Debian 10260 Published by

The following two security updates has been released for Debian GNU/Linux 8 LTS:

DLA 1971-1: libarchive security update
DLA 1972-1: mosquitto security update



DLA 1971-1: libarchive security update

Package : libarchive
Version : 3.1.2-11+deb8u8
CVE ID : CVE-2019-18408


An issue has been found in libarchive, a multi-format archive and
compression library.

In case of a crafted archive containing several parts and one part being
corrupt, there would be an use-after-free for the next part of the
archive.


For Debian 8 "Jessie", this problem has been fixed in version
3.1.2-11+deb8u8.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1972-1: mosquitto security update

Package : mosquitto
Version : 1.3.4-2+deb8u4
CVE ID : CVE-2017-7655 CVE-2018-12550 CVE-2018-12551
CVE-2019-11779


Several issues have been found in mosquitto, a MQTT version 3.1/3.1.1
compatible message broker.

CVE-2017-7655

A Null dereference vulnerability in the Mosquitto library could
lead to crashes for those applications using the library.


CVE-2018-12550

An ACL file with no statements was treated as having a default
allow policy. The new behaviour of an empty ACL file is a default
policy of access denied.
(this is in compliance with all newer releases)


CVE-2018-12551

Malformed authentication data in the password file could allow
clients to circumvent authentication and get access to the broker.


CVE-2019-11779

Fix for processing a crafted SUBSCRIBE packet containing a topic
that consists of approximately 65400 or more '/' characters.
(setting TOPIC_HIERARCHY_LIMIT to 200)


For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u4.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS