The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8 LTS:
DLA 1702-1: advancecomp security update
Debian GNU/Linux 9:
DSA 4387-2: openssh security update
DLA 1702-1: advancecomp security update
Package : advancecomp
Version : 1.19-1+deb8u1
CVE ID : CVE-2018-1056 CVE-2019-9210
Debian Bug : 889270 923416
Several vulnerabilities were discovered in advancecomp, a collection
of recompression utilities.
CVE-2018-1056
Joonun Jang discovered that the advzip tool was prone to a
heap-based buffer overflow. This might allow an attacker to cause a
denial-of-service (application crash) or other unspecified impact
via a crafted file.
CVE-2019-9210
The png_compress function in pngex.cc in advpng has an integer
overflow upon encountering an invalid PNG size, which results in
another heap-based buffer overflow.
For Debian 8 "Jessie", these problems have been fixed in version
1.19-1+deb8u1.
We recommend that you upgrade your advancecomp packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4387-2: openssh security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4387-2 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
March 02, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openssh
CVE ID : CVE-2019-6111
Debian Bug : 923486
It was found that a security update (DSA-4387-1) of OpenSSH, an implementation
of the SSH protocol suite, was incomplete. This update did not completely fix
CVE-2019-6111, an arbitrary file overwrite vulnerability in the scp client
implementing the SCP protocol.
For the stable distribution (stretch), this problem has been fixed in
version 1:7.4p1-10+deb9u6.
We recommend that you upgrade your openssh packages.
For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/