Debian 10216 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1718-1: sqlalchemy security update
DLA 1719-1: libjpeg-turbo security update
DLA 1720-1: liblivemedia security update

Debian GNU/Linux 9:
DSA 4409-1: neutron security update



DLA 1718-1: sqlalchemy security update




Package : sqlalchemy
Version : 0.9.8+dfsg-0.1+deb8u1
CVE ID : CVE-2019-7164 CVE-2019-7548
Debian Bug : 922669


Two vulnerabilities were discovered in SQLALchemy, a Python SQL
Toolkit and Object Relational Mapper.

CVE-2019-7164

SQLAlchemy allows SQL Injection via the order_by parameter.

CVE-2019-7548

SQLAlchemy has SQL Injection when the group_by parameter can be controlled.

The SQLAlchemy project warns that these security fixes break the
seldom-used text coercion feature.

For Debian 8 "Jessie", these problems have been fixed in version
0.9.8+dfsg-0.1+deb8u1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1719-1: libjpeg-turbo security update




Package : libjpeg-turbo
Version : 1:1.3.1-12+deb8u2
CVE ID : CVE-2018-14498
Debian Bug : #924678

It was discovered that there was a denial of service vulnerability in
the libjpeg-turbo CPU-optimised JPEG image library. A heap-based
buffer over-read could be triggered by a specially-crafted bitmap
(BMP) file.

For Debian 8 "Jessie", this issue has been fixed in libjpeg-turbo
version 1:1.3.1-12+deb8u2.

We recommend that you upgrade your libjpeg-turbo packages.




DLA 1720-1: liblivemedia security update




Package : liblivemedia
Version : 2014.01.13-1+deb8u3
CVE ID : CVE-2019-9215
Debian Bug : 924655

It was discovered that liblivemedia, the LIVE555 RTSP server library,
is vulnerable to an invalid memory access when processing the
Authorization header field. Remote attackers could leverage this
vulnerability to possibly trigger code execution or denial of service
(OOB access and application crash) via a crafted HTTP header.

For Debian 8 "Jessie", this problem has been fixed in version
2014.01.13-1+deb8u3.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4409-1: neutron security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4409-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : neutron
CVE ID : CVE-2019-9735

Erik Olof Gunnar Andersson discovered that incorrect validation of port
settings in the iptables security group driver of Neutron, the OpenStack
virtual network service, could result in denial of service in a multi
tenant setup.

For the stable distribution (stretch), this problem has been fixed in
version 2:9.1.1-3+deb9u1.

We recommend that you upgrade your neutron packages.

For the detailed security status of neutron please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/neutron

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/