Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1513-1: openafs security update
DLA 1514-1: texlive-bin security update

Debian GNU/Linux 9:
DSA 4299-1: texlive-bin security update



DLA 1513-1: openafs security update




Package : openafs
Version : 1.6.9-2+deb8u8
CVE ID : CVE-2018-16947 CVE-2018-16948 CVE-2018-16949
Debian Bug : 908616

Several security vulnerabilities were discovered in OpenAFS, a
distributed file system.

CVE-2018-16947

The backup tape controller process accepts incoming RPCs but does
not require (or allow for) authentication of those RPCs. Handling
those RPCs results in operations being performed with administrator
credentials, including dumping/restoring volume contents and
manipulating the backup database.

CVE-2018-16948

Several RPC server routines did not fully initialize their output
variables before returning, leaking memory contents from both the
stack and the heap. Because the OpenAFS cache manager functions as
an Rx server for the AFSCB service, clients are also susceptible to
information leakage.

CVE-2018-16949

Several data types used as RPC input variables were implemented as
unbounded array types, limited only by the inherent 32-bit length
field to 4GB. An unauthenticated attacker could send, or claim to
send, large input values and consume server resources waiting for
those inputs, denying service to other valid connections.


For Debian 8 "Jessie", these problems have been fixed in version
1.6.9-2+deb8u8.

We recommend that you upgrade your openafs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1514-1: texlive-bin security update

Package : texlive-bin
Version : 2014.20140926.35254-6+deb8u1
CVE ID : not yet available

Nick Roessler from the University of Pennsylvania has found a buffer overflow
in texlive-bin, the executables for TexLive, the popular distribution of TeX
document production system.

This buffer overflow can be used for arbitrary code execution by crafting a
special type1 font (.pfb) and provide it to users running pdf(la)tex, dvips or
luatex in a way that the font is loaded.

For Debian 8 "Jessie", this problem has been fixed in version
2014.20140926.35254-6+deb8u1.

We recommend that you upgrade your texlive-bin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams



DSA 4299-1: texlive-bin security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4299-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
September 21, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : texlive-bin
CVE : not yet available

Nick Roessler from the University of Pennsylvania has found a buffer overflow
in texlive-bin, the executables for TexLive, the popular distribution of TeX
document production system.

This buffer overflow can be used for arbitrary code execution by crafting a
special type1 font (.pfb) and provide it to users running pdf(la)tex, dvips or
luatex in a way that the font is loaded.

For the stable distribution (stretch), this problem has been fixed in
version 2016.20160513.41080.dfsg-2+deb9u1.

We recommend that you upgrade your texlive-bin packages.

For the detailed security status of texlive-bin please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/texlive-bin

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/