The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-149-1: freetype security update
Debian GNU/Linux 8 LTS:
DLA 1866-1: glib2.0 security update
DLA 1867-1: wpa security update
Debian GNU/Linux 9:
DSA 4490-1: subversion security update
ELA-149-1: freetype security update
Package: freetype
Version: 2.4.9-1.1+deb7u8
Related CVE: CVE-2015-9290
In FreeType a buffer over-read occurred in type1/t1parse.c in the function T1_Get_Private_Dict. The fix ensures that ‘cur’ in the parser code doesn’t point to the end of the file buffer.
For Debian 7 Wheezy, these problems have been fixed in version 2.4.9-1.1+deb7u8.
We recommend that you upgrade your freetype packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1866-1: glib2.0 security update
Package : glib2.0
Version : 2.42.1-1+deb8u2
CVE ID : CVE-2018-16428 CVE-2018-16429 CVE-2019-13012
Debian Bug : 931234
Various minor issues have been addressed in the GLib library. GLib is a
useful general-purpose C library used by projects such as GTK+, GIMP,
and GNOME.
CVE-2018-16428
In GNOME GLib, g_markup_parse_context_end_parse() in gmarkup.c
had a NULL pointer dereference.
CVE-2018-16429
GNOME GLib had an out-of-bounds read vulnerability in
g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
CVE-2019-13012
The keyfile settings backend in GNOME GLib (aka glib2.0) before
created directories using g_file_make_directory_with_parents
(kfsb->dir, NULL, NULL) and files using g_file_replace_contents
(kfsb->file, contents, length, NULL, FALSE,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently,
it did not properly restrict directory (and file) permissions.
Instead, for directories, 0777 permissions were used; for files,
default file permissions were used. This issue is similar to
CVE-2019-12450.
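The CVE-2019-13012 entry above describes the failure precisely: the settings directory was created with 0777 and the keyfile with whatever the umask allowed. The Python below is an added illustration, not GLib's code. It creates the directory and keyfile with owner-only modes set explicitly (so the result does not depend on the umask) and audits an existing tree for group/other permission bits; the directory layout and keyfile contents are constructed in a temporary directory for the example.

```python
import os
import stat
import tempfile

# Owner-only modes: what a hardened keyfile backend should produce.
SAFE_DIR_MODE = 0o700
SAFE_FILE_MODE = 0o600


def create_keyfile_securely(settings_dir, contents):
    """Create settings_dir and a 'keyfile' inside it with owner-only modes.

    Hypothetical replacement for the permissive creation pattern quoted in
    the advisory. The mode is re-applied with chmod after creation so that
    neither the umask nor a pre-existing looser mode survives.
    """
    os.makedirs(settings_dir, mode=SAFE_DIR_MODE, exist_ok=True)
    os.chmod(settings_dir, SAFE_DIR_MODE)
    keyfile = os.path.join(settings_dir, "keyfile")
    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SAFE_FILE_MODE)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    os.chmod(keyfile, SAFE_FILE_MODE)
    return keyfile


def audit_permissions(root):
    """Return [(path, mode_octal)] for root and everything below it whose
    mode grants any access to group or others (the CVE-2019-13012 symptom)."""
    loose_bits = stat.S_IRWXG | stat.S_IRWXO
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & loose_bits:
            findings.append((path, oct(mode)))
    return findings


def demo():
    """Build the permissive 'before' layout, audit it, then show the hardened
    creation passes the same audit. Returns (bad_findings, good_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed 'before' layout: 0777 directory, default-mode (0644) file.
        bad_dir = os.path.join(tmp, "bad", "glib-2.0", "settings")
        os.makedirs(bad_dir)
        os.chmod(bad_dir, 0o777)
        bad_file = os.path.join(bad_dir, "keyfile")
        with open(bad_file, "w") as fh:
            fh.write("[org/example]\nsecret='constructed-value'\n")
        os.chmod(bad_file, 0o644)
        bad = audit_permissions(bad_dir)

        # Hardened layout created by this example's helper.
        good_dir = os.path.join(tmp, "good", "glib-2.0", "settings")
        create_keyfile_securely(good_dir, "[org/example]\nsecret='constructed-value'\n")
        good = audit_permissions(good_dir)
        return len(bad), len(good)


if __name__ == "__main__":
    print("permissive layout findings, hardened layout findings:", demo())
```

Pointing `audit_permissions` at a real `~/.config/glib-2.0/settings` directory is the quick way to tell whether a system that ran the vulnerable version still carries the loose modes after the package upgrade, since updating the library does not fix directories that already exist.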
For Debian 8 "Jessie", these problems have been fixed in version
2.42.1-1+deb8u2.
We recommend that you upgrade your glib2.0 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1867-1: wpa security update
Package : wpa
Version : 2.3-1+deb8u8
CVE ID : CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
CVE-2019-11555
Debian Bug : 927463
Several vulnerabilities were discovered in WPA supplicant / hostapd. Some
of them could only be partially mitigated; please read below for details.
CVE-2019-9495
Cache-based side-channel attack against the EAP-pwd implementation:
an attacker able to run unprivileged code on the target machine
(including for example javascript code in a browser on a smartphone)
during the handshake could deduce enough information to discover the
password in a dictionary attack.
This issue has only been very partially mitigated, by reducing
measurable timing differences during private key operations. More
work is required to fully mitigate this vulnerability.
CVE-2019-9497
Reflection attack against the EAP-pwd server implementation: a lack of
validation of the received scalar and element values in the
EAP-pwd-Commit messages could have resulted in attacks that would
have been able to complete the EAP-pwd authentication exchange without
the attacker having to know the password. This did not result in the
attacker being able to derive the session key, complete the following
key exchange and access the network.
CVE-2019-9498
EAP-pwd server missing commit validation for scalar/element: hostapd
didn't validate values received in the EAP-pwd-Commit message, so an
attacker could have used a specially crafted commit message to
manipulate the exchange in order for hostapd to derive a session key
from a limited set of possible values. This could have resulted in an
attacker being able to complete authentication and gain access to the
network.
This issue could only partially be mitigated.
CVE-2019-9499
EAP-pwd peer missing commit validation for scalar/element:
wpa_supplicant didn't validate values received in the EAP-pwd-Commit
message, so an attacker could have used a specially crafted commit
message to manipulate the exchange in order for wpa_supplicant to
derive a session key from a limited set of possible values. This
could have resulted in an attacker being able to complete
authentication and operate as a rogue AP.
This issue could only partially be mitigated.
CVE-2019-11555
The EAP-pwd implementation didn't properly validate fragmentation
reassembly state when receiving an unexpected fragment. This could
have led to a process crash due to a NULL pointer dereference.
An attacker in radio range of a station or access point with EAP-pwd
support could cause a crash of the relevant process (wpa_supplicant
or hostapd), resulting in a denial of service.
For Debian 8 "Jessie", these problems have been fixed in version
2.3-1+deb8u8.
We recommend that you upgrade your wpa packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4490-1: subversion security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4490-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 01, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : subversion
CVE ID : CVE-2018-11782 CVE-2019-0203
Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2018-11782
Ace Olszowka reported that Subversion's svnserve server process
may exit when a well-formed read-only request produces a particular
answer, leading to a denial of service.
CVE-2019-0203
Tomas Bortoli reported that Subversion's svnserve server process
may exit when a client sends certain sequences of protocol commands.
If the server is configured with anonymous access enabled, this could
lead to a remote unauthenticated denial of service.
For the oldstable distribution (stretch), these problems have been fixed
in version 1.9.5-1+deb9u4.
For the stable distribution (buster), these problems have been fixed in
version 1.10.4-1+deb10u1.
We recommend that you upgrade your subversion packages.
For the detailed security status of subversion please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/subversion
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
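Every advisory on this page names the package version in which its fix lands. Deciding whether an installed system is still affected means comparing the installed version against that fixed version using Debian's ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything else and digit runs compared numerically). The Python below is an added example and not Debian tooling: it reimplements dpkg's version comparison algorithm and triages a constructed package inventory against the fixed versions quoted in the four advisories above.

```python
# Fixed versions quoted in the advisories on this page, keyed by (suite, package).
FIXED_VERSIONS = {
    ("wheezy", "freetype"): "2.4.9-1.1+deb7u8",
    ("jessie", "glib2.0"): "2.42.1-1+deb8u2",
    ("jessie", "wpa"): "2.3-1+deb8u8",
    ("stretch", "subversion"): "1.9.5-1+deb9u4",
    ("buster", "subversion"): "1.10.4-1+deb10u1",
}


def _order(c):
    """dpkg's character weight: '~' sorts before end-of-string, which sorts
    before letters, which sort before every other non-digit character."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the way dpkg does:
    alternate non-digit runs (compared by _order) and digit runs (numeric)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1   # a has more significant digits left
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, _, version = version.partition(":")
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def needs_upgrade(installed, fixed):
    return compare_versions(installed, fixed) < 0


def triage(suite, installed):
    """Return the packages in `installed` ({name: version}) that are still
    below the fixed version listed for `suite`."""
    return sorted(pkg for pkg, ver in installed.items()
                  if (suite, pkg) in FIXED_VERSIONS
                  and needs_upgrade(ver, FIXED_VERSIONS[(suite, pkg)]))


if __name__ == "__main__":
    # Constructed inventory, as 'dpkg-query -W' might report it on a jessie host.
    inventory = {"glib2.0": "2.42.1-1+deb8u1", "wpa": "2.3-1+deb8u8", "bash": "4.3-11+deb8u2"}
    print("still vulnerable:", triage("jessie", inventory))
```

The digit runs are compared numerically rather than lexically, so `deb8u8` correctly sorts below a hypothetical `deb8u10`; that is the case naive string comparison gets wrong and why a reimplementation (or `dpkg --compare-versions` on a real host) is worth using in triage scripts.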