
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1326-1: php5 security update
DLA 1327-1: thunderbird security update
DLA 1328-1: xerces-c security update
DLA 1329-1: memcached security update

Debian GNU/Linux 8 and 9:
DSA 4157-1: openssl security update

Debian GNU/Linux 9:
DSA 4158-1: openssl1.0 security update



DLA 1326-1: php5 security update
Package : php5
Version : 5.4.45-0+deb7u13
CVE ID : CVE-2018-7584

Wei Lei and Liu Yang of Nanyang Technological University discovered a
stack-based buffer overflow in PHP5 when parsing a malformed HTTP
response, which can be exploited to cause a denial of service.

For Debian 7 "Wheezy", this problem has been fixed in version
5.4.45-0+deb7u13.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1327-1: thunderbird security update
Package : thunderbird
Version : 1:52.7.0-1~deb7u1
CVE ID : CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or information
disclosure.

For Debian 7 "Wheezy", these problems have been fixed in version
1:52.7.0-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1328-1: xerces-c security update
Package : xerces-c
Version : 3.1.1-3+deb7u5
CVE ID : CVE-2017-12627
Debian Bug : 894050

Alberto Garcia, Francisco Oca and Suleman Ali of Offensive Research
discovered that the Xerces-C XML parser mishandles certain kinds of
external DTD references, resulting in dereference of a NULL pointer
while processing the path to the DTD. The bug allows for a denial of
service attack in applications that allow DTD processing and do not
prevent external DTD usage, and could conceivably result in remote code
execution.

For Debian 7 "Wheezy", this problem has been fixed in version
3.1.1-3+deb7u5.

We recommend that you upgrade your xerces-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1329-1: memcached security update

Package : memcached
Version : 1.4.13-0.2+deb7u4
CVE ID : CVE-2018-1000127
Debian Bug : #894404

memcached versions prior to 1.4.37 contain an integer overflow
vulnerability that can result in data corruption and deadlocks. The
issue is exploitable by anyone with network connectivity to the
memcached service.

For Debian 7 "Wheezy", this problem has been fixed in version
1.4.13-0.2+deb7u4.

We recommend that you upgrade your memcached packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4157-1: openssl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4157-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2017-3738 CVE-2018-0739

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. The Common Vulnerabilities and Exposures project
identifies the following issues:

CVE-2017-3738

David Benjamin of Google reported an overflow bug in the AVX2
Montgomery multiplication procedure used in exponentiation with
1024-bit moduli.

CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial
of service.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20180327.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 1.0.1t-1+deb8u8. The oldstable distribution is not affected
by CVE-2017-3738.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.0f-3+deb9u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4158-1: openssl1.0 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4158-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 29, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2018-0739

It was discovered that constructed ASN.1 types with a recursive
definition could exceed the stack, potentially leading to a denial of
service.

Details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20180327.txt

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2l-2+deb9u3.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
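Each advisory above ends with "we recommend that you upgrade"; the practical check is whether the installed version is at or above the fixed version quoted. As an added example (not part of the advisories, and not dpkg's own code), the following reimplements dpkg's version ordering in Python, including epochs (1:52.7.0), tilde suffixes (~deb7u1, which sort before the plain revision) and numeric fields, and checks a constructed map of installed versions against the fixed versions from this page. It assumes the map is keyed by source package name, as the advisories are.

```python
import re
from itertools import zip_longest

def _order(c: str) -> int:
    # dpkg's ordering of non-digit characters: '~' < end/digit < letters < other
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Walk both strings as alternating (non-digit, digit) runs, like dpkg's verrevcmp()
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (an, ad), (bn, bd) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for x, y in zip_longest(an, bn, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(ad or 0) != int(bd or 0):  # digit runs compare numerically
            return int(ad or 0) - int(bd or 0)
    return 0

def _split(v: str):
    # '[epoch:]upstream[-debian_revision]'; the last '-' separates the revision
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

# Fixed versions quoted from the advisories above, keyed by suite and source package.
FIXED = {
    "wheezy": {"php5": "5.4.45-0+deb7u13", "thunderbird": "1:52.7.0-1~deb7u1",
               "xerces-c": "3.1.1-3+deb7u5", "memcached": "1.4.13-0.2+deb7u4"},
    "jessie": {"openssl": "1.0.1t-1+deb8u8"},
    "stretch": {"openssl": "1.1.0f-3+deb9u2", "openssl1.0": "1.0.2l-2+deb9u3"},
}

def outdated(suite: str, installed: dict) -> list:
    """Packages whose installed version (a constructed map) is below the fix for `suite`."""
    fixed = FIXED.get(suite, {})
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
```

On a real host the installed map would come from `dpkg-query -W -f '${source:Package} ${Version}\n'`, and the result lists the packages whose advisory has not yet been applied.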