Debian 10230 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-52-1 net-snmp security update

Debian GNU/Linux 8 LTS:
DLA 1545-1: tomcat8 security update
DLA 1546-1: moin security update

Debian GNU/Linux 9:
DSA 4318-1: moin security update
DSA 4319-1: spice security update



ELA-52-1 net-snmp security update

Package: net-snmp
Version: 5.4.3~dfsg-2.8+deb7u3
Related CVE: CVE-2018-18065
Magnus K. Stubman found that an authenticated remote attacker could crash an instance of Net-SNMP by sending a specially crafted UDP packet resulting in a denial-of-service.

For Debian 7 Wheezy, these problems have been fixed in version 5.4.3~dfsg-2.8+deb7u3.

We recommend that you upgrade your net-snmp packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1545-1: tomcat8 security update




Package : tomcat8
Version : 8.0.14-1+deb8u14
CVE ID : CVE-2018-11784

Sergey Bobrov discovered that when the default servlet returned a
redirect to a directory (e.g. redirecting to /foo/ when the user
requested /foo) a specially crafted URL could be used to cause the
redirect to be generated to any URI of the attackers choice.

For Debian 8 "Jessie", this problem has been fixed in version
8.0.14-1+deb8u14.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1546-1: moin security update




Package : moin
Version : 1.9.8-1+deb8u2
CVE ID : CVE-2017-5934
Debian Bug : 910776

Nitin Venkatesh discovered a cross-site scripting vulnerability in
moin, a Python clone of WikiWiki. A remote attacker can conduct
cross-site scripting attacks via the GUI editor's link dialogue.
This only affects installations which have set up fckeditor
(not enabled by default).

For Debian 8 "Jessie", this problem has been fixed in version
1.9.8-1+deb8u2.

We recommend that you upgrade your moin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4318-1: moin security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4318-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 15, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : moin
CVE ID : CVE-2017-5934
Debian Bug : 910776

Nitin Venkatesh discovered a cross-site scripting vulnerability in moin,
a Python clone of WikiWiki. A remote attacker can conduct cross-site
scripting attacks via the GUI editor's link dialogue. This only affects
installations which have set up fckeditor (not enabled by default).

For the stable distribution (stretch), this problem has been fixed in
version 1.9.9-1+deb9u1.

We recommend that you upgrade your moin packages.

For the detailed security status of moin please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/moin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4319-1: spice security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4319-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 15, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : spice
CVE ID : CVE-2018-10873
Debian Bug : 906315

Frediano Ziglio reported a missing check in the script to generate
demarshalling code in the SPICE protocol client and server library. The
generated demarshalling code is prone to multiple buffer overflows. An
authenticated attacker can take advantage of this flaw to cause a denial
of service (spice server crash), or possibly, execute arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u2.

We recommend that you upgrade your spice packages.

For the detailed security status of spice please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/spice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/