Debian 10260 Published by

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-101-1 tzdata new upstream version
ELA-102-1 libdatetime-timezone-perl new upstream version
ELA-103-1 cron security update

Debian GNU/Linux 8 LTS:
DLA 1744-1: tzdata new upstream version
DLA 1745-1: libdatetime-timezone-perl new upstream version
DLA 1746-1: drupal7 security update



ELA-101-1 tzdata new upstream version

Package: tzdata
Version: 2019a-0+deb7u1
Related CVE:
This update brings the timezone changes from the upstream 2019a release.

For Debian 7 Wheezy, these problems have been fixed in version 2019a-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-102-1 libdatetime-timezone-perl new upstream version

Package: libdatetime-timezone-perl
Version: 1:1.58-1+2019a
Related CVE:
This update brings the Olson database changes from the 2019a version to the Perl bindings.

For Debian 7 Wheezy, these problems have been fixed in version 1:1.58-1+2019a.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-103-1 cron security update

Package: cron
Version: 3.0pl1-124+deb7u1
Related CVE: CVE-2017-9525 CVE-2019-9704 CVE-2019-9705 CVE-2019-9706
Various security problems have been discovered in Debian’s CRON scheduler.

CVE-2017-9525: Fix a group crontab to root privilege escalation via the Debian package's postinst script, as described by Alexander Peslyak (Solar Designer) in http://www.openwall.com/lists/oss-security/2017/06/08/3

CVE-2019-9704: DoS: Fix an unchecked return value of calloc(). Florian Weimer discovered that a missing check for the return value of calloc() could crash the daemon; the allocation failure can be triggered by a very large crontab created by a user.

CVE-2019-9705: Enforce a maximum crontab line count of 1000 to prevent a malicious user from creating an excessively large crontab. The daemon logs a warning for existing files that exceed the limit, and crontab(1) refuses to create new ones.

CVE-2019-9706: A user reported a use-after-free condition in the cron daemon, leading to a possible denial of service by crashing the daemon.

For Debian 7 Wheezy, these problems have been fixed in version 3.0pl1-124+deb7u1.

We recommend that you upgrade your cron packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1744-1: tzdata new upstream version




Package : tzdata
Version : 2019a-0+deb8u1

This update includes the changes in tzdata 2019a. Notable
changes are:

- Palestine started DST on 2019-03-30, instead of 2019-03-23
as previously predicted.
- Metlakatla ended its observance of Pacific standard time, rejoining
Alaska Time, on 2019-01-20 at 02:00.

For Debian 8 "Jessie", this problem has been fixed in version
2019a-0+deb8u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1745-1: libdatetime-timezone-perl new upstream version




Package : libdatetime-timezone-perl
Version : 1:1.75-2+2019a

This update includes the changes in tzdata 2019a for the
Perl bindings. For the list of changes, see DLA-1744-1.

For Debian 8 "Jessie", this problem has been fixed in version
1:1.75-2+2019a.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1746-1: drupal7 security update




Package : drupal7
Version : 7.32-1+deb8u16
CVE ID : CVE-2019-6341

It was discovered that missing input sanitising in the file module of
Drupal, a fully-featured content management framework, could result in
cross-site scripting.

For Debian 8 "Jessie", this problem has been fixed in version
7.32-1+deb8u16.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS