The following security updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8 LTS:
DLA 1591-1: libphp-phpmailer security update
DLA 1592-1: otrs2 security update
Debian GNU/Linux 9:
DSA 4343-1: liblivemedia security update
DLA 1591-1: libphp-phpmailer security update
Package : libphp-phpmailer
Version : 5.2.9+dfsg-2+deb8u4
CVE IDs : CVE-2017-5223 CVE-2018-19296
It was discovered that there were two vulnerabilities in libphp-phpmailer, an
email library for the PHP programming language:
* CVE-2017-5223: Local file disclosure vulnerability via relative path
HTML transformations.
* CVE-2018-19296: Object injection attack.
For Debian 8 "Jessie", this issue has been fixed in libphp-phpmailer version
5.2.9+dfsg-2+deb8u4.
We recommend that you upgrade your libphp-phpmailer packages.
DLA 1592-1: otrs2 security update
Package : otrs2
Version : 3.3.18-1+deb8u7
CVE ID : CVE-2018-19141 CVE-2018-19143
Two security vulnerabilities were discovered in OTRS, a Ticket Request
System, that may lead to privilege escalation or arbitrary file write.
CVE-2018-19141
An attacker who is logged into OTRS as an admin user may manipulate
the URL to cause execution of JavaScript in the context of OTRS.
CVE-2018-19143
An attacker who is logged into OTRS as a user may manipulate the
submission form to cause deletion of arbitrary files that the OTRS
web server user has write access to.
Please also read the upstream advisory for CVE-2018-19141. If you
think you might be affected then you should consider running the
mentioned clean-up SQL statements to remove possibly affected records.
https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/
For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u7.
We recommend that you upgrade your otrs2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4343-1: liblivemedia security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4343-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 23, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : liblivemedia
CVE ID : CVE-2018-4013
It was discovered that a buffer overflow in liveMedia, a set of C++
libraries for multimedia streaming, could result in the execution of
arbitrary code when parsing a malformed RTSP stream.
For the stable distribution (stretch), this problem has been fixed in
version 2016.11.28-1+deb9u1.
We recommend that you upgrade your liblivemedia packages.
For the detailed security status of liblivemedia please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/liblivemedia
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/