Debian 10228 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-154-2 openjdk-7 regression update

Debian GNU/Linux 8 LTS:
DLA 1886-2: openjdk-7 regression update
DLA 1893-1: cups security update

Debian GNU/Linux 9 and 10:
DSA 4505-1: nginx security update



ELA-154-2: openjdk-7 regression update

Package: openjdk-7
Version: 7u231-2.6.19-1~deb7u2

The latest security update of openjdk-7 caused a regression when applications relied on elliptic curve algorithms to establish SSL connections. Several duplicate classes were removed from rt.jar by the upstream developers of OpenJDK because they were also present in sunec.jar. However Debian never shipped the SunEC security provider in OpenJDK 7.

The issue was resolved by building sunec.jar and its corresponding native library libsunec.so from source. In order to build these libraries from source, an update of nss to version 2:3.26-1+debu7u8 is required.

Updates for the amd64 architecture are already available, new packages for i386 will be available within the next 24 hours.

For Debian 7 Wheezy, these problems have been fixed in version 7u231-2.6.19-1~deb7u2.

We recommend that you upgrade your openjdk-7 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1886-2: openjdk-7 regression update

Package : openjdk-7
Version : 7u231-2.6.19-1~deb8u2
Debian Bug : 935082 750400

The latest security update of openjdk-7 caused a regression when
applications relied on elliptic curve algorithms to establish SSL
connections. Several duplicate classes were removed from rt.jar by the
upstream developers of OpenJDK because they were also present in
sunec.jar. However Debian never shipped the SunEC security provider in
OpenJDK 7.

The issue was resolved by building sunec.jar and its corresponding
native library libsunec.so from source. In order to build these
libraries from source, an update of nss to version 2:3.26-1+debu8u6 is
required.

Updates for the amd64 architecture are already available, new packages
for i386, armel and armhf will be available within the next 24 hours.

For Debian 8 "Jessie", this problem has been fixed in version
7u231-2.6.19-1~deb8u2.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1893-1: cups security update

Package : cups
Version : 1.7.5-11+deb8u5
CVE ID : CVE-2019-8675 CVE-2019-8696


Two issues have been found in cups, the Common UNIX Printing System(tm).

Basically both CVEs (CVE-2019-8675 and CVE-2019-8696) are about
stack-buffer-overflow in two functions of libcup. One happens in
asn1_get_type() the other one in asn1_get_packed().


For Debian 8 "Jessie", these problems have been fixed in version
1.7.5-11+deb8u5.

We recommend that you upgrade your cups packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4505-1: nginx security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4505-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 22, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nginx
CVE ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9516

Three vulnerabilities were discovered in the HTTP/2 code of Nginx, a
high-performance web and reverse proxy server, which could result in
denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.10.3-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 1.14.2-2+deb10u1.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/