Debian 10227 Published by

The following updates for Debian GNU/Linux has been released:

Debian GNU/Linux 7 Extended LTS:
ELA-22-1 mutt security update

Debian GNU/Linux 8 LTS:
DLA 1414-2: mercurial regression update
DLA 1447-1: libidn security update
DLA 1449-1: openssl security update
DLA-1448-1: policykit-1 security update



ELA-22-1 mutt security update


Package: mutt
Version: 1.5.21-6.2+deb7u4
Related CVE: CVE-2018-14349 CVE-2018-14350 CVE-2018-14351 CVE-2018-14352 CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356 CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14362
Several vulnerabilities have been discovered in mutt, a sophisticated text-based Mail User Agent, resulting in denial of service, stack-based buffer overflow, arbitrary command execution, and directory travesal flaws.

For Debian 7 Wheezy, these problems have been fixed in version 1.5.21-6.2+deb7u4.

We recommend that you upgrade your mutt packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1414-2: mercurial regression update

Package : mercurial
Version : 3.1.2-2+deb8u6
CVE ID : CVE-2017-17458

The fix for arbitrary code execution documented in CVE-2017-17458 was
incomplete in the previous upload. A more exhaustive change was
implemented upstream and completely disables non-Mercurial
subrepositories unless users changed the subrepos.allowed setting.

For Debian 8 "Jessie", this problem has been fixed in version
3.1.2-2+deb8u6.

We recommend that you upgrade your mercurial packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1447-1: libidn security update

Package : libidn
Version : 1.29-1+deb8u3
CVE ID : CVE-2017-14062
Debian Bug : 873903


An integer overflow vulnerability was discovered in libidn, the GNU library for
Internationalized Domain Names (IDNs), in its Punycode handling (a Unicode
characters to ASCII encoding) allowing a remote attacker to cause a denial of
service against applications using the library.

For Debian 8 "Jessie", this problem has been fixed in version
1.29-1+deb8u3.

We recommend that you upgrade your libidn packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1449-1: openssl security update




Package : openssl
Version : 1.0.1t-1+deb8u9
CVE ID : CVE-2018-0732 CVE-2018-0737
Debian Bug : 895844

Two issues were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2018-0732

Denial of service by a malicious server that sends a very large
prime value to the client during TLS handshake.

CVE-2018-0737

Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and
Luis Manuel Alvarez Tapia discovered that the OpenSSL RSA Key
generation algorithm has been shown to be vulnerable to a cache
timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process
could recover the private key.

For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u9.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA-1448-1: policykit-1 security update




Package : policykit-1
Version : 0.105-15~deb8u3
CVE ID : CVE-2018-1116
Debian Bug : #903563

It was discovered that there was a denial of service vulnerability in
policykit-1, a framework for managing administrative policies and
privileges.

For Debian 8 "Jessie", this issue has been fixed in policykit-1 version
0.105-15~deb8u3.

We recommend that you upgrade your policykit-1 packages.