Debian 10260 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1596-1: squid3 security update
DLA 1597-1: gnuplot security update
DLA 1588-1: icecast2 security update
DLA 1589-1: keepalived security update



DLA 1596-1: squid3 security update




Package : squid3
Version : 3.4.8-6+deb8u6
CVE ID : CVE-2018-19132
Debian Bug : 912294


It was discovered that there can be a denial of service (DoS)
vulnerability in squid3 due to a memory leak in SNMP query rejection
code when SNMP is enabled. In environments where per-process memory
restrictions are not enforced strictly, a remote attacker to consume
all memory available to the Squid process, causing it to crash.

For Debian 8 "Jessie", this problem has been fixed in version
3.4.8-6+deb8u6.

We recommend that you upgrade your squid3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1597-1: gnuplot security update




Package : gnuplot
Version : 4.6.6-2+deb8u1
CVE ID : CVE-2018-19490 CVE-2018-19491 CVE-2018-19492


gnuplot, a command-line driven interactive plotting program, has been
examined with fuzzing by Tim Blazytko, Cornelius Aschermann, Sergej
Schumilo and Nils Bars.
They found various overflow cases which might lead to the execution of
arbitrary code.

Due to special toolchain hardening in Debian, CVE-2018-19492 is not
security relevant, but it is a bug and the patch was applied for the sake
of completeness. Probably some downstream project does not have the same
toolchain settings.


For Debian 8 "Jessie", these problems have been fixed in version
4.6.6-2+deb8u1.

We recommend that you upgrade your gnuplot packages.



DLA 1588-1: icecast2 security update




Package : icecast2
Version : 2.4.0-1.1+deb8u2
CVE ID : CVE-2018-18820
Debian Bug : 912611


A buffer overflow was discovered in the URL-authentication backend of
the icecast2, the popular open source streaming media server. If the
backend is enabled, then any malicious HTTP client can send a request
for specific resource including a crafted header which can overwrite
the server's stack contents, leading to denial of service and
potentially remote code execution.

For Debian 8 "Jessie", this problem has been fixed in version
2.4.0-1.1+deb8u2.

We recommend that you upgrade your icecast2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1589-1: keepalived security update




Package : icecast2
Version : 1:1.2.13-1+deb8u1
CVE ID : CVE-2018-19115
Debian Bug : 914393


keepalived has a heap-based buffer overflow when parsing HTTP status
codes resulting in DoS or possibly unspecified other impact, because
extract_status_code in lib/html.c has no validation of the status code
and instead writes an unlimited amount of data to the heap.

For Debian 8 "Jessie", this problem has been fixed in version
1:1.2.13-1+deb8u1.

We recommend that you upgrade your keepalived packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS