CVE-2016-6811: Apache Hadoop Privilege escalation vulnerability
Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: All Apache Hadoop versions from 2.2.0 to 2.7.3

Description: A user who can escalate to the yarn user can possibly run arbitrary commands as the root user.

Mitigation: Users should upgrade to 2.7.4 or later. If you are running an affected version of Apache Hadoop and there are users who can escalate to the yarn user but cannot escalate to root, remove their permission to escalate to the yarn user.

Credit: This issue was discovered by Freddie Rice.
[slackware-security] libwmf (SSA:2018-120-01)
New libwmf packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/libwmf-0.2.8.4-i586-7_slack14.1.txz: Rebuilt.
  Patched denial of service and possible execution of arbitrary code security issues.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6362
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libwmf-0.2.8.4-i486-5_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libwmf-0.2.8.4-x86_64-5_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libwmf-0.2.8.4-i486-6_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libwmf-0.2.8.4-x86_64-6_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libwmf-0.2.8.4-i486-6_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libwmf-0.2.8.4-x86_64-6_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libwmf-0.2.8.4-i486-6_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libwmf-0.2.8.4-x86_64-6_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libwmf-0.2.8.4-i486-6_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libwmf-0.2.8.4-x86_64-6_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libwmf-0.2.8.4-i586-7_slack14.1.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libwmf-0.2.8.4-x86_64-7_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libwmf-0.2.8.4-i586-8.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libwmf-0.2.8.4-x86_64-8.txz

MD5 signatures:
+-------------+
[slackware-security] mozilla-firefox (SSA:2018-120-02)
New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-52.7.4esr-i586-1_slack14.2.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-firefox-52.7.4esr-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-firefox-52.7.4esr-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-59.0.3-i686-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-59.0.3-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.2 package:
f771cbfaa2e5c5f9aafe7a1178793a8c  mozilla-firefox-52.7.4esr-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
84ca962341ea54ea19571ceff7583ba5  mozilla-firefox-52.7.4esr-x86_64-1_slack14.2.txz

Slackware -current package:
e63ef401d44ed9ade8db2c918bfe27bd  xap/mozilla-firefox-59.0.3-i686-1.txz

Slackware x86_64 -current package:
56195edec5cdc6071bd9b214e990d2fa  xap/mozilla-firefox-59.0.3-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg mozilla-firefox-52.7.4esr-i586-1_slack14.2.txz

+-----------------------------+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
Advisory - Sourcetree for Windows - CVE-2018-5226
This email refers to the advisory found at https://confluence.atlassian.com/x/ERyUO .

CVE ID:
* CVE-2018-5226.

Product: Sourcetree for Windows.

Affected Sourcetree for Windows product versions:
version < 2.5.5.0

Fixed Sourcetree for Windows product versions:
* Sourcetree for Windows 2.5.5.0 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Sourcetree for Windows before version 2.5.5.0 are affected by this vulnerability.

Customers who have upgraded Sourcetree for Windows to version 2.5.5.0 are not affected.

Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed a version of Sourcetree for Windows earlier than 2.5.5.0 should upgrade their Sourcetree for Windows installations immediately to fix this vulnerability.

Sourcetree for Windows - Argument injection via Mercurial tag names - CVE-2018-5226

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
There was an argument injection vulnerability in Sourcetree for Windows via the name of a Mercurial repository tag that is about to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREEWIN-8509 .
Fix:
To address this issue, we've released the following versions containing a fix:
* Sourcetree for Windows version 2.5.5.0

Remediation:
Upgrade Sourcetree for Windows to version 2.5.5.0 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

For a full description of the latest version of Sourcetree for Windows, see the release notes found at https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.5.5.html. You can download the latest version of Sourcetree for Windows from the download centre found at https://www.sourcetreeapp.com/.

Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.
[SECURITY] [DSA 4186-1] gunicorn security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4186-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gunicorn
CVE ID         : CVE-2018-1000164

It was discovered that gunicorn, an event-based HTTP/WSGI server, was susceptible to HTTP response splitting.

For the oldstable distribution (jessie), this problem has been fixed in version 19.0-1+deb8u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gunicorn

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4184-1] sdl-image1.2 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4184-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sdl-image1.2
CVE ID         : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441
                 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3837
                 CVE-2018-3838 CVE-2018-3839
Debian Bug     : 878267

Multiple vulnerabilities have been discovered in the image loading library for Simple DirectMedia Layer 1.2, which could result in denial of service or the execution of arbitrary code if malformed image files are opened.

For the oldstable distribution (jessie), these problems have been fixed in version 1.2.12-5+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1.2.12-5+deb9u1.

We recommend that you upgrade your sdl-image1.2 packages.

For the detailed security status of sdl-image1.2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/sdl-image1.2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4183-1] tor security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4183-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2018-0490

It has been discovered that Tor, a connection-based low-latency anonymous communication system, contains a protocol-list handling bug that could be used to remotely crash directory authorities with a null-pointer exception (TROVE-2018-001).

For the stable distribution (stretch), this problem has been fixed in version 0.2.9.15-1.

We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4185-1] openjdk-8 security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4185-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2018-2790 CVE-2018-2794 CVE-2018-2795 CVE-2018-2796
                 CVE-2018-2797 CVE-2018-2798 CVE-2018-2799 CVE-2018-2800
                 CVE-2018-2814 CVE-2018-2815

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.

For the stable distribution (stretch), these problems have been fixed in version 8u171-b11-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4181-1] roundcube security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4181-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2018-9846
Debian Bug     : 895184

Andrea Basile discovered that the 'archive' plugin in roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize a user-controlled parameter, allowing a remote attacker to inject arbitrary IMAP commands and perform malicious actions.

For the stable distribution (stretch), this problem has been fixed in version 1.2.3+dfsg.1-4+deb9u2.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4182-1] chromium-browser security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4182-1                   secur...@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 28, 2018                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2018-6056 CVE-2018-6057 CVE-2018-6060 CVE-2018-6061
                 CVE-2018-6062 CVE-2018-6063 CVE-2018-6064 CVE-2018-6065
                 CVE-2018-6066 CVE-2018-6067 CVE-2018-6068 CVE-2018-6069
                 CVE-2018-6070 CVE-2018-6071 CVE-2018-6072 CVE-2018-6073
                 CVE-2018-6074 CVE-2018-6075 CVE-2018-6076 CVE-2018-6077
                 CVE-2018-6078 CVE-2018-6079 CVE-2018-6080 CVE-2018-6081
                 CVE-2018-6082 CVE-2018-6083 CVE-2018-6085 CVE-2018-6086
                 CVE-2018-6087 CVE-2018-6088 CVE-2018-6089 CVE-2018-6090
                 CVE-2018-6091 CVE-2018-6092 CVE-2018-6093 CVE-2018-6094
                 CVE-2018-6095 CVE-2018-6096 CVE-2018-6097 CVE-2018-6098
                 CVE-2018-6099 CVE-2018-6100 CVE-2018-6101 CVE-2018-6102
                 CVE-2018-6103 CVE-2018-6104 CVE-2018-6105 CVE-2018-6106
                 CVE-2018-6107 CVE-2018-6108 CVE-2018-6109 CVE-2018-6110
                 CVE-2018-6111 CVE-2018-6112 CVE-2018-6113 CVE-2018-6114
                 CVE-2018-6116 CVE-2018-6117

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-6056
    lokihardt discovered an error in the v8 javascript library.

CVE-2018-6057
    Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6060
    Omair discovered a use-after-free issue in blink/webkit.

CVE-2018-6061
    Guang Gong discovered a race condition in the v8 javascript library.

CVE-2018-6062
    A heap overflow issue was discovered in the v8 javascript library.

CVE-2018-6063
    Gal Beniamini discovered errors related to shared memory permissions.

CVE-2018-6064
    lokihardt discovered a type confusion error in the v8 javascript library.

CVE-2018-6065
    Mark Brand discovered an integer overflow issue in the v8 javascript library.

CVE-2018-6066
    Masato Kinugawa discovered a way to bypass the Same Origin Policy.

CVE-2018-6067
    Ned Williamson discovered a buffer overflow issue in the skia library.
CVE-2018-6068
    Luan Herrera discovered object lifecycle issues.

CVE-2018-6069
    Wanglu and Yangkang discovered a stack overflow issue in the skia library.

CVE-2018-6070
    Rob Wu discovered a way to bypass the Content Security Policy.

CVE-2018-6071
    A heap overflow issue was discovered in the skia library.

CVE-2018-6072
    Atte Kettunen discovered an integer overflow issue in the pdfium library.

CVE-2018-6073
    Omair discovered a heap overflow issue in the WebGL implementation.

CVE-2018-6074
    Abdulrahman Alqabandi discovered a way to cause a downloaded web page to not contain a Mark of the Web.

CVE-2018-6075
    Inti De Ceukelaire discovered a way to bypass the Same Origin Policy.

CVE-2018-6076
    Mateusz Krzeszowiec discovered that URL fragment identifiers could be handled incorrectly.

CVE-2018-6077
    Khalil Zhani discovered a timing issue.

CVE-2018-6078
    Khalil Zhani discovered a URL spoofing issue.

CVE-2018-6079
    Ivars discovered an information disclosure issue.

CVE-2018-6080
    Gal Beniamini discovered an information disclosure issue.

CVE-2018-6081
    Rob Wu discovered a cross-site scripting issue.

CVE-2018-6082
    WenXu Wu discovered a way to bypass blocked ports.

CVE-2018-6083
    Jun Kokatsu discovered that AppManifests could be handled incorrectly.

CVE-2018-6085
    Ned Williamson discovered a use-after-free issue.

CVE-2018-6086
    Ned Williamson discovered a use-after-free issue.

CVE-2018-6087
    A use-after-free issue was discovered in the WebAssembly implementation.

CVE-2018-6088
    A use-after-free issue was discovered in the pdfium library.

CVE-2018-6089
    Rob Wu discovered a way to bypass the Same Origin Policy.

CVE-2018-6090
    ZhanJia Song discovered a heap overflow issue in the skia library.

CVE-2018-6091
    Jun Kokatsu discovered that plugins could be handled incorrectly.

CVE-2018-6092
    Natalie Silvanovich discovered an integer overflow issue in the WebAssembly implementation.

CVE-2018-6093
    Jun Kokatsu discovered a way to bypass the Same Origin Policy.
CVE-2018-6094
    Chris Rohlf discovered a regression in garbage collection hardening.

CVE-2018-6095
    Abdulrahman Alqabandi discovered files could be uploaded without user interaction.

CVE-2018-6096
    WenXu Wu discovered a user interface spoofing issue.

CVE-2018-6097
    xisigr discovered a user interface spoofing issue.

CVE-2018-6098
    Khalil Zhani discovered a URL spoo