The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-87-1 bind9 security update
Debian GNU/Linux 8 LTS:
DLA 1694-1: qemu security update
DLA 1695-1: sox security update
DLA 1697-1: bind9 security update
DLA 1698-1: file security update
DLA 1699-1: ldb security update
Debian GNU/Linux 9:
DSA 4397-1: ldb security update
DSA 4398-1: php7.0 security update
DSA 4399-1: ikiwiki security update
DSA 4400-1: openssl1.0 security update
ELA-87-1 bind9 security update
Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u22
Related CVE: CVE-2018-5745 CVE-2019-6465
Two issues have been found in bind9, the Internet Domain Name Server.
CVE-2019-6465: Zone transfers for DLZs are executed even though they are not permitted by ACLs.
CVE-2018-5745: Avoid an assertion failure, which would cause named to deliberately exit, when a trust anchor's key is replaced with a key which uses an unsupported algorithm.
For Debian 7 Wheezy, these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u22.
We recommend that you upgrade your bind9 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1694-1: qemu security update
Package : qemu
Version : 1:2.1+dfsg-12+deb8u10
CVE ID : CVE-2018-12617 CVE-2018-16872 CVE-2019-6778
Debian Bug : 916397, 902725, 921525
Several vulnerabilities were found in QEMU, a fast processor emulator:
CVE-2018-12617
The qmp_guest_file_read function (qga/commands-posix.c) is affected
by an integer overflow and subsequent memory allocation failure. This
weakness might be leveraged by remote attackers to cause denial of
service (application crash).
CVE-2018-16872
The usb_mtp_get_object, usb_mtp_get_partial_object and
usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a
symlink attack. Remote attackers might leverage this vulnerability to
perform information disclosure.
CVE-2019-6778
The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer
overflow caused by insufficient validation of available space in the
sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to
cause denial of service, or any other unspecified impact.
For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u10.
We recommend that you upgrade your qemu packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1695-1: sox security update
Package : sox
Version : 14.4.1-5+deb8u2
CVE ID : CVE-2017-15370 CVE-2017-15372 CVE-2017-15642 CVE-2017-18189
Debian Bug : 878808, 878810, 882144, 881121
Multiple vulnerabilities have been discovered in SoX (Sound eXchange),
a sound processing program:
CVE-2017-15370
The ImaAdpcmReadBlock function (src/wav.c) is affected by a heap buffer
overflow. This vulnerability might be leveraged by remote attackers
using a crafted WAV file to cause denial of service (application crash).
CVE-2017-15372
The lsx_ms_adpcm_block_expand_i function (adpcm.c) is affected by a
stack based buffer overflow. This vulnerability might be leveraged by
remote attackers using a crafted audio file to cause denial of service
(application crash).
CVE-2017-15642
The lsx_aiffstartread function (aiff.c) is affected by a use-after-free
vulnerability. This flaw might be leveraged by remote attackers using a
crafted AIFF file to cause denial of service (application crash).
CVE-2017-18189
The startread function (xa.c) is affected by a null pointer dereference
vulnerability. This flaw might be leveraged by remote attackers using a
crafted Maxis XA audio file to cause denial of service (application
crash).
For Debian 8 "Jessie", these problems have been fixed in version
14.4.1-5+deb8u2.
We recommend that you upgrade your sox packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1697-1: bind9 security update
Package : bind9
Version : 1:9.9.5.dfsg-9+deb8u17
CVE ID : CVE-2018-5745 CVE-2019-6465
Two issues have been found in bind9, the Internet Domain Name Server.
CVE-2019-6465
Zone transfers for DLZs are executed even though they are not permitted by ACLs.
CVE-2018-5745
Avoid an assertion failure, which would cause named to deliberately exit,
when a trust anchor's key is replaced with a key which uses an unsupported
algorithm.
For Debian 8 "Jessie", these problems have been fixed in version
1:9.9.5.dfsg-9+deb8u17.
We recommend that you upgrade your bind9 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1698-1: file security update
Package : file
Version : 1:5.22+15-2+deb8u5
CVE ID : CVE-2019-8905 CVE-2019-8907
Potential buffer over-reads in readelf.c have been found in file,
a popular file type guesser.
For Debian 8 "Jessie", these problems have been fixed in version
1:5.22+15-2+deb8u5.
We recommend that you upgrade your file packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1699-1: ldb security update
Package : ldb
Version : 2:1.1.20-0+deb8u2
CVE ID : CVE-2019-3824
Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()
function of ldb, an LDAP-like embedded database, resulting in denial of
service.
For Debian 8 "Jessie", this problem has been fixed in version
2:1.1.20-0+deb8u2.
We recommend that you upgrade your ldb packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4397-1: ldb security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4397-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 28, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ldb
CVE ID : CVE-2019-3824
Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()
function of ldb, an LDAP-like embedded database, resulting in denial of
service.
For the stable distribution (stretch), this problem has been fixed in
version 2:1.1.27-1+deb9u1.
We recommend that you upgrade your ldb packages.
For the detailed security status of ldb please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ldb
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4398-1: php7.0 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4398-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 28, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023
CVE-2019-9024
Multiple security issues were found in PHP, a widely-used open source
general-purpose scripting language: multiple out-of-bounds memory
accesses were found in the xmlrpc, mbstring and phar extensions and
the dns_get_record() function.
For the stable distribution (stretch), these problems have been fixed in
version 7.0.33-0+deb9u2.
We recommend that you upgrade your php7.0 packages.
For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4399-1: ikiwiki security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4399-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 28, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ikiwiki
CVE ID : CVE-2019-9187
Joey Hess discovered that the aggregate plugin of the Ikiwiki wiki
compiler was susceptible to server-side request forgery, resulting in
information disclosure or denial of service.
For the stable distribution (stretch), this problem has been fixed in
version 3.20170111.1.
We recommend that you upgrade your ikiwiki packages.
For the detailed security status of ikiwiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ikiwiki
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4400-1: openssl1.0 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4400-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 28, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openssl1.0
CVE ID : CVE-2019-1559
Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
oracle attack in OpenSSL.
For the stable distribution (stretch), this problem has been fixed in
version 1.0.2r-1~deb9u1.
We recommend that you upgrade your openssl1.0 packages.
For the detailed security status of openssl1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
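Every advisory above ends with "fixed in version X"; the useful check on a fleet is whether each installed package is at or above that version under Debian's own ordering (epochs, "~" sorting before release, +debNuM revisions). The following is an added example, not Debian's tooling: it re-implements dpkg's version comparison in Python so the check can run where dpkg is absent, with the fixed versions taken from this page and the sample dpkg-query lines constructed.

```python
# Added example, not Debian's own tooling: a pure-Python copy of dpkg's version ordering.
FIXED = {  # fixed versions quoted in the advisories above, keyed by (suite, package)
    ("wheezy", "bind9"): "1:9.8.4.dfsg.P1-6+nmu2+deb7u22", ("jessie", "qemu"): "1:2.1+dfsg-12+deb8u10",
    ("jessie", "sox"): "14.4.1-5+deb8u2", ("jessie", "bind9"): "1:9.9.5.dfsg-9+deb8u17",
    ("jessie", "file"): "1:5.22+15-2+deb8u5", ("jessie", "ldb"): "2:1.1.20-0+deb8u2",
    ("stretch", "ldb"): "2:1.1.27-1+deb9u1", ("stretch", "php7.0"): "7.0.33-0+deb9u2",
    ("stretch", "ikiwiki"): "3.20170111.1", ("stretch", "openssl1.0"): "1.0.2r-1~deb9u1",
}
DIGITS = set("0123456789")

def _order(c):  # dpkg character weight: digits 0, letters by code point, '~' below everything
    if c in DIGITS: return 0
    if c.isascii() and c.isalpha(): return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):  # dpkg's ordering of one upstream-version or debian-revision string
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare weights; end of string weighs 0, hence '1~rc1' < '1'.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS: return 1
        if j < len(b) and b[j] in DIGITS: return -1
        if first_diff: return first_diff
    return 0

def _split(v):  # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision
def dpkg_compare(a, b):  # -1, 0 or 1, the ordering of `dpkg --compare-versions`
    for x, y in zip(_split(a), _split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r: return 1 if r > 0 else -1
    return 0
def unpatched(suite, dpkg_lines):  # 'dpkg-query -W' style "name version" lines still below the fix
    rows = [(n, v, FIXED.get((suite, n))) for n, v in (line.split() for line in dpkg_lines)]
    return [(n, v, f) for n, v, f in rows if f and dpkg_compare(v, f) < 0]

# Constructed sample dpkg-query output for a jessie host (not real data); bind9 and ldb lag.
SAMPLE = ["bind9 1:9.9.5.dfsg-9+deb8u16", "sox 14.4.1-5+deb8u2", "ldb 2:1.1.20-0+deb8u1"]
```

On a real host, feed it the output of `dpkg-query -W -f '${Package} ${Version}\n'` for the suite in question; packages absent from the table are ignored.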