Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1768-1: checkstyle security update
DLA 1769-1: gst-plugins-base0.10 security update
DLA 1770-1: gst-plugins-base1.0 security update

Debian GNU/Linux 9:
DSA 4436-1: imagemagick security update



DLA 1768-1: checkstyle security update




Package : checkstyle
Version : 5.9-1+deb8u1
CVE ID : CVE-2019-9658

checkstyle was loading external DTDs by default,
which is now disabled by default.

If needed it can be re-enabled by setting the system property
checkstyle.enableExternalDtdLoad to true.

For Debian 8 "Jessie", this problem has been fixed in version
5.9-1+deb8u1.

We recommend that you upgrade your checkstyle packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1769-1: gst-plugins-base0.10 security update




rom: Thorsten Alteholz
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1769-1] gst-plugins-base0.10 security update

Package : gst-plugins-base0.10
Version : 0.10.36-2+deb8u1
CVE ID : CVE-2019-9928
Debian Bug :


The RTSP connection parser in the base GStreamer packages version 0.10,
which is a streaming media framework, was vulnerable against an
heap-based buffer overflow by sending a longer than allowed session id in
a response and including a semicolon to change the maximum length. This
could result in a remote code execution.


For Debian 8 "Jessie", this problem has been fixed in version
0.10.36-2+deb8u1.

We recommend that you upgrade your gst-plugins-base0.10 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1770-1: gst-plugins-base1.0 security update




Package : gst-plugins-base1.0
Version : 1.4.4-2+deb8u2
CVE ID : CVE-2019-9928


The RTSP connection parser in the base GStreamer packages version 1.0,
which is a streaming media framework, was vulnerable against an
heap-based buffer overflow by sending a longer than allowed session id in
a response and including a semicolon to change the maximum length. This
could result in a remote code execution.


For Debian 8 "Jessie", this problem has been fixed in version
1.4.4-2+deb8u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4436-1: imagemagick security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4436-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2019-9956 CVE-2019-10650

This update fixes two vulnerabilities in Imagemagick: Memory handling
problems and missing or incomplete input sanitising may result in denial
of service, memory disclosure or the execution of arbitrary code if
malformed TIFF or Postscript files are processed.

For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u7.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/