The following updates have been released for Debian GNU/Linux 8 LTS:
DLA 1917-1: curl security update
DLA 1920-1: golang-go.crypto security update
DLA 1921-1: dnsmasq security update
DLA 1917-1: curl security update
Package : curl
Version : 7.38.0-4+deb8u16
CVE ID : CVE-2019-5482
Debian Bug : #940010
It was discovered that there was a heap buffer overflow vulnerability
in curl, the library and command-line tool for transferring data over
the internet.
For Debian 8 "Jessie", this issue has been fixed in curl version
7.38.0-4+deb8u16.
We recommend that you upgrade your curl packages.
DLA 1920-1: golang-go.crypto security update
Package : golang-go.crypto
Version : 0.0~hg190-1+deb8u2
CVE ID : CVE-2019-11841
This package ignored the value of the Hash header, which allows an
attacker to spoof it. An attacker can not only embed arbitrary Armor
Headers, but also prepend arbitrary text to cleartext messages
without invalidating the signatures.
For Debian 8 "Jessie", this problem has been fixed in version
0.0~hg190-1+deb8u2.
We recommend that you upgrade your golang-go.crypto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1921-1: dnsmasq security update
Package : dnsmasq
Version : 2.72-3+deb8u5
CVE ID : CVE-2019-14513
Samuel R Lovejoy discovered a security vulnerability in dnsmasq.
Carefully crafted packets by DNS servers might result in out of
bounds read operations, potentially leading to a crash and denial
of service.
For Debian 8 "Jessie", this problem has been fixed in version
2.72-3+deb8u5.
We recommend that you upgrade your dnsmasq packages.