Debian 10228 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1500-2: openssh regression update
DLA 1502-1: mgetty security update
DLA 1503-1: kamailio security update



DLA 1500-2: openssh regression update

Package : openssh
Version : 1:6.7p1-5+deb8u7
Debian Bug : 908652


The security update of OpenSSH announced as DLA 1500-1 introduced a bug in
openssh-client: when X11 forwarding is enabled (via system-wide
configuration in ssh_config or via -X command line switch), but no DISPLAY
is set, the client produces a "DISPLAY "(null)" invalid; disabling X11
forwarding" warning. These bug was introduced by the patch set to fix the
CVE-2016-1908 issue. For reference, the following is the relevant section
of the original announcement:

CVE-2016-1908

OpenSSH mishandled untrusted X11 forwarding when the X server disables
the SECURITY extension. Untrusted connections could obtain trusted X11
forwarding privileges. Reported by Thomas Hoger.

For Debian 8 "Jessie", this problem has been fixed in version
1:6.7p1-5+deb8u7.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1502-1: mgetty security update




Package : mgetty
Version : 1.1.36-2.1+deb8u1
CVE ID : CVE-2018-16741


Two input sanitization failures have been found in the faxrunq and faxq
binaries in mgetty. An attacker could leverage them to insert commands
via shell metacharacters in jobs id and have them executed with the
privilege of the faxrunq/faxq user.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.36-2.1+deb8u1.

We recommend that you upgrade your mgetty packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1503-1: kamailio security update




Package : kamailio
Version : 4.2.0-2+deb8u5
CVE ID : CVE-2018-16657
Debian Bug : #908324

It was discovered that there was a denial of service and a potential
arbitrary code execution vulnerability in the kamailio SIP server.

A specially-crafted SIP message with an invalid "Via" header could cause a
segmentation fault and crash Kamailio due to missing input validation.

For Debian 8 "Jessie", this issue has been fixed in kamailio version
4.2.0-2+deb8u5.

We recommend that you upgrade your kamailio packages.