Debian Security Advisory

    • Official post

    Package : fribidi

    CVE ID : CVE-2019-18397

    Debian Bug : 944327

    Alex Murray discovered a stack-based buffer overflow vulnerability in fribidi, an implementation of the Unicode Bidirectional Algorithm, which could result in denial of service or potentially the execution of arbitrary code when processing a large number of Unicode isolate directional characters.

    For the stable distribution (buster), this problem has been fixed in version 1.0.5-3.1+deb10u1.

    We recommend that you upgrade your fribidi packages.

    For the detailed security status of fribidi please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/fribidi

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2019-5869 CVE-2019-5870 CVE-2019-5871 CVE-2019-5872

    CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 CVE-2019-5877

    CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-13659

    CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663

    CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667

    CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671

    CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676

    CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680

    CVE-2019-13681 CVE-2019-13682 CVE-2019-13683 CVE-2019-13685

    CVE-2019-13686 CVE-2019-13687 CVE-2019-13688 CVE-2019-13691

    CVE-2019-13692 CVE-2019-13693 CVE-2019-13694 CVE-2019-13695

    CVE-2019-13696 CVE-2019-13697 CVE-2019-13699 CVE-2019-13700

    CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704

    CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708

    CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713

    CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717

    CVE-2019-13718 CVE-2019-13719 CVE-2019-13720 CVE-2019-13721

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2019-5869

    Zhe Jin discovered a use-after-free issue.

    CVE-2019-5870

    Guang Gong discovered a use-after-free issue.

    CVE-2019-5871

    A buffer overflow issue was discovered in the skia library.

    CVE-2019-5872

    Zhe Jin discovered a use-after-free issue.

    CVE-2019-5874

    James Lee discovered an issue with external Uniform Resource Identifiers.

    CVE-2019-5875

    Khalil Zhani discovered a URL spoofing issue.

    CVE-2019-5876

    Man Yue Mo discovered a use-after-free issue.

    CVE-2019-5877

    Guang Gong discovered an out-of-bounds read issue.

    CVE-2019-5878

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

    CVE-2019-5879

    Jinseo Kim discovered that extensions could read files on the local system.

    CVE-2019-5880

    Jun Kokatsu discovered a way to bypass the SameSite cookie feature.

    CVE-2019-13659

    Lnyas Zhang discovered a URL spoofing issue.

    CVE-2019-13660

    Wenxu Wu discovered a user interface error in full screen mode.

    CVE-2019-13661

    Wenxu Wu discovered a user interface spoofing issue in full screen mode.

    CVE-2019-13662

    David Erceg discovered a way to bypass the Content Security Policy.

    CVE-2019-13663

    Lnyas Zhang discovered a way to spoof Internationalized Domain Names.

    CVE-2019-13664

    Thomas Shadwell discovered a way to bypass the SameSite cookie feature.

    CVE-2019-13665

    Jun Kokatsu discovered a way to bypass the multiple file download protection feature.

    CVE-2019-13666

    Tom Van Goethem discovered an information leak.

    CVE-2019-13667

    Khalil Zhani discovered a URL spoofing issue.

    CVE-2019-13668

    David Erceg discovered an information leak.

    CVE-2019-13669

    Khalil Zhani discovered an authentication spoofing issue.

    CVE-2019-13670

    Guang Gong discovered a memory corruption issue in the v8 javascript library.

    CVE-2019-13671

    xisigr discovered a user interface error.

    CVE-2019-13673

    David Erceg discovered an information leak.

    CVE-2019-13674

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

    CVE-2019-13675

    Jun Kokatsu discovered a way to disable extensions.

    CVE-2019-13676

    Wenxu Wu discovered an error in a certificate warning.

    CVE-2019-13677

    Jun Kokatsu discovered an error in the chrome web store.

    CVE-2019-13678

    Ronni Skansing discovered a spoofing issue in the download dialog window.

    CVE-2019-13679

    Conrad Irwin discovered that user activation was not required for printing.

    CVE-2019-13680

    Thijs Alkamade discovered an IP address spoofing issue.

    CVE-2019-13681

    David Erceg discovered a way to bypass download restrictions.

    CVE-2019-13682

    Jun Kokatsu discovered a way to bypass the site isolation feature.

    CVE-2019-13683

    David Erceg discovered an information leak.

    CVE-2019-13685

    Khalil Zhani discovered a use-after-free issue.

    CVE-2019-13686

    Brendon discovered a use-after-free issue.

    CVE-2019-13687

    Man Yue Mo discovered a use-after-free issue.

    CVE-2019-13688

    Man Yue Mo discovered a use-after-free issue.

    CVE-2019-13691

    David Erceg discovered a user interface spoofing issue.

    CVE-2019-13692

    Jun Kokatsu discovered a way to bypass the Same Origin Policy.

    CVE-2019-13693

    Guang Gong discovered a use-after-free issue.

    CVE-2019-13694

    banananapenguin discovered a use-after-free issue.

    CVE-2019-13695

    Man Yue Mo discovered a use-after-free issue.

    CVE-2019-13696

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

    CVE-2019-13697

    Luan Herrera discovered an information leak.

    CVE-2019-13699

    Man Yue Mo discovered a use-after-free issue.

    CVE-2019-13700

    Man Yue Mo discovered a buffer overflow issue.

    CVE-2019-13701

    David Erceg discovered a URL spoofing issue.

    CVE-2019-13702

    Phillip Langlois and Edward Torkington discovered a privilege escalation issue in the installer.

    CVE-2019-13703

    Khalil Zhani discovered a URL spoofing issue.

    CVE-2019-13704

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

    CVE-2019-13705

    Luan Herrera discovered a way to bypass extension permissions.

    CVE-2019-13706

    pdknsk discovered an out-of-bounds read issue in the pdfium library.

    CVE-2019-13707

    Andrea Palazzo discovered an information leak.

    CVE-2019-13708

    Khalil Zhani discovered an authentication spoofing issue.

    CVE-2019-13709

    Zhong Zhaochen discovered a way to bypass download restrictions.

    CVE-2019-13710

    bernardo.mrod discovered a way to bypass download restrictions.

    CVE-2019-13711

    David Erceg discovered an information leak.

    CVE-2019-13713

    David Erceg discovered an information leak.

    CVE-2019-13714

    Jun Kokatsu discovered an issue with Cascading Style Sheets.

    CVE-2019-13715

    xisigr discovered a URL spoofing issue.

    CVE-2019-13716

    Barron Hagerman discovered an error in the service worker implementation.

    CVE-2019-13717

    xisigr discovered a user interface spoofing issue.

    CVE-2019-13718

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

    CVE-2019-13719

    Khalil Zhani discovered a user interface spoofing issue.

    CVE-2019-13720

    Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.

    CVE-2019-13721

    banananapenguin discovered a use-after-free issue in the pdfium library.

    For the oldstable distribution (stretch), support for chromium has been discontinued. Please upgrade to the stable release (buster) to continue receiving chromium updates or switch to firefox, which continues to be supported in the oldstable release.

    For the stable distribution (buster), these problems have been fixed in version 78.0.3904.97-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    • Official post

    Package : linux

    CVE ID : CVE-2018-12207 CVE-2019-0154 CVE-2019-0155 CVE-2019-11135

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

    CVE-2018-12207

    It was discovered that on Intel CPUs supporting hardware virtualisation with Extended Page Tables (EPT), a guest VM may manipulate the memory management hardware to cause a Machine Check Error (MCE) and denial of service (hang or crash).

    The guest triggers this error by changing page tables without a TLB flush, so that both 4 KB and 2 MB entries for the same virtual address are loaded into the instruction TLB (iTLB). This update implements a mitigation in KVM that prevents guest VMs from loading 2 MB entries into the iTLB. This will reduce performance of guest VMs.

    Further information on the mitigation can be found at <https://www.kernel.org/doc/html/lates…n/multihit.html> or in the linux-doc-4.9 or linux-doc-4.19 package.

    A qemu update adding support for the PSCHANGE_MC_NO feature, which allows iTLB Multihit mitigations to be disabled in nested hypervisors, will be provided via DSA 4566-1.

    Intel's explanation of the issue can be found at <https://software.intel.com/security-softw…e-size-change-0>.

    CVE-2019-0154

    Intel discovered that on their 8th and 9th generation GPUs, reading certain registers while the GPU is in a low-power state can cause a system hang. A local user permitted to use the GPU can use this for denial of service.

    This update mitigates the issue through changes to the i915 driver.

    The affected chips (gen8 and gen9) are listed at <https://en.wikipedia.org/wiki/List_of_I…sing_units#Gen8>.

    CVE-2019-0155

    Intel discovered that their 9th generation and newer GPUs are missing a security check in the Blitter Command Streamer (BCS). A local user permitted to use the GPU could use this to access any memory that the GPU has access to, which could result in a denial of service (memory corruption or crash), a leak of sensitive information, or privilege escalation.

    This update mitigates the issue by adding the security check to the i915 driver.

    The affected chips (gen9 onward) are listed at <https://en.wikipedia.org/wiki/List_of_I…sing_units#Gen9>.

    CVE-2019-11135

    It was discovered that on Intel CPUs supporting transactional memory (TSX), a transaction that is going to be aborted may continue to execute speculatively, reading sensitive data from internal buffers and leaking it through dependent operations. Intel calls this "TSX Asynchronous Abort" (TAA).

    For CPUs affected by the previously published Microarchitectural Data Sampling (MDS) issues (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091), the existing mitigation also mitigates this issue.

    For processors that are vulnerable to TAA but not MDS, this update disables TSX by default. This mitigation requires updated CPU microcode. An updated intel-microcode package (only available in Debian non-free) will be provided via DSA 4565-1. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update.

    Further information on the mitigation can be found at <https://www.kernel.org/doc/html/lates…sync_abort.html> or in the linux-doc-4.9 or linux-doc-4.19 package.

    Intel's explanation of the issue can be found at <https://software.intel.com/security-softw…nchronous-abort>.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.9.189-3+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 4.19.67-2+deb10u2.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

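The kernel reports the state of each of these mitigations in one file per issue under /sys/devices/system/cpu/vulnerabilities, and the TAA entry distinguishes a kernel that carries the mitigation code but is still waiting for the microcode update described above ("Vulnerable: Clear CPU buffers attempted, no microcode") from a fully mitigated one ("Mitigation: Clear CPU buffers" or "Mitigation: TSX disabled"). The following Python script is an added example, not part of the advisory or of the kernel: it parses those status files using the strings documented in the kernel's tsx_async_abort and multihit hardware-vulnerability pages and turns them into a short list of what still needs attention. SAMPLE_SYSFS is a constructed snapshot of a hypothetical host that has the updated kernel but not yet the updated intel-microcode package; read_sysfs() reads the live directory on a real host.

```python
"""Classify the kernel's per-vulnerability status files so that a host
with the kernel update but without the matching microcode is flagged.

Added example, not from the advisory or the kernel.  The status strings
matched here are the ones documented in the kernel's hw-vuln pages for
tsx_async_abort and itlb_multihit; SAMPLE_SYSFS is a constructed snapshot
of /sys/devices/system/cpu/vulnerabilities on a hypothetical host.
"""
import os
from dataclasses import dataclass

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed snapshot: kernel updated, microcode not yet installed.
SAMPLE_SYSFS = {
    "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
}


@dataclass
class Status:
    name: str
    affected: bool          # False for "Not affected"
    mitigated: bool         # True when the line starts with "Mitigation:"
    needs_microcode: bool   # kernel code present, CPU microcode missing
    smt: str                # "vulnerable", "mitigated", "disabled", ... or ""


def parse_status(name: str, line: str) -> Status:
    """Parse one sysfs line of the form "<state>[; SMT <state>]".
    The itlb_multihit file prefixes the state with "KVM: " because the
    mitigation lives in the hypervisor, so that prefix is stripped first."""
    line = line.strip()
    main, _, smt_part = line.partition("; SMT ")
    if main.startswith("KVM: "):
        main = main[len("KVM: "):]
    if main == "Not affected":
        return Status(name, False, True, False, "")
    return Status(
        name,
        affected=True,
        mitigated=main.startswith("Mitigation:"),
        needs_microcode="no microcode" in main,
        smt=smt_part.lower(),
    )


def read_sysfs(directory: str = VULN_DIR) -> dict:
    """Read every status file in the vulnerabilities directory (real host)."""
    snapshot = {}
    for entry in sorted(os.listdir(directory)):
        with open(os.path.join(directory, entry)) as fh:
            snapshot[entry] = fh.read()
    return snapshot


def findings(snapshot: dict) -> list:
    """Return one line per issue that is still open on this host."""
    notes = []
    for name, line in snapshot.items():
        st = parse_status(name, line)
        if not st.affected:
            continue
        if st.needs_microcode:
            notes.append(f"{name}: kernel mitigation present but CPU microcode missing"
                         " (install the intel-microcode update)")
        elif not st.mitigated:
            notes.append(f"{name}: vulnerable, no mitigation active")
        if st.smt == "vulnerable":
            notes.append(f"{name}: SMT siblings still share the affected buffers;"
                         " consider disabling SMT for untrusted workloads")
    return notes


if __name__ == "__main__":
    snap = read_sysfs() if os.path.isdir(VULN_DIR) else SAMPLE_SYSFS
    for note in findings(snap) or ["no open findings"]:
        print(note)
```

Because the "no microcode" state is reported per issue, the same check shows whether the MDS mitigation (which the advisory says also covers TAA on MDS-affected CPUs) is really active; a host that prints "attempted, no microcode" for both has not completed the update even though the kernel package is at the fixed version.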

    • Official post

    Package : intel-microcode

    CVE ID : CVE-2019-11135 CVE-2019-11139

    This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the TAA (TSX Asynchronous Abort) vulnerability. For affected CPUs, to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages as released in DSA 4564-1.

    For the oldstable distribution (stretch), these problems have been fixed in version 3.20191112.1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 3.20191112.1~deb10u1.

    We recommend that you upgrade your intel-microcode packages.

    For the detailed security status of intel-microcode please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/intel-microcode


    • Official post

    Package : qemu

    Debian Bug : 944623

    This update for QEMU, a fast processor emulator, backports support for passing through the pschange-mc-no CPU flag. The virtualised MSR seen by a guest is set to show the bug as fixed, allowing iTLB Multihit mitigations to be disabled in nested hypervisors (cf. DSA 4564-1).

    For the stable distribution (buster), this problem has been fixed in version 1:3.1+dfsg-8+deb10u3.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu


    • Official post

    Package : dpdk

    CVE ID : CVE-2019-14818

    It was discovered that the vhost PMD in DPDK, a set of libraries for fast packet processing, was affected by memory and file descriptor leaks which could result in denial of service.

    For the oldstable distribution (stretch), this problem has been fixed in version 16.11.9-1+deb9u2.

    For the stable distribution (buster), this problem has been fixed in version 18.11.2-2+deb10u2.

    We recommend that you upgrade your dpdk packages.

    For the detailed security status of dpdk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/dpdk


    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2019-8812 CVE-2019-8814

    These vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2019-8812

    An anonymous researcher discovered that maliciously crafted web content may lead to arbitrary code execution.

    CVE-2019-8814

    Cheolung Lee discovered that maliciously crafted web content may lead to arbitrary code execution.

    For the stable distribution (buster), these problems have been fixed in version 2.26.2-1~deb10+1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    • Official post

    Package : postgresql-common

    CVE ID : CVE-2019-3466

    Rich Mirch discovered that the pg_ctlcluster script didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation.

    For the oldstable distribution (stretch), this problem has been fixed in version 181+deb9u3.

    For the stable distribution (buster), this problem has been fixed in version 200+deb10u3.

    We recommend that you upgrade your postgresql-common packages.

    For the detailed security status of postgresql-common please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-common


    • Official post

    Package : ghostscript

    CVE ID : CVE-2019-14869

    Manfred Paul and Lukas Schauer reported that the .charkeys procedure in Ghostscript, the GPL PostScript/PDF interpreter, does not properly restrict privileged calls, which could result in bypass of file system restrictions of the dSAFER sandbox.

    For the oldstable distribution (stretch), this problem has been fixed in version 9.26a~dfsg-0+deb9u6.

    For the stable distribution (buster), this problem has been fixed in version 9.27~dfsg-2+deb10u3.

    We recommend that you upgrade your ghostscript packages.

    For the detailed security status of ghostscript please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ghostscript


    • Official post

    Package : mosquitto

    CVE ID : CVE-2019-11779

    Debian Bug : 940654

    A vulnerability was discovered in mosquitto, an MQTT version 3.1/3.1.1 compatible message broker, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash) by sending a specially crafted SUBSCRIBE packet containing a topic with an extremely deep hierarchy.

    For the stable distribution (buster), this problem has been fixed in version 1.5.7-1+deb10u1.

    We recommend that you upgrade your mosquitto packages.

    For the detailed security status of mosquitto please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mosquitto


    • Official post

    Package : thunderbird

    CVE ID : CVE-2019-15903 CVE-2019-11764 CVE-2019-11763

    CVE-2019-11762 CVE-2019-11761 CVE-2019-11760

    CVE-2019-11759 CVE-2019-11757 CVE-2019-11755

    Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code or denial of service.

    Debian follows the Thunderbird upstream releases. Support for the 60.x series has ended, so starting with this update we're now following the 68.x releases.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.2.2-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.2.2-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    • Official post

    Package : slurm-llnl

    CVE ID : CVE-2019-12838

    It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, did not escape strings when importing an archive file into the accounting_storage/mysql backend, resulting in SQL injection.

    For the stable distribution (buster), this problem has been fixed in version 18.08.5.2-1+deb10u1.

    We recommend that you upgrade your slurm-llnl packages.

    For the detailed security status of slurm-llnl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/slurm-llnl


    • Official post

    Package : symfony

    CVE ID : CVE-2019-18887 CVE-2019-18888 CVE-2019-18889

    Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization.

    For the oldstable distribution (stretch), these problems have been fixed in version 2.8.7+dfsg-1.3+deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 3.4.22+dfsg-2+deb10u1.

    We recommend that you upgrade your symfony packages.

    For the detailed security status of symfony please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/symfony


    • Official post

    Package : enigmail

    DSA 4571-1 updated Thunderbird to the 68.x series, which is incompatible with the Enigmail release shipped in Debian Buster.

    For the stable distribution (buster), this problem has been fixed in version 2:2.1.3+ds1-4~deb10u2.

    We recommend that you upgrade your enigmail packages.


    • Official post

    Package : chromium

    CVE ID : CVE-2019-13723 CVE-2019-13724

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2019-13723

    Yuxiang Li discovered a use-after-free issue in the bluetooth service.

    CVE-2019-13724

    Yuxiang Li discovered an out-of-bounds read issue in the bluetooth service.

    For the oldstable distribution (stretch), security support for the chromium package has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 78.0.3904.108-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    • Official post

    Package : php-imagick

    CVE ID : CVE-2019-11037

    Debian Bug : 928420

    An out-of-bounds write vulnerability was discovered in php-imagick, a PHP extension to create and modify images using the ImageMagick API, which could result in denial of service, or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.4.3~rc2-2+deb9u1.

    We recommend that you upgrade your php-imagick packages.

    For the detailed security status of php-imagick please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php-imagick


    • Official post

    Package : haproxy

    CVE ID : CVE-2019-19330

    Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, did not properly sanitize HTTP headers when converting from HTTP/2 to HTTP/1. This would allow a remote user to perform CRLF injections.

    For the stable distribution (buster), this problem has been fixed in version 1.8.19-1+deb10u1.

    We recommend that you upgrade your haproxy packages.

    For the detailed security status of haproxy please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/haproxy

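The mechanism behind this class of bug is the HTTP/2 to HTTP/1 downgrade: HTTP/2 carries each header value as a length-prefixed binary field, so a value can contain CR and LF bytes that can never appear inside a well-formed HTTP/1 field line, and a converter that copies the value verbatim turns them into an extra header line (or a second request) on the backend connection. The following Python code is an added illustration of that bug class beside its fix, not haproxy's implementation and not a description of the exact haproxy code path: it shows a naive converter next to one that rejects such values as RFC 7540 section 10.3 requires. The decoded HTTP/2 header blocks it operates on are constructed.

```python
"""Illustrate the HTTP/2 -> HTTP/1 header-downgrade bug class: a value with
embedded CR/LF is copied into the HTTP/1 request and becomes a new header.

Added example, not haproxy's code.  The header lists below are constructed
(name, value) pairs as an HPACK decoder would hand them over.
"""

# Constructed decoded HTTP/2 header block from a malicious client.
MALICIOUS_H2_HEADERS = [
    (":method", "GET"),
    (":path", "/"),
    (":authority", "example.test"),
    ("x-forwarded-for", "10.0.0.1\r\nX-Admin: true"),   # CRLF inside a value
]

# The same request without the injected line.
CLEAN_H2_HEADERS = [
    (":method", "GET"),
    (":path", "/"),
    (":authority", "example.test"),
    ("x-forwarded-for", "10.0.0.1"),
]


def h2_to_h1_unsafe(headers):
    """Naive downgrade: each value is copied verbatim, so a CRLF inside a
    value is serialized as the end of one header line and start of another."""
    pseudo = dict(h for h in headers if h[0].startswith(":"))
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"Host: {pseudo[':authority']}"]
    for name, value in headers:
        if not name.startswith(":"):
            lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


class MalformedHeader(ValueError):
    """Raised for a header that cannot be represented as one HTTP/1 field line."""


_FORBIDDEN = {"\r", "\n", "\0"}   # RFC 7540 s.10.3: treat as malformed
# RFC 7230 tchar, lowercase only: RFC 7540 s.8.1.2 makes uppercase names malformed.
_TCHAR = set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz")


def validate_h2_header(name, value):
    """Reject names and values that would change meaning when re-serialized."""
    if not name.startswith(":"):
        if not name or any(c not in _TCHAR for c in name):
            raise MalformedHeader(f"bad field name {name!r}")
    if any(c in _FORBIDDEN for c in value):
        raise MalformedHeader(f"control characters in value of {name!r}")
    if value != value.strip(" \t"):   # padding cannot be round-tripped
        raise MalformedHeader(f"whitespace padding in value of {name!r}")


def h2_to_h1_safe(headers):
    """Hardened downgrade: validate every field before serializing."""
    for name, value in headers:
        validate_h2_header(name, value)
    return h2_to_h1_unsafe(headers)


def is_rejected(headers):
    """True when the hardened converter refuses the header block."""
    try:
        h2_to_h1_safe(headers)
    except MalformedHeader:
        return True
    return False


def h1_header_names(request):
    """Header names as the HTTP/1 backend would parse them from the wire."""
    head = request.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    print(h1_header_names(h2_to_h1_unsafe(MALICIOUS_H2_HEADERS)))  # X-Admin appears
    print(is_rejected(MALICIOUS_H2_HEADERS), is_rejected(CLEAN_H2_HEADERS))
```

Rejecting the stream is the right response rather than stripping the bytes: a value that contains CR/LF is not a valid HTTP/2 field at all, and silently rewriting it would leave the backend's view of the request different from the client's, which is the precondition for request smuggling.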

    • Official post

    Package : libvpx

    CVE ID : CVE-2019-9232 CVE-2019-9325 CVE-2019-9433 CVE-2019-9371

    Multiple security issues were found in the libvpx multimedia library which could result in denial of service and potentially the execution of arbitrary code if malformed WebM files are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.6.1-3+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 1.7.0-3+deb10u1.

    We recommend that you upgrade your libvpx packages.

    For the detailed security status of libvpx please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libvpx


    • Official post

    Package : nss

    CVE ID : CVE-2019-11745 CVE-2019-17007

    Two vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service and potentially the execution of arbitrary code.

    For the stable distribution (buster), these problems have been fixed in version 2:3.42.1-1+deb10u2.

    We recommend that you upgrade your nss packages.

    For the detailed security status of nss please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nss


    • Official post

    Package : firefox-esr

    CVE ID : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010

    CVE-2019-17011 CVE-2019-17012

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.3.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.3.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr
