[SECURITY] [DLA 1919-1] linux-4.9 security update

2019-09-13 Thread Ben Hutchings
Package: linux-4.9
Version: 4.9.189-3~deb8u1
CVE ID : CVE-2019-0136 CVE-2019-9506 CVE-2019-11487 CVE-2019-15211
 CVE-2019-15212 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218
 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292
 CVE-2019-15538 CVE-2019-15666 CVE-2019-15807 CVE-2019-15924
 CVE-2019-15926
Debian Bug : 930904

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211)
did not properly authenticate Tunneled Direct Link Setup (TDLS)
messages.  A nearby attacker could use this for denial of service
(loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen
discovered a weakness in the Bluetooth pairing protocols, dubbed
the "KNOB attack".  An attacker that is nearby during pairing
could use this to weaken the encryption used between the paired
devices, and then to eavesdrop on and/or spoof communication
between them.

This update mitigates the attack by requiring a minimum encryption
key length of 56 bits.

CVE-2019-11487

Jann Horn discovered that the FUSE (Filesystem-in-Userspace)
facility could be used to cause integer overflow in page reference
counts, leading to a use-after-free.  On a system with sufficient
physical memory, a local user permitted to create arbitrary FUSE
mounts could use this for privilege escalation.

By default, unprivileged users can only mount FUSE filesystems
through fusermount, which limits the number of mounts created and
should completely mitigate the issue.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that
could lead to a use-after-free.  An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work
correctly if more than one device is bound to it.  An attacker
able to add USB devices could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads
to a use-after-free.  An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2019-15216

The syzkaller tool found a bug in the yurex driver that leads to
a use-after-free.  An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate
that USB devices have the expected endpoints, potentially leading
to a null pointer dereference.  An attacker able to add USB
devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the
sisusbvga driver could lead to a null pointer dereference.  An
attacker able to add USB devices could use this to cause a denial
of service (BUG/oops).

CVE-2019-15220

The syzkaller tool found a race condition in the p54usb driver
which could lead to a use-after-free.  An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15221

The syzkaller tool found that the line6 driver did not validate
USB devices' maximum packet sizes, which could lead to a heap
buffer overrun.  An attacker able to add USB devices could use
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.

CVE-2019-15292

The Hulk Robot tool found missing error checks in the Appletalk
protocol implementation, which could lead to a use-after-free.
The security impact of this is unclear.

CVE-2019-15538

Benjamin Moody reported that operations on XFS hung after a
chgrp command failed due to a disk quota.  A local user on a
system using XFS and disk quotas could use this for denial of
service.

CVE-2019-15666

The Hulk Robot tool found an incorrect range check in the network
transformation (xfrm) layer, leading to out-of-bounds memory
accesses.  A local user with CAP_NET_ADMIN capability (in any user
namespace) could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2019-15807

Jian Luo reported that the Serial Attached SCSI library (libsas)
did not 
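
Several of the syzkaller findings above share one root cause: the driver trusted what the device said about itself, whether that was the presence of the endpoints it needed (CVE-2019-15218, smsusb) or the packet size an endpoint would deliver into a fixed-size buffer (CVE-2019-15221, line6). The following is an added example written for this page, not kernel code from this update: a user-space walk over a raw USB configuration descriptor that locates a required endpoint with every length field bounds-checked and refuses an endpoint whose wMaxPacketSize would not fit the receive buffer. The descriptor byte arrays are constructed for the example; the in-kernel counterparts of this lookup are usb_find_common_endpoints() and usb_maxpacket().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type codes and endpoint field masks from the USB 2.0 spec. */
#define USB_DT_CONFIG               0x02
#define USB_DT_ENDPOINT             0x05
#define USB_ENDPOINT_DIR_MASK       0x80
#define USB_ENDPOINT_XFERTYPE_MASK  0x03
#define USB_ENDPOINT_XFER_BULK      0x02
#define USB_DIR_IN                  0x80
#define USB_DIR_OUT                 0x00

struct ep_info {
    uint8_t  address;     /* bEndpointAddress */
    uint8_t  xfer_type;   /* bmAttributes & USB_ENDPOINT_XFERTYPE_MASK */
    uint16_t max_packet;  /* wMaxPacketSize, low 11 bits */
};

enum ep_status {
    EP_OK            =  0,
    EP_ERR_MALFORMED = -1,  /* a bLength/wTotalLength would walk past the buffer */
    EP_ERR_NOT_FOUND = -2,  /* required endpoint absent (the smsusb class of bug) */
    EP_ERR_BAD_SIZE  = -3,  /* wMaxPacketSize is 0 or exceeds the driver buffer (the line6 class) */
};

/*
 * Walk a raw configuration descriptor and return the first endpoint with the
 * requested direction and transfer type. Every bLength is checked against the
 * remaining bytes before it is used, and wMaxPacketSize is checked against
 * buf_size, the size of the buffer the caller intends to receive into.
 */
int find_endpoint(const uint8_t *desc, size_t len, uint8_t dir, uint8_t xfer,
                  size_t buf_size, struct ep_info *out)
{
    if (len < 9 || desc[0] < 9 || desc[1] != USB_DT_CONFIG)
        return EP_ERR_MALFORMED;
    size_t total = (size_t)desc[2] | ((size_t)desc[3] << 8);
    if (total > len)
        return EP_ERR_MALFORMED;  /* wTotalLength claims more than we were given */
    len = total;

    for (size_t off = 0; off + 2 <= len; ) {
        uint8_t blen  = desc[off];
        uint8_t btype = desc[off + 1];
        if (blen < 2 || off + blen > len)
            return EP_ERR_MALFORMED;
        if (btype == USB_DT_ENDPOINT) {
            if (blen < 7)
                return EP_ERR_MALFORMED;
            uint8_t  addr = desc[off + 2];
            uint8_t  attr = desc[off + 3];
            uint16_t mps  = (uint16_t)((desc[off + 4] | (desc[off + 5] << 8)) & 0x7ff);
            if ((addr & USB_ENDPOINT_DIR_MASK) == dir &&
                (attr & USB_ENDPOINT_XFERTYPE_MASK) == xfer) {
                if (mps == 0 || mps > buf_size)
                    return EP_ERR_BAD_SIZE;
                out->address    = addr;
                out->xfer_type  = attr & USB_ENDPOINT_XFERTYPE_MASK;
                out->max_packet = mps;
                return EP_OK;
            }
        }
        off += blen;
    }
    return EP_ERR_NOT_FOUND;
}

/* Constructed descriptors for the example (not captured from a real device). */
/* config(9) + interface(9) + bulk IN endpoint 0x81 with wMaxPacketSize 64 */
static const uint8_t good_desc[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0,
};
/* the device advertises no endpoint at all */
static const uint8_t no_ep_desc[] = {
    9, USB_DT_CONFIG, 18, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 0, 0xff, 0, 0, 0,
};
/* as good_desc, but wMaxPacketSize is 1024 */
static const uint8_t huge_desc[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,
    7, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x04, 0,
};
/* endpoint descriptor whose bLength (0x40) runs past wTotalLength */
static const uint8_t bad_len_desc[] = {
    9, USB_DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,
    0x40, USB_DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0,
};

int main(void)
{
    struct ep_info ep;
    int rc = find_endpoint(good_desc, sizeof good_desc, USB_DIR_IN,
                           USB_ENDPOINT_XFER_BULK, 512, &ep);
    printf("good_desc: rc=%d addr=0x%02x mps=%u\n", rc, ep.address, ep.max_packet);
    printf("no_ep_desc: rc=%d\n", find_endpoint(no_ep_desc, sizeof no_ep_desc,
           USB_DIR_IN, USB_ENDPOINT_XFER_BULK, 512, &ep));
    printf("huge_desc: rc=%d\n", find_endpoint(huge_desc, sizeof huge_desc,
           USB_DIR_IN, USB_ENDPOINT_XFER_BULK, 512, &ep));
    printf("bad_len_desc: rc=%d\n", find_endpoint(bad_len_desc, sizeof bad_len_desc,
           USB_DIR_IN, USB_ENDPOINT_XFER_BULK, 512, &ep));
    return 0;
}
```

The receive buffer size is passed in explicitly because that is the check the line6 bug lacked: an endpoint descriptor is only usable if the buffer the driver allocates for it is at least wMaxPacketSize bytes, and a device can advertise any value it likes.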

Re: Accepted firefox-esr 60.9.0esr-1~deb8u1 (source amd64 all) into oldoldstable

2019-09-13 Thread Pascal Hambourg

On 08/09/2019 at 14:00, Emilio Pozuelo Monfort wrote:

> On 07/09/2019 10:01, Pascal Hambourg wrote:
>
>> It seems that the i386 build failed.
>
> Thanks for the notice. I'll take a look at it.

Thanks. Still failed.



Accepted linux-4.9 4.9.189-3~deb8u1 (all source) into oldoldstable, oldoldstable

2019-09-13 Thread Ben Hutchings
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 13 Aug 2019 19:47:06 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common 
linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 
linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Kernel Team 
Changed-By: Ben Hutchings 
Closes: 866122 904385 930904 935134
Description: 
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 
4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 
4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie:
 - Change ABI number to 0.bpo.11
 .
 linux (4.9.189-3) stretch; urgency=medium
 .
   * tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
 .
 linux (4.9.189-2) stretch; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
 (CVE-2019-15538)
 .
   [ Ben Hutchings ]
   * [s390x] Revert "perf test 6: Fix missing kvm module load for s390"
 (fixes FTBFS)
 .
 linux (4.9.189-1) stretch; urgency=medium
 .
   * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.186
 - [x86] Input: elantech - enable middle button support on 2 ThinkPads
 - mac80211: mesh: fix RCU warning
 - mac80211: free peer keys before vif down in mesh
 - netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments
 - netfilter: ipv6: nf_defrag: accept duplicate fragments again
 - [armhf] Input: imx_keypad - make sure keyboard can always wake up system
 - [arm64] KVM: arm/arm64: vgic: Fix kvm_device leak in vgic_its_destroy
 - mac80211: only warn once on chanctx_conf being NULL
 - md: fix for divide error in status_resync
 - bnx2x: Check if transceiver implements DDM before access
 - ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
 - net :sunrpc :clnt :Fix xps refcount imbalance on the error path
 - udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
 - [x86] ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
 - [x86] tls: Fix possible spectre-v1 in do_get_thread_area()
 - fscrypt: don't set policy for a dead directory
 - USB: serial: ftdi_sio: add ID for isodebug v1
 - USB: serial: option: add support for GosunCn ME3630 RNDIS mode
 - Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
 - p54usb: Fix race between disconnect and firmware loading
   (CVE-2019-15220)
 - usb: gadget: ether: Fix race between gether_disconnect and rx_submit
 - [i386] staging: comedi: dt282x: fix a null pointer deref on interrupt
 - [x86] staging: comedi: amplc_pci230: fix null pointer deref on interrupt
 - carl9170: fix misuse of device driver API
 - [x86] VMCI: Fix integer overflow in VMCI handle arrays
 - Revert "e1000e: fix cyclic resets at link up with active tx"
 - e1000e: start network tx queue only when link is up
 - [arm64] crypto: remove accidentally backported files
 - perf/core: Fix perf_sample_regs_user() mm check
 - [armhf] omap2: remove incorrect __init annotation
 - be2net: fix link failure after ethtool offline test
 - ppp: mppe: Add softdep to arc4
 - sis900: fix TX completion
 - dm verity: use message limit for data block corruption message
 - [s390x] fix stfle zero padding
 - [s390x] qdio: (re-)initialize tiqdio list entries
 - [s390x] qdio: don't touch the dsci in tiqdio_add_input_queues()
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.187
 - [arm64] efi: Mark __efistub_stext_offset as an absolute symbol explicitly
 - [armhf] dmaengine: imx-sdma: fix use-after-free on probe error path
 - ath10k: Do not send probe response template for mesh
 - ath9k: Check for errors when reading SREV register
 - ath6kl: add some bounds checking
 - ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
 - batman-adv: fix for leaked TVLV handler.
 - media: dvb: usb: fix use after free in dvb_usb_device_exit
 - media: marvell-ccic: fix DMA s/g desc number calculation
 - media: media_device_enum_links32: clean a reserved field
 - [armhf,arm64] net: stmmac: dwmac1000: Clear unused address entries
 - [armhf,arm64] net: stmmac: dwmac4/5: Clear unused address entries
 - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
 - af_key: fix leaks in key_pol_get_resp and dump_sp.
 - xfrm: Fix xfrm sel prefix length validation
 - 

[SECURITY] [DLA 1921-1] dnsmasq security update

2019-09-13 Thread Jonas Meurer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: dnsmasq
Version: 2.72-3+deb8u5
CVE ID : CVE-2019-14513


Samuel R Lovejoy discovered a security vulnerability in dnsmasq.
Carefully crafted packets by DNS servers might result in out of
bounds read operations, potentially leading to a crash and denial
of service.

For Debian 8 "Jessie", this problem has been fixed in version
2.72-3+deb8u5.

We recommend that you upgrade your dnsmasq packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Jonas Meurer


-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAl17jjMACgkQUmLn/0kQ
Sf5ooA//QDSu8a+HNPwkfC6P3oFKJ4g5OG6Ra+oN/gc8Q4VrzXeIQh3Ew2C6G0BQ
AmlJqJrAYIKOyn2GX3Ki5CDSQ6xDBSkAGXlbEY6/Qt0ZQ8+4gmeY51Hph4ZxlHDz
p8xoAhlYO6tWnJ7j2jmuaTSde3YM0rd6LMG2WCjhjRSwoTlLJQq5V88xbag/Q+i8
XWjFVsYUovnYXa9aSxc7qDiyUJrC/XtcNn68PQMgZz0JEeP43dCOGMsZNgSsZUex
E30cfK2bhJfIBMJlYS18MuuRq+TDSvdk+ZgXYIQyxL0WkEeLlrPPHjjDzw/+vE10
cyCHayoREBHz5XVuRD0xqqsVFErqmR3KqCqiHoqEkyRG1W0a+ZARZ3Chg4NcA/v9
EI/4XZeWBEheq/VNRX1tcDIroOyhcs5q99v+8C8jgIPj190V63MlOsnylYPBSOZe
y9nXTN+JYbBQQDvLNDj9k8fmxw2ctciKHoeOucOpeDH27x8LdA+sfCMHK7j7sGbZ
nrQ9Ql4p9+oHENzL3sdcmFPXkrwMyCefV4QSlG62+7G4/14YxLUrJSXfwERpiRTa
tqDOMuhlgoyRDbfz/dsyePyTW2x9aiWDP2sXERP720M/hM2nOAd6QuLdqUYodzkE
MnveUQbF5tUyxZavPAFAQ9v3pB706n/uofxSoa3fT7RNqBk+q34=
=P/zK
-END PGP SIGNATURE-
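
Out-of-bounds reads on crafted replies, the class of bug CVE-2019-14513 above belongs to, typically sit in the code that walks the variable-length records of a DNS message, and name decompression is the usual culprit. The following is an added example written for this page; it is not dnsmasq's extract_name() and not a reconstruction of where the fixed bug sat. It reads a possibly compressed name while bounds-checking every byte, refusing labels that run past the packet, and following only compression pointers that go strictly backwards with strictly decreasing targets, so a server cannot steer it out of the buffer or into a loop. The reply bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on the wire form of a name */

/*
 * Read a possibly compressed domain name that starts at pkt[offset].
 * Writes the dotted form to out (outlen bytes) and returns the offset of the
 * first byte after the name as it appears in the packet, or -1 if the
 * packet is malformed. Rules enforced:
 *   - every byte is bounds-checked against pktlen before it is read;
 *   - a label may not run past the end of the packet;
 *   - compression pointers must point strictly backwards and each target
 *     must be below the previous one, so they cannot form a cycle;
 *   - the name may not exceed DNS_MAX_NAME on the wire or outlen decoded.
 */
int dns_read_name(const uint8_t *pkt, size_t pktlen, size_t offset,
                  char *out, size_t outlen)
{
    size_t pos = offset, end = 0, written = 0, wire_len = 0;
    size_t last_target = pktlen;   /* each pointer target must be < this */
    bool jumped = false;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (pos >= pktlen)
            return -1;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos + 1 >= pktlen)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (target >= pos || target >= last_target)
                return -1;                       /* forward, self or cyclic */
            last_target = target;
            if (!jumped) {
                end = pos + 2;                   /* name ends after the pointer */
                jumped = true;
            }
            pos = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                           /* 0x40/0x80 label types unsupported */
        if (len == 0) {                          /* root label terminates the name */
            if (!jumped)
                end = pos + 1;
            break;
        }
        if (pos + 1 + len > pktlen)
            return -1;                           /* label runs past the packet */
        wire_len += 1 + len;
        if (wire_len > DNS_MAX_NAME)
            return -1;
        if (written + 1 + len + 1 > outlen)      /* dot + label + NUL */
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, pkt + pos + 1, len);
        written += len;
        pos += 1 + len;
    }
    out[written] = '\0';
    return (int)end;
}

/* Constructed reply fragment for the example (not a real capture). */
static const uint8_t sample_reply[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,    /* 0: 12-byte header */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, /* 12: "example.com" */
    3, 'w','w','w', 0xC0, 0x0C,                        /* 25: "www" + pointer to 12 */
    0xC0, 0x1F,                                        /* 31: pointer to itself */
    0x3F, 'x', 'x',                                    /* 33: 63-byte label, 2 bytes left */
};

int main(void)
{
    char name[256];
    size_t starts[] = { 12, 25, 31, 33 };
    for (size_t i = 0; i < 4; i++) {
        int next = dns_read_name(sample_reply, sizeof sample_reply, starts[i],
                                 name, sizeof name);
        if (next < 0)
            printf("offset %zu: rejected\n", starts[i]);
        else
            printf("offset %zu: \"%s\" (next field at %d)\n", starts[i], name, next);
    }
    return 0;
}
```

The returned offset is the position of the field after the name in the packet, not the position where decoding stopped; a caller that confuses the two after following a pointer will misparse every subsequent record, which is a second common source of the same out-of-bounds read.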



Accepted dnsmasq 2.72-3+deb8u5 (source amd64 all) into oldoldstable

2019-09-13 Thread Jonas Meurer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 13 Sep 2019 11:57:09 +0200
Source: dnsmasq
Binary: dnsmasq dnsmasq-base dnsmasq-utils
Architecture: source amd64 all
Version: 2.72-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Simon Kelley 
Changed-By: Jonas Meurer 
Description:
 dnsmasq - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server
 dnsmasq-utils - Utilities for manipulating DHCP leases
Changes:
 dnsmasq (2.72-3+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2019-14513: Improper bounds checking
Checksums-Sha1:
 267b7826ced42a35c9f80330080965b44ec6a2cf 1904 dnsmasq_2.72-3+deb8u5.dsc
 5d4d723ed5181464a6ad8f1f158068a233a6951b 29238 dnsmasq_2.72-3+deb8u5.diff.gz
 ac07d80818ccf39e2c52ba08aee1f3dd9c212f2c 403412 
dnsmasq-base_2.72-3+deb8u5_amd64.deb
 34e45650f39c4a23ca2080285e7769462f2bb481 19418 
dnsmasq-utils_2.72-3+deb8u5_amd64.deb
 dea722b21d509dd5f80301fecf7f3c672db09fbe 15804 dnsmasq_2.72-3+deb8u5_all.deb
Checksums-Sha256:
 88caa87850fc5b07fdc66ee748fc8d117c15b5465737e288fe990d5cfb1ce716 1904 
dnsmasq_2.72-3+deb8u5.dsc
 0095daafc22e3688db94c915bdb9a0a996a77848c8e72399abaf924379752621 29238 
dnsmasq_2.72-3+deb8u5.diff.gz
 940d7f669f8ce2888586e898eb4c35ee0e9116e3f251e4621787794382a61cf2 403412 
dnsmasq-base_2.72-3+deb8u5_amd64.deb
 03b72c6b8e9b71f211bbdb9447198f62c79e008b4d2d84e692a1ab3bf81acd7e 19418 
dnsmasq-utils_2.72-3+deb8u5_amd64.deb
 5c3872a5b96503d87bc9db1287e988998710aae34fb7229d87495351fdeaf99c 15804 
dnsmasq_2.72-3+deb8u5_all.deb
Files:
 7983d55473445a92763cb4187dcf2a0f 1904 net optional dnsmasq_2.72-3+deb8u5.dsc
 baeb08b05e6048fa8623e004744ccfee 29238 net optional 
dnsmasq_2.72-3+deb8u5.diff.gz
 44d70e0d674ba31b26471107db73de4e 403412 net optional 
dnsmasq-base_2.72-3+deb8u5_amd64.deb
 545466b5a254ae9fb98faf02d7d91ca4 19418 net optional 
dnsmasq-utils_2.72-3+deb8u5_amd64.deb
 b23e96f5e48c9d74939034b33704f556 15804 net optional 
dnsmasq_2.72-3+deb8u5_all.deb




qemu: request for testing

2019-09-13 Thread Sylvain Beucler
Hi,

A proposed security upload is available at:
https://www.beuc.net/tmp/debian-lts/qemu/

I would welcome testing, even if just one feature you use (qemu's
feature set is large).
I intend to upload within a week.

Cheers!
Sylvain

 qemu (1:2.1+dfsg-12+deb8u12) UNRELEASED-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [Mike Gabriel]
   * CVE-2017-9375: Track xhci_kick_ep processing being active in a
 variable. Check the variable at the beginning of xhci_kick_ep. Add an
 assert right before processing the kick.
   * CVE-2019-12155: qxl: Check release info object. When releasing spice
 resources in release_resource() routine, if release info object
 'ext.info' is null, it leads to null pointer dereference. Add check
 to avoid it.
   * CVE-2016-5403: virtio: error out if guest exceeds virtqueue size. Plus
 set vq->inuse correctly at various places.
   * CVE-2016-5126: block/iscsi: avoid potential overflow of acb->task->cdb.
   * Remove unused/redundant patch files.
 .
   [Sylvain Beucler]
   * CVE-2019-12068: scsi: lsi: exit infinite loop while executing script
   * CVE-2019-13164: qemu-bridge-helper.c in QEMU 4.0.0 does not ensure
 that a network interface name (obtained from bridge.conf or a
 --br=bridge option) is limited to the IFNAMSIZ size, which can
 lead to an ACL bypass.
   * CVE-2019-14378: ip_reass in ip_input.c in libslirp has a
 heap-based buffer overflow via a large packet because it
 mishandles a case involving the first fragment.
   * CVE-2019-15890: libslirp has a use-after-free in ip_reass in
ip_input.c.
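
On the CVE-2019-13164 entry in the changelog above: one way a missing IFNAMSIZ check turns into an ACL bypass is that two parts of the system see the same string differently. An allow/deny check compares the name exactly as supplied, while the kernel receives it through a fixed ifr_name[IFNAMSIZ] field that holds at most 15 characters, so a longer name is judged in one form and attached in another. The example below is added for this page and is not qemu-bridge-helper's code; the ACL semantics it models (rules in order, first match wins, "all" matches everything, no match means deny) and the 15-character bridge name are assumptions made for the demonstration. It shows the unchecked flow passing a name that maps onto a denied bridge after truncation, and the fixed flow rejecting it before the ACL is consulted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16  /* Linux: 15 characters plus the terminating NUL */

/* One line of a bridge.conf-style ACL. Simplified model (an assumption of
 * this example, not a statement about qemu-bridge-helper's parser): rules
 * are checked in order, the first match decides, "all" matches any name,
 * and no match means deny. */
struct acl_rule {
    bool        allow;
    const char *iface;
};

/* Constructed policy: one 15-character bridge is off limits, the rest is
 * allowed. */
static const struct acl_rule sample_acl[] = {
    { false, "br-private-lan1" },
    { true,  "all" },
};
#define SAMPLE_ACL_LEN (sizeof sample_acl / sizeof sample_acl[0])

bool acl_allows(const struct acl_rule *rules, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].iface, "all") == 0 ||
            strcmp(rules[i].iface, name) == 0)
            return rules[i].allow;
    }
    return false;
}

/* What the kernel ends up with: a name copied into a fixed ifr_name[IFNAMSIZ]
 * field keeps at most IFNAMSIZ-1 characters. */
void kernel_ifname(const char *name, char out[IFNAMSIZ])
{
    strncpy(out, name, IFNAMSIZ - 1);
    out[IFNAMSIZ - 1] = '\0';
}

/* Vulnerable flow: the ACL judges the full string, the ioctl gets the
 * truncated one. Returns the name actually attached, or NULL if denied. */
const char *attach_unchecked(const char *name, char out[IFNAMSIZ])
{
    if (!acl_allows(sample_acl, SAMPLE_ACL_LEN, name))
        return NULL;
    kernel_ifname(name, out);
    return out;
}

/* Fixed flow: refuse any name that would not survive the copy intact,
 * before the ACL ever looks at it. */
const char *attach_checked(const char *name, char out[IFNAMSIZ])
{
    if (strlen(name) >= IFNAMSIZ)
        return NULL;
    return attach_unchecked(name, out);
}

int main(void)
{
    char ifname[IFNAMSIZ];
    const char *names[] = { "br0", "br-private-lan1", "br-private-lan1evil" };
    for (size_t i = 0; i < 3; i++) {
        const char *u = attach_unchecked(names[i], ifname);
        printf("unchecked %-20s -> %s\n", names[i], u ? u : "denied");
        const char *c = attach_checked(names[i], ifname);
        printf("checked   %-20s -> %s\n", names[i], c ? c : "denied");
    }
    return 0;
}
```

The general lesson is to validate the name against the limit of the narrowest consumer before any policy decision is made on it; a check placed after the ACL, or a silent truncation inside the copy, leaves the same gap.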



Accepted curl 7.38.0-4+deb8u16 (source amd64 all) into oldoldstable

2019-09-13 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 12 Sep 2019 10:33:15 +0200
Source: curl
Binary: curl libcurl3 libcurl3-gnutls libcurl3-nss libcurl4-openssl-dev 
libcurl4-gnutls-dev libcurl4-nss-dev libcurl3-dbg libcurl4-doc
Architecture: source amd64 all
Version: 7.38.0-4+deb8u16
Distribution: jessie-security
Urgency: high
Maintainer: Alessandro Ghedini 
Changed-By: Chris Lamb 
Description:
 curl   - command line tool for transferring data with URL syntax
 libcurl3   - easy-to-use client-side URL transfer library (OpenSSL flavour)
 libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
 libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
 libcurl3-nss - easy-to-use client-side URL transfer library (NSS flavour)
 libcurl4-doc - documentation for libcurl
 libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS 
flavour)
 libcurl4-nss-dev - development files and documentation for libcurl (NSS 
flavour)
 libcurl4-openssl-dev - development files and documentation for libcurl 
(OpenSSL flavour)
Closes: 940010
Changes:
 curl (7.38.0-4+deb8u16) jessie-security; urgency=high
 .
   * CVE-2019-5482: Fix a heap buffer overflow in the TFTP protocol handling.
 (Closes: #940010)
Checksums-Sha1:
 f277a6229eb15f3847cc0389ddb553171242a065 2673 curl_7.38.0-4+deb8u16.dsc
 40d8ec9063f076005535139c9229ac77c57f0300 4094034 curl_7.38.0.orig.tar.gz
 8e4b3274520b49144a03c51610b44b105850ef32 57984 
curl_7.38.0-4+deb8u16.debian.tar.xz
 7c4767ec158c1c360a8629bfb3450537a2022dbc 201764 curl_7.38.0-4+deb8u16_amd64.deb
 28504a1c7255e32bf6eff8e02d190f19e20b4cf1 261272 
libcurl3_7.38.0-4+deb8u16_amd64.deb
 49890c640bfb953f168f763c0ac2a071a263c186 253154 
libcurl3-gnutls_7.38.0-4+deb8u16_amd64.deb
 7d7fba05ff3d60f4dfbad85066aa7cb18f780184 264600 
libcurl3-nss_7.38.0-4+deb8u16_amd64.deb
 1b75d88b4bea56b148195c9f16bbe3edf1d6aafc 337932 
libcurl4-openssl-dev_7.38.0-4+deb8u16_amd64.deb
 62f85f3be773f5221a18a4c000745cb02d565103 329582 
libcurl4-gnutls-dev_7.38.0-4+deb8u16_amd64.deb
 af638f16c97e51d95732fef9741f29ad7c567a68 342074 
libcurl4-nss-dev_7.38.0-4+deb8u16_amd64.deb
 3e12ec88916524ba0faed86afd1b48de1bede1cb 3374892 
libcurl3-dbg_7.38.0-4+deb8u16_amd64.deb
 b0071f700892ea69a9fbbefe129774f8b89fc5ca 1068612 
libcurl4-doc_7.38.0-4+deb8u16_all.deb
Checksums-Sha256:
 3db130cd472eca668fca688a05abc4015e21bb2c71a31dd7922a7e20f28a0f9d 2673 
curl_7.38.0-4+deb8u16.dsc
 5661028aa6532882fa228cd23c99ddbb8b87643dbb1a7ea55c068d34a943dff1 4094034 
curl_7.38.0.orig.tar.gz
 2952dba7f69e877ad1d03e3cb41458b52cf7a000226a24be3938c3152136ccc2 57984 
curl_7.38.0-4+deb8u16.debian.tar.xz
 419e2978603a57fb840c5ea0e5917273f101ea1f110e573abb53d5b7911541f7 201764 
curl_7.38.0-4+deb8u16_amd64.deb
 c1e5b76b0c2d99bffad15f152fe41731d58c111bf6844dcb4eac91575dc8e6f7 261272 
libcurl3_7.38.0-4+deb8u16_amd64.deb
 01e669050e8f879a1c8560dead1092efa392f215a26c3840461a6e99b47bbbd7 253154 
libcurl3-gnutls_7.38.0-4+deb8u16_amd64.deb
 477c96550d9e93788e1497fa08b30eb7f8d17853fd679b4dd914e0ac6b300e6f 264600 
libcurl3-nss_7.38.0-4+deb8u16_amd64.deb
 c94c238634bb5e6e5146037fe1b291d444f20efeed0af0232da84ef0a2c45e74 337932 
libcurl4-openssl-dev_7.38.0-4+deb8u16_amd64.deb
 2fccd3f6496672b61eb102c9487d91ba8a8d9eb13a8c215bc48d6bad705df96d 329582 
libcurl4-gnutls-dev_7.38.0-4+deb8u16_amd64.deb
 0a83e2d96f29f79b5f1b74ff7ecc392639f510194cf34b6f5118ebbc74e4a09d 342074 
libcurl4-nss-dev_7.38.0-4+deb8u16_amd64.deb
 602d53c9760fc85bcca31436c9e3491f20c24298837a848a4e5186a04a3b9de8 3374892 
libcurl3-dbg_7.38.0-4+deb8u16_amd64.deb
 0b735118c0f966a803d1710cddfa2333c2b4319f979f7453ebe8b8f383cb83c6 1068612 
libcurl4-doc_7.38.0-4+deb8u16_all.deb
Files:
 c43a05c8008d548c48fe8532bfb7ed4b 2673 web optional curl_7.38.0-4+deb8u16.dsc
 b6e3ea55bb718f2270489581efa50a8a 4094034 web optional curl_7.38.0.orig.tar.gz
 ea884cab35ed675b3879227f09271e30 57984 web optional 
curl_7.38.0-4+deb8u16.debian.tar.xz
 6d4f9d5715a82cb507094a70e1f34768 201764 web optional 
curl_7.38.0-4+deb8u16_amd64.deb
 a592f7d91d0caad276ecc1383dfca4ca 261272 libs optional 
libcurl3_7.38.0-4+deb8u16_amd64.deb
 f076f4ec91e5eb403744e135fff0f4f1 253154 libs optional 
libcurl3-gnutls_7.38.0-4+deb8u16_amd64.deb
 1d4009b189ef707b30aa632c33b63b41 264600 libs optional 
libcurl3-nss_7.38.0-4+deb8u16_amd64.deb
 3e9a492b64f330b974e9d25011397976 337932 libdevel optional 
libcurl4-openssl-dev_7.38.0-4+deb8u16_amd64.deb
 d63c3bee89d73f44b85a6fda63bc5f04 329582 libdevel optional 
libcurl4-gnutls-dev_7.38.0-4+deb8u16_amd64.deb
 397aa81f8f8fee76b97acf5af072dd2f 342074 libdevel optional 
libcurl4-nss-dev_7.38.0-4+deb8u16_amd64.deb
 ad3818cc11e1eb6614409bb9a480bb1d 3374892 debug extra 
libcurl3-dbg_7.38.0-4+deb8u16_amd64.deb
 113e97d36d5227455e4882aaeb6cb217 1068612 doc optional 
libcurl4-doc_7.38.0-4+deb8u16_all.deb


[SECURITY] [DLA 1917-1] curl security update

2019-09-13 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: curl
Version: 7.38.0-4+deb8u16
CVE ID : CVE-2019-5482
Debian Bug : #940010

It was discovered that there was a heap buffer overflow vulnerability
in curl, the library and command-line tool for transferring data over
the internet.

For Debian 8 "Jessie", this issue has been fixed in curl version
7.38.0-4+deb8u16.

We recommend that you upgrade your curl packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Accepted golang-go.crypto 0.0~hg190-1+deb8u2 (source all) into oldoldstable

2019-09-13 Thread Brian May
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 13 Sep 2019 15:54:40 +1000
Source: golang-go.crypto
Binary: golang-go.crypto-dev
Architecture: source all
Version: 0.0~hg190-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Tonnerre Lombard 
Changed-By: Brian May 
Description:
 golang-go.crypto-dev - Supplementary Go cryptography libraries
Changes:
 golang-go.crypto (0.0~hg190-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-11841 Add protection for spoofed GPG Hash header.
   * Include patch to fix infinite loop on malformed GPG input.
Checksums-Sha1:
 c48e1dcfbf1628d021e195bca16354fd4520d79e 2046 
golang-go.crypto_0.0~hg190-1+deb8u2.dsc
 030d6fb5ba4c97f192d6cafdec3f5d8b0c5b3374 298703 
golang-go.crypto_0.0~hg190.orig.tar.gz
 c8d08f0cc33f63674c31dbb5f614da81916e96b8 6972 
golang-go.crypto_0.0~hg190-1+deb8u2.debian.tar.xz
 25b305c69bbf0965ecb188b55ab1578a84593262 244598 
golang-go.crypto-dev_0.0~hg190-1+deb8u2_all.deb
Checksums-Sha256:
 238a2f9dc772657bda9448dd25720d3bafd1ac3d652a5d031e76916838c66a11 2046 
golang-go.crypto_0.0~hg190-1+deb8u2.dsc
 60c26162d00df7e4201ab8df4158572b7acf074a27d11d168be7178cf4ba4ce0 298703 
golang-go.crypto_0.0~hg190.orig.tar.gz
 1d324177da40b3ebfd79e733313bf3821a9347e1f1d7ad4130111c721b4c5a09 6972 
golang-go.crypto_0.0~hg190-1+deb8u2.debian.tar.xz
 ad0d8277446e114426a9d4cab27e536bce79a9a6af722542e371de4fca0994e9 244598 
golang-go.crypto-dev_0.0~hg190-1+deb8u2_all.deb
Files:
 60da80d153a3c0f25c2e84c9ae6161b4 2046 devel extra 
golang-go.crypto_0.0~hg190-1+deb8u2.dsc
 a73ccf3329769910eae9970ce01f5889 298703 devel extra 
golang-go.crypto_0.0~hg190.orig.tar.gz
 39a0f172a8c7c6351a8e207c7607cdca 6972 devel extra 
golang-go.crypto_0.0~hg190-1+deb8u2.debian.tar.xz
 61063e1a262963272abdb0807fa1e06a 244598 devel extra 
golang-go.crypto-dev_0.0~hg190-1+deb8u2_all.deb
