Debian Security Advisory

• Official post

Package : qtbase-opensource-src
CVE ID : CVE-2018-15518 CVE-2018-19870 CVE-2018-19873
Debian Bug : 907139

Several issues were discovered in qtbase-opensource-src, a
cross-platform C++ application framework, which could lead to
denial-of-service via application crash. Additionally, this update
fixes a problem affecting vlc, where it would start without a GUI.

For the stable distribution (stretch), these problems have been fixed in
version 5.7.1+dfsg-3+deb9u1.

We recommend that you upgrade your qtbase-opensource-src packages.

For the detailed security status of qtbase-opensource-src please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qtbase-opensource-src

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : spice
CVE ID : CVE-2019-3813
Debian Bug : 920762

Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might result in
denial of service (spice server crash), or possibly, execution of
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u3.

We recommend that you upgrade your spice packages.

For the detailed security status of spice please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/spice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : firefox-esr
CVE ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 60.5.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : rssh
CVE ID : CVE-2019-1000018
Debian Bug : 919623

The ESnet security team discovered a vulnerability in rssh, a restricted
shell that allows users to perform only scp, sftp, cvs, svnserve
(Subversion), rdist and/or rsync operations. Missing validation in the
scp support could result in the bypass of this restriction, allowing the
execution of arbitrary shell commands.

Please note that with the update applied, the "-3" option of scp can no
longer be used.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u1.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : php-pear
CVE ID : CVE-2018-1000888
Debian Bug : 919147

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for
handling tar files in PHP is prone to a PHP object injection
vulnerability, potentially allowing a remote attacker to execute
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.1+submodules+notgz-9+deb9u1.

We recommend that you upgrade your php-pear packages.

For the detailed security status of php-pear please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-pear

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : golang-1.7
CVE ID : CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes a vulnerability in "go get", which could
result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.4-2+deb9u1.

We recommend that you upgrade your golang-1.7 packages.

For the detailed security status of golang-1.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : golang-1.8
CVE ID : CVE-2018-6574 CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes two vulnerabilities in "go get", which
could result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.1-1+deb9u1.

We recommend that you upgrade your golang-1.8 packages.

For the detailed security status of golang-1.8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
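The "key recovery" case in the two golang posts above (golang-1.7 and golang-1.8, CVE-2019-6486) is the failure mode of ECDH with an unvalidated peer point: affine point addition never reads the curve constant b, so arithmetic fed a point that is not on P-384 silently computes on whatever curve that point does lie on, and the peer gets to choose one with small-order subgroups. The posts do not say which callers were exposed; what a practitioner controls is whether a peer's point is validated before it is multiplied by a private scalar. The block below is an added illustration in pure Python, not Go's crypto/elliptic and not Debian's patch: it carries the NIST P-384 parameters and performs the range, curve-equation and order checks before an ECDH multiply. The scalar-multiplication routine is variable-time and only meant to make the validation self-contained; the `implied_b` helper and the two sample scalars in the test are this example's own additions.

```python
"""Validate a peer's public point before ECDH on NIST P-384 (added example, pure Python)."""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity

# NIST P-384 domain parameters (FIPS 186-4): y^2 = x^3 - 3x + b over GF(p), cofactor 1.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
GX = 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
GY = 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
G: Point = (GX, GY)


def is_on_curve(x: int, y: int) -> bool:
    return (y * y - (x * x * x + A * x + B)) % P == 0


def implied_b(x: int, y: int) -> int:
    """The b' for which (x, y) satisfies y^2 = x^3 - 3x + b'.  Point addition never
    uses b, so an unvalidated off-curve input makes the arithmetic run on this other
    curve, which the attacker picks to have a group with small-order subgroups."""
    return (y * y - x * x * x - A * x) % P


def point_add(p1: Point, p2: Point) -> Point:
    """Affine addition on y^2 = x^3 + Ax + B; handles doubling and the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k: int, point: Point) -> Point:
    """Double-and-add.  Variable-time: fine for a validation demo, not for production keys."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_public_point(x: int, y: int, full: bool = True) -> Tuple[bool, str]:
    """SP 800-56A style checks: coordinate range, curve equation and (full=True) order.
    With cofactor 1 the order check follows from the curve check; it is kept because
    the full-validation profile asks for it."""
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    if not is_on_curve(x, y):
        return False, "not on P-384 (implied b = %x)" % implied_b(x, y)
    if full and point_mul(N, (x, y)) is not None:
        return False, "point does not have order n"
    return True, "ok"


def peer_key_accepted(peer: Tuple[int, int]) -> bool:
    return validate_public_point(*peer)[0]


def ecdh_shared_x(private_scalar: int, peer: Tuple[int, int]) -> int:
    """x-coordinate of private_scalar * peer, computed only after the peer point passed."""
    ok, why = validate_public_point(*peer)
    if not ok:
        raise ValueError("rejecting peer public key: " + why)
    shared = point_mul(private_scalar, peer)
    if shared is None:
        raise ValueError("shared secret is the point at infinity")
    return shared[0]
```

The order of checks matters: the range and curve-equation tests run before any group operation touches the input, so a malformed point never reaches the arithmetic whose behaviour on such inputs the advisory calls into question.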

• Official post

Package : libreoffice
CVE ID : CVE-2018-16858

Alex Infuehr discovered a directory traversal vulnerability which could
result in the execution of Python script code when opening a malformed
document.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.2.7-1+deb9u5. In addition this update fixes a bug in the
validation of signed PDFs; it would display an incomplete status message
when dealing with a partial signature.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : rssh
CVE ID : CVE-2019-3463 CVE-2019-3464

Nick Cleaton discovered two vulnerabilities in rssh, a restricted shell
that allows users to perform only scp, sftp, cvs, svnserve (Subversion),
rdist and/or rsync operations. Missing validation in the rsync support
could result in the bypass of this restriction, allowing the execution
of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.4-5+deb9u2.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
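Both rssh posts above, the scp one (CVE-2019-1000018) and the rsync one (CVE-2019-3463, CVE-2019-3464), describe the same design problem: a restricted shell that re-executes a subcommand has to decide, from the parsed argument vector, whether any argument could make that subcommand run something else. The block below is an added illustration in Python of the allow-list approach, not rssh's code and not the Debian patch. The scp flag allow-list, the rule that rsync is only accepted in the `--server` form an rsync client emits (with its `-e.<flags>` protocol cluster), the list of refused rsync long options and the pinned binary paths are all this example's assumptions. Consistent with the advisories, it refuses `scp -3` outright and accepts several paths on one `scp -f`, the case the later deb9u3 regression fix restored.

```python
"""Allow-list dispatch for a restricted shell that only runs scp and rsync (added example)."""
import os
import shlex
from typing import Callable, Dict, List

# Flags scp's server side legitimately receives from a remote scp client; anything
# else (-S program, -o ssh_option, -F config, -3 ...) is refused, as is a second mode.
SCP_SERVER_FLAGS = frozenset("tfrpdv")
# rsync long options that point rsync at another program, or at a config file whose
# "pre-xfer exec" / "post-xfer exec" settings run programs (example list).
RSYNC_FORBIDDEN = ("--rsh", "--rsync-path", "--daemon", "--config")
# Pinned binaries: the restricted shell never resolves through PATH (example paths).
BINARIES = {"scp": "/usr/bin/scp", "rsync": "/usr/bin/rsync"}


class RestrictedShellError(Exception):
    """The requested command is outside what the restricted shell permits."""


def check_scp(argv: List[str]) -> List[str]:
    """Permit only `scp -t <path>...` or `scp -f <path>...` with the flags above."""
    modes, paths = 0, []
    for idx, arg in enumerate(argv[1:], start=1):
        if arg == "--":
            paths.extend(argv[idx + 1:])
            break
        if arg.startswith("-") and len(arg) > 1:
            for flag in arg[1:]:
                if flag not in SCP_SERVER_FLAGS:
                    raise RestrictedShellError("scp option -%s is not permitted" % flag)
                modes += flag in "tf"
        else:
            paths.append(arg)
    if modes != 1:
        raise RestrictedShellError("scp must run in exactly one server mode (-t or -f)")
    if not paths:
        raise RestrictedShellError("scp needs at least one path")
    return argv


def check_rsync(argv: List[str]) -> List[str]:
    """Permit rsync only as the `rsync --server ...` command an rsync client sends.

    A client puts the server's protocol flags in one cluster ending in `-e.<letters>`
    (for instance -logDtpre.iLsfx).  That form is accepted; a bare -e, -e<command>
    or --rsh would hand rsync a program to run and is refused."""
    if len(argv) < 2 or argv[1] != "--server":
        raise RestrictedShellError("rsync is only permitted in --server mode")
    for arg in argv[2:]:
        if arg.startswith(RSYNC_FORBIDDEN):
            raise RestrictedShellError("rsync option %s is not permitted" % arg)
        if arg.startswith("-") and not arg.startswith("--") and "e" in arg:
            if not arg[arg.index("e") + 1:].startswith("."):
                raise RestrictedShellError("rsync -e with a command is not permitted")
    return argv


CHECKERS: Dict[str, Callable[[List[str]], List[str]]] = {"scp": check_scp, "rsync": check_rsync}


def dispatch(ssh_original_command: str) -> List[str]:
    """Validate $SSH_ORIGINAL_COMMAND and return the argv to exec directly.

    The decision is taken on the parsed vector and the binary is exec'd without a
    shell, so metacharacters inside a path never reach /bin/sh."""
    try:
        argv = shlex.split(ssh_original_command)
    except ValueError as exc:
        raise RestrictedShellError("unparsable command: %s" % exc)
    if not argv or argv[0] not in CHECKERS:
        raise RestrictedShellError("command not permitted")
    return CHECKERS[argv[0]](argv)


def permitted(ssh_original_command: str) -> bool:
    try:
        dispatch(ssh_original_command)
        return True
    except RestrictedShellError:
        return False


if __name__ == "__main__":
    argv = dispatch(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    os.execv(BINARIES[argv[0]], argv)
```

The two things that make this hold up are that nothing outside the allow-lists gets through, and that the exec never goes via a shell; the regression in the first rssh update shows the other side of the trade-off, where an allow-list that is too narrow breaks legitimate multi-file transfers.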

• Official post

Package : libvncserver
CVE ID : CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019
         CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023
         CVE-2018-20024
Debian Bug : 916941

Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a
library to implement VNC server/client functionalities, which might result in
the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (stretch), these problems have been fixed in
version 0.9.11+dfsg-1.3~deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : libgd2
CVE ID : CVE-2019-6977 CVE-2019-6978
Debian Bug : 920645 920728

Multiple vulnerabilities have been discovered in libgd2, a library for
programmatic graphics creation and manipulation, which may result in
denial of service or potentially the execution of arbitrary code if a
malformed file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 2.2.4-2+deb9u4.

We recommend that you upgrade your libgd2 packages.

For the detailed security status of libgd2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libgd2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : dovecot
CVE ID : CVE-2019-3814

halfdog discovered an authentication bypass vulnerability in the Dovecot
email server. Under some configurations Dovecot mistakenly trusts the
username provided via authentication instead of failing. If there is no
additional password verification, this allows the attacker to login as
anyone else in the system. Only installations using:

    auth_ssl_require_client_cert = yes
    auth_ssl_username_from_cert = yes

are affected by this flaw.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.2.27-3+deb9u3.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
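Because the dovecot post above scopes the flaw to one configuration combination, the first question on a fleet is which hosts actually run with both settings enabled. The block below is an added example, not Dovecot's or Debian's code: it reads `doveconf -n` style output, keeps only the global settings (entries nested in `protocol { }` or `service { }` blocks are skipped) and reports whether the two settings the advisory names are both `yes`. The sample configuration is constructed. A match means the pre-condition is present; whether an "additional password verification" also happens depends on the passdb setup, which the advisory does not detail, so a match is a reason to upgrade rather than proof of exploitability.

```python
"""Spot the Dovecot configuration the CVE-2019-3814 advisory calls affected (added example)."""
import subprocess
from typing import Dict

# Constructed `doveconf -n`-shaped output for an exposed host; not from a real server.
SAMPLE_EXPOSED = """\
# constructed sample, shaped like `doveconf -n` output
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
ssl = required
ssl_ca = </etc/dovecot/ca.pem
protocol imap {
  mail_max_userip_connections = 20
}
service auth {
  unix_listener auth-userdb {
    mode = 0600
  }
}
"""

# Same host, but the username still comes from the SASL exchange, not the certificate.
SAMPLE_NOT_EXPOSED = SAMPLE_EXPOSED.replace("auth_ssl_username_from_cert = yes",
                                            "auth_ssl_username_from_cert = no")


def top_level_settings(doveconf_output: str) -> Dict[str, str]:
    """Global `key = value` pairs; settings nested inside { } blocks are skipped."""
    settings: Dict[str, str] = {}
    depth = 0
    for raw in doveconf_output.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def affected_combination(doveconf_output: str) -> bool:
    """True when both settings named in the advisory are enabled."""
    s = top_level_settings(doveconf_output)
    return (s.get("auth_ssl_require_client_cert") == "yes"
            and s.get("auth_ssl_username_from_cert") == "yes")


if __name__ == "__main__":
    live = subprocess.run(["doveconf", "-n"], check=True, capture_output=True, text=True).stdout
    print("CVE-2019-3814 pre-condition present:", affected_combination(live))
```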

• Official post

Package : curl
CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2018-16890

    Wenxiang Qian of Tencent Blade Team discovered that the function
    handling incoming NTLM type-2 messages does not validate incoming
    data correctly and is subject to an integer overflow vulnerability,
    which could lead to an out-of-bounds buffer read.

CVE-2019-3822

    Wenxiang Qian of Tencent Blade Team discovered that the function
    creating an outgoing NTLM type-3 header is subject to an integer
    overflow vulnerability, which could lead to an out-of-bounds write.

CVE-2019-3823

    Brian Carpenter of Geeknik Labs discovered that the code handling
    the end-of-response for SMTP is subject to an out-of-bounds heap
    read.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : openssh
CVE ID : CVE-2018-20685 CVE-2019-6109 CVE-2019-6111
Debian Bug : 793412 919101

Harry Sintonen from F-Secure Corporation discovered multiple vulnerabilities in
OpenSSH, an implementation of the SSH protocol suite. All the vulnerabilities
are found in the scp client implementing the SCP protocol.

CVE-2018-20685

    Due to improper directory name validation, the scp client allows servers to
    modify permissions of the target directory by using an empty or dot directory
    name.

CVE-2019-6109

    Due to missing character encoding in the progress display, the object name
    can be used to manipulate the client output, for example to employ ANSI
    codes to hide additional files being transferred.

CVE-2019-6111

    Due to insufficient input validation of path names sent by the server in the
    scp client, a malicious server can do arbitrary file overwrites in the target
    directory. If the recursive (-r) option is provided, the server can also
    manipulate subdirectories.

The check added in this version can lead to regression if the client and
the server have differences in wildcard expansion rules. If the server is
trusted for that purpose, the check can be disabled with a new -T option to
the scp client.

For the stable distribution (stretch), these problems have been fixed in
version 1:7.4p1-10+deb9u5.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
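The three scp issues in the openssh post above share one root cause: the scp client creates whatever the server's directive stream names, and the names were neither checked nor escaped. The block below is an added illustration in Python, not OpenSSH's scp.c and not the Debian patch. It parses the scp wire directives (`C<mode> <size> <name>` for a file, `D<mode> <size> <name>` to enter a directory, `E` to leave it, `T` for timestamps) and applies the three client-side checks the post implies: refuse empty, `.` and `..` names and anything containing `/`; escape control characters before a name reaches the terminal; and require a top-level name to match the glob the user typed, with `strict=False` playing the role of the `-T` switch. The directive grammar as written here, applying the glob check to top-level entries only, and the `\xNN` escaping style are this example's assumptions; `plan_writes` returns the actions a validating client would take rather than touching the filesystem, and all directive streams in the test are constructed.

```python
"""Client-side validation of scp wire-protocol directives (added example, not OpenSSH code)."""
import fnmatch
import posixpath
import re
from typing import List, Optional, Tuple

# A server streams "C<mode> <size> <name>" (file), "D<mode> <size> <name>" (enter dir),
# "E" (leave dir) and "T..." (timestamps) lines; an unvalidating client does as told.
_ENTRY = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")


class ScpProtocolError(Exception):
    """A server-supplied directive the client must refuse to act on."""


def display_name(name: str) -> str:
    """Escape anything non-printable before a server-chosen name is echoed to the
    terminal (CVE-2019-6109: an ESC sequence in a name could rewrite the progress line)."""
    return "".join(ch if 0x20 <= ord(ch) < 0x7F else "\\x%02x" % ord(ch) for ch in name)


def check_name(name: str, requested: Optional[str], strict: bool) -> None:
    """Refuse names that leave the target directory or rename it.

    '' and '.' (CVE-2018-20685: a D directive naming the target directory itself lets
    the server chmod it), '..' and anything containing '/' (CVE-2019-6111: a write
    outside the target) are never acceptable.  When the user asked for a glob, the
    returned name must match it unless the -T-style 'trust the server' switch is set."""
    if name in ("", ".", "..") or "/" in name:
        raise ScpProtocolError("unexpected filename: " + display_name(name))
    if strict and requested is not None and not fnmatch.fnmatchcase(name, requested):
        raise ScpProtocolError("filename %s does not match request %s"
                               % (display_name(name), requested))


def plan_writes(directives: List[str], dest_dir: str, requested: Optional[str] = None,
                strict: bool = True) -> List[Tuple]:
    """Walk a server's directive stream and return the filesystem actions a validating
    client would perform, or raise on the first bad directive."""
    stack = [dest_dir]
    actions: List[Tuple] = []
    for line in directives:
        if not line.endswith("\n"):
            raise ScpProtocolError("unterminated directive")
        body = line[:-1]
        if body == "E":
            if len(stack) == 1:
                raise ScpProtocolError("E without a matching D")
            stack.pop()
            continue
        if body.startswith("T"):
            continue  # mtime/atime for the next entry; does not choose where it lands
        m = _ENTRY.match(body)
        if not m:
            raise ScpProtocolError("malformed directive: " + display_name(body))
        kind, mode, size, name = m.group(1), int(m.group(2), 8), int(m.group(3)), m.group(4)
        # Assumption of this example: the user's glob is checked for top-level entries only;
        # entries inside a server-sent directory have no user-typed pattern to match.
        check_name(name, requested if len(stack) == 1 else None, strict)
        target = posixpath.join(stack[-1], name)
        if kind == "D":
            actions.append(("mkdir", target, mode))
            stack.append(target)
        else:
            actions.append(("write", target, mode, size))
    return actions


def rejects(directives: List[str], requested: Optional[str] = None, strict: bool = True) -> bool:
    """True if a validating client would abort on this directive stream."""
    try:
        plan_writes(directives, "downloads", requested, strict)
    except ScpProtocolError:
        return True
    return False
```

The glob comparison is exactly the check the post warns can regress: `fnmatchcase` here and the server's shell may expand a pattern differently, which is why the real fix ships an opt-out (`-T`) rather than silently loosening the rule.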

• Official post

Package : mosquitto
CVE ID : CVE-2018-12546 CVE-2018-12550 CVE-2018-12551

Three vulnerabilities were discovered in the Mosquitto MQTT broker, which
could result in authentication bypass. Please refer to
https://mosquitto.org/blog/2019/02/version-1-5-6-released/ for additional
information.

For the stable distribution (stretch), these problems have been fixed in
version 1.4.10-3+deb9u3.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : libu2f-host
CVE ID : CVE-2018-20340
Debian Bug : 921725

Christian Reitter discovered that libu2f-host, a library implementing
the host-side of the U2F protocol, failed to properly check for a
buffer overflow. This would allow an attacker with a custom made
malicious USB device masquerading as a security key, and physical
access to a computer where PAM U2F or an application with libu2f-host
integrated, to potentially execute arbitrary code on that computer.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.2-2+deb9u1.

We recommend that you upgrade your libu2f-host packages.

For the detailed security status of libu2f-host please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libu2f-host

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : rssh
Debian Bug : 921655

The update for rssh issued as DSA 4377-1 introduced a regression that
blocked scp of multiple files from a server using rssh. Updated packages
are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u3.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : flatpak
CVE ID : not yet available
Debian Bug : 922059

It was discovered that Flatpak, an application deployment framework for
desktop apps, insufficiently restricted the execution of "apply_extra"
scripts which could potentially result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 0.8.9-0+deb9u2.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : firefox-esr
CVE ID : CVE-2018-18356 CVE-2019-5785

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.5.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

• Official post

Package : thunderbird
CVE ID : CVE-2018-18356 CVE-2018-18500 CVE-2018-18501
         CVE-2018-18505 CVE-2018-18509 CVE-2019-5785

Multiple security issues have been found in the Thunderbird mail client,
which could lead to the execution of arbitrary code, denial of service
or spoofing of S/MIME signatures.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.5.1-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
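Every post on this page ends the same way: "fixed in version X, upgrade your packages". The practical question on a stretch host is whether the installed version is at or above X for each of them, and that comparison has to follow dpkg's ordering (epoch first, then upstream version, then Debian revision, with `~` sorting before the empty string so that `60.5.0esr-1~deb9u1` is older than `60.5.1esr-1~deb9u1`). The block below is an added example, not Debian tooling: it carries the fixed versions quoted in the posts above (the latest one where rssh and firefox-esr are fixed more than once), ports dpkg's version comparison to Python, and reports the packages still below their fix. Advisories quote source-package versions, so it reads `dpkg-query` with the `${source:Package}` and `${source:Version}` fields rather than binary versions (which pick up a `+b1` style suffix after a binNMU); the sample `dpkg-query` output is constructed.

```python
"""Flag installed stretch packages still below the versions the advisories fix (added example)."""
import subprocess
from typing import Dict, List, Tuple

# Source package -> fixed stretch version, copied from the advisories on this page
# (rssh and firefox-esr are fixed more than once; their latest version is used).
FIXED_IN_STRETCH: Dict[str, str] = {
    "qtbase-opensource-src": "5.7.1+dfsg-3+deb9u1",
    "spice": "0.12.8-2.1+deb9u3",
    "firefox-esr": "60.5.1esr-1~deb9u1",
    "rssh": "2.3.4-5+deb9u3",
    "php-pear": "1:1.10.1+submodules+notgz-9+deb9u1",
    "golang-1.7": "1.7.4-2+deb9u1",
    "golang-1.8": "1.8.1-1+deb9u1",
    "libreoffice": "1:5.2.7-1+deb9u5",
    "libvncserver": "0.9.11+dfsg-1.3~deb9u1",
    "libgd2": "2.2.4-2+deb9u4",
    "dovecot": "1:2.2.27-3+deb9u3",
    "curl": "7.52.1-5+deb9u9",
    "openssh": "1:7.4p1-10+deb9u5",
    "mosquitto": "1.4.10-3+deb9u3",
    "libu2f-host": "1.1.2-2+deb9u1",
    "flatpak": "0.8.9-0+deb9u2",
    "thunderbird": "1:60.5.1-1~deb9u1",
}

# Constructed sample of the dpkg-query output read in main(); not from a real host.
SAMPLE_DPKG_QUERY = """\
openssh 1:7.4p1-10+deb9u4
curl 7.52.1-5+deb9u9
rssh 2.3.4-5+deb9u2
firefox-esr 60.5.0esr-1~deb9u1
libgd2 2.2.4-2+deb9u4
bash 4.4-5
"""


def _order(ch: str) -> int:
    """dpkg's ranking of non-digit characters: '~' < end of string < letters < others."""
    if ch == "~":
        return -1
    if ch.isdigit():
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or (a[i] > b[j]) - (a[i] < b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """-1, 0 or 1 under dpkg ordering: epoch, then upstream version, then Debian revision."""
    def split(v: str) -> Tuple[int, str, str]:
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def installed_source_versions(dpkg_query_output: str) -> Dict[str, str]:
    """Parse 'source-package source-version' lines into a dict."""
    found: Dict[str, str] = {}
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            found.setdefault(parts[0], parts[1])
    return found


def outstanding(installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, installed, fixed) for each advisory package still below its fix."""
    return [(pkg, installed[pkg], fixed) for pkg, fixed in FIXED_IN_STRETCH.items()
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0]


if __name__ == "__main__":
    query = ["dpkg-query", "-W", "--showformat=${source:Package} ${source:Version}\\n"]
    out = subprocess.run(query, check=True, capture_output=True, text=True).stdout
    for pkg, have, fixed in outstanding(installed_source_versions(out)):
        print("%s: installed %s, fixed in %s" % (pkg, have, fixed))
```

A package absent from `dpkg-query` is simply not installed and is not reported; a host that has pinned or held one of these packages will show up every run until the hold is lifted, which is the point.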