Debian 10261 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1648-1: firefox-esr security update
DLA 1649-1: spice security update
DLA 1650-1: rssh security update
DLA 1651-1: libgd2 security update

Debian GNU/Linux 9:
DSA 4376-1: firefox-esr security update
DSA 4377-1: rssh security update
DSA 4378-1: php-pear security update



DLA 1648-1: firefox-esr security update




Package : firefox-esr
Version : 60.5.0esr-1~deb8u1
CVE ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or privilege escalation.

For Debian 8 "Jessie", these problems have been fixed in version
60.5.0esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1649-1: spice security update




Package : spice
Version : 0.12.5-1+deb8u7
CVE ID : CVE-2019-3813
Debian Bug : 920762

Christophe Fergeau discovered an out-of-bounds read vulnerability in
spice, a SPICE protocol client and server library, which might result in
denial of service (spice server crash), or possibly, execution of
arbitrary code.

For Debian 8 "Jessie", this problem has been fixed in version
0.12.5-1+deb8u7.

We recommend that you upgrade your spice packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1650-1: rssh security update




Package : rssh
Version : 2.3.4-4+deb8u1
CVE ID : CVE-2019-1000018
Debian Bug : 919623

The ESnet security team discovered a vulnerability in rssh, a restricted
shell that allows users to perform only scp, sftp, cvs, svnserve
(Subversion), rdist and/or rsync operations. Missing validation in the
scp support could result in the bypass of this restriction, allowing the
execution of arbitrary shell commands.

Please note that with the update applied, the "-3" option of scp can no
longer be used.

For Debian 8 "Jessie", this problem has been fixed in version
2.3.4-4+deb8u1.

We recommend that you upgrade your rssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1651-1: libgd2 security update




Package : libgd2
Version : 2.1.0-5+deb8u12
CVE ID : CVE-2018-5711 CVE-2018-1000222 CVE-2019-6977
CVE-2019-6978


Several issues in libgd2, a graphics library that allows to quickly draw
images, have been found.

CVE-2019-6977
A potential double free in gdImage*Ptr() has been reported by Solmaz
Salimi (aka. Rooney).

CVE-2019-6978
Simon Scannell found a heap-based buffer overflow, exploitable with
crafted image data.

CVE-2018-1000222
A new double free vulnerabilities in gdImageBmpPtr() has been
reported by Solmaz Salimi (aka. Rooney).

CVE-2018-5711
Due to an integer signedness error the GIF core parsing function can
enter an infinite loop. This will lead to a Denial of Service and
exhausted server resources.


For Debian 8 "Jessie", these problems have been fixed in version
2.1.0-5+deb8u12.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4376-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4376-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 30, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-18500 CVE-2018-18501 CVE-2018-18505

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or privilege escalation.

For the stable distribution (stretch), these problems have been fixed in
version 60.5.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4377-1: rssh security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4377-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 30, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rssh
CVE ID : CVE-2019-1000018
Debian Bug : 919623

The ESnet security team discovered a vulnerability in rssh, a restricted
shell that allows users to perform only scp, sftp, cvs, svnserve
(Subversion), rdist and/or rsync operations. Missing validation in the
scp support could result in the bypass of this restriction, allowing the
execution of arbitrary shell commands.

Please note that with the update applied, the "-3" option of scp can no
longer be used.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u1.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4378-1: php-pear security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4378-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php-pear
CVE ID : CVE-2018-1000888
Debian Bug : 919147

Fariskhi Vidyan discovered that the PEAR Archive_Tar package for
handling tar files in PHP is prone to a PHP object injection
vulnerability, potentially allowing a remote attacker to execute
arbitrary code.

For the stable distribution (stretch), this problem has been fixed in
version 1:1.10.1+submodules+notgz-9+deb9u1.

We recommend that you upgrade your php-pear packages.

For the detailed security status of php-pear please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/php-pear

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/