
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1344-1: squirrelmail security update
DLA 1348-1: patch security update
DLA 1349-1: linux-tools security update

Debian GNU/Linux 9:
DSA 4173-1: r-cran-readxl security update


DLA 1344-1: squirrelmail security update

Package : squirrelmail
Version : 2:1.4.23~svn20120406-2+deb7u2
CVE ID : CVE-2018-8741
Debian Bug : 893202

Florian Grunow and Birk Kauer of ERNW discovered a path traversal
vulnerability in SquirrelMail, a webmail application, allowing an
authenticated remote attacker to retrieve or delete arbitrary files
via mail attachment.

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.4.23~svn20120406-2+deb7u2.

We recommend that you upgrade your squirrelmail packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1348-1: patch security update

Package : patch
Version : 2.6.1-3+deb7u1
CVE ID : CVE-2018-1000156
Debian Bug : #894993

It was discovered that there was an input validation vulnerability in the
patch(1) utility where an ed(1) script embedded in a regular input file
could result in arbitrary code execution. This was reported by Rachel
Kroll [0] et al.

For Debian 7 "Wheezy", this issue has been fixed in patch version
2.6.1-3+deb7u1.

We recommend that you upgrade your patch packages.

[0] https://rachelbythebay.com/w/2018/04/05/bangpatch/
DLA 1349-1: linux-tools security update

Package : linux-tools
Version : 3.2.101-1
Debian Bug : 693667 696957 708994

This update doesn't fix a vulnerability in linux-tools, but provides
support for building Linux kernel modules with the "retpoline"
mitigation for CVE-2017-5715 (Spectre variant 2).

This update also includes bug fixes from the upstream Linux 3.2 stable
branch up to and including 3.2.101.

For Debian 7 "Wheezy", these problems have been fixed in version
3.2.101-1.

We recommend that you upgrade your linux-tools packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4173-1: r-cran-readxl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4173-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 16, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : r-cran-readxl
CVE ID : CVE-2017-2896 CVE-2017-2897 CVE-2017-2919 CVE-2017-12110 CVE-2017-12111

Marcin Noga discovered multiple vulnerabilities in readxl, a GNU R
package to read Excel files (via the integrated libxls library), which
could result in the execution of arbitrary code if a malformed
spreadsheet is processed.

For the stable distribution (stretch), these problems have been fixed in
version 0.1.1-1+deb9u1.

We recommend that you upgrade your r-cran-readxl packages.

For the detailed security status of r-cran-readxl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/r-cran-readxl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
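An added check, not part of these advisories: a small pure-Python implementation of the Debian version ordering (epoch first, then upstream version, then Debian revision, with `~` sorting before everything else) that compares a host's installed packages against the fixed versions stated above. The FIXED table is taken from the four advisories; the INVENTORY is a constructed sample, not a real host.

```python
import re

# Fixed versions stated by the four advisories on this page, keyed (suite, package).
FIXED = {("wheezy", "squirrelmail"): "2:1.4.23~svn20120406-2+deb7u2",  # DLA 1344-1
         ("wheezy", "patch"): "2.6.1-3+deb7u1",                         # DLA 1348-1
         ("wheezy", "linux-tools"): "3.2.101-1",                        # DLA 1349-1
         ("stretch", "r-cran-readxl"): "0.1.1-1+deb9u1"}                # DSA 4173-1

def _order(c):
    # Debian policy 5.6.12: '~' sorts before everything (even end-of-string), then
    # end-of-string, then letters, then every other character.
    return -1 if c == "~" else 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # Alternate non-digit runs (ordered via _order) and digit runs (compared
    # numerically, so 3.2.101 > 3.2.96) until both strings are exhausted.
    while a or b:
        ma, mb = re.match(r"([^0-9]*)([0-9]*)", a), re.match(r"([^0-9]*)([0-9]*)", b)
        x, y = ma.group(1), mb.group(1)
        for i in range(max(len(x), len(y))):
            if x[i:i + 1] != y[i:i + 1]:
                return -1 if _order(x[i:i + 1]) < _order(y[i:i + 1]) else 1
        na, nb = int(ma.group(2) or 0), int(mb.group(2) or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def _parse(v):
    # "[epoch:]upstream[-revision]"; a missing epoch or revision counts as 0.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else revision), (revision if sep else "")

def compare(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _parse(v1)
    e2, u2, r2 = _parse(v2)
    # Epoch wins outright; only then the upstream version, then the Debian revision.
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(installed):
    """Return (package, installed, fixed) for each advisory package still below its fix."""
    return sorted((key[1], ver, FIXED[key]) for key, ver in installed.items()
                  if key in FIXED and compare(ver, FIXED[key]) < 0)

# Constructed sample inventory, not a real host; on a real one build it from
# `dpkg-query -W -f='${Package} ${Version}\n'` together with the host's suite name.
INVENTORY = {("wheezy", "squirrelmail"): "2:1.4.23~svn20120406-2+deb7u1", ("wheezy", "patch"): "2.6.1-3+deb7u1",
             ("wheezy", "linux-tools"): "3.2.96-1", ("stretch", "r-cran-readxl"): "0.1.1-1"}
```

`audit(INVENTORY)` reports linux-tools, r-cran-readxl and squirrelmail as still below their fixed versions; the epoch on the squirrelmail version is why a plain string or float comparison of versions is not a safe substitute.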