The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-178-1: sudo security update
Debian GNU/Linux 8 LTS:
DLA 1960-1: wordpress security update
DLA 1963-1: poppler security update
DLA 1964-1: sudo security update
ELA-178-1: sudo security update
Package: sudo
Version: 1.8.5p2-1+nmu3+deb7u5
Related CVE: CVE-2019-14287
In sudo, a program that provides limited super user privileges to specific users, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of (ALL,!root) configuration for a “sudo -u#-1” command.
See https://www.sudo.ws/alerts/minus_1_uid.html for further information.
For Debian 7 Wheezy, this problem has been fixed in version 1.8.5p2-1+nmu3+deb7u5.
We recommend that you upgrade your sudo packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1960-1: wordpress security update
Package : wordpress
Version : 4.1.27+dfsg-0+deb8u1
CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219
CVE-2019-16220 CVE-2019-16221 CVE-2019-16222
CVE-2019-16223
Debian Bug : 939543
Several cross-site scripting (XSS) vulnerabilities were discovered in
Wordpress, a popular content management framework. An attacker can use
these flaws to inject malicious scripts into pages served to an
unsuspecting user.
For Debian 8 "Jessie", these problems have been fixed in version
4.1.27+dfsg-0+deb8u1.
We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1963-1: poppler security update
Package : poppler
Version : 0.26.5-2+deb8u12
CVE ID : CVE-2019-9959 CVE-2019-10871
Two buffer handling issues were identified in poppler.
CVE-2019-9959
An unexpected negative length value can cause an integer
overflow, which in turn makes it possible to allocate a large
memory chunk on the heap with a size controlled by an attacker.
CVE-2019-10871
RGB data is treated as CMYK data, so 4 bytes per pixel are read
instead of 3 and the read runs past the end of the image. The fixed
version defines SPLASH_CMYK, which is the upstream-recommended solution.
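The two failure modes above, as an added C example that is not part of the advisory or of poppler's own source. The stream length field, the 2x2 RGB sample image and all function names are constructed for the illustration; the point is the two checks a decoder needs: a signed length must be rejected when negative or larger than the input, and a pixel walk must verify that its assumed component count fits the buffer before reading.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Failure mode 1 (CVE-2019-9959 pattern): the length of an embedded stream is
 * a signed 32-bit value read from the file.  Converting it straight to size_t
 * turns -1 into SIZE_MAX, -2 into SIZE_MAX-1 and so on, i.e. the allocation
 * size is chosen by whoever wrote the file. */
static size_t naive_alloc_size(int32_t length_from_file)
{
    return (size_t)length_from_file;
}

/* Hardened version: a stream cannot be negative or longer than the bytes that
 * remain in the input, so the request is bounded by the file size. */
static bool checked_alloc_size(int32_t length_from_file, size_t bytes_remaining,
                               size_t *out)
{
    if (length_from_file < 0)
        return false;
    if ((size_t)length_from_file > bytes_remaining)
        return false;
    *out = (size_t)length_from_file;
    return true;
}

/* Wrapper used by the demonstration: does a length pass the hardened check? */
static bool length_accepted(int32_t length_from_file, size_t bytes_remaining)
{
    size_t n;
    return checked_alloc_size(length_from_file, bytes_remaining, &n);
}

/* Failure mode 2 (CVE-2019-10871 pattern): bytes a reader touches when it walks
 * width*height pixels assuming ncomp bytes per pixel.  The multiplications are
 * overflow-checked so that a huge width or height cannot wrap to a small
 * answer and defeat the bounds check below. */
static bool bytes_needed(size_t width, size_t height, size_t ncomp, size_t *out)
{
    if (width == 0 || height == 0 || ncomp == 0)
        return false;
    if (width > SIZE_MAX / height)
        return false;
    size_t pixels = width * height;
    if (pixels > SIZE_MAX / ncomp)
        return false;
    *out = pixels * ncomp;
    return true;
}

/* Bounds-checked pixel pass: computes the mean of each component but refuses
 * to run when the declared layout needs more bytes than the buffer holds,
 * which is exactly what happens when RGB (3 bpp) data is read as CMYK (4 bpp).
 * avg must have room for ncomp entries. */
static bool component_means(const uint8_t *buf, size_t buflen, size_t width,
                            size_t height, size_t ncomp, double *avg)
{
    size_t need;
    if (!bytes_needed(width, height, ncomp, &need) || need > buflen)
        return false;
    for (size_t c = 0; c < ncomp; c++)
        avg[c] = 0.0;
    for (size_t off = 0; off < need; off += ncomp)
        for (size_t c = 0; c < ncomp; c++)
            avg[c] += buf[off + c];
    for (size_t c = 0; c < ncomp; c++)
        avg[c] /= (double)(width * height);
    return true;
}

/* Constructed 2x2 RGB image (12 bytes): red, green, blue, white. */
static const uint8_t sample_rgb[12] = {
    255, 0, 0,     0, 255, 0,
    0, 0, 255,     255, 255, 255,
};

/* Mean of component c when the sample is read with ncomp bytes per pixel;
 * -1.0 when the read is refused because it would run past the buffer. */
static double sample_mean(size_t ncomp, size_t c)
{
    double avg[4];
    if (ncomp > 4 || c >= ncomp)
        return -1.0;
    if (!component_means(sample_rgb, sizeof sample_rgb, 2, 2, ncomp, avg))
        return -1.0;
    return avg[c];
}

int main(void)
{
    printf("naive allocation for length -1: %zu bytes\n", naive_alloc_size(-1));
    printf("checked allocation for length -1: %s\n",
           length_accepted(-1, 4096) ? "accepted" : "rejected");
    printf("2x2 sample read as RGB  (3 bpp): mean R = %.1f\n", sample_mean(3, 0));
    printf("2x2 sample read as CMYK (4 bpp): %s\n",
           sample_mean(4, 0) < 0 ? "rejected, would over-read" : "ok");
    return 0;
}
```

Run as `cc -std=c99 -o poppler_checks poppler_checks.c && ./poppler_checks`. The length check rejects the negative value before any allocation happens, and the stride check rejects the CMYK interpretation of a 12-byte RGB buffer because 2*2*4 = 16 bytes would be read.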
For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u12.
We recommend that you upgrade your poppler packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1964-1: sudo security update
Package : sudo
Version : 1.8.10p3-1+deb8u6
CVE ID : CVE-2019-14287
Debian Bug : 942322
In sudo, a program that provides limited super user privileges to
specific users, an attacker with access to a Runas ALL sudoer account
can bypass certain policy blacklists and session PAM modules, and can
cause incorrect logging, by invoking sudo with a crafted user ID. For
example, this allows bypass of (ALL,!root) configuration for a
"sudo -u#-1" command.
See https://www.sudo.ws/alerts/minus_1_uid.html for further
information.
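The mechanism behind CVE-2019-14287 (the issue in both ELA-178-1 and DLA 1964-1), as an added C example that is not part of the advisory or of sudo's own source. The parser, the (ALL, !root) policy check and the uid switch below are simplified stand-ins with assumed names; they show why "-u#-1" slips through a Runas spec that excludes root and why the kernel then leaves the process running as root, next to a parser that refuses -1 and 4294967295 the way the fixed sudo release does.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Lenient parser for the numeric part of "-u#N" (constructed, not sudo's code):
 * any value that fits in a long is accepted and truncated to uid_t, so "-1"
 * silently becomes (uid_t)-1, i.e. 4294967295 with a 32-bit uid_t. */
static bool parse_uid_lenient(const char *s, uid_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = (uid_t)v;
    return true;
}

/* Hardened parser in the spirit of the upstream fix: digits only (no sign, no
 * whitespace), and reject (uid_t)-1 and anything larger, because the kernel
 * interprets -1 as "leave this ID unchanged" in setreuid(2)/setresuid(2). */
static bool parse_uid_strict(const char *s, uid_t *out)
{
    char *end;
    if (!isdigit((unsigned char)*s))
        return false;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return false;
    if (v >= (unsigned long)(uid_t)-1)
        return false;
    *out = (uid_t)v;
    return true;
}

/* The Runas spec (ALL, !root): every target uid is permitted except 0.  The
 * comparison is on the parsed number, so 4294967295 passes even though the
 * switch to it will change nothing. */
static bool runas_allowed(uid_t target)
{
    return target != 0;
}

/* Model of the privilege switch: sudo runs as root (it is setuid-root), and a
 * requested id of (uid_t)-1 leaves the current id in place. */
static uid_t uid_after_switch(uid_t current, uid_t requested)
{
    return requested == (uid_t)-1 ? current : requested;
}

/* Simulate "sudo -u#ARG command" under (ALL, !root) with the given parser.
 * Returns the uid the command would run as, or -1 if the request is refused. */
static long simulate_sudo(const char *arg, bool (*parse)(const char *, uid_t *))
{
    uid_t target;
    if (!parse(arg, &target))
        return -1;                            /* parser refused the argument */
    if (!runas_allowed(target))
        return -1;                            /* policy refused root */
    return (long)uid_after_switch(0, target); /* 0: sudo is root before switching */
}

/* Confirms the kernel behaviour the bypass relies on: asking setreuid(2) to set
 * both ids to -1 succeeds and changes nothing.  Safe to run as any user. */
static bool minus_one_is_a_noop(void)
{
    uid_t before = getuid();
    return setreuid((uid_t)-1, (uid_t)-1) == 0 && getuid() == before;
}

int main(void)
{
    printf("lenient: sudo -u#-1   -> runs as uid %ld (root: policy bypassed)\n",
           simulate_sudo("-1", parse_uid_lenient));
    printf("lenient: sudo -u#0    -> %ld (refused by !root)\n",
           simulate_sudo("0", parse_uid_lenient));
    printf("strict:  sudo -u#-1   -> %ld (refused by parser)\n",
           simulate_sudo("-1", parse_uid_strict));
    printf("strict:  sudo -u#1000 -> runs as uid %ld\n",
           simulate_sudo("1000", parse_uid_strict));
    printf("setreuid(-1, -1) is a no-op: %s\n",
           minus_one_is_a_noop() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -o minus1 minus1.c && ./minus1`. The lenient path is the vulnerable shape: the denylist sees 4294967295, not 0, and the switch is a no-op, so the command runs as root. The strict parser closes the hole at the input, which is also where the fixed sudo packages listed above close it; the remaining practical check on a Debian host is simply that `sudo -V` reports the fixed version.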
For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u6.
We recommend that you upgrade your sudo packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS