Debian 10230 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-168-1 netty security update

Debian GNU/Linux 9 and 10:
DSA 4535-1: e2fsprogs security update

Debian GNU/Linux 10:
DSA 4534-1: golang-1.11 security update



ELA-168-1: netty security update

Package: netty
Version: 3.2.6.Final-2+deb7u1
Related CVE: CVE-2019-16869

Netty mishandled whitespace before the colon in HTTP headers (such as a “Transfer-Encoding : chunked” line), which lead to HTTP request smuggling.

For Debian 7 Wheezy, these problems have been fixed in version 3.2.6.Final-2+deb7u1.

We recommend that you upgrade your netty packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DSA 4534-1: golang-1.11 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4534-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 27, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : golang-1.11
CVE ID : CVE-2019-16276

It was discovered that the Go programming language did accept and
normalize invalid HTTP/1.1 headers with a space before the colon, which
could lead to filter bypasses or request smuggling in some setups.

For the stable distribution (buster), this problem has been fixed in
version 1.11.6-1+deb10u2.

We recommend that you upgrade your golang-1.11 packages.

For the detailed security status of golang-1.11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4535-1: e2fsprogs security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4535-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 27, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : e2fsprogs
CVE ID : CVE-2019-5094
Debian Bug : 941139

Lilith of Cisco Talos discovered a buffer overflow flaw in the quota
code used by e2fsck from the ext2/ext3/ext4 file system utilities.
Running e2fsck on a malformed file system can result in the execution of
arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.43.4-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.44.5-1+deb10u2.

We recommend that you upgrade your e2fsprogs packages.

For the detailed security status of e2fsprogs please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/e2fsprogs

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/