Debian 10260 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1762-1: systemd security update
DLA 1763-1: putty security update



DLA 1762-1: systemd security update

Package : systemd
Version : 215-17+deb8u12
CVE ID : CVE-2017-18078 CVE-2019-3842


Two vulnerabilities have been addressed in the systemd components
systemd-tmpfiles and pam_systemd.so.

CVE-2017-18078

systemd-tmpfiles in systemd attempted to support ownership/permission
changes on hardlinked files even if the fs.protected_hardlinks sysctl
is turned off, which allowed local users to bypass intended access
restrictions via vectors involving a hard link to a file for which
the user lacked write access.

CVE-2019-3842

It was discovered that pam_systemd did not properly sanitize the
environment before using the XDG_SEAT variable. It was possible for
an attacker, in some particular configurations, to set a XDG_SEAT
environment variable which allowed for commands to be checked against
polkit policies using the "allow_active" element rather than
"allow_any".

For Debian 8 "Jessie", these problems have been fixed in version
215-17+deb8u12.

We recommend that you upgrade your systemd packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1763-1: putty security update




Package : putty
Version : 0.63-10+deb8u2
CVE ID : CVE-2019-9894 CVE-2019-9897 CVE-2019-9898


Multiple vulnerabilities were found in the PuTTY SSH client, which could
result in denial of service and potentially the execution of arbitrary
code. In addition, in some situations random numbers could potentially be
re-used.


For Debian 8 "Jessie", these problems have been fixed in version
0.63-10+deb8u2.

We recommend that you upgrade your putty packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS