The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-36-1 curl security update
ELA-37-1 openssh security update
Debian GNU/Linux 8 LTS:
DLA 1505-1: zutils security update
Debian GNU/Linux 7 Extended LTS:
ELA-36-1 curl security update
ELA-37-1 openssh security update
Debian GNU/Linux 8 LTS:
DLA 1505-1: zutils security update
ELA-36-1 curl security update
Package: curl
Version: 7.26.0-1+wheezy25+deb7u2
Related CVE: CVE-2018-14618
Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems.
For Debian 7 Wheezy, these problems have been fixed in version 7.26.0-1+wheezy25+deb7u2.
We recommend that you upgrade your curl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
ELA-37-1 openssh security update
Package: openssh
Version: 6.0p1-4+deb7u8
Related CVE: CVE-2018-15473
It was discovered that there was a user enumeration vulnerability in OpenSSH. A remote attacker could test whether a certain user exists on a target server.
For Debian 7 Wheezy, these problems have been fixed in version 6.0p1-4+deb7u8.
We recommend that you upgrade your openssh packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1505-1: zutils security update
Package : zutils
Version : 1.3-4+deb8u1
CVE ID : CVE-2018-1000637
Debian Bug : 902936
zutils version prior to version 1.8-pre2 contains a buffer
overflow vulnerability in zcat which happened with some
input files when the '-v, --show-nonprinting' option was
used (or indirectly enabled). This can result in potential
denial of service or arbitrary code execution. This attack
appear is exploitable via the victim openning a crafted
compressed file and has been fixed in 1.8-pre2.
For Debian 8 "Jessie", this problem has been fixed in
version 1.3-4+deb8u1.
We recommend that you upgrade your zutils packages.
Further information about Debian LTS security advisories,
how to apply these updates to your system and frequently
asked questions can be found at: https://wiki.debian.org/LTS
