Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-178-1: sudo security update

Debian GNU/Linux 8 LTS:
DLA 1960-1: wordpress security update
DLA 1963-1: poppler security update
DLA 1964-1: sudo security update



ELA-178-1: sudo security update

Package: sudo
Version: 1.8.5p2-1+nmu3+deb7u5
Related CVE: CVE-2019-14287

In sudo, a program that provides limited super user privileges to specific users, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of (ALL,!root) configuration for a “sudo -u#-1” command.

See https://www.sudo.ws/alerts/minus_1_uid.html for further information.

For Debian 7 Wheezy, these problems have been fixed in version 1.8.5p2-1+nmu3+deb7u5.

We recommend that you upgrade your sudo packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1960-1: wordpress security update

Package : wordpress
Version : 4.1.27+dfsg-0+deb8u1
CVE ID : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219
CVE-2019-16220 CVE-2019-16221 CVE-2019-16222
CVE-2019-16223
Debian Bug : 939543

Several cross-site scripting (XSS) vulnerabilities were discovered in
Wordpress, a popular content management framework. An attacker can use
these flaws to send malicious scripts to an unsuspecting user.

For Debian 8 "Jessie", these problems have been fixed in version
4.1.27+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1963-1: poppler security update

Package : poppler
Version : 0.26.5-2+deb8u12
CVE ID : CVE-2019-9959 CVE-2019-10871

Two buffer allocation issues were identified in poppler.

CVE-2019-9959

An unexpected negative length value can cause an integer
overflow, which in turn making it possible to allocate a large
memory chunk on the heap with size controlled by an attacker.

CVE-2019-10871

The RGB data are considered CMYK data and hence it reads 4 bytes
instead of 3 bytes at the end of the image. The fixed version
defines SPLASH_CMYK which is the upstream recommended solution.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u12.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1964-1: sudo security update

Package : sudo
Version : 1.8.10p3-1+deb8u6
CVE ID : CVE-2019-14287
Debian Bug : 942322

In sudo, a program that provides limited super user privileges to
specific users, an attacker with access to a Runas ALL sudoer account
can bypass certain policy blacklists and session PAM modules, and can
cause incorrect logging, by invoking sudo with a crafted user ID. For
example, this allows bypass of (ALL,!root) configuration for a
"sudo -u#-1" command.

See https://www.sudo.ws/alerts/minus_1_uid.html for further
information.

For Debian 8 "Jessie", this problem has been fixed in version
1.8.10p3-1+deb8u6.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS