Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-95-1 rsync security update

Debian GNU/Linux 8 LTS:
DLA 1725-1: rsync security update

Debian GNU/Linux 9:
DSA 4415-1: passenger security update
DSA 4416-1: wireshark security update
DSA 4417-1: firefox-esr security update



ELA-95-1 rsync security update


Package rsync
Version 3.0.9-4+deb7u3
Related CVE CVE-2016-9840 CVE-2016-9841 CVE-2016-9843
Trail of Bits used the automated vulnerability discovery tools developed for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast, versatile, remote (and local) file-copying tool, uses an embedded copy of zlib, those issues are also present in rsync.

CVE-2016-9840 In order to avoid undefined behavior, remove offset pointer optimization, as this is not compliant with the C standard.

CVE-2016-9841 Only use post-increment to be compliant with the C standard.

CVE-2016-9843 In order to avoid undefined behavior, do not pre-decrement a pointer in big-endian CRC calculation, as this is not compliant with the C standard.

For Debian 7 Wheezy, these problems have been fixed in version 3.0.9-4+deb7u3.

We recommend that you upgrade your rsync packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1725-1: rsync security update




Package : rsync
Version : 3.1.1-3+deb8u2
CVE ID : CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
CVE-2018-5764


Trail of Bits used the automated vulnerability discovery tools developed
for the DARPA Cyber Grand Challenge to audit zlib. As rsync, a fast,
versatile, remote (and local) file-copying tool, uses an embedded copy of
zlib, those issues are also present in rsync.


CVE-2016-9840
In order to avoid undefined behavior, remove offset pointer
optimization, as this is not compliant with the C standard.

CVE-2016-9841
Only use post-increment to be compliant with the C standard.

CVE-2016-9842
In order to avoid undefined behavior, do not shift negative values,
as this is not compliant with the C standard.

CVE-2016-9843
In order to avoid undefined behavior, do not pre-decrement a pointer
in big-endian CRC calculation, as this is not compliant with the
C standard.

CVE-2018-5764
Prevent remote attackers from being able to bypass the
argument-sanitization protection mechanism by ignoring --protect-args
when already sent by client.


For Debian 8 "Jessie", these problems have been fixed in version
3.1.1-3+deb8u2.

We recommend that you upgrade your rsync packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4415-1: passenger security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4415-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : passenger
CVE ID : CVE-2017-16355
Debian Bug : 884463

An arbitrary file read vulnerability was discovered in passenger, a web
application server. A local user allowed to deploy an application to
passenger, can take advantage of this flaw by creating a symlink from
the REVISION file to an arbitrary file on the system and have its
content displayed through passenger-status.

For the stable distribution (stretch), this problem has been fixed in
version 5.0.30-1+deb9u1.

We recommend that you upgrade your passenger packages.

For the detailed security status of passenger please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/passenger

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4416-1: wireshark security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4416-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2019-5716 CVE-2019-5717 CVE-2019-5718 CVE-2019-5719
CVE-2019-9208 CVE-2019-9209 CVE-2019-9214
Debian Bug : 923611

It was discovered that Wireshark, a network traffic analyzer, contained
several vulnerabilities in the dissectors for 6LoWPAN, P_MUL, RTSE,
ISAKMP, TCAP, ASN.1 BER and RPCAP, which could result in denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 2.6.7-1~deb9u1.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4417-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4417-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2019-9810 CVE-2019-9813

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (stretch), these problems have been fixed in
version 60.6.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/