Debian 10224 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-173-1: libpcap security update

Debian GNU/Linux 8 LTS:
DLA 1954-1: lucene-solr security update
DLA 1956-1: ruby-openid security update



ELA-173-1: libpcap security update

Package: libpcap
Version: 1.3.0-1+deb7u1
Related CVE: CVE-2019-15165

libpcap, a system interface for user-level packet capture, does not properly validate the PHB header length in .pcapng files before allocating memory.

For Debian 7 Wheezy, these problems have been fixed in version 1.3.0-1+deb7u1.

We recommend that you upgrade your libpcap packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1954-1: lucene-solr security update

Package : lucene-solr
Version : 3.6.2+dfsg-5+deb8u3
CVE ID : CVE-2019-0193

A security vulnerability was discovered in lucene-solr, an enterprise
search server.

The DataImportHandler, an optional but popular module to pull in data
from databases and other sources, has a feature in which the whole DIH
configuration can come from a request's "dataConfig" parameter. The
debug mode of the DIH admin screen uses this to allow convenient
debugging / development of a DIH config. Since a DIH config can contain
scripts, this parameter is a security risk. Starting from now on, use
of this parameter requires setting the Java System property
"enable.dih.dataConfigParam" to true. For example this can be achieved
with solr-tomcat by adding -Denable.dih.dataConfigParam=true to
JAVA_OPTS in /etc/default/tomcat7.

For Debian 8 "Jessie", this problem has been fixed in version
3.6.2+dfsg-5+deb8u3.

We recommend that you upgrade your lucene-solr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1956-1: ruby-openid security update

Package : ruby-openid
Version : 2.5.0debian-1+deb8u1
CVE ID : CVE-2019-11027

ruby-openid performed discovery first, and then verification. This allowed an
attacker to change the URL used for discovery and trick the server into
connecting to the URL. This server in turn could be a private server not
publicly accessible.

Furthermore, if the client that uses this library discloses connection errors,
this in turn could disclose information from the private server to the
attacker.

For Debian 8 "Jessie", this problem has been fixed in version
2.5.0debian-1+deb8u1.

We recommend that you upgrade your ruby-openid packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS