[SECURITY] [DLA 1720-1] liblivemedia security update

2019-03-18 Thread Hugo Lefeuvre
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: liblivemedia
Version: 2014.01.13-1+deb8u3
CVE ID : CVE-2019-9215
Debian Bug : 924655

It was discovered that liblivemedia, the LIVE555 RTSP server library,
is vulnerable to an invalid memory access when processing the
Authorization header field. Remote attackers could leverage this
vulnerability to possibly trigger code execution or denial of service
(OOB access and application crash) via a crafted HTTP header.

For Debian 8 "Jessie", this problem has been fixed in version
2014.01.13-1+deb8u3.

We recommend that you upgrade your liblivemedia packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1719-1] libjpeg-turbo security update

2019-03-18 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: libjpeg-turbo
Version: 1:1.3.1-12+deb8u2
CVE ID : CVE-2018-14498
Debian Bug : #924678

It was discovered that there was a denial of service vulnerability in
the libjpeg-turbo CPU-optimised JPEG image library. A heap-based
buffer over-read could be triggered by a specially-crafted bitmap
(BMP) file.

For Debian 8 "Jessie", this issue has been fixed in libjpeg-turbo
version 1:1.3.1-12+deb8u2.

We recommend that you upgrade your libjpeg-turbo packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




[SECURITY] [DLA 1718-1] sqlalchemy security update

2019-03-18 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: sqlalchemy
Version: 0.9.8+dfsg-0.1+deb8u1
CVE ID : CVE-2019-7164 CVE-2019-7548
Debian Bug : 922669


Two vulnerabilities were discovered in SQLAlchemy, a Python SQL
Toolkit and Object Relational Mapper.

CVE-2019-7164

SQLAlchemy allows SQL Injection via the order_by parameter.

CVE-2019-7548

SQLAlchemy has SQL Injection when the group_by parameter can be controlled.

The SQLAlchemy project warns that these security fixes break the
seldom-used text coercion feature.

For Debian 8 "Jessie", these problems have been fixed in version
0.9.8+dfsg-0.1+deb8u1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1717-1] rdflib security update

2019-03-18 Thread Brian May
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: rdflib
Version: 4.1.2-3+deb8u1
CVE ID : CVE-2019-7653
Debian Bug : #921751


The CLI tools in python-rdflib-tools can load Python modules
found in the current directory. This happens because "python -m"
adds the current directory to the Python path.
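
An added illustration (not rdflib's or Debian's code) of the mechanism and the mitigation: Python puts the working directory at the front of sys.path when started with -m, so a launcher strips those entries before its first library import. The path list and working directory are injectable so the check can be exercised offline.

```python
import os
import sys


def cwd_entries(path, cwd=None):
    """Return the entries of a sys.path-style list that point at the working directory.

    Python itself adds such an entry when started with -m (or -c): sys.path[0]
    becomes '' or the absolute working directory, depending on the version.
    Either form lets a module dropped into that directory shadow a library import.
    """
    cwd = os.path.realpath(cwd or os.getcwd())
    return [p for p in path if p == "" or os.path.realpath(p) == cwd]


def harden_path(path=None, cwd=None):
    """Remove working-directory entries from path (sys.path by default).

    Mutates the list in place and returns it, so the caller can run this
    before the first third-party import in a console-script launcher.
    """
    if path is None:
        path = sys.path
    for entry in cwd_entries(path, cwd):  # computed first, then removed
        path.remove(entry)
    return path


if __name__ == "__main__":
    harden_path()  # must run BEFORE the tool's real imports
    # ... import the tool module and dispatch to its main() here ...
```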

For Debian 8 "Jessie", this problem has been fixed in version
4.1.2-3+deb8u1.

We recommend that you upgrade your rdflib packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1716-1] ikiwiki security update

2019-03-18 Thread Brian May
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: ikiwiki
Version: 3.20141016.4+deb8u1
CVE ID : CVE-2019-9187

The ikiwiki maintainers discovered that the aggregate plugin did not use
LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized
wiki editors could tell ikiwiki to fetch potentially undesired URIs even if
LWPx::ParanoidAgent was installed:

* local files via file: URIs
* other URI schemes that might be misused by attackers, such as gopher:
* hosts that resolve to loopback IP addresses (127.x.x.x)
* hosts that resolve to RFC 1918 IP addresses (192.168.x.x etc.)

This could be used by an attacker to publish information that should not have
been accessible, cause denial of service by requesting "tarpit" URIs that are
slow to respond, or cause undesired side-effects if local web servers implement
"unsafe" GET requests. (CVE-2019-9187)

Additionally, if liblwpx-paranoidagent-perl is not installed, the
blogspam, openid and pinger plugins would fall back to LWP, which is
susceptible to similar attacks. This is unlikely to be a practical problem for
the blogspam plugin because the URL it requests is under the control of the
wiki administrator, but the openid plugin can request URLs controlled by
unauthenticated remote users, and the pinger plugin can request URLs controlled
by authorized wiki editors.

This is addressed in ikiwiki 3.20190228 as follows, with the same fixes
backported to Debian 9 in version 3.20170111.1:

* URI schemes other than http: and https: are not accepted, preventing access
  to file:, gopher:, etc.

* If a proxy is configured in the ikiwiki setup file, it is used for all
  outgoing http: and https: requests. In this case the proxy is responsible for
  blocking any requests that are undesired, including loopback or RFC 1918
  addresses.

* If a proxy is not configured, and liblwpx-paranoidagent-perl is installed, it
  will be used. This prevents loopback and RFC 1918 IP addresses, and sets a
  timeout to avoid denial of service via "tarpit" URIs.

* Otherwise, the ordinary LWP user-agent will be used. This allows requests to
  loopback and RFC 1918 IP addresses, and has less robust timeout behaviour.
  We are not treating this as a vulnerability: if this behaviour is not
  acceptable for your site, please make sure to install LWPx::ParanoidAgent or
  disable the affected plugins.
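
The same decision order written out as a Python fetch policy (an added example, not ikiwiki's Perl code or LWPx::ParanoidAgent): only http: and https: pass, a configured proxy takes over filtering, otherwise every address the host resolves to is checked against loopback and private ranges and the request runs under a hard timeout. The resolver is injectable so the policy can be tested offline; the 30-second timeout and all hostnames are assumed values, and `is_private` rejects slightly more than the advisory lists (link-local 169.254/16 and IPv6 ULA as well).

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")
FETCH_TIMEOUT = 30  # seconds, bounds "tarpit" URIs (assumed value, not ikiwiki's)

def default_resolver(host):
    """Every address the system resolver returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_fetch_policy(url, proxy=None, resolver=default_resolver):
    """Apply the advisory's decision order; returns ("reject", why), ("proxy", url) or ("direct", url)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # blocks file:, gopher:, ...
        return ("reject", "scheme %r not allowed" % parts.scheme)
    host = parts.hostname
    if not host:
        return ("reject", "no host in URL")
    if proxy:  # the configured proxy is responsible for filtering targets
        return ("proxy", url)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            return ("reject", "cannot resolve %s: %s" % (host, exc))
    for raw in addrs:  # reject if ANY returned address is internal
        addr = ipaddress.ip_address(raw)
        if addr.is_loopback or addr.is_private:
            return ("reject", "%s resolves to %s" % (host, addr))
    return ("direct", url)

class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError so the caller re-runs the policy on the Location target."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def paranoid_fetch(url, proxy=None, timeout=FETCH_TIMEOUT):
    """Fetch url only when the policy allows it, always with a hard timeout."""
    verdict, detail = check_fetch_policy(url, proxy=proxy)
    if verdict == "reject":
        raise ValueError("refusing %s: %s" % (url, detail))
    proxies = {"http": proxy, "https": proxy} if proxy else {}  # {} also ignores env proxies
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies), _NoAutoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

Redirects are deliberately not followed, so a 3xx pointing at an internal address cannot bypass the check; the caller re-runs the policy on the Location header before retrying. The name is still resolved a second time when connecting, so a fully paranoid agent resolves once and connects to the address it actually checked.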

For Debian 8 "Jessie", this problem has been fixed in version
3.20141016.4+deb8u1.

We recommend that you upgrade your ikiwiki packages. In addition, it is also
recommended that you have liblwpx-paranoidagent-perl installed, which is listed
in the Recommends field of ikiwiki.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS