Debian 10230 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1917-1: curl security update
DLA 1920-1: golang-go.crypto security update
DLA 1921-1: dnsmasq security update



DLA 1917-1: curl security update

Package : curl
Version : 7.38.0-4+deb8u16
CVE ID : CVE-2019-5482
Debian Bug : #940010

It was discovered that there was a heap buffer overflow vulnerability
in curl, the library and command-line tool for transferring data over
the internet.

For Debian 8 "Jessie", this issue has been fixed in curl version
7.38.0-4+deb8u16.

We recommend that you upgrade your curl packages.

DLA 1920-1: golang-go.crypto security update

Package : golang-go.crypto
Version : 0.0~hg190-1+deb8u2
CVE ID : CVE-2019-11841

This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages
without invalidating the signatures.

For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.

We recommend that you upgrade your golang-go.crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1921-1: dnsmasq security update

Package : dnsmasq
Version : 2.72-3+deb8u5
CVE ID : CVE-2019-14513


Samuel R Lovejoy discovered a security vulnerability in dnsmasq.
Carefully crafted packets by DNS servers might result in out of
bounds read operations, potentially leading to a crash and denial
of service.

For Debian 8 "Jessie", this problem has been fixed in version
2.72-3+deb8u5.

We recommend that you upgrade your dnsmasq packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS