Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1654-1: libav security update
DLA 1660-1: rssh security update
DLA 1661-1: mumble security update
DLA 1662-1: libthrift-java security update
DLA 1664-1: golang security update
DLA 1665-1: netmask security update

Debian GNU/Linux 9:
DSA 4386-1: curl security update



DLA 1654-1: libav security update

Package : libav
Version : 6:11.12-1~deb8u5
CVE ID : CVE-2014-8542 CVE-2015-1207 CVE-2017-7863 CVE-2017-7865
CVE-2017-14169 CVE-2017-14223


Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2014-8542

libavcodec/utils.c omitted a certain codec ID during enforcement of
alignment, which allowed remote attackers to cause a denial of ervice
(out-of-bounds access) or possibly have unspecified other impact via
crafted JV data.

CVE-2015-1207

Double-free vulnerability in libavformat/mov.c allowed remote
attackers to cause a denial of service (memory corruption and crash)
via a crafted .m4a file.

CVE-2017-7863

libav had an out-of-bounds write caused by a heap-based buffer
overflow related to the decode_frame_common function in
libavcodec/pngdec.c.

CVE-2017-7865

libav had an out-of-bounds write caused by a heap-based buffer
overflow related to the ipvideo_decode_block_opcode_0xA function in
libavcodec/interplayvideo.c and the avcodec_align_dimensions2
function in libavcodec/utils.c.

CVE-2017-14169

In the mxf_read_primer_pack function in libavformat/mxfdec.c in, an
integer signedness error might have occured when a crafted file,
claiming a large "item_num" field such as 0xffffffff, was provided.
As a result, the variable "item_num" turned negative, bypassing the
check for a large value.

CVE-2017-14223

In libavformat/asfdec_f.c a DoS in asf_build_simple_index() due to
lack of an EOF (End of File) check might have caused huge CPU
consumption. When a crafted ASF file, claiming a large "ict" field in
the header but not containing sufficient backing data, was provided,
the for loop would have consumed huge CPU and memory resources, since
there was no EOF check inside the loop.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u5.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1660-1: rssh security update

Package : rssh
Version : 2.3.4-4+deb8u2
CVE ID : CVE-2019-3463 CVE-2019-3464

More vulnerabilities were found by Nick Cleaton in the rssh code that
could lead to arbitrary code execution under certain circumstances.

CVE-2019-3463

reject rsync --daemon and --config command-line options; arbitrary
command execution

CVE-2019-3464

prevent popt to load a ~/.popt configuration file, leading to
arbitrary command execution

For Debian 8 "Jessie", these problems have been fixed in version
2.3.4-4+deb8u2.

We recommend that you upgrade your rssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--



DLA 1661-1: mumble security update




Package : mumble
Version : 1.2.8-2+deb8u1
CVE ID : CVE-2018-20743
Debian Bug : 919249


It has been found that the mumble-server mishandles multiple
concurrent requests that are persisted in the database, which allows
remote attackers to cause a denial of service (daemon hang or crash)
via a message flood. With the new security update a rate limiter is
added with Leaky-Bucket algorithm.

For Debian 8 "Jessie", this problem has been fixed in version
1.2.8-2+deb8u1.

We recommend that you upgrade your mumble packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1662-1: libthrift-java security update




Package : libthrift-java
Version : 0.9.1-2+deb8u1
CVE ID : CVE-2018-1320
Debian Bug : 918736

It was discovered that it was possible to bypass SASL negotiation
isComplete validation in libthrift-java, Java language support for the
Apache Thrift software framework. An assert used to determine if the
SASL handshake had successfully completed could be disabled in
production settings making the validation incomplete.

For Debian 8 "Jessie", this problem has been fixed in version
0.9.1-2+deb8u1.

We recommend that you upgrade your libthrift-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1664-1: golang security update




Package : golang
Version : 2:1.3.3-1+deb8u1
CVE ID : CVE-2019-6486
Debian Bug : #920548

It was discovered that there was a denial of service vulnerability
or possibly even the ability to conduct private key recovery
attacks within in the elliptic curve cryptography handling in the
Go programming language libraries.

For Debian 8 "Jessie", this issue has been fixed in golang version
2:1.3.3-1+deb8u1.

We recommend that you upgrade your golang packages.




DLA 1665-1: netmask security update

Package : netmask
Version : 2.3.12+deb8u1
Debian Bug : 921565

A buffer overflow was found in netmask which would crash when called
with arbitrarily long inputs.

For Debian 8 "Jessie", this problem has been fixed in version
2.3.12+deb8u1.

We recommend that you upgrade your netmask packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4386-1: curl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4386-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
February 06, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

Multiple vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-16890

Wenxiang Qian of Tencent Blade Team discovered that the function
handling incoming NTLM type-2 messages does not validate incoming
data correctly and is subject to an integer overflow vulnerability,
which could lead to an out-of-bounds buffer read.

CVE-2019-3822

Wenxiang Qian of Tencent Blade Team discovered that the function
creating an outgoing NTLM type-3 header is subject to an integer
overflow vulnerability, which could lead to an out-of-bounds write.

CVE-2019-3823

Brian Carpenter of Geeknik Labs discovered that the code handling
the end-of-response for SMTP is subject to an out-of-bounds heap
read.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u9.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/