Debian 10229 Published by

The following updates has been released for Debian GNU/Linux 9:

DSA 4287-1: firefox-esr security update
DSA 4288-1: ghostscript security update
DSA 4289-1: chromium-browser security update



DSA 4287-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4287-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 07, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-12376 CVE-2018-12377 CVE-2018-12378

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and use-after-frees may lead to
the execution of arbitrary code or denial of service.

Debian follows the extended support releases (ESR) of Firefox. Support
for the 52.x series has ended, so starting with this update we're now
following the 60.x releases.

Between 52.x and 60.x, Firefox has undergone significant internal
updates, which makes it incompatible with a number of extensions. For
more information please refer to
https://www.mozilla.org/en-US/firefox/60.0esr/releasenotes/

In addition, the new Firefox packages require Rust to build. A
compatible Rust toolchain has been backported to Debian stretch, but is
not available for all architectures which previously supported the
purely C++-based Firefox packages. Thus, the new Firefox packages
don't support the armel, armhf, mips, mips64el and mipsel architectures
at this point.

For the stable distribution (stretch), these problems have been fixed in
version 60.2.0esr-1~deb9u2.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4288-1: ghostscript security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4288-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 07, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ghostscript
CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911
CVE-2018-16511 CVE-2018-16513 CVE-2018-16539
CVE-2018-16540 CVE-2018-16541 CVE-2018-16542
CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilites in Ghostscript, an
interpreter for the PostScript language, which could result in denial of
service, the creation of files or the execution of arbitrary code if a
malformed Postscript file is processed (despite the dSAFER sandbox being
enabled).

For the stable distribution (stretch), these problems have been fixed in
version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4289-1: chromium-browser security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4289-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
September 07, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2018-16065 CVE-2018-16066 CVE-2018-16067 CVE-2018-16068
CVE-2018-16069 CVE-2018-16070 CVE-2018-16071 CVE-2018-16073
CVE-2018-16074 CVE-2018-16075 CVE-2018-16076 CVE-2018-16077
CVE-2018-16078 CVE-2018-16079 CVE-2018-16080 CVE-2018-16081
CVE-2018-16082 CVE-2018-16083 CVE-2018-16084 CVE-2018-16085

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-16065

Brendon Tiszka discovered an out-of-bounds write issue in the v8
javascript library.

CVE-2018-16066

cloudfuzzer discovered an out-of-bounds read issue in blink/webkit.

CVE-2018-16067

Zhe Jin discovered an out-of-bounds read issue in the WebAudio
implementation.

CVE-2018-16068

Mark Brand discovered an out-of-bounds write issue in the Mojo
message passing library.

CVE-2018-16069

Mark Brand discovered an out-of-bounds read issue in the swiftshader
library.

CVE-2018-16070

Ivan Fratric discovered an integer overflow issue in the skia library.

CVE-2018-16071

Natalie Silvanovich discovered a use-after-free issue in the WebRTC
implementation.

CVE-2018-16073

Jun Kokatsu discovered an error in the Site Isolation feature when
restoring browser tabs.

CVE-2018-16074

Jun Kokatsu discovered an error in the Site Isolation feature when
using a Blob URL.

CVE-2018-16075

Pepe Vila discovered an error that could allow remote sites to access
local files.

CVE-2018-16076

Aseksandar Nikolic discovered an out-of-bounds read issue in the pdfium
library.

CVE-2018-16077

Manuel Caballero discovered a way to bypass the Content Security Policy.

CVE-2018-16078

Cailan Sacks discovered that the Autofill feature could leak saved
credit card information.

CVE-2018-16079

Markus Vervier and Michele Orrù discovered a URL spoofing issue.

CVE-2018-16080

Khalil Zhani discovered a URL spoofing issue.

CVE-2018-16081

Jann Horn discovered that local files could be accessed in the developer
tools.

CVE-2018-16082

Omair discovered a buffer overflow issue in the swiftshader library.

CVE-2018-16083

Natalie Silvanovich discovered an out-of-bounds read issue in the WebRTC
implementation.

CVE-2018-16084

Jun Kokatsu discovered a way to bypass a user confirmation dialog.

CVE-2018-16085

Roman Kuksin discovered a use-after-free issue.

For the stable distribution (stretch), these problems have been fixed in
version 69.0.3497.81-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/