Debian 10267 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-164-1 python2.7 security update
ELA-165-1 python2.6 security update

Debian GNU/Linux 8 LTS:
DLA 1922-1: wpa security update
DLA 1924-1: python3.4 security update
DLA 1925-1: python2.7 security update

Debian GNU/Linux 10:
DSA 4524-1: dino-im security update



ELA-164-1 python2.7 security update

Package: python2.7
Version: 2.7.3-6+deb7u8
Related CVE: CVE-2013-1753 CVE-2014-4616 CVE-2014-4650 CVE-2014-7185 CVE-2019-16056
Vulnerabilities have been discovered in Python, an interactive high-level object-oriented language.

CVE-2019-16056

The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.

CVE-2013-1753

A denial of service (resource exhaustion, excessive memory
consumption) can be triggered in the xmlrpc library by a specially
crafted HTTP request.

CVE-2014-4616

An attacker is able to read arbitrary process memory by a specially
crafted JSON string.

CVE-2014-4650

Information disclosure or arbirtary code execution is possible via a
specially crafted URL because of improper handling of URL-encoded
path separators in the CGIHTTPServer module.

CVE-2014-7185

A context-dependent attacker can take advantage of an integer
overflow to obtain sensitive information from process memory via a
large size and offset in a "buffer" function.
For Debian 7 Wheezy, these problems have been fixed in version 2.7.3-6+deb7u8.

We recommend that you upgrade your python2.7 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-165-1: python2.6 security update

Package: python2.6
Version: 2.6.8-1.1+deb7u4
Related CVE: CVE-2013-4238 CVE-2014-1912 CVE-2014-7185 CVE-2019-16056
Vulnerabilities have been discovered in Python, an interactive high-level object-oriented language.

CVE-2019-16056

The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.

CVE-2013-4238

A man-in-the-middle attack is possible by spoof of arbitrary SSL
servers via a crafted certificate resulting from improper handling
of '\0' characters in a domain name in the Subject Alternative Name
field of an X.509 certificate.

CVE-2014-1912

Arbitrary remote code execution is possible via a crafted string
resulting from a buffer overflow in the socket.recvfrom_into
function.

CVE-2014-7185

A context-dependent attacker can take advantage of an integer
overflow to obtain sensitive information from process memory via a
large size and offset in a "buffer" function.
For Debian 7 Wheezy, these problems have been fixed in version 2.6.8-1.1+deb7u4.

We recommend that you upgrade your python2.6 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1922-1: wpa security update

Package : wpa
Version : 2.3-1+deb8u9
CVE ID : CVE-2019-16275
Debian Bug : 940080

hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this
type of issues.

For Debian 8 "Jessie", this problem has been fixed in version
2.3-1+deb8u9.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1924-1: python3.4 security update

Package : python3.4
Version : 3.4.2-1+deb8u7
CVE ID : CVE-2019-16056

A vulnerability was discovered in Python, an interactive high-level
object-oriented language.

CVE-2019-16056

The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.

For Debian 8 "Jessie", this problem has been fixed in version
3.4.2-1+deb8u7.

We recommend that you upgrade your python3.4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1925-1: python2.7 security update

Package : python2.7
Version : 2.7.9-2+deb8u5
CVE ID : CVE-2019-16056


A vulnerability was discovered in Python, an interactive high-level
object-oriented language.

CVE-2019-16056

The email module wrongly parses email addresses that contain
multiple @ characters. An application that uses the email module and
implements some kind of checks on the From/To headers of a message
could be tricked into accepting an email address that should be
denied.

For Debian 8 "Jessie", this problem has been fixed in version
2.7.9-2+deb8u5.

We recommend that you upgrade your python2.7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4524-1: dino-im security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4524-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 16, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : dino-im
CVE ID : CVE-2019-16235 CVE-2019-16236 CVE-2019-16237

Multiple vulnerabilities have been discovered in the Dino XMPP client,
which could allow spoofing message, manipulation of a user's roster
(contact list) and unauthorised sending of message carbons.

For the stable distribution (buster), these problems have been fixed in
version 0.0.git20181129-1+deb10u1.

We recommend that you upgrade your dino-im packages.

For the detailed security status of dino-im please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dino-im

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/