The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-121-1 intel-microcode security update
ELA-122-1 curl security update
Debian GNU/Linux 8 LTS:
DLA 1806-1: thunderbird security update
DLA 1807-1: vcftools security update
ELA-121-1 intel-microcode security update
Package: intel-microcode
Version: 3.20190514.1~deb7u1
Related CVE: CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
This update ships updated CPU microcode for most types of Intel CPUs. It provides microcode support to implement mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware vulnerabilities.
To fully resolve these vulnerabilities it is also necessary to update the Linux kernel packages. An update for that will follow soon.
For Debian 7 Wheezy, these problems have been fixed in version 3.20190514.1~deb7u1.
We recommend that you upgrade your intel-microcode packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
ELA-122-1 curl security update
Package: curl
Version: 7.26.0-1+wheezy25+deb7u4
Related CVE: CVE-2019-5436
cURL, a URL transfer library, contains a heap buffer overflow in the function tftp_receive_packet() that receives data from a TFTP server. It calls recvfrom() with the default size for the buffer rather than with the size that was used to allocate it. Thus, the content that might overwrite the heap memory is entirely controlled by the server.
For Debian 7 Wheezy, these problems have been fixed in version 7.26.0-1+wheezy25+deb7u4.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1806-1: thunderbird security update
Package : thunderbird
Version : 1:60.7.0-1~deb8u1
CVE ID : CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819
CVE-2019-9820 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693
CVE-2019-11698
Multiple security issues have been found in Thunderbird: Multiple
vulnerabilities may lead to the execution of arbitrary code or denial of
service.
For Debian 8 "Jessie", these problems have been fixed in version
1:60.7.0-1~deb8u1.
We recommend that you upgrade your thunderbird packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1807-1: vcftools security update
Package : vcftools
Version : 0.1.12+dfsg-1+deb8u1
CVE ID : CVE-2018-11099 CVE-2018-11129 CVE-2018-11130
Webin security lab - dbapp security Ltd found three issues in vcftools, a
collection of tools to work with VCF files. Different functions in
header.cpp are vulnerable to denial of service due to use-after-free
issues or information disclosure due to heap-based buffer over-read.
For Debian 8 "Jessie", these problems have been fixed in version
0.1.12+dfsg-1+deb8u1.
We recommend that you upgrade your vcftools packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS