Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-83-1 php5 security update

Debian GNU/Linux 8 LTS:
DLA 1670-1: ghostscript security update
DLA 1671-1: coturn security update
DLA 1672-1: curl security update
DLA 1673-1: wordpress security update
DLA 1674-1: php5 security update

Debian GNU/Linux 9:
DSA 4377-2: rssh regression update
DSA 4389-1: libu2f-host security update



ELA-83-1 php5 security update

Package: php5
Version: 5.4.45-0+deb7u18
Related: CVE
Several heap-based buffer overflows were found in PHP, the widely-used general-purpose scripting language, which may lead to information disclosure, memory corruption or other unspecified impact if a malformed file or other input is processed.

At the moment no CVE numbers have been assigned yet but PHP upstream intends to announce them later.

For Debian 7 Wheezy, these problems have been fixed in version 5.4.45-0+deb7u18.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1670-1: ghostscript security update




Package : ghostscript
Version : 9.26a~dfsg-0+deb8u1
CVE ID : CVE-2019-6116

Tavis Ormandy discovered a vulnerability in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

For Debian 8 "Jessie", this problem has been fixed in version
9.26a~dfsg-0+deb8u1.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1671-1: coturn security update




Package : coturn
Version : 4.2.1.2-1+deb8u1
CVE ID : CVE-2018-4056 CVE-2018-4058 CVE-2018-4059

Multiple vulnerabilities were discovered in coTURN, a TURN and STUN server for
VoIP.

CVE-2018-4056

An SQL injection vulnerability was discovered in the coTURN administrator
web portal. As the administration web interface is shared with the
production, it is unfortunately not possible to easily filter outside
access and this security update completely disables the web interface. Users
should use the local, command line interface instead.

CVE-2018-4058

Default configuration enables unsafe loopback forwarding. A remote attacker
with access to the TURN interface can use this vulnerability to gain access
to services that should be local only.

CVE-2018-4059

Default configuration uses an empty password for the local command line
administration interface. An attacker with access to the local console
(either a local attacker or a remote attacker taking advantage of
CVE-2018-4058) could escalade privileges to administrator of the coTURN
server.

For Debian 8 "Jessie", these problems have been fixed in version
4.2.1.2-1+deb8u1.

We recommend that you upgrade your coturn packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1672-1: curl security update




Package : curl
Version : 7.38.0-4+deb8u14
CVE IDs : CVE-2018-16890 CVE-2019-3822 CVE-2019-3823

It was discovered that there were three vulnerabilities in the curl
command-line HTTP (etc.) client:

* CVE-2018-16890: A heap buffer out-of-bounds read vulnerability in
the handling of NTLM type-2 messages.

* CVE-2019-3822: Stack-based buffer overflow in the handling of
outgoing NTLM type-3 headers.

* CVE-2019-3823: Heap out-of-bounds read in code handling
the end of a response in the SMTP protocol.

For Debian 8 "Jessie", this issue has been fixed in curl version
7.38.0-4+deb8u14.

We recommend that you upgrade your curl packages.




DLA 1673-1: wordpress security update




Package : wordpress
Version : 4.1.25+dfsg-1+deb8u1
CVE ID : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149
CVE-2018-20150 CVE-2018-20151 CVE-2018-20152
CVE-2018-20153
Debian Bug : 916403


CVE-2018-20147

Authors could modify metadata to bypass intended restrictions on
deleting files.

CVE-2018-20148
Contributors could conduct PHP object injection attacks via crafted
metadata in a wp.getMediaItem XMLRPC call. This is caused by
mishandling of serialized data at phar:// URLs in the
wp_get_attachment_thumb_file function in wp-includes/post.php.

CVE-2018-20149

When the Apache HTTP Server is used, authors could upload crafted
files that bypass intended MIME type restrictions, leading to XSS,
as demonstrated by a .jpg file without JPEG data.

CVE-2018-20150

Crafted URLs could trigger XSS for certain use cases involving
plugins.

CVE-2018-20151

The user-activation page could be read by a search engine's web
crawler if an unusual configuration were chosen. The search engine
could then index and display a user's e-mail address and (rarely)
the password that was generated by default.

CVE-2018-20152

Authors could bypass intended restrictions on post types via crafted
input.

CVE-2018-20153

Contributors could modify new comments made by users with greater
privileges, possibly causing XSS.


For Debian 8 "Jessie", these problems have been fixed in version
4.1.25+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1674-1: php5 security update




Package : php5
Version : 5.6.39+dfsg-0+deb8u2
CVE ID : CVE-2018-1000888


php-pear in php5 contains CWE-502 (Deserialization of Untrusted Data)
and CWE-915 (Improperly Controlled Modification of
Dynamically-Determined Object Attributes) vulnerabilities in its
Archive_Tar class. When extract is called without a specific prefix
path, can trigger unserialization by crafting a tar file with
`phar://[path_to_malicious_phar_file]` as path. Object injection can
be used to trigger destruct in the loaded PHP classes, all with
possible remote code execution that can result in files being deleted
or possibly modified.

For Debian 8 "Jessie", this problem has been fixed in version
5.6.39+dfsg-0+deb8u2.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4377-2: rssh regression update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4377-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 11, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rssh
Debian Bug : 921655

The update for rssh issued as DSA 4377-1 introduced a regression that
blocked scp of multiple files from a server using rssh. Updated packages
are now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 2.3.4-5+deb9u3.

We recommend that you upgrade your rssh packages.

For the detailed security status of rssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4389-1: libu2f-host security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4389-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
February 11, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libu2f-host
CVE ID : CVE-2018-20340
Debian Bug : 921725

Christian Reitter discovered that libu2f-host, a library implementing
the host-side of the U2F protocol, failed to properly check for a
buffer overflow. This would allow an attacker with a custom made
malicious USB device masquerading as a security key, and physical
access to a computer where PAM U2F or an application with libu2f-host
integrated, to potentially execute arbitrary code on that computer.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.2-2+deb9u1.

We recommend that you upgrade your libu2f-host packages.

For the detailed security status of libu2f-host please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libu2f-host

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/