Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1593-1: phpbb3 security update
DLA 1594-1: xml-security-c security update

Debian GNU/Linux 9:
DSA 4344-1: roundcube security update



DLA 1593-1: phpbb3 security update




Package : phpbb3
Version : 3.0.12-5+deb8u2
CVE ID : CVE-2018-19274

Simon Scannell and Robin Peraglie of RIPS Technologies discovered that
passing an absolute path to a file_exists check in phpBB, a full
featured web forum, allows remote code execution through Object
Injection by employing Phar deserialization when an attacker has access
to the Admin Control Panel with founder permissions.

The fix for this issue resulted in the removal of setting the
ImageMagick path. The GD image library can be used as a replacement
and a new event to generate thumbnails was added, so it is possible to
write an extension that uses a different image library to generate
thumbnails.

For Debian 8 "Jessie", this problem has been fixed in version
3.0.12-5+deb8u2.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1594-1: xml-security-c security update




Package : xml-security-c
Version : 1.7.2-3+deb8u2


A vulnerability in xml-security-c, a library for the XML Digital Security
specification, has been found. Different KeyInfo combinations, like
signatures without public key, result in incomplete DSA structures that
crash openssl during verification.

This vulnerability does not have a CVE identifier yet.


For Debian 8 "Jessie", this problem has been fixed in version
1.7.2-3+deb8u2.

We recommend that you upgrade your xml-security-c packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4344-1: roundcube security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4344-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 24, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2018-19206

Aidan Marlin discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling invalid style tag content.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.3+dfsg.1-4+deb9u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/