Debian 10261 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-160-1: exim4 security update
ELA-161-1: expat security update

Debian GNU/Linux 8 LTS:
DLA 1910-1: firefox-esr security update
DLA 1911-1: exim4 security update
DLA 1912-1: expat security update

Debian GNU/Linux 9 and 10:
DSA 4517-1: exim4 security update



ELA-160-1: exim4 security update

Package: exim4
Version: 4.80-7+deb7u7
Related CVE: CVE-2019-15846
Zerons and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.

For Debian 7 Wheezy, these problems have been fixed in version 4.80-7+deb7u7.

We recommend that you upgrade your exim4 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-161-1: expat security update

Package: expat
Version: 2.1.0-1+deb7u7
Related CVE: CVE-2019-15903
A heap-based buffer overread vulnerability in expat, an XML parsing library.

A specially-crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer overread.

For Debian 7 Wheezy, these problems have been fixed in version 2.1.0-1+deb7u7.

We recommend that you upgrade your expat packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1910-1: firefox-esr security update

Package : firefox-esr
Version : 60.9.0esr-1~deb8u1
CVE ID : CVE-2019-9812 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743
CVE-2019-11744 CVE-2019-11746 CVE-2019-11752

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, cross-site scripting, bypass of the same-origin policy, sandbox
escape, information disclosure or denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
60.9.0esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1911-1: exim4 security update

Package : exim4
Version : 4.84.2-2+deb8u6
CVE ID : CVE-2019-15846


"Zerons" and Qualys discovered that a buffer overflow triggerable in the
TLS negotiation code of the Exim mail transport agent could result in the
execution of arbitrary code with root privileges.


For Debian 8 "Jessie", this problem has been fixed in version
4.84.2-2+deb8u6.

We recommend that you upgrade your exim4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1912-1: expat security update

Package : expat
Version : 2.1.0-6+deb8u6
CVE IDs : CVE-2019-15903
Debian Bug : #939394

It was discovered that there was a heap-based buffer overread
vulnerability in expat, an XML parsing library.

A specially-crafted XML input could fool the parser into changing
from DTD parsing to document parsing too early; a consecutive call to
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then
resulted in a heap-based buffer overread.

For Debian 8 "Jessie", this issue has been fixed in expat version
2.1.0-6+deb8u6.

We recommend that you upgrade your expat packages.

DSA 4517-1: exim4 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4517-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 06, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : exim4
CVE ID : CVE-2019-15846

"Zerons" and Qualys discovered that a buffer overflow triggerable in the
TLS negotiation code of the Exim mail transport agent could result in the
execution of arbitrary code with root privileges.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.89-2+deb9u6.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u2.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/