Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1554-1: 389-ds-base security update
DLA 1554-2: 389-ds-base regression update

Debian GNU/Linux 9:
DSA 4326-1: openjdk-8
DSA 4327-1: thunderbird security update
DSA 4328-1: xorg-server security update



DLA 1554-1: 389-ds-base security update




Package : 389-ds-base
Version : 1.3.3.5-4+deb8u4
CVE ID : CVE-2018-14648

It was discovered that 389-ds-base (the 389 Directory Server) is vulnerable
to search queries with malformed values in the do_search() function
(servers/slapd/search.c). Attackers could leverage this vulnerability by
sending crafted queries in a loop to cause DoS.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u4.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1554-2: 389-ds-base regression update




Package : 389-ds-base
Version : 1.3.3.5-4+deb8u5

A regression was found in the recent security update for 389-ds-base
(the 389 Directory Server), announced as DLA-1554-2, caused by an
incomplete fix for CVE-2018-14648. The regression caused the server
to crash when processing requests with empty attributes.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u5.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4326-1: openjdk-8




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4326-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2018-3136 CVE-2018-3139 CVE-2018-3149 CVE-2018-3169
CVE-2018-3180 CVE-2018-3183 CVE-2018-3214

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, incomplete TLS identity verification,
information disclosure or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 8u181-b13-2~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4327-1: thunderbird security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4327-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2017-16541 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378
CVE-2018-12379 CVE-2018-12383 CVE-2018-12385

Multiple security issues have been found in Thunderbird: Multiple memory
safety errors and use-after-frees may lead to the execution of arbitrary
code or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.2.1-2~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4328-1: xorg-server security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4328-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 25, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xorg-server
CVE ID : CVE-2018-14665

Narendra Shinde discovered that incorrect command-line parameter
validation in the Xorg X server may result in arbitary file overwrite,
which can result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.19.2-1+deb9u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/