
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1591-1: libphp-phpmailer security update
DLA 1592-1: otrs2 security update

Debian GNU/Linux 9:
DSA 4343-1: liblivemedia security update



DLA 1591-1: libphp-phpmailer security update




Package : libphp-phpmailer
Version : 5.2.9+dfsg-2+deb8u4
CVE IDs : CVE-2017-5223 CVE-2018-19296

It was discovered that there were two vulnerabilities in libphp-phpmailer, an
email library for the PHP programming language:

* CVE-2017-5223: Local file disclosure vulnerability via relative path
HTML transformations.

* CVE-2018-19296: Object injection attack.

For Debian 8 "Jessie", these issues have been fixed in libphp-phpmailer version
5.2.9+dfsg-2+deb8u4.

We recommend that you upgrade your libphp-phpmailer packages.




DLA 1592-1: otrs2 security update




Package : otrs2
Version : 3.3.18-1+deb8u7
CVE ID : CVE-2018-19141 CVE-2018-19143

Two security vulnerabilities were discovered in OTRS, a Ticket Request
System, that may lead to privilege escalation or arbitrary file write.

CVE-2018-19141

An attacker who is logged into OTRS as an admin user may manipulate
the URL to cause execution of JavaScript in the context of OTRS.

CVE-2018-19143

An attacker who is logged into OTRS as a user may manipulate the
submission form to cause deletion of arbitrary files that the OTRS
web server user has write access to.

Please also read the upstream advisory for CVE-2018-19141. If you
think you might be affected, you should consider running the
clean-up SQL statements mentioned there to remove possibly affected records.

https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/

For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u7.

We recommend that you upgrade your otrs2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4343-1: liblivemedia security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4343-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : liblivemedia
CVE ID : CVE-2018-4013

It was discovered that a buffer overflow in liveMedia, a set of C++
libraries for multimedia streaming, could result in the execution of
arbitrary code when parsing a malformed RTSP stream.

For the stable distribution (stretch), this problem has been fixed in
version 2016.11.28-1+deb9u1.

We recommend that you upgrade your liblivemedia packages.

For the detailed security status of liblivemedia please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/liblivemedia

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/