The following updates for Debian GNU/Linux have been released:
Debian GNU/Linux 7 Extended LTS:
ELA-22-1 mutt security update
Debian GNU/Linux 8 LTS:
DLA 1414-2: mercurial regression update
DLA 1447-1: libidn security update
DLA 1449-1: openssl security update
DLA-1448-1: policykit-1 security update
ELA-22-1 mutt security update
Package: mutt
Version: 1.5.21-6.2+deb7u4
Related CVE: CVE-2018-14349 CVE-2018-14350 CVE-2018-14351 CVE-2018-14352 CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356 CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14362
Several vulnerabilities have been discovered in mutt, a sophisticated text-based Mail User Agent, resulting in denial of service, stack-based buffer overflow, arbitrary command execution, and directory traversal flaws.
For Debian 7 Wheezy, these problems have been fixed in version 1.5.21-6.2+deb7u4.
We recommend that you upgrade your mutt packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1414-2: mercurial regression update
Package : mercurial
Version : 3.1.2-2+deb8u6
CVE ID : CVE-2017-17458
The fix for arbitrary code execution documented in CVE-2017-17458 was
incomplete in the previous upload. A more exhaustive change was
implemented upstream and completely disables non-Mercurial
subrepositories unless users changed the subrepos.allowed setting.
For Debian 8 "Jessie", this problem has been fixed in version
3.1.2-2+deb8u6.
We recommend that you upgrade your mercurial packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1447-1: libidn security update
Package : libidn
Version : 1.29-1+deb8u3
CVE ID : CVE-2017-14062
Debian Bug : 873903
An integer overflow vulnerability was discovered in libidn, the GNU library for
Internationalized Domain Names (IDNs), in its Punycode handling (an encoding of
Unicode characters into ASCII), allowing a remote attacker to cause a denial of
service against applications using the library.
For Debian 8 "Jessie", this problem has been fixed in version
1.29-1+deb8u3.
We recommend that you upgrade your libidn packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1449-1: openssl security update
Package : openssl
Version : 1.0.1t-1+deb8u9
CVE ID : CVE-2018-0732 CVE-2018-0737
Debian Bug : 895844
Two issues were discovered in OpenSSL, the Secure Sockets Layer toolkit.
CVE-2018-0732
Denial of service by a malicious server that sends a very large
prime value to the client during the TLS handshake.
CVE-2018-0737
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and
Luis Manuel Alvarez Tapia discovered that the OpenSSL RSA Key
generation algorithm has been shown to be vulnerable to a cache
timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process
could recover the private key.
For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u9.
We recommend that you upgrade your openssl packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA-1448-1: policykit-1 security update
Package : policykit-1
Version : 0.105-15~deb8u3
CVE ID : CVE-2018-1116
Debian Bug : 903563
It was discovered that there was a denial of service vulnerability in
policykit-1, a framework for managing administrative policies and
privileges.
For Debian 8 "Jessie", this issue has been fixed in policykit-1 version
0.105-15~deb8u3.
We recommend that you upgrade your policykit-1 packages.
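Each advisory above names a fixed version and asks you to upgrade; deciding whether an installed package is already at or past that version needs dpkg's ordering, not a string compare. The following Python is an added example (not part of any advisory) that implements that ordering and checks `dpkg-query -W` style output (name, tab, version) against the fixed versions listed above, so that `0.105-15~deb8u3` correctly sorts below `0.105-15` and `+deb8u10` above `+deb8u9`; the suite names and the sample dpkg output are constructed.

```python
import re

# Fixed versions taken from the advisories above.
FIXED_VERSIONS = {
    ("wheezy", "mutt"): "1.5.21-6.2+deb7u4",
    ("jessie", "mercurial"): "3.1.2-2+deb8u6",
    ("jessie", "libidn"): "1.29-1+deb8u3",
    ("jessie", "openssl"): "1.0.1t-1+deb8u9",
    ("jessie", "policykit-1"): "0.105-15~deb8u3",
}
def _order(c):
    # dpkg's weight for a non-digit char: '~' < end of part < letters < symbols.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    """Compare one upstream-version or debian-revision part as dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):  # non-digit run, char by char
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return (d > 0) - (d < 0)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):  # digit run, numerically; empty is 0
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0
def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 as [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
def unpatched(suite, dpkg_output):
    """Packages from `dpkg-query -W` lines (name<TAB>version) below the fix."""
    names = []
    for line in dpkg_output.splitlines():
        name, _, version = line.partition("\t")
        fixed = FIXED_VERSIONS.get((suite, name))
        if fixed and compare_versions(version, fixed) < 0:
            names.append(name)
    return names
# Constructed sample dpkg-query output, not from a real host.
SAMPLE_JESSIE = "libidn\t1.29-1+deb8u2\nopenssl\t1.0.1t-1+deb8u9\npolicykit-1\t0.105-15~deb8u3\nmercurial\t3.1.2-2+deb8u5\n"
```

On a real Jessie host, `unpatched("jessie", subprocess.check_output(["dpkg-query", "-W"], text=True))` lists the packages still needing the update; on the constructed sample it returns `['libidn', 'mercurial']`.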