Debian 10260 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1900-2: apache2 regression update
DLA 1939-1: poppler security update
DLA 1941-1: netty security update
DLA 1942-1: phpbb3 security update



DLA 1900-2: apache2 regression update

Package : apache2
Version : 2.4.10-10+deb8u16
CVE ID : CVE-2019-10092
Debian Bug : 941202

The update of apache2 released as DLA-1900-1 contained an incomplete
fix for CVE-2019-10092, a limited cross-site scripting issue affecting
the mod_proxy error page. The old patch rather introduced a new CSRF
protection which also caused a regression, an inability to dynamically
change the status of members in the balancer via the balancer-manager.
This update reverts the change and provides the correct upstream patch
to address CVE-2019-10092.

For Debian 8 "Jessie", this problem has been fixed in version
2.4.10-10+deb8u16.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1939-1: poppler security update

Package : poppler
Version : 0.26.5-2+deb8u11
CVE ID : CVE-2018-20650 CVE-2018-21009 CVE-2019-12493


Several issues in poppler, a PDF rendering library, have been fixed.

CVE-2018-20650

A missing check for the dict data type could lead to a denial of
service.

CVE-2018-21009

An integer overflow might happen in Parser::makeStream.

CVE-2019-12493

A stack-based buffer over-read by a crafted PDF file might happen in
PostScriptFunction::transform because some functions mishandle tint
transformation.


For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u11.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1941-1: netty security update

Package : netty
Version : 1:3.2.6.Final-2+deb8u1
CVE ID : CVE-2019-16869


Netty mishandled whitespace before the colon in HTTP headers (such as a
“Transfer-Encoding : chunked” line), which lead to HTTP request
smuggling.

For Debian 8 "Jessie", this problem has been fixed in version
1:3.2.6.Final-2+deb8u1.

We recommend that you upgrade your netty packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1942-1: phpbb3 security update

Package : phpbb3
Version : 3.0.12-5+deb8u4
CVE ID : CVE-2019-16993


In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
CSRF token on the BBCode page in the Administration Control Panel. An
actual CSRF attack was possible if an attacker also managed to retrieve
the session id of a reauthenticated administrator prior to targeting
them.

The description in this DLA does not match what has been documented in
the changelog.Debian.gz of this package version. After the upload of
phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
been fixed. The correct fix for CVE-2019-13776 has been identified and
will be shipped in a soon-to-come follow-up security release of phpbb3.

For Debian 8 "Jessie", these problems have been fixed in version
3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS