Debian 10219 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1646-1: qemu security update
DLA 1647-1: apache2 security update

Debian GNU/Linux 9:
DSA 4375-1: spice security update



DLA 1646-1: qemu security update




Package : qemu
Version : 1:2.1+dfsg-12+deb8u9
CVE ID : CVE-2018-17958 CVE-2018-19364 CVE-2018-19489

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-17958

The rtl8139 emulator is affected by an integer overflow and subsequent
buffer overflow. This vulnerability might be triggered by remote
attackers with crafted packets to perform denial of service (via OOB
stack buffer access).

CVE-2018-19364

The 9pfs subsystem is affected by a race condition allowing threads to
modify an fid path while it is being accessed by another thread,
leading to (for example) a use-after-free outcome. This vulnerability
might be triggered by local attackers to perform denial of service.

CVE-2018-19489

The 9pfs subsystem is affected by a race condition during file
renaming. This vulnerability might be triggered by local attackers to
perform denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u9.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1647-1: apache2 security update




Package : apache2
Version : 2.4.10-10+deb8u13
CVE ID : CVE-2018-17199


Diego Angulo from ImExHS discovered an issue in the webserver apache2.
The module mod_session ignored the expiry time of sessions handled by
mod_session_cookie, because the expiry time is available only after
decoding the session and the check was already done before.


For Debian 8 "Jessie", this problem has been fixed in version
2.4.10-10+deb8u13.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4375-1: spice security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4375-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 29, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : spice
CVE ID : CVE-2019-3813
Debian Bug : 920762

Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might result in
denial of service (spice server crash), or possibly, execution of
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 0.12.8-2.1+deb9u3.

We recommend that you upgrade your spice packages.

For the detailed security status of spice please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/spice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/