Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-80-1 libsndfile security update
ELA-81-1 systemd security update

Debian GNU/linux 8 LTS:
DLA 1652-1: libvncserver security update
DLA 1653-1: postgis security update



ELA-80-1 libsndfile security update

Package: libsndfile
Version: 1.0.25-9.1+deb7u5
Related CVE: CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 CVE-2017-17457 CVE-2018-13139 CVE-2018-19661 CVE-2018-19662 CVE-2018-19758
Several vulnerabilities were found in libsndfile, a library for reading and writing files containing sampled sound, that could cause denial of service or other unspecified impact via crafted input files.

For Debian 7 Wheezy, these problems have been fixed in version 1.0.25-9.1+deb7u5.

We recommend that you upgrade your libsndfile packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-81-1 systemd security update

Package: systemd
Version: 44-11+deb7u6
Related CVE: CVE-2018-1049 CVE-2018-15686
CVE-2018-15686

Jann Horn of Google discovered a vulnerability in unit_deserialize of
systemd that allows a local attacker to supply arbitrary state across
systemd re-execution via NotifyAccess. This can be used to improperly
influence systemd execution and possibly lead to root privilege escalation.
CVE-2018-1049

In systemd exists a race condition between .mount and .automount units such
that automount requests from kernel may not be serviced by systemd
resulting in kernel holding the mountpoint and any processes that try to
use said mount will hang. A race condition like this may lead to denial of
service, until mount points are unmounted.
For Debian 7 Wheezy, these problems have been fixed in version 44-11+deb7u6.

We recommend that you upgrade your systemd packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1652-1: libvncserver security update




Package : libvncserver
Version : 0.9.9+dfsg2-6.1+deb8u5
CVE ID : CVE-2018-15126 CVE-2018-20748 CVE-2018-20749 CVE-2018-20750

A vulnerability was found by Kaspersky Lab in libvncserver, a C library
to implement VNC server/client functionalities. In addition, some of the
vulnerabilities addressed in DLA 1617-1 were found to have incomplete
fixes, and have been addressed in this update.

CVE-2018-15126

An attacker can cause denial of service or remote code execution via
a heap use-after-free issue in the tightvnc-filetransfer extension.

CVE-2018-20748
CVE-2018-20749
CVE-2018-20750

Some of the out of bound heap write fixes for CVE-2018-20019 and
CVE-2018-15127 were incomplete. These CVEs address those issues.

For Debian 8 "Jessie", these problems have been fixed in version
0.9.9+dfsg2-6.1+deb8u5.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1653-1: postgis security update




Package : postgis
Version : 2.1.4+dfsg-3+deb8u1
CVE ID : CVE-2017-18359

It was found that the function ST_AsX3D in PostGIS, a module that
adds spatial objects to the PostgreSQL object-relational database, did
not handle empty values properly, allowing malicious users to cause
denial of service or possibly other unspecified behaviour.

For Debian 8 "Jessie", this problem has been fixed in version
2.1.4+dfsg-3+deb8u1.

We recommend that you upgrade your postgis packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS