Arch Linux

The following updates have been released for Arch Linux:

ASA-201902-23: thunderbird: multiple issues
ASA-201902-24: systemd: denial of service
ASA-201902-25: bind: multiple issues
ASA-201902-26: kibana: multiple issues
ASA-201902-27: elasticsearch: privilege escalation
ASA-201902-28: logstash: information disclosure
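Each advisory below resolves to the same administrator action: compare the installed package version with the first fixed version and upgrade if it is older. The script that follows is an added example, not Arch Linux tooling; it collects the six package/version pairs from this page and audits constructed `pacman -Q` output against them. It uses a deliberately simplified version comparison (numeric dot-separated pkgver, integer pkgrel, optional epoch), which is an assumption; on a real host use pacman's own `vercmp(8)`, which also handles alphabetic segments.

```python
"""Audit installed Arch packages against the fixed versions in the advisories above.

Added example, not part of the Arch Linux advisories or of pacman.
Assumes versions of the form [epoch:]pkgver-pkgrel with purely numeric
pkgver segments; real deployments should shell out to vercmp(8) instead.
"""
import re

# Package -> first fixed version, taken from ASA-201902-23 .. ASA-201902-28.
FIXED_VERSIONS = {
    "thunderbird": "60.5.1-1",
    "systemd": "241.7-1",
    "bind": "9.13.7-1",
    "kibana": "6.6.1-1",
    "elasticsearch": "6.6.1-1",
    "logstash": "6.6.1-1",
}

_VERSION_RE = re.compile(r"^(?:(\d+):)?([0-9]+(?:\.[0-9]+)*)-(\d+)$")


def parse_version(version):
    """Split '[epoch:]pkgver-pkgrel' into a tuple that compares the way
    an administrator expects: 60.10 sorts after 60.5, and 60.5 before 60.5.1.
    Simplified assumption: pkgver segments are numeric only."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Arch version string: {version!r}")
    epoch, pkgver, pkgrel = m.groups()
    segments = tuple(int(s) for s in pkgver.split("."))
    return (int(epoch or 0), segments, int(pkgrel))


def is_vulnerable(package, installed):
    """True if the installed version is older than the advisory's fixed version.
    Packages not covered by an advisory on this page are reported as not vulnerable."""
    fixed = FIXED_VERSIONS.get(package)
    if fixed is None:
        return False
    return parse_version(installed) < parse_version(fixed)


def audit_pacman_q(output):
    """Parse `pacman -Q` output ('name version' per line) and return
    {package: (installed, fixed)} for every package still below its fixed version."""
    findings = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition(" ")
        if name in FIXED_VERSIONS and is_vulnerable(name, version):
            findings[name] = (version, FIXED_VERSIONS[name])
    return findings


# Constructed sample of `pacman -Q` output; not captured from a real host.
SAMPLE_PACMAN_Q = """\
bind 9.13.5-2
elasticsearch 6.6.1-1
kibana 6.5.4-1
systemd 241.7-1
thunderbird 60.5.0-1
vim 8.1.0950-1
"""

if __name__ == "__main__":
    for pkg, (have, need) in sorted(audit_pacman_q(SAMPLE_PACMAN_Q).items()):
        print(f'{pkg}: installed {have}, run: pacman -Syu "{pkg}>={need}"')
```

Run on a real host with `pacman -Q | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the output line for each finding is the exact command the corresponding advisory's Resolution section gives.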



ASA-201902-23: thunderbird: multiple issues

Arch Linux Security Advisory ASA-201902-23
==========================================

Severity: Critical
Date : 2019-02-20
CVE-ID : CVE-2018-18335 CVE-2018-18356 CVE-2018-18509 CVE-2019-5785
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-908

Summary
=======

The package thunderbird before version 60.5.1-1 is vulnerable to
multiple issues including arbitrary code execution and insufficient
validation.

Resolution
==========

Upgrade to 60.5.1-1.

# pacman -Syu "thunderbird>=60.5.1-1"

The problems have been fixed upstream in version 60.5.1.

Workaround
==========

None.

Description
===========

- CVE-2018-18335 (arbitrary code execution)

A heap-based buffer overflow has been found in the Skia component of
chromium before 71.0.3578.80 and thunderbird before 60.5.1.

- CVE-2018-18356 (arbitrary code execution)

A use-after-free has been found in the Skia component of chromium
before 71.0.3578.80 and firefox before 65.0.1 and thunderbird before
60.5.1.

- CVE-2018-18509 (insufficient validation)

A flaw during verification of certain S/MIME signatures causes emails
to be shown in Thunderbird before 60.5.1 as having a valid digital
signature, even if the shown message contents aren't covered by the
signature. The flaw allows an attacker to reuse a valid S/MIME
signature to craft an email message with arbitrary content.

- CVE-2019-5785 (arbitrary code execution)

An integer overflow issue has been found in the Skia component of
firefox before 65.0.1 and thunderbird before 60.5.1.

Impact
======

A remote attacker can reuse a valid S/MIME signature to craft an e-mail
message with arbitrary content, and execute arbitrary code through
Skia.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/
https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
https://bugs.chromium.org/p/chromium/issues/detail?id=895362
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18335
https://bugzilla.mozilla.org/show_bug.cgi?id=1525815
https://bugs.chromium.org/p/chromium/issues/detail?id=883666
https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2018-18356
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18356
https://bugzilla.mozilla.org/show_bug.cgi?id=1525817
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2018-18509
https://bugzilla.mozilla.org/show_bug.cgi?id=1507218
https://www.mozilla.org/en-US/security/advisories/mfsa2019-04/#CVE-2019-5785
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/#CVE-2019-5785
https://bugzilla.mozilla.org/show_bug.cgi?id=1525433
https://googleprojectzero.blogspot.com/2019/02/the-curious-case-of-convexity-confusion.html
https://security.archlinux.org/CVE-2018-18335
https://security.archlinux.org/CVE-2018-18356
https://security.archlinux.org/CVE-2018-18509
https://security.archlinux.org/CVE-2019-5785


ASA-201902-24: systemd: denial of service

Arch Linux Security Advisory ASA-201902-24
==========================================

Severity: High
Date : 2019-02-21
CVE-ID : CVE-2019-6454
Package : systemd
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-906

Summary
=======

The package systemd before version 241.7-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 241.7-1.

# pacman -Syu "systemd>=241.7-1"

The problem has been fixed upstream in version 241.7.

Workaround
==========

None.

Description
===========

It was found that bus_process_object() in bus-objects.c allocates a
buffer on the stack large enough to temporarily store the object path
specified in the incoming message. A malicious unprivileged local user
can send a message which results in the stack pointer moving outside of
the bounds of the currently mapped stack region, jumping over the stack
guard pages. A specifically crafted DBUS message could crash PID 1 and
result in a subsequent kernel panic.

Impact
======

A local attacker can cause a denial of service via a crafted DBUS
message.

References
==========

https://bugs.archlinux.org/task/61804
https://bugzilla.redhat.com/show_bug.cgi?id=1667032
https://www.openwall.com/lists/oss-security/2019/02/18/3
https://github.com/systemd/systemd/commit/612b74d32f970c43c14ad087ad086424792981b1
https://github.com/systemd/systemd/commit/61397a60d98e368a5720b37e83f3169e3eb511c4
https://github.com/systemd/systemd/commit/f519a19bcd5afe674a9b8fc462cd77d8bad403c1
https://security.archlinux.org/CVE-2019-6454


ASA-201902-25: bind: multiple issues

Arch Linux Security Advisory ASA-201902-25
==========================================

Severity: High
Date : 2019-02-25
CVE-ID : CVE-2018-5744 CVE-2018-5745 CVE-2019-6465
Package : bind
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-915

Summary
=======

The package bind before version 9.13.7-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.

Resolution
==========

Upgrade to 9.13.7-1.

# pacman -Syu "bind>=9.13.7-1"

The problems have been fixed upstream in version 9.13.7.

Workaround
==========

None.

Description
===========

- CVE-2018-5744 (denial of service)

A failure to free memory when processing messages having a specific
combination of EDNS options has been found in bind before 9.13.7. By
exploiting this condition, an attacker can potentially cause named's
memory use to grow without bounds until all memory available to the
process is exhausted. Typically a server process is limited as to the
amount of memory it can use, but if the named process is not limited by
the operating system, all free memory on the server could be exhausted.

- CVE-2018-5745 (denial of service)

"managed-keys" is a feature which allows a BIND resolver to
automatically maintain the keys used by trust anchors which operators
configure for use in DNSSEC validation. Before 9.13.7, due to an error
in the managed-keys feature, it is possible for a BIND server which
uses managed-keys to exit due to an assertion failure if, during key
rollover, a trust anchor's keys are replaced with keys which use an
unsupported algorithm.

- CVE-2019-6465 (access restriction bypass)

Controls for zone transfers may not be properly applied to Dynamically
Loadable Zones (DLZs) if the zones are writable in bind before 9.13.7.
A client exercising this defect can request and receive a zone transfer
of a DLZ even when not permitted to do so by the allow-transfer ACL.

Impact
======

A remote user can bypass the allow-transfer ACL to access sensitive
information in a DLZ, or crash the server.

References
==========

https://kb.isc.org/docs/cve-2018-5744
https://kb.isc.org/docs/cve-2018-5745
https://kb.isc.org/docs/cve-2019-6465
https://security.archlinux.org/CVE-2018-5744
https://security.archlinux.org/CVE-2018-5745
https://security.archlinux.org/CVE-2019-6465


ASA-201902-26: kibana: multiple issues

Arch Linux Security Advisory ASA-201902-26
==========================================

Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7608 CVE-2019-7609 CVE-2019-7610
Package : kibana
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-911

Summary
=======

The package kibana before version 6.6.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 6.6.1-1.

# pacman -Syu "kibana>=6.6.1-1"

The problems have been fixed upstream in version 6.6.1.

Workaround
==========

None.

Description
===========

- CVE-2019-7608 (information disclosure)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting
(XSS) vulnerability that could allow an attacker to obtain sensitive
information from, or perform destructive actions on behalf of, other
Kibana users.

- CVE-2019-7609 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the Timelion visualizer. An attacker with access to
the Timelion application could send a request that will attempt to
execute JavaScript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on
the host system.

- CVE-2019-7610 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the security audit logger. If a Kibana instance has
the setting xpack.security.audit.enabled set to true, an attacker could
send a request that will attempt to execute JavaScript code. This could
possibly lead to an attacker executing arbitrary commands with
permissions of the Kibana process on the host system.

Impact
======

An authenticated malicious user can disclose sensitive information or
execute arbitrary code.

References
==========

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610


ASA-201902-27: elasticsearch: privilege escalation

Arch Linux Security Advisory ASA-201902-27
==========================================

Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7611
Package : elasticsearch
Type : privilege escalation
Remote : Yes
Link : https://security.archlinux.org/AVG-912

Summary
=======

The package elasticsearch before version 6.6.1-1 is vulnerable to
privilege escalation.

Resolution
==========

Upgrade to 6.6.1-1.

# pacman -Syu "elasticsearch>=6.6.1-1"

The problem has been fixed upstream in version 6.6.1.

Workaround
==========

None.

Description
===========

A permission issue was found in Elasticsearch when Field Level Security
and Document Level Security are disabled and the _aliases, _shrink, or
_split endpoints are used. If the elasticsearch.yml file has
xpack.security.dls_fls.enabled set to false, certain permission checks
are skipped when users perform one of the actions mentioned above to
make existing data available under a new index/alias name. This could
result in an attacker gaining additional permissions against a
restricted index.

Impact
======

An authenticated remote user can gain additional privileges on an index.

References
==========

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7611


ASA-201902-28: logstash: information disclosure

Arch Linux Security Advisory ASA-201902-28
==========================================

Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7612
Package : logstash
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-913

Summary
=======

The package logstash before version 6.6.1-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 6.6.1-1.

# pacman -Syu "logstash>=6.6.1-1"

The problem has been fixed upstream in version 6.6.1.

Workaround
==========

None.

Description
===========

A sensitive data disclosure flaw was found in the way Logstash logs
malformed URLs. If a malformed URL is specified as part of the Logstash
configuration, the credentials for the URL could be inadvertently
logged as part of the error message.
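The failure mode described here is a general one: a URL that cannot be parsed is handed, verbatim, to the error path, so the userinfo it carries ends up in a log that local users can read. The following is an added example, not Logstash's own code, showing the defensive pattern: mask credentials with a regex that does not depend on the URL parsing successfully, and apply it to the error message before it is raised or logged. The function names and the "***" mask are assumptions; the sample URLs are constructed.

```python
"""Keep URL credentials out of error logs, even for malformed URLs.

Added example, not Logstash code. Assumes the caller logs str(exc) of the
ValueError raised by validate_url(); the names below are this example's own.
"""
import re
from urllib.parse import urlsplit

# "scheme://userinfo@" anywhere in free text. The userinfo class is greedy and
# allows '@', so a password containing '@' is masked up to the last '@' before
# the authority ends, matching how URL parsers delimit userinfo.
_USERINFO_RE = re.compile(r"([a-zA-Z][a-zA-Z0-9+.-]*://)([^/?#\s]*)@")


def redact_credentials(text):
    """Replace every 'scheme://user:pass@' in text with 'scheme://***@'.

    Works on whole log messages, not just URLs, so it can be applied to an
    error string built from a URL that never parsed."""
    return _USERINFO_RE.sub(lambda m: m.group(1) + "***@", text)


def validate_url(url):
    """Parse a configured URL and return its parts.

    Raises ValueError on malformed input (for example a non-numeric port).
    The exception message is redacted *before* it is raised, so whatever
    later logs it cannot leak the credentials. The unsafe variant this
    replaces would have been: raise ValueError(f"bad URL {url}: {exc}")."""
    try:
        parts = urlsplit(url)
        _ = parts.port  # raises ValueError when the port is not an integer
        if not parts.scheme or not parts.hostname:
            raise ValueError("missing scheme or host")
    except ValueError as exc:
        raise ValueError(redact_credentials(f"invalid URL {url}: {exc}")) from None
    return parts


if __name__ == "__main__":
    # Constructed examples; the credentials are placeholders.
    for candidate in ("https://admin:s3cret@es.example:9200/",
                      "http://admin:p@ss@es.example:notaport/"):
        try:
            parts = validate_url(candidate)
            print("ok:", redact_credentials(candidate), "port", parts.port)
        except ValueError as exc:
            print("error:", exc)  # safe to log: already redacted
```

The design point is the order of operations: redaction happens inside the function that knows the raw URL, so no downstream logger has to remember to do it. Grepping the error log for `://***@` is then a cheap check that the masking is actually in effect.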

Impact
======

A local attacker is able to obtain URL credentials by reading the error
log.

References
==========

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7612