The following updates have been released for Debian GNU/Linux:
DLA 1283-2: python-crypto security update
DLA 1342-1: ldap-account-manager security update
DLA 1283-2: python-crypto security update
Package : python-crypto
Version : 2.6-4+deb7u8
This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue
described in CVE-2018-6594 is fixed. It turns out that the fix is partial and
upstream has decided not to fix the issue as it would break compatibility and
that ElGamal encryption was not intended to work on its own.
The recommendation is still to upgrade python-crypto packages. In addition,
please take into account that the fix is not complete. If you have an
application using python-crypto that implements ElGamal encryption, you should
consider changing to some other encryption method.
There will be no further update to python-crypto for this specific CVE. A fix
would break compatibility, the problem has been ignored by the regular Debian
Security team due to its minor nature, and in addition we are close to
the end of life of the Wheezy security support.
CVE-2018-6594:
python-crypto generated weak ElGamal key parameters, which allowed attackers to
obtain sensitive information by reading ciphertext data (i.e., it did not have
semantic security in the face of a ciphertext-only attack).
We recommend that you upgrade your python-crypto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
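An added example, not part of the advisory and not python-crypto code: a check for existing ElGamal public keys that tests whether g and y lie in the prime-order subgroup of a safe-prime group. It assumes the weak parameters described for CVE-2018-6594 are the textbook case of a generator outside that subgroup; the function names and the toy key are constructed for illustration.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a False result is always correct."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness a proves n composite
    return True

def audit_elgamal_public_key(p, g, y):
    """Return findings for public key (p, g, y); an empty list means none."""
    q = (p - 1) // 2
    if not (is_probable_prime(p) and is_probable_prime(q)):
        return ["p is not a safe prime (p = 2q + 1, q prime); other checks skipped"]
    findings = []
    for name, v in (("g", g), ("y", y)):
        if not 1 < v < p - 1:
            findings.append(f"{name} is 1, p-1 or out of range")
        elif pow(v, q, p) != 1:
            # v^q == 1 holds exactly for elements of the order-q subgroup
            findings.append(f"{name} is outside the prime-order subgroup")
    return findings

# Constructed toy keys (not real key material): safe prime 2039 = 2*1019 + 1.
P, X = 2039, 77                  # X is the toy private exponent
G_SUB = 4                        # a square, so it has prime order q
G_FULL = P - 4                   # a non-square; generates the whole group

if __name__ == "__main__":
    for g in (G_SUB, G_FULL):
        print(g, audit_elgamal_public_key(P, g, pow(g, X, P)))
```

A key that passes this check is still subject to the advisory's recommendation to move applications off ElGamal encryption in python-crypto.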
DLA 1342-1: ldap-account-manager security update
Package : ldap-account-manager
Version : 3.7-2+deb7u1
CVE ID : CVE-2018-8763
Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
front-end for LDAP directories.
CVE-2018-8763
The reflected cross-site scripting (XSS) vulnerability that was found might
allow an attacker to execute JavaScript code in the browser of the
victim or to redirect her to a malicious website if the victim clicks
on a specially crafted link.
For Debian 7 "Wheezy", these problems have been fixed in version
3.7-2+deb7u1.
We recommend that you upgrade your ldap-account-manager packages.