Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1932-1: openssl security update
DLA 1933-1: ruby-nokogiri security update

Debian GNU/Linux 10:
DSA 4533-1: lemonldap-ng security update



DLA 1932-1: openssl security update

Package : openssl
Version : 1.0.1t-1+deb8u12
CVE ID : CVE-2019-1547 CVE-2019-1563

Two security vulnerabilities were found in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2019-1547

Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some
cases, it is possible to construct a group using explicit parameters
(instead of using a named curve). In those cases it is possible that
such a group does not have the cofactor present. This can occur even
where all the parameters match a known named curve. If such a curve
is used then OpenSSL falls back to non-side channel resistant code
paths which may result in full key recovery during an ECDSA
signature operation. In order to be vulnerable an attacker
would have to have the ability to time the creation of a large
number of signatures where explicit parameters with no co-factor
present are in use by an application using libcrypto. For the
avoidance of doubt libssl is not vulnerable because explicit
parameters are never used.

CVE-2019-1563

In situations where an attacker receives automated notification of
the success or failure of a decryption attempt an attacker, after
sending a very large number of messages to be decrypted, can recover
a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted
message that was encrypted with the public RSA key, using a
Bleichenbacher padding oracle attack. Applications are not affected
if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct
recipient info to decrypt.

For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u12.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1933-1: ruby-nokogiri security update




Package : ruby-nokogiri
Version : 1.6.3.1+ds-1+deb8u1
CVE ID : CVE-2019-5477

A command injection vulnerability in Nokogiri allows commands to be executed in
a subprocess by Ruby's `Kernel.open` method.

For Debian 8 "Jessie", this problem has been fixed in version
1.6.3.1+ds-1+deb8u1.

We recommend that you upgrade your ruby-nokogiri packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4533-1: lemonldap-ng security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4533-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 25, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lemonldap-ng
CVE ID : CVE-2019-15941

It was discovered that the Lemonldap::NG web SSO system did not restrict
OIDC authorization codes to the relying party.

For the stable distribution (buster), this problem has been fixed in
version 2.0.2+ds-7+deb10u2.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/