Debian 10225 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1405-1: libgcrypt20 security update
It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys

DLA 1406-1: firefox-esr security update
Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors and other implementation errors may lead to the execution of arbitrary code, denial of service, cross-site request forgery or information disclosure

DLA 1407-1: mariadb-10.0 security update
Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.35

DLA 1408-1: simplesamlphp security update
This address two security issues

DLA 1409-1: mosquitto security update
Fix to avoid extraordinary memory consumption by crafted CONNECT packet from unauthenticated client. In case all sockets/file descriptors are exhausted, this is a fix to avoid default config values after reloading configuration by SIGHUP signal



DLA 1405-1: libgcrypt20 security update




Package : libgcrypt20
Version : 1.6.3-2+deb8u5
CVE ID : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack
allowing recovery of ECDSA private keys.

For Debian 8 "Jessie", these problems have been fixed in version
1.6.3-2+deb8u5.

We recommend that you upgrade your libgcrypt20 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1406-1: firefox-esr security update




Package : firefox-esr
Version : 52.9.0esr-1~deb8u1
CVE ID : CVE-2018-5156 CVE-2018-5188 CVE-2018-12359 CVE-2018-12360
CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365
CVE-2018-12366

Several security issues have been found in the Mozilla Firefox web
browser: Multiple memory safety errors and other implementation errors may
lead to the execution of arbitrary code, denial of service, cross-site
request forgery or information disclosure.

For Debian 8 "Jessie", these problems have been fixed in version
52.9.0esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1407-1: mariadb-10.0 security update




Package : mariadb-10.0
Version : 10.0.35-0+deb8u1
CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2018-2562 CVE-2018-2612
CVE-2018-2622 CVE-2018-2640 CVE-2018-2665 CVE-2018-2668
CVE-2018-2755 CVE-2018-2761 CVE-2018-2766 CVE-2018-2771
CVE-2018-2781 CVE-2018-2782 CVE-2018-2784 CVE-2018-2787
CVE-2018-2813 CVE-2018-2817 CVE-2018-2819

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.35. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10033-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10034-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-10035-release-notes/

For Debian 8 "Jessie", these problems have been fixed in version
10.0.35-0+deb8u1.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1408-1: simplesamlphp security update




Package : simplesamlphp
Version : 1.13.1-2+deb8u2
CVE ID : CVE-2017-12868 CVE-2017-12872


CVE-2017-12872 / CVE-2017-12868

The (1) Htpasswd authentication source in the authcrypt module and (2)
SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow
remote attackers to conduct timing side-channel attacks by leveraging
use of the standard comparison operator to compare secret material
against user input.

CVE-2017-12868 was a about an improper fix of CVE-2017-12872 in the
initial patch released by upstream. We have used the correct patch.


For Debian 8 "Jessie", these problems have been fixed in version
1.13.1-2+deb8u2.

We recommend that you upgrade your simplesamlphp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1409-1: mosquitto security update




Package : mosquitto
Version : 1.3.4-2+deb8u2
CVE ID : CVE-2017-7651 CVE-2017-7652


CVE-2017-7651
fix to avoid extraordinary memory consumption by crafted
CONNECT packet from unauthenticated client

CVE-2017-7652
in case all sockets/file descriptors are exhausted, this is a
fix to avoid default config values after reloading configuration
by SIGHUP signal


For Debian 8 "Jessie", these problems have been fixed in version
1.3.4-2+deb8u2.

We recommend that you upgrade your mosquitto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS