
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1523-1: asterisk security update
DLA 1524-1: libxml2 security update

Debian GNU/Linux 9:
DSA 4306-1: python2.7 security update

DLA 1523-1: asterisk security update

Package : asterisk
Version : 1:11.13.1~dfsg-2+deb8u6
CVE ID : CVE-2018-17281
Debian Bug : 909554

Sean Bright discovered that Asterisk, a PBX and telephony toolkit,
contained a stack overflow vulnerability in the res_http_websocket.so
module that allowed remote attackers to crash Asterisk via specially
crafted HTTP requests to upgrade the connection to a websocket.

For Debian 8 "Jessie", this problem has been fixed in version
1:11.13.1~dfsg-2+deb8u6.

We recommend that you upgrade your asterisk packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1524-1: libxml2 security update

Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u7
CVE ID : CVE-2017-18258 CVE-2018-9251 CVE-2018-14404 CVE-2018-14567

CVE-2018-14404
Fix of a NULL pointer dereference which might result in a crash and
thus in a denial of service.

CVE-2018-14567 and CVE-2018-9251
Improvement in LZMA error handling which prevents an infinite loop.

CVE-2017-18258
Limit available memory to 100MB to avoid memory exhaustion caused by
malicious files.

For Debian 8 "Jessie", these problems have been fixed in version
2.9.1+dfsg1-5+deb8u7.

We recommend that you upgrade your libxml2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4306-1: python2.7 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-4306-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 27, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python2.7
CVE ID : CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-1000802

Multiple security issues were discovered in Python: ElementTree failed
to initialise Expat's hash salt, two denial of service issues were found
in difflib and poplib and the shutil module was affected by a command
injection vulnerability.

For the stable distribution (stretch), these problems have been fixed in
version 2.7.13-2+deb9u3.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
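Each of the three advisories above names a fixed version, and the practical check on a host is whether the installed version sorts below it under dpkg's ordering (epoch, then upstream, then revision, with `~` sorting before everything). The following is an added example, not code from Debian or from these advisories: a small Python port of that ordering, a table of the three fixed versions quoted above, and a helper that reports which lines of `dpkg-query -W -f='${Package} ${Version}\n'` output are still below the fix. The `FIXED` table, the function names and the sample dpkg-query output are constructed for this example.

```python
# Added example, not from the Debian advisories: a port of dpkg's version ordering
# used to check installed versions against the fixes in DLA-1523-1/1524-1 and DSA-4306-1.
FIXED = {  # (suite, package) -> fixed version, exactly as stated in the advisories
    ("jessie", "asterisk"): "1:11.13.1~dfsg-2+deb8u6",
    ("jessie", "libxml2"): "2.9.1+dfsg1-5+deb8u7",
    ("stretch", "python2.7"): "2.7.13-2+deb9u3",
}
def _order(c):
    # dpkg's character weight: '~' < end of string < letters < other symbols
    return 0 if not c or c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare alternating non-digit and digit runs the way dpkg's verrevcmp() does.
    i = j = 0
    while i < len(a) or j < len(b):
        diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            diff = diff or ord(a[i]) - ord(b[j])    # remember the first differing digit
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1   # longer digit run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if diff: return diff
    return 0

def compare_versions(a, b):
    # Returns -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    def split(v):  # epoch:upstream-revision; epoch defaults to 0, revision to ""
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def vulnerable_packages(suite, dpkg_query_output):
    # Takes `dpkg-query -W -f='${Package} ${Version}\n'` lines; returns (pkg, installed, fixed) below the fix.
    rows = [l.split(" ", 1) for l in dpkg_query_output.splitlines() if " " in l]
    return [(p, v, FIXED[(suite, p)]) for p, v in rows
            if (suite, p) in FIXED and compare_versions(v, FIXED[(suite, p)]) < 0]
# Constructed sample of dpkg-query output for a Jessie host (not real data).
SAMPLE_JESSIE = "asterisk 1:11.13.1~dfsg-2+deb8u5\nlibxml2 2.9.1+dfsg1-5+deb8u7\n"
```

On a real host, `dpkg --compare-versions` is the authoritative comparison; this port exists so the check can be run offline against collected inventory data.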