[SECURITY] [DLA 1343-1] ming security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ming Version: 0.4.4-1.1+deb7u8 CVE ID : CVE-2018-6358 CVE-2018-7867 CVE-2018-7868 CVE-2018-7870 CVE-2018-7871 CVE-2018-7872 CVE-2018-7875 CVE-2018-9165 Multiple vulnerabilities have been discovered in Ming: CVE-2018-6358 Heap-based buffer overflow vulnerability in the printDefineFont2 function (util/listfdb.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7867 Heap-based buffer overflow vulnerability in the getString function (util/decompile.c) during a RegisterNumber sprintf. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7868 Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7870 Invalid memory address dereference in the getString function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7871 Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7872 Invalid memory address dereference in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-7875 Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file. CVE-2018-9165 The pushdup function (util/decompile.c) performs shallow copy of String elements (instead of deep copy), allowing simultaneous change of multiple elements of the stack, which indirectly makes the library vulnerable to a NULL pointer dereference in getName (util/decompile.c). Remote attackers might leverage this vulnerability to cause dos via a crafted swf file. For Debian 7 "Wheezy", these problems have been fixed in version 0.4.4-1.1+deb7u8. We recommend that you upgrade your ming packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrLWxMACgkQLVy48vb3 khndugf9G1fRWhVJaXb1vOvfztyqweHyu1ppZeVhG7P9EdJcLM/jHPfRU6UZlmcj /0WgxNoMxHmcnIv7f1c64gfWdqJfAkPXxjAyrjzDMam7LuJI7T25B4VGcXg4G4N0 +m4lWvZn+tBJzigDx1Fs9ZYE7bVTNJP+hApyNSDPuDTLlD0NOpTs4Lq0kM14wVIU mJTloRIuHWLkfUiRu9v+c6i5aKoBuqY7XenzqxrEU515HmfOPnTejxlSzyAyH6or yShz6eWExvBs7pXu9TB3cCirtP5gsqrANE/UxGSzPwlk//XtpojSMlysyRwEXxLX Y30B4a+e1VkqDPNMUhtJ+fIOBZBq2Q== =ZzkF -END PGP SIGNATURE-
[SECURITY] [DLA 1342-1] ldap-account-manager security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: ldap-account-manager Version: 3.7-2+deb7u1 CVE ID : CVE-2018-8763 Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web front-end for LDAP directories. CVE-2018-8763 The found Reflected Cross Site Scripting (XSS) vulnerability might allow an attacker to execute JavaScript code in the browser of the victim or to redirect her to a malicious website if the victim clicks on a specially crafted link. For Debian 7 "Wheezy", these problems have been fixed in version 3.7-2+deb7u1. We recommend that you upgrade your ldap-account-manager packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlrLFwYACgkQKpJZkldk SvrWuQ//QRn2ZlJjG4WVs5XJNGOGdmjcxh9D41ndUk4kdazI++nRI4tftEkEdkFM 6y6dpOzpJ/RM2h1nSG4yC9NJoTfpRqkeYTPcO035Bmg8QZkqN/RvPOR5G+pqJbRr S74OpI6cslTW2hEHBZ9g9ZydTxWKZkiAzWCvMdncbyy19zFGVlPZ456DOoykYga+ ILX/6C8uBZ5aTGUSZvRc7Vsz1+iI2ibUK9cHdqHixI7gpeMredahJf6cOabghfMi XnC4VFXaqpnstVfK7PQEGaR8gcBkD05XIcyyc6kIx0xMnIFjll6oXa+AoPtnXFIH guhIl3fWSs2rfo+xWF5el63Z0mrzjVqdG0pfeXrPWdY9GlZZyuQz1S+lqoO0NtVs TNMx3T40WSvqQnQAFRT0w66UwmTfVOSw56J9Y/NjR8X8gjRAD5rRRrSYdzg3x/rc In4oQGZIdWm0LXjccFtS0vsGrHws8AuHWUIHwA0SuJNCrNoNHsRpS77/+qbQVX9B Giwl4Ijaa4YwpVMyV694xzC1AOQk18dP7hCylKTMJ5ky/GslREClIFUC6v9KD9w9 0qWE/28YIzrpuFoz19HTVxWqB/GGxaFUS3TK8KIWpEEKhNJIcfLhzBAmbKlMofKs UGrQ1KmqbYDWOlGPtevkD0LIdfDN7hArvctpxxZuLXoPuR8Lda8= =YRH1 -END PGP SIGNATURE-
[SECURITY] [DLA 1283-2] python-crypto security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: python-crypto Version: 2.6-4+deb7u8 This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue described in CVE-2018-6594 is fixed. It turns out that the fix is partial and upstream has decided not to fix the issue as it would break compatibility and that ElGamal encryption was not intended to work on its own. The recommendation is still to upgrade python-crypto packages. In addition please take into account that the fix is not complete. If you have an application using python-crypto is implementing ElGamal encryption you should consider changing to some other encryption method. There will be no further update to python-crypto for this specific CVE. A fix would break compatibility, the problem has been ignored by regular Debian Security team due to its minor nature and in addition to that we are close to the end of life of the Wheezy security support. CVE-2018-6594: python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in face of a ciphertext-only attack). We recommend that you upgrade your python-crypto packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlrLEasACgkQKpJZkldk Svpnbg/+IF7MHoZMtr9FEjzy/KWbIWlztoAiEwtrf8OC2zwoKwDF91F0hJXF6z9w sWcaIsUiL6mj/j/QlOYMVSpJCN6escC2truu+UW5uVHBtEL+ng38s3CqyPMgy/vf t37pEqti9mHlJoPzNPdSaLXT60LMSpt5mb8mOLP1mc9lDr22PrRF//8USrbU2Iqf 8iy3vIIo+hmSbATHlo1RQzvkzLZQ1unA6dQ747QOWGQuPxPtXc1jCJUymp8hVB38 /pKEzcsAakvhyZGWD2Nlo6jKVrFdGynXoq5iYGz8Knzhw+AUAJyURlA/UIubsRnT 5RTFPV9cWOeiOITAtP2aTp+P10zXJsj2icE2K8ujKIcp3kRRzKYbxnOsBb/CCGhs 2SWsASPswKYgJY4bHGpU9OVs7D/eLXNrjDa4e1yjQGQqp+QfTI705hUjSbj1XxYU v1ZqXrB/rITx+KaxCCIwCmjaPy5Llv0Hrqk+jlIa2oKf7gffrpb38LjOxMf6SFbL c1/7YG74sS4w/9VDpydcVoEHwDTFx04wpBT/nXxOrAPGctE7wZRvBHYDkVaRABuS L5nZnvTYZfmcKySp0xcG2XLknE9UYSjNSi5h9BhivFxb70o160YboIX127SYH6Bm K99oYuMlw21ITP5lfv12LEJcHZOz6rLO4k0t4qyUjodL82DwQcQ= =pY2g -END PGP SIGNATURE-
