9u2.

    We recommend that you upgrade your quagga packages.

    For the detailed security status of quagga please refer to its security

    tracker page at: https://security-tracker.debian.org/tracker/quagga

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: plasma-workspace

    CVE ID: CVE-2018-6791

    Krzysztof Sieluzycki discovered that the notifier for removable devices

    in the KDE Plasma workspace performed insufficient sanitisation of

    FAT/VFAT volume labels, which could result in the execution of arbitrary

    shell commands if a removable device with a malformed disk label is

    mounted.

    For the stable distribution (stretch), this problem has been fixed in

    version 4:5.8.6-2.1+deb9u1.

    We recommend that you upgrade your plasma-workspace packages.

    For the detailed security status of plasma-workspace please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/plasma-workspace

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/
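The plasma-workspace issue above is the classic shape of a shell injection: an attacker-controlled string (here a FAT volume label) is spliced into a command line that a shell later evaluates. The block below is an added illustration of that bug class and its fix, not the KDE code; the `notify-send` / `xdg-open` command, the mount point and the function names are assumptions made for the example.

```python
import shlex


def open_command_unsafe(mount_point, label):
    """Vulnerable pattern: the label is pasted into a shell command string.
    A label such as  usb'; id; '  closes the quote and injects commands, and
    usb$(id)  is expanded even inside double quotes."""
    return f"notify-send 'Mounted {label}' && xdg-open {mount_point}"


def open_command_safe(mount_point, label):
    """Hardened: every untrusted value is quoted for the shell, so the
    label can only ever be one argument, whatever characters it contains."""
    return "notify-send {} && xdg-open {}".format(
        shlex.quote(f"Mounted {label}"), shlex.quote(mount_point))


def open_argv(mount_point, label):
    """Better still: no shell at all. Pass an argument vector to
    subprocess.run(argv) so nothing is re-parsed by a shell."""
    return ["notify-send", f"Mounted {label}"], ["xdg-open", mount_point]


def shell_tokens(command):
    """Tokenise a command the way a POSIX shell would, to show what the
    shell will actually execute for a given label."""
    return shlex.split(command)
```

Run the two builders with a hostile label and tokenise the result: the unsafe string splits into extra words (`id;` becomes its own command), while the safe one yields exactly five tokens with the label intact inside one argument.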

• Official post

    Package: gcc-4.9

    CVE ID: not applicable

    This update doesn't fix a vulnerability in GCC itself, but instead

    provides support for building retpoline-enabled Linux kernel updates.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 4.9.2-10+deb8u1.

    We recommend that you upgrade your gcc-4.9 packages.

    For the detailed security status of gcc-4.9 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/gcc-4.9

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: tomcat-native

    CVE ID: CVE-2017-15698

    Jonas Klempel reported that tomcat-native, a library giving Tomcat

    access to the Apache Portable Runtime (APR) library's network connection

    (socket) implementation and random-number generator, does not properly

    handle fields longer than 127 bytes when parsing the AIA-Extension field

of a client certificate. If OCSP checks are used, this could result in

client certificates that should have been rejected being accepted.

    For the oldstable distribution (jessie), this problem has been fixed

    in version 1.1.32~repack-2+deb8u1.

    For the stable distribution (stretch), this problem has been fixed in

    version 1.2.12-2+deb9u1.

    We recommend that you upgrade your tomcat-native packages.

    For the detailed security status of tomcat-native please refer to its

    security tracker page at:

    https://security-tracker.debian.org/tracker/tomcat-native

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: libav

    CVE ID: CVE-2017-16803

    Several security issues have been corrected in multiple demuxers and

    decoders of the libav multimedia library. A full list of the changes is

    available at

    https://git.libav.org/?p=libav.git;a…efs/tags/v11.12

    For the oldstable distribution (jessie), this problem has been fixed

    in version 6:11.12-1~deb8u1.

    We recommend that you upgrade your libav packages.

    For the detailed security status of libav please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/libav

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: linux

    CVE ID: CVE-2017-5715 CVE-2017-5754 CVE-2017-13166 CVE-2018-5750

    Several vulnerabilities have been discovered in the Linux kernel that may

    lead to a privilege escalation, denial of service or information leaks.

    CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various

    processors supporting speculative execution, enabling an attacker

    controlling an unprivileged process to read memory from arbitrary

    addresses, including from the kernel and all other processes running on

    the system.

    This specific attack has been named Spectre variant 2 (branch target

    injection) and is mitigated in the Linux kernel for the Intel x86-64

    architecture by using the 'retpoline' compiler feature which allows

    indirect branches to be isolated from speculative execution.

    CVE-2017-5754

    Multiple researchers have discovered a vulnerability in Intel

    processors, enabling an attacker controlling an unprivileged process to

    read memory from arbitrary addresses, including from the kernel and all

    other processes running on the system.

    This specific attack has been named Meltdown and is addressed in the

    Linux kernel on the powerpc/ppc64el architectures by flushing the L1

    data cache on exit from kernel mode to user mode (or from hypervisor to

    kernel).

    This works on Power7, Power8 and Power9 processors.

    CVE-2017-13166

    A bug in the 32-bit compatibility layer of the v4l2 IOCTL handling code

    has been found. Memory protections ensuring user-provided buffers always

point to userland memory were disabled. This bug could be

    exploited by an attacker to overwrite kernel memory from an unprivileged

    userland process, leading to privilege escalation.

    CVE-2018-5750

    An information leak has been found in the Linux kernel. The

    acpi_smbus_hc_add() prints a kernel address in the kernel log at every

    boot, which could be used by an attacker on the system to defeat kernel

    ASLR.

In addition to those vulnerabilities, some mitigations for CVE-2017-5753 are

    included in this release.

    CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various

    processors supporting speculative execution, enabling an attacker

    controlling an unprivileged process to read memory from arbitrary

    addresses, including from the kernel and all other processes running on

    the system.

    This specific attack has been named Spectre variant 1 (bounds-check

bypass) and is mitigated in the Linux kernel by identifying

    vulnerable code sections (array bounds checking followed by array

    access) and replacing the array access with the speculation-safe

    array_index_nospec() function.

    More use sites will be added over time.

    For the stable distribution (stretch), these problems have been fixed in

    version 4.9.82-1+deb9u2.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: gcc-6

    CVE ID: not applicable

    This update doesn't fix a vulnerability in GCC itself, but instead

    provides support for building retpoline-enabled Linux kernel updates.

    For the stable distribution (stretch), this problem has been fixed in

    version 6.3.0-18+deb9u1.

    We recommend that you upgrade your gcc-6 packages.

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: squid3

    CVE ID: CVE-2018-1000024 CVE-2018-1000027

    Debian Bug: 888719 888720

    Several vulnerabilities have been discovered in Squid3, a fully featured

    web proxy cache. The Common Vulnerabilities and Exposures project

    identifies the following issues:

    CVE-2018-1000024

    Louis Dion-Marcil discovered that Squid does not properly handle

    processing of certain ESI responses. A remote server delivering

    certain ESI response syntax can take advantage of this flaw to cause

    a denial of service for all clients accessing the Squid service.

    This problem is limited to the Squid custom ESI parser.

    http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

    CVE-2018-1000027

    Louis Dion-Marcil discovered that Squid is prone to a denial of

    service vulnerability when processing ESI responses or downloading

    intermediate CA certificates. A remote attacker can take advantage

    of this flaw to cause a denial of service for all clients accessing

    the Squid service.

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt

    For the oldstable distribution (jessie), these problems have been fixed

    in version 3.4.8-6+deb8u5.

    For the stable distribution (stretch), these problems have been fixed in

    version 3.5.23-5+deb9u1.

    We recommend that you upgrade your squid3 packages.

    For the detailed security status of squid3 please refer to its security

    tracker page at:

    https://security-tracker.debian.org/tracker/squid3

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/

• Official post

    Package: drupal7

    CVE ID: not yet available

    Debian Bug: 891154 891153 891152 891150

    Multiple vulnerabilities have been found in the Drupal content management

    framework. For additional information, please refer to the upstream

    advisory at https://www.drupal.org/sa-core-2018-001

For the oldstable distribution (jessie), these problems have been fixed

    in version 7.32-1+deb8u10.

For the stable distribution (stretch), these problems have been fixed in

    version 7.52-2+deb9u2.

    We recommend that you upgrade your drupal7 packages.

    For the detailed security status of drupal7 please refer to

    its security tracker page at:

    https://security-tracker.debian.org/tracker/drupal7

    Further information about Debian Security Advisories, how to apply

    these updates to your system and frequently asked questions can be

    found at: https://www.debian.org/security/
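Every advisory in this thread names the version that carries the fix, and the practical question on each host is whether the installed package is at or above it. Debian versions are not compared lexically (epochs, `~` sorting before everything, numeric runs compared as numbers), so the added example below implements the dpkg version ordering in Python and audits a host against fixed versions copied from the advisories above. This is illustrative code, not Debian's tooling; on a real system `dpkg --compare-versions` does the same job, and the `dpkg-query` call, the table subset and the function names are choices made for the example.

```python
import subprocess

# Fixed versions copied from the advisories in this thread (a subset).
FIXED_VERSIONS = {
    "stretch": {
        "mpv": "0.23.0-2+deb9u2",
        "exim4": "4.89-2+deb9u3",
        "libreoffice": "1:5.2.7-1+deb9u2",
        "xen": "4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1",
        "linux": "4.9.82-1+deb9u2",
    },
    "jessie": {
        "exim4": "4.84.2-2+deb8u5",
        "libreoffice": "1:4.3.3-2+deb8u10",
        "tomcat-native": "1.1.32~repack-2+deb8u1",
        "libav": "6:11.12-1~deb8u1",
    },
}


def _order(c):
    """Sort weight of one character as in dpkg: '~' sorts before everything,
    even the end of the string; letters sort before other symbols."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the dpkg way: alternate
    non-digit runs (weighted by _order) and digit runs (compared numerically,
    leading zeros ignored). Returns <0, 0 or >0."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1          # a has more digits: larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_fixed(installed, fixed):
    """True if the installed version already contains the advisory's fix."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package):
    """Ask dpkg for the installed version; None if the package is absent."""
    result = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", package],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


def audit(suite, query=installed_version):
    """List (package, installed, fixed) for every installed package still below the fix."""
    return [(pkg, cur, fixed)
            for pkg, fixed in FIXED_VERSIONS[suite].items()
            for cur in [query(pkg)]
            if cur is not None and not is_fixed(cur, fixed)]


if __name__ == "__main__":
    for pkg, cur, fixed in audit("stretch"):
        print(f"{pkg}: installed {cur} is older than fixed {fixed}")
```

`audit` takes the version lookup as a parameter so it can be exercised offline with a constructed mapping instead of a live `dpkg-query`; on a Debian host the default runs the real query.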