Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 and 9:
DSA 4132-1: libvpx security update

Debian GNU/Linux 9:
DSA 4131-1: xen security update



DSA 4131-1: xen security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4131-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2018-7540 CVE-2018-7541 CVE-2018-7542

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-7540

Jann Horn discovered that missing checks in page table freeing may
result in denial of service.

CVE-2018-7541

Jan Beulich discovered that incorrect error handling in grant table
checks may result in guest-to-host denial of service and potentially
privilege escalation.

CVE-2018-7542

Ian Jackson discovered that insufficient handling of x86 PVH guests
without local APICs may result in guest-to-host denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4132-1: libvpx security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4132-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 04, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2017-13194

It was discovered that incorrect validation of frame widths in the libvpx
multimedia library may result in denial of service and potentially the
execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.0-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.6.1-3+deb9u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/