The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 LTS:
DLA 1265-1: krb5 security update
Debian GNU/Linux 9:
DSA 4103-1: chromium-browser security update
Debian GNU/Linux 7 LTS:
DLA 1265-1: krb5 security update
Debian GNU/Linux 9:
DSA 4103-1: chromium-browser security update
DLA 1265-1: krb5 security update
Package : krb5
Version : 1.10.1+dfsg-5+deb7u9
CVE ID : CVE-2013-1418 CVE-2014-5351 CVE-2014-5353
CVE-2014-5355 CVE-2016-3119 CVE-2016-3120
Debian Bug : 728845 762479 773226 778647 819468 832572
Kerberos, a system for authenticating users and services on a network,
was affected by several vulnerabilities. The Common Vulnerabilities
and Exposures project identifies the following issues.
CVE-2013-1418
Kerberos allows remote attackers to cause a denial of service
(NULL pointer dereference and daemon crash) via a crafted request
when multiple realms are configured.
CVE-2014-5351
Kerberos sends old keys in a response to a -randkey -keepold
request, which allows remote authenticated users to forge tickets by
leveraging administrative access.
CVE-2014-5353
When the KDC uses LDAP, allows remote authenticated users to cause a
denial of service (daemon crash) via a successful LDAP query with no
results, as demonstrated by using an incorrect object type for a
password policy.
CVE-2014-5355
Kerberos expects that a krb5_read_message data field is represented
as a string ending with a '\0' character, which allows remote
attackers to (1) cause a denial of service (NULL pointer
dereference) via a zero-byte version string or (2) cause a denial of
service (out-of-bounds read) by omitting the '\0' character,
CVE-2016-3119
Kerberos allows remote authenticated users to cause a denial of
service (NULL pointer dereference and daemon crash) via a crafted
request to modify a principal.
CVE-2016-3120
Kerberos allows remote authenticated users to cause a denial of
service (NULL pointer dereference and daemon crash) via an S4U2Self
request.
For Debian 7 "Wheezy", these problems have been fixed in version
1.10.1+dfsg-5+deb7u9.
We recommend that you upgrade your krb5 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4103-1: chromium-browser security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4103-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
January 31, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium-browser
CVE ID : CVE-2017-15420 CVE-2017-15429 CVE-2018-6031 CVE-2018-6032
CVE-2018-6033 CVE-2018-6034 CVE-2018-6035 CVE-2018-6036
CVE-2018-6037 CVE-2018-6038 CVE-2018-6039 CVE-2018-6040
CVE-2018-6041 CVE-2018-6042 CVE-2018-6043 CVE-2018-6045
CVE-2018-6046 CVE-2018-6047 CVE-2018-6048 CVE-2018-6049
CVE-2018-6050 CVE-2018-6051 CVE-2018-6052 CVE-2018-6053
CVE-2018-6054
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2017-15420
Drew Springall discovered a URL spoofing issue.
CVE-2017-15429
A cross-site scripting issue was discovered in the v8 javascript
library.
CVE-2018-6031
A use-after-free issue was discovered in the pdfium library.
CVE-2018-6032
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6033
Juho Nurminen discovered a race condition when opening downloaded
files.
CVE-2018-6034
Tobias Klein discovered an integer overflow issue.
CVE-2018-6035
Rob Wu discovered a way for extensions to access devtools.
CVE-2018-6036
UK's National Cyper Security Centre discovered an integer overflow
issue.
CVE-2018-6037
Paul Stone discovered an issue in the autofill feature.
CVE-2018-6038
cloudfuzzer discovered a buffer overflow issue.
CVE-2018-6039
Juho Nurminen discovered a cross-site scripting issue in the
developer tools.
CVE-2018-6040
WenXu Wu discovered a way to bypass the content security policy.
CVE-2018-6041
Luan Herrera discovered a URL spoofing issue.
CVE-2018-6042
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6043
A character escaping issue was discovered.
CVE-2018-6045
Rob Wu discovered a way for extensions to access devtools.
CVE-2018-6046
Rob Wu discovered a way for extensions to access devtools.
CVE-2018-6047
Masato Kinugawa discovered an information leak issue.
CVE-2018-6048
Jun Kokatsu discoverd a way to bypass the referrer policy.
CVE-2018-6049
WenXu Wu discovered a user interface spoofing issue.
CVE-2018-6050
Jonathan Kew discovered a URL spoofing issue.
CVE-2018-6051
Anonio Sanso discovered an information leak issue.
CVE-2018-6052
Tanner Emek discovered that the referrer policy implementation
was incomplete.
CVE-2018-6053
Asset Kabdenov discoved an information leak issue.
CVE-2018-6054
Rob Wu discovered a use-after-free issue.
For the oldstable distribution (jessie), security support for chromium
has been discontinued.
For the stable distribution (stretch), these problems have been fixed in
version 64.0.3282.119-1~deb9u1.
We recommend that you upgrade your chromium-browser packages.
For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
