Debian Security Advisory

  • Package : git

    CVE ID : CVE-2019-1348 CVE-2019-1349 CVE-2019-1352 CVE-2019-1353 CVE-2019-1387 CVE-2019-19604


    Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system.


    CVE-2019-1348


    It was reported that the --export-marks option of git fast-import is also exposed via the in-stream command feature export-marks=..., allowing arbitrary paths to be overwritten.


    CVE-2019-1387


    It was discovered that submodule names are not validated strictly enough, allowing very targeted remote code execution attacks when performing recursive clones.


    CVE-2019-19604


    Joern Schneeweisz reported a vulnerability, where a recursive clone followed by a submodule update could execute code contained within the repository without the user explicitly having asked for that. It is now disallowed for `.gitmodules` to have entries that set `submodule.<name>.update=!command`.
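    As an added illustration of the `.gitmodules` entry the CVE-2019-19604 fix rejects (example code written for this page, not git's own implementation), the following Python scanner parses a `.gitmodules` file and reports any `update=!command` setting before a recursive clone or `submodule update` is run. It also flags submodule names with path traversal components, the class of problem behind CVE-2019-1387; that second check is a conservative policy chosen for the example and is not git's exact validation rule. The sample file content, names and URLs are constructed.

```python
import re
from typing import Dict, List

# Constructed sample .gitmodules content; names, paths and URLs are invented for this example.
SAMPLE_GITMODULES = """\
[submodule "libs/helper"]
\tpath = libs/helper
\turl = https://example.invalid/helper.git
[submodule "tools"]
\tpath = tools
\turl = https://example.invalid/tools.git
\tupdate = !some-command
[submodule "../escape"]
\tpath = vendor/x
\turl = https://example.invalid/x.git
\tupdate = checkout
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the git-config style .gitmodules file.

    Returns {submodule name: {key: value}}; keys are lower-cased because git treats them
    case-insensitively. Comments and lines outside a [submodule "..."] section are ignored.
    """
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            modules.setdefault(current, {})
            continue
        kv = KEYVAL_RE.match(line)
        if kv and current is not None:
            modules[current][kv.group(1).lower()] = kv.group(2)
    return modules


def audit_gitmodules(text: str) -> List[str]:
    """Return human-readable findings for a .gitmodules file.

    Check 1: an "update" value starting with "!" is the submodule.<name>.update=!command form
             that the CVE-2019-19604 fix disallows in .gitmodules.
    Check 2: a name containing "", "." or ".." path components could escape the .git/modules/
             area. This is a conservative policy for the example, not git's exact rule (assumption).
    """
    findings: List[str] = []
    for name, cfg in parse_gitmodules(text).items():
        update = cfg.get("update", "")
        if update.startswith("!"):
            findings.append(f"{name}: update={update!r} would run a command during 'submodule update'")
        components = name.replace("\\", "/").split("/")
        if any(part in ("", ".", "..") for part in components):
            findings.append(f"{name}: submodule name contains path traversal components")
    return findings


if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE_GITMODULES):
        print(finding)
```

    Run it against a checkout's `.gitmodules` before passing `--recursive` to `git clone`; an updated git refuses such entries itself, but the scan is a cheap pre-check for hosts that cannot be upgraded immediately.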


    In addition, this update addresses several security issues that only affect git operating on an NTFS filesystem (CVE-2019-1349, CVE-2019-1352 and CVE-2019-1353).


    For the oldstable distribution (stretch), these problems have been fixed in version 1:2.11.0-3+deb9u5.


    For the stable distribution (buster), these problems have been fixed in version 1:2.20.1-2+deb10u1.


    We recommend that you upgrade your git packages.


    For the detailed security status of git please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/git


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : intel-microcode

    CVE ID : CVE-2019-11135 CVE-2019-11139

    Debian Bug : 946515


    This update ships updated CPU microcode for CFL-S (Coffee Lake Desktop) models of Intel CPUs which were not yet included in the Intel microcode update released as DSA 4565-1. For details please refer to https://www.intel.com/content/…update-guidance-v1.01.pdf


    Additionally this update rolls back CPU microcode for HEDT and Xeon processors with signature 0x50654 which were affected by a regression causing hangs on warm reboots (Cf. #946515).


    For the oldstable distribution (stretch), these problems have been fixed in version 3.20191115.2~deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 3.20191115.2~deb10u1.


    We recommend that you upgrade your intel-microcode packages.


    For the detailed security status of intel-microcode please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/intel-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : davical

    CVE ID : CVE-2019-18345 CVE-2019-18346 CVE-2019-18347

    Debian Bug : 946343


    Multiple cross-site scripting and cross-site request forgery issues were discovered in the DAViCal CalDAV Server.


    For the oldstable distribution (stretch), these problems have been fixed in version 1.1.5-1+deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 1.1.8-1+deb10u1.


    We recommend that you upgrade your davical packages.


    For the detailed security status of davical please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/davical


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : spip

    CVE ID : not yet available


    A vulnerability was discovered in the SPIP publishing system, which could result in unauthorised writes to the database by authors.


    The oldstable distribution (stretch) is not affected.


    For the stable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u2.


    We recommend that you upgrade your spip packages.


    For the detailed security status of spip please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : spamassassin

    CVE ID : CVE-2018-11805 CVE-2019-12420

    Debian Bug : 946652 946653


    Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis.


    CVE-2018-11805


    Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.


    CVE-2019-12420


    Specially crafted multipart messages can cause spamassassin to use excessive resources, resulting in a denial of service.


    For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u2.


    For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u1.


    We recommend that you upgrade your spamassassin packages.


    For the detailed security status of spamassassin please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spamassassin


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : thunderbird

    CVE ID : CVE-2019-17005 CVE-2019-17008 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012

    Debian Bug : 946588


    Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code.


    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.3.0-2~deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 1:68.3.0-2~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : ruby2.5

    CVE ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255


    Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u1.


    We recommend that you upgrade your ruby2.5 packages.


    For the detailed security status of ruby2.5 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby2.5


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : ruby2.3

    CVE ID : CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255


    Several vulnerabilities have been discovered in the interpreter for the Ruby language, which could result in unauthorized access by bypassing intended path matchings, denial of service, or the execution of arbitrary code.


    For the oldstable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u7.


    We recommend that you upgrade your ruby2.3 packages.


    For the detailed security status of ruby2.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby2.3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : python-ecdsa

    CVE ID : CVE-2019-14853 CVE-2019-14859


    It was discovered that python-ecdsa, a cryptographic signature library for Python, incorrectly handled certain signatures. A remote attacker could use this issue to cause python-ecdsa to either not warn about incorrect signatures, or generate exceptions resulting in a denial-of-service.


    For the oldstable distribution (stretch), these problems have been fixed in version 0.13-2+deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 0.13-3+deb10u1.


    We recommend that you upgrade your python-ecdsa packages.


    For the detailed security status of python-ecdsa please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-ecdsa


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : debian-edu-config

    CVE ID : CVE-2019-3467

    Debian Bug : 946797


    It was discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.


    For the oldstable distribution (stretch), this problem has been fixed in version 1.929+deb9u4.


    For the stable distribution (buster), this problem has been fixed in version 2.10.65+deb10u3.


    We recommend that you upgrade your debian-edu-config packages.


    For the detailed security status of debian-edu-config please refer to its security tracker page at:

    https://security-tracker.debia…tracker/debian-edu-config


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : cyrus-imapd

    CVE ID : CVE-2019-19783


    It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the "fileinto" action was used, bypassing ACL checks.


    For the oldstable distribution (stretch), this problem has been fixed in version 2.5.10-3+deb9u2.


    For the stable distribution (buster), this problem has been fixed in version 3.0.8-6+deb10u3.


    We recommend that you upgrade your cyrus-imapd packages.


    For the detailed security status of cyrus-imapd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/cyrus-imapd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : cyrus-sasl2

    CVE ID : CVE-2019-19906

    Debian Bug : 947043


    Stephan Zeisberg reported an out-of-bounds write vulnerability in the _sasl_add_string() function in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer. A remote attacker can take advantage of this issue to cause denial-of-service conditions for applications using the library.


    For the oldstable distribution (stretch), this problem has been fixed in version 2.1.27~101-g0780600+dfsg-3+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 2.1.27+dfsg-1+deb10u1.


    We recommend that you upgrade your cyrus-sasl2 packages.


    For the detailed security status of cyrus-sasl2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/cyrus-sasl2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : mediawiki

    CVE ID : CVE-2019-19709


    It was discovered that the Title blacklist functionality in MediaWiki, a website engine for collaborative work, could be bypassed.


    For the oldstable distribution (stretch), this problem has been fixed in version 1:1.27.7-1~deb9u3.


    For the stable distribution (buster), this problem has been fixed in version 1:1.31.6-1~deb10u1.


    We recommend that you upgrade your mediawiki packages.


    For the detailed security status of mediawiki please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mediawiki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : freeimage

    CVE ID : CVE-2019-12211 CVE-2019-12213

    Debian Bug : 929597


    It was found that freeimage, a graphics library, was affected by the following two security issues:


    CVE-2019-12211


    Heap buffer overflow caused by an invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data.


    CVE-2019-12213


    Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data.


    For the oldstable distribution (stretch), these problems have been fixed in version 3.17.0+ds1-5+deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 3.18.0+ds2-1+deb10u1.


    We recommend that you upgrade your freeimage packages.


    For the detailed security status of freeimage please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/freeimage


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : openssl1.0

    CVE ID : CVE-2019-1551


    Guido Vranken discovered an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli.


    For the oldstable distribution (stretch), this problem has been fixed in version 1.0.2u-1~deb9u1.


    We recommend that you upgrade your openssl1.0 packages.


    For the detailed security status of openssl1.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssl1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : debian-lan-config

    CVE ID : CVE-2019-3467

    Debian Bug : 947459


    It was discovered that debian-lan-config, a FAI config space for the Debian-LAN system, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.


    This update provides a fixed configuration for new deployments; for existing setups, the NEWS file shipped in this update provides advice on fixing the configuration.


    For the oldstable distribution (stretch), this problem has been fixed in version 0.23+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 0.25+deb10u1.


    We recommend that you upgrade your debian-lan-config packages.


    For the detailed security status of debian-lan-config please refer to its security tracker page at:

    https://security-tracker.debia…tracker/debian-lan-config


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : tomcat8

    CVE ID : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221 CVE-2019-12418 CVE-2019-17563


    Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.


    For the oldstable distribution (stretch), these problems have been fixed in version 8.5.50-0+deb9u1. This update also requires an updated version of tomcat-native which has been updated to 1.2.21-1~deb9u1.


    We recommend that you upgrade your tomcat8 packages.


    For the detailed security status of tomcat8 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tomcat8


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : netty

    CVE ID : CVE-2019-16869

    Debian Bug : 941266


    It was reported that Netty, a Java NIO client/server framework, is prone to a HTTP request smuggling vulnerability due to mishandling whitespace before the colon in HTTP headers.
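    The advisory's "whitespace before the colon" condition is easiest to see with two parsers side by side. The Python below is an added example for this page, not Netty's code: a strict HTTP/1.1 header parser that rejects a field name followed by whitespace, as RFC 7230 section 3.2.4 requires (a server MUST respond 400), next to a lenient mode that trims the whitespace. When a front end and a back end apply different rules to the same bytes they disagree on which header a line carries and therefore on how long the body is, which is the request smuggling discrepancy described above. The header sections are constructed, not captured traffic.

```python
import re
from typing import Dict, List, Optional

# Header field names must be RFC 7230 "token"s: no whitespace, no control characters.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Raised when a header section must be rejected (HTTP 400 Bad Request)."""


def parse_headers(raw: str, strict: bool = True) -> Dict[str, List[str]]:
    """Parse an HTTP/1.1 header section (everything up to the empty line).

    strict=True  rejects whitespace between the field name and the colon (RFC 7230 3.2.4).
    strict=False trims it silently, the lenient behaviour that lets two parsers disagree
                 about which header a line carries and hence about the body length.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n"):
        if line == "":
            break                                   # end of the header section
        if line[0] in " \t":
            raise HeaderError("obsolete line folding not accepted")
        name, sep, value = line.partition(":")
        if not sep:
            raise HeaderError(f"no colon in header line {line!r}")
        if name != name.rstrip(" \t"):
            if strict:
                raise HeaderError(f"whitespace before colon in field name {name!r}")
            name = name.rstrip(" \t")
        if not TOKEN_RE.match(name):
            raise HeaderError(f"invalid field name {name!r}")
        headers.setdefault(name.lower(), []).append(value.strip(" \t"))
    return headers


def declared_body_length(raw: str, strict: bool = True) -> Optional[int]:
    """Content-Length as this parser understands it; None if absent, ambiguous or rejected."""
    try:
        values = parse_headers(raw, strict).get("content-length")
    except HeaderError:
        return None
    if not values or len(set(values)) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


# Constructed sample header sections (not captured traffic); the host name is invented.
CLEAN = "Host: app.example.invalid\r\nContent-Length: 5\r\n\r\nhello"
SPACED = "Host: app.example.invalid\r\nContent-Length : 5\r\n\r\nhello"

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("space before colon", SPACED)):
        print(label, "strict:", declared_body_length(raw, True),
              "lenient:", declared_body_length(raw, False))
```

    The strict parser returns no body length for the spaced variant because it rejects the message outright, while the lenient one reads 5; a deployment is only safe when every hop in the chain applies the strict rule.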


    For the oldstable distribution (stretch), this problem has been fixed in version 1:4.1.7-2+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 1:4.1.33-1+deb10u1.


    We recommend that you upgrade your netty packages.


    For the detailed security status of netty please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/netty


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : python-django

    CVE ID : CVE-2019-19844

    Debian Bug : 946937


    Simon Charette reported that the password reset functionality in Django, a high-level Python web development framework, uses a Unicode case-insensitive query to retrieve accounts matching the email address requesting the password reset. An attacker can take advantage of this flaw to potentially retrieve password reset tokens and hijack accounts.


    For details please refer to

    https://www.djangoproject.com/…dec/18/security-releases/
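    To make the CVE-2019-19844 flaw and its remedy concrete, here is an added Python example written for this page (not Django's code). An in-memory table stands in for the database and `str.lower()` stands in for a Unicode-aware case-insensitive collation, under which the KELVIN SIGN (U+212A) compares equal to an ASCII "k". The flawed flow mails the reset token to the address that was submitted; the hardened flow re-checks the match with a defined Unicode comparison (NFKC then casefold, the Unicode TR36 recommendation) and mails the token only to the address stored for the account, so the token never leaves for an attacker-chosen mailbox. User records and addresses are constructed.

```python
import secrets
import unicodedata
from typing import Dict, List, Optional

# Constructed in-memory user table standing in for the database; addresses are invented.
USERS: Dict[str, Dict[str, str]] = {
    "1": {"id": "1", "email": "kate@example.invalid"},
    "2": {"id": "2", "email": "bob@example.invalid"},
}

VICTIM = "kate@example.invalid"
LOOKALIKE = "\u212aate@example.invalid"   # constructed: KELVIN SIGN (U+212A) in place of ASCII "k"


def db_iexact_lookup(submitted: str) -> List[Dict[str, str]]:
    """Stand-in for a database case-insensitive query (Django's email__iexact).

    str.lower() plays the role of a Unicode-aware collation: U+212A lower-cases to "k",
    so the look-alike address matches the victim's stored row.
    """
    return [u for u in USERS.values() if u["email"].lower() == submitted.lower()]


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per Unicode TR36 2.11.2(B)(2): NFKC, then casefold."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_vulnerable(submitted: str) -> Optional[Dict[str, str]]:
    """Flawed flow: find the account case-insensitively, then mail the token to the *submitted* address."""
    for user in db_iexact_lookup(submitted):
        return {"user_id": user["id"], "recipient": submitted, "token": secrets.token_urlsafe(16)}
    return None


def reset_hardened(submitted: str) -> Optional[Dict[str, str]]:
    """Fixed flow: re-check the match with a defined Unicode comparison, so a collation looser than
    Unicode case folding cannot widen it, and mail the token only to the address stored for the account."""
    for user in db_iexact_lookup(submitted):
        if not unicode_ci_compare(submitted, user["email"]):
            continue
        return {"user_id": user["id"], "recipient": user["email"], "token": secrets.token_urlsafe(16)}
    return None


if __name__ == "__main__":
    print("vulnerable recipient:", reset_vulnerable(LOOKALIKE)["recipient"])
    print("hardened recipient:  ", reset_hardened(LOOKALIKE)["recipient"])
```

    Note that the Unicode comparison still treats the look-alike as equal to the stored address (NFKC maps U+212A to "K"), so the decisive control is the recipient: the hardened flow sends the token to the stored address regardless of what the requester typed.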


    For the oldstable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u7.


    For the stable distribution (buster), this problem has been fixed in version 1:1.11.27-1~deb10u1.


    We recommend that you upgrade your python-django packages.


    For the detailed security status of python-django please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-django


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

  • Package : wordpress

    CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043

    Debian Bug : 939543 942459 946905


    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create open redirects, poison cache, and bypass authorization access and input sanitization.


    For the stable distribution (buster), these problems have been fixed in version 5.0.4+dfsg1-1+deb10u1.


    We recommend that you upgrade your wordpress packages.


    For the detailed security status of wordpress please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/wordpress


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/