Debian 10230 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1696-1: ceph security update
DLA 1700-1: uw-imap security update
DLA 1701-1: openssl security update

Debian GNU/Linux 9:
DSA 4401-1: wordpress security update



DLA 1696-1: ceph security update




Package : ceph
Version : 0.80.7-2+deb8u3
CVE ID : CVE-2018-14662 CVE-2018-16846
Debian Bug : 921948 921947

Several vulnerabilities were discovered in Ceph, a distributed storage
and file system.

CVE-2018-14662

It was found that authenticated ceph users with read only
permissions could steal dm-crypt encryption keys used in ceph disk
encryption.

CVE-2018-16846

It was found that authenticated ceph RGW users can cause a denial of
service against OMAPs holding bucket indices.

For Debian 8 "Jessie", these problems have been fixed in version
0.80.7-2+deb8u3.

We recommend that you upgrade your ceph packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1700-1: uw-imap security update

Package : uw-imap
Version : 8:2007f~dfsg-4+deb8u1
CVE ID : CVE-2018-19518
Debian Bug : 914632


A vulnerability was discovered in uw-imap, the University of Washington
IMAP Toolkit, that might allow remote attackers to execute arbitrary OS
commands if the IMAP server name is untrusted input (e.g., entered by a
user of a web application) and if rsh has been replaced by a program
with different argument semantics.

This update disables access to IMAP mailboxes through running imapd over
rsh, and therefore ssh for users of the client application. Code which
uses the library can still enable it with tcp_parameters() after making
sure that the IMAP server name is sanitized.

For Debian 8 "Jessie", this problem has been fixed in version
8:2007f~dfsg-4+deb8u1.

We recommend that you upgrade your uw-imap packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1701-1: openssl security update




Package : openssl
Version : 1.0.1t-1+deb8u11
CVE ID : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
oracle attack in OpenSSL.

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive
one) then OpenSSL can respond differently to the calling application
if a 0 byte record is received with invalid padding compared to if a 0
byte record is received with an invalid MAC. If the application then
behaves differently based on that in a way that is detectable to the
remote peer, then this amounts to a padding oracle that could be used
to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must
be in use. Stitched ciphersuites are optimised implementations of
certain commonly used ciphersuites. Also the application must call
SSL_shutdown() twice even if a protocol error has occurred
(applications should not do this but some do anyway).
AEAD ciphersuites are not impacted.

For Debian 8 "Jessie", this problem has been fixed in version
1.0.1t-1+deb8u11.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4401-1: wordpress security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4401-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
March 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wordpress
CVE ID : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149 CVE-2018-20150
CVE-2018-20151 CVE-2018-20152 CVE-2018-20153 CVE-2019-8942
Debian Bug : 916403

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform various Cross-Side
Scripting (XSS) and PHP injections attacks, delete files, leak
potentially sensitive data, create posts of unauthorized types, or
cause denial-of-service by application crash.

For the stable distribution (stretch), these problems have been fixed in
version 4.7.5+dfsg-2+deb9u5.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/