The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8 LTS:
DLA 1523-1: asterisk security update
DLA 1524-1: libxml2 security update
Debian GNU/Linux 9:
DSA 4306-1: python2.7 security update
DLA 1523-1: asterisk security update
Package : asterisk
Version : 1:11.13.1~dfsg-2+deb8u6
CVE ID : CVE-2018-17281
Debian Bug : 909554
Sean Bright discovered that Asterisk, a PBX and telephony toolkit,
contained a stack overflow vulnerability in the res_http_websocket.so
module that allowed remote attackers to crash Asterisk via specially
crafted HTTP requests to upgrade the connection to a websocket.
For Debian 8 "Jessie", this problem has been fixed in version
1:11.13.1~dfsg-2+deb8u6.
We recommend that you upgrade your asterisk packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1524-1: libxml2 security update
Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u7
CVE ID : CVE-2017-18258 CVE-2018-9251 CVE-2018-14404
CVE-2018-14567
CVE-2018-14404
Fix of a NULL pointer dereference which might result in a crash and
thus in a denial of service.
CVE-2018-14567 and CVE-2018-9251
Improvement in LZMA error handling which prevents an infinite loop.
CVE-2017-18258
Limit available memory to 100MB to avoid exhaustive memory
consumption by malicious files.
For Debian 8 "Jessie", these problems have been fixed in version
2.9.1+dfsg1-5+deb8u7.
We recommend that you upgrade your libxml2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4306-1: python2.7 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4306-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 27, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python2.7
CVE ID : CVE-2018-1060 CVE-2018-1061 CVE-2018-14647
CVE-2018-1000802
Multiple security issues were discovered in Python: ElementTree failed
to initialise Expat's hash salt, two denial of service issues were found
in difflib and poplib and the shutil module was affected by a command
injection vulnerability.
For the stable distribution (stretch), these problems have been fixed in
version 2.7.13-2+deb9u3.
We recommend that you upgrade your python2.7 packages.
For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/