The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8 LTS:
DLA 1442-2: mailman regression update
DLA 1446-1: intel-microcode security update
Debian GNU/Linux 9:
DSA 4256-1: chromium-browser security update
DLA 1442-2: mailman regression update
Package : mailman
Version : 1:2.1.18-2+deb8u4
Debian Bug : 904680
The security update of mailman announced as DLA-1442-1 introduced a
regression due to an incomplete fix for CVE-2018-13796 that broke the
admin and listinfo overview pages.
For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u4.
We recommend that you upgrade your mailman packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1446-1: intel-microcode security update
Package : intel-microcode
Version : 3.20180703.2~deb8u1
CVE ID : CVE-2018-3639 CVE-2018-3640
Security researchers identified two software analysis methods that, if
used for malicious purposes, have the potential to improperly gather
sensitive data from multiple types of computing devices with different
vendors' processors and operating systems.
This update requires an update to the intel-microcode package, which
is non-free. Users who have already installed the version from
jessie-backports-sloppy do not need to upgrade.
CVE-2018-3639 - Speculative Store Bypass (SSB) - also known as Variant 4
Systems with microprocessors utilizing speculative execution and
speculative execution of memory reads before the addresses of all
prior memory writes are known may allow unauthorized disclosure of
information to an attacker with local user access via a side-channel
analysis.
CVE-2018-3640 - Rogue System Register Read (RSRE) - also known as
Variant 3a
Systems with microprocessors utilizing speculative execution and
that perform speculative reads of system registers may allow
unauthorized disclosure of system parameters to an attacker with
local user access via a side-channel analysis.
For Debian 8 "Jessie", these problems have been fixed in version
3.20180703.2~deb8u1.
We recommend that you upgrade your intel-microcode packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4256-1: chromium-browser security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4256-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
July 26, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium-browser
CVE ID : CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151
CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155
CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159
CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164
CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168
CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172
CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176
CVE-2018-6177 CVE-2018-6178 CVE-2018-6179
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2018-4117
AhsanEjaz discovered an information leak.
CVE-2018-6044
Rob Wu discovered a way to escalate privileges using extensions.
CVE-2018-6150
Rob Wu discovered an information disclosure issue (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).
CVE-2018-6151
Rob Wu discovered an issue in the developer tools (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).
CVE-2018-6152
Rob Wu discovered an issue in the developer tools (this problem was
fixed in a previous release but was mistakenly omitted from upstream's
announcement at the time).
CVE-2018-6153
Zhen Zhou discovered a buffer overflow issue in the skia library.
CVE-2018-6154
Omair discovered a buffer overflow issue in the WebGL implementation.
CVE-2018-6155
Natalie Silvanovich discovered a use-after-free issue in the WebRTC
implementation.
CVE-2018-6156
Natalie Silvanovich discovered a buffer overflow issue in the WebRTC
implementation.
CVE-2018-6157
Natalie Silvanovich discovered a type confusion issue in the WebRTC
implementation.
CVE-2018-6158
Zhe Jin discovered a use-after-free issue.
CVE-2018-6159
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6161
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6162
Omair discovered a buffer overflow issue in the WebGL implementation.
CVE-2018-6163
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6164
Jun Kokatsu discovered a way to bypass the same origin policy.
CVE-2018-6165
evil1m0 discovered a URL spoofing issue.
CVE-2018-6166
Lynas Zhang discovered a URL spoofing issue.
CVE-2018-6167
Lynas Zhang discovered a URL spoofing issue.
CVE-2018-6168
Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross
Origin Resource Sharing policy.
CVE-2018-6169
Sam P discovered a way to bypass permissions when installing
extensions.
CVE-2018-6170
A type confusion issue was discovered in the pdfium library.
CVE-2018-6171
A use-after-free issue was discovered in the WebBluetooth
implementation.
CVE-2018-6172
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6173
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6174
Mark Brand discovered an integer overflow issue in the swiftshader
library.
CVE-2018-6175
Khalil Zhani discovered a URL spoofing issue.
CVE-2018-6176
Jann Horn discovered a way to escalate privileges using extensions.
CVE-2018-6177
Ron Masas discovered an information leak.
CVE-2018-6178
Khalil Zhani discovered a user interface spoofing issue.
CVE-2018-6179
It was discovered that information about files local to the system
could be leaked to extensions.
This version also fixes a regression introduced in the previous security
update that could prevent decoding of particular audio/video codecs.
For the stable distribution (stretch), these problems have been fixed in
version 68.0.3440.75-1~deb9u1.
We recommend that you upgrade your chromium-browser packages.
For the detailed security status of chromium-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium-browser
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/