Debian 10220 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-78-1 wireshark security update

Debian GNU/Linux 8 LTS:
DLA 1644-1: policykit-1 security update
DLA 1645-1: wireshark security update

Debian GNU/Linux 9:
DSA 4373-1: coturn security update
DSA 4374-1: qtbase-opensource-src security update



ELA-78-1 wireshark security update

Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u14
Related CVE: CVE-2019-5716 CVE-2019-5717 CVE-2019-5719
Several issues in wireshark, a network traffic analyzer, have been found. Dissectors of - ISAKMP, a Internet Security Association and Key Management Protocol - P_MUL, a reliable multicast transfer protocol - 6LoWPAN, IPv6 over Low power Wireless Personal Area Network are affected.

CVE-2019-5719 Mateusz Jurczyk found that a missing encryption block in a packet could crash the ISAKMP dissector.

CVE-2019-5717 It was found that the P_MUL dissector could crash when a malformed packet contains an illegal Data PDU sequence number of 0. Such a packet may not be analysed.

CVE-2019-5716 It was found that the 6LoWPAN dissector could crash when a malformed packet does not contain IPHC information though the header says it should.

For Debian 7 Wheezy, these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u14.

We recommend that you upgrade your wireshark packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1644-1: policykit-1 security update




Package : policykit-1
Version : 0.105-15~deb8u4
CVE ID : CVE-2018-19788 CVE-2019-6133

Two vulnerabilities were found in Policykit, a framework for managing
administrative policies and privileges:

CVE-2018-19788

It was discovered that incorrect processing of very high UIDs in
Policykit could result in authentication bypass.

CVE-2019-6133

Jann Horn of Google found that Policykit doesn't properly check
if a process is already authenticated, which can lead to an
authentication reuse by a different user.

For Debian 8 "Jessie", these problems have been fixed in version
0.105-15~deb8u4.

We recommend that you upgrade your policykit-1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1645-1: wireshark security update




Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u17
CVE ID : CVE-2019-5716 CVE-2019-5717 CVE-2019-5719


Several issues in wireshark, a network traffic analyzer, have been found.
Dissectors of
- ISAKMP, a Internet Security Association and Key Management Protocol
- P_MUL, a reliable multicast transfer protocol
- 6LoWPAN, IPv6 over Low power Wireless Personal Area Network
are affected.

CVE-2019-5719
Mateusz Jurczyk found that a missing encryption block in a packet could
crash the ISAKMP dissector.

CVE-2019-5717
It was found that the P_MUL dissector could crash when a malformed
packet contains an illegal Data PDU sequence number of 0. Such a packet
may not be analysed.

CVE-2019-5716
It was found that the 6LoWPAN dissector could crash when a malformed
packet does not contain IPHC information though the header says it
should.


For Debian 8 "Jessie", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u17.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4373-1: coturn security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4373-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
January 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : coturn
CVE ID : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for
VoIP.

CVE-2018-4056

An SQL injection vulnerability was discovered in the coTURN administrator
web portal. As the administration web interface is shared with the
production, it is unfortunately not possible to easily filter outside
access and this security update completely disable the web interface. Users
should use the local, command line interface instead.

CVE-2018-4058

Default configuration enables unsafe loopback forwarding. A remote attacker
with access to the TURN interface can use this vulnerability to gain access
to services that should be local only.

CVE-2018-4059

Default configuration uses an empty password for the local command line
administration interface. An attacker with access to the local console
(either a local attacker or a remote attacker taking advantage of
CVE-2018-4058) could escalade privileges to administrator of the coTURN
server.

For the stable distribution (stretch), these problems have been fixed in
version 4.5.0.5-1+deb9u1.

We recommend that you upgrade your coturn packages.

For the detailed security status of coturn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/coturn

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4374-1: qtbase-opensource-src security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4374-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
January 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : qtbase-opensource-src
CVE ID : CVE-2018-15518 CVE-2018-19870 CVE-2018-19873
Debian Bug : 907139

Several issues were discovered in qtbase-opensource-src, a
cross-platform C++ application framework, which could lead to
denial-of-service via application crash. Additionally, this update
fixes a problem affecting vlc, where it would start without a GUI.

For the stable distribution (stretch), these problems have been fixed in
version 5.7.1+dfsg-3+deb9u1.

We recommend that you upgrade your qtbase-opensource-src packages.

For the detailed security status of qtbase-opensource-src please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qtbase-opensource-src

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/