Debian 10260 Published by

The following security updates has been released for Debian GNU/Linux:

DLA 1785-1: imagemagick security update
DSA 4443-1: samba security update
DSA 4444-1: linux security update
DSA 4445-1: drupal7 security update
DSA 4446-1: lemonldap-ng security update



DLA 1785-1: imagemagick security update




Package : imagemagick
Version : 8:6.8.9.9-5+deb8u16
CVE ID : CVE-2017-9500 CVE-2017-11446 CVE-2017-11523
CVE-2017-11537 CVE-2017-12140 CVE-2017-12430
CVE-2017-12432 CVE-2017-12435 CVE-2017-12563
CVE-2017-12587 CVE-2017-12643 CVE-2017-12670
CVE-2017-12674 CVE-2017-12691 CVE-2017-12692
CVE-2017-12693 CVE-2017-12875 CVE-2017-13133
CVE-2017-13142 CVE-2017-13145 CVE-2017-13658
CVE-2017-13768 CVE-2017-14060 CVE-2017-14172
CVE-2017-14173 CVE-2017-14174 CVE-2017-14175
CVE-2017-14249 CVE-2017-14341 CVE-2017-14400
CVE-2017-14505 CVE-2017-14532 CVE-2017-14624
CVE-2017-14625 CVE-2017-14626 CVE-2017-14739
CVE-2017-14741 CVE-2017-15015 CVE-2017-15017
CVE-2017-15281 CVE-2017-17682 CVE-2017-17914
CVE-2017-18271 CVE-2017-18273 CVE-2017-1000445
CVE-2017-1000476 CVE-2019-9956 CVE-2019-10650
CVE-2019-11597 CVE-2019-11598
Debian Bug : 867778 868950 869210 869712 873059 869727 870491 870504
870530 870526 870107 870107 870020 875338 872609 875339
875341 873871 875352 873100 870105 869830 870019 878506
875504 875503 875502 876099 876105 878546 878545 878541
877354 877355 878524 878547 878548 878555 878554 878579
885942 886584 928207 928206 925395


Numerous security vulnerabilities were fixed in Imagemagick. Various
memory handling problems and cases of missing or incomplete input
sanitizing may result in denial of service, memory or CPU exhaustion,
information disclosure or potentially the execution of arbitrary code
when a malformed image file is processed.

For Debian 8 "Jessie", these problems have been fixed in version
8:6.8.9.9-5+deb8u16.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4443-1: samba security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4443-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2018-16860

Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos
extension used in Samba's Active Directory support was susceptible to
man-in-the-middle attacks caused by incomplete checksum validation.

Details can be found in the upstream advisory at
https://www.samba.org/samba/security/CVE-2018-16860.html

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.16+dfsg-1+deb9u2.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4444-1: linux security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4444-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 14, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug : 928125

Multiple researchers have discovered vulnerabilities in the way the
Intel processor designs have implemented speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system or cross guest/host boundaries to read
host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode. An updated intel-microcode package (only
available in Debian non-free) will be provided via a separate DSA. The
updated CPU microcode may also be available as part of a system firmware
("BIOS") update.

In addition, this update includes a fix for a regression causing
deadlocks inside the loopback driver, which was introduced by the update
to 4.9.168 in the last Stretch point release.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.168-1+deb9u2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4445-1: drupal7 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4445-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2019-11831

It was discovered that incomplete validation in a Phar processing
library embedded in Drupal, a fully-featured content management
framework, could result in information disclosure.

For additional information, please refer to the upstream advisory
at https://www.drupal.org/sa-core-2019-007.

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u9.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4446-1: lemonldap-ng security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4446-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 14, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lemonldap-ng
CVE ID : CVE-2019-12046

It was discovered that the Lemonldap::NG web SSO system performed
insuffient validation of session tokens if the "tokenUseGlobalStorage"
option is enabled, which could grant users with access to the main
session database access to an anonymous session.

For the stable distribution (stretch), this problem has been fixed in
version 1.9.7-3+deb9u1.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/