[SECURITY] [DLA 1780-1] firefox-esr new upstream version
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: firefox-esr Version: 60.6.2esr-1~deb8u1 Debian Bug : 928415 928449 928509 Firefox 60.6.2 ESR repairs a certificate chain issue that caused extensions to be disabled in the past few days. More information, and details of known remaining issues, can be found at https://www.mozilla.org/firefox/60.6.2/releasenotes/ and https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ Installing this update will re-enable any extensions that were disabled due to this issue. Extensions installed from Debian packages were not affected. For Debian 8 "Jessie", this problem has been fixed in version 60.6.2esr-1~deb8u1. We recommend that you upgrade your firefox-esr packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlzQ0nYACgkQj/HLbo2J BZ+OOQgArZOatJ05dmqz4yPmaNgdAlyscgTQNwW4IhWq+eGB1Pyn5MgbDTSpcS8t +6+P13uV5cwsaSrJj3u/kZyIdM5i9GHkfm8l2jxmtDnoXnrgMbyhmJi9ZUqOGPG/ XeRM11aox63ZN9G0auxPvV8i0kxSofOdTS3z7KF0il1NLC3lApSXos07wqcL48Ie acupvV3WKGAcoElpIw9Q5VGzrOIbvVnontSuIWWpSsTcJYMPleULpoXuiH1v/L5U Iosv3wnV0CWX6D9P9pS9RnQ5+Tsyywz2LHj9msPrUDikG92G9ptmWYA0L0/akz0M /X9Ur50z38q48cfYZ/1Ffqu/sbJTOw== =X1Uv -END PGP SIGNATURE-
[SECURITY] [DLA 1779-1] 389-ds-base security update
Package: 389-ds-base Version: 1.3.3.5-4+deb8u6 CVE ID : CVE-2019-3883 Debian Bug : 927939 In 389-ds-base up to version 1.4.1.2, requests were handled by worker threads. Each socket had been waited for by the worker for at most 'ioblocktimeout' seconds. However, this timeout applied only to un-encrypted requests. Connections using SSL/TLS were not taking this timeout into account during reads, and may have hung longer. An unauthenticated attacker could have repeatedly created hanging LDAP requests to hang all the workers, resulting in a Denial of Service. For Debian 8 "Jessie", this problem has been fixed in version 1.3.3.5-4+deb8u6. We recommend that you upgrade your 389-ds-base packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
[SECURITY] [DLA 1778-1] symfony security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: symfony Version: 2.3.21+dfsg-4+deb8u5 CVE ID : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-10913 Several security vulnerabilities have been discovered in symfony, a PHP web application framework. Numerous symfony components are affected: Framework Bundle, Dependency Injection, Security, HttpFoundation CVE-2019-10909 Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS. For further information, see the upstream advisory at https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine CVE-2019-10910 Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution. For further information, see the upstream advisory at https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid CVE-2019-10911 This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO). For further information, see the upstream advisory at https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash CVE-2019-10913 HTTP methods, from either the HTTP method itself or using the X-Http-Method-Override header were previously returned as the method in question without validation being done on the string, meaning that they could be used in dangerous contexts when left unescaped. For further information, see the upstream advisory at https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides For Debian 8 "Jessie", these problems have been fixed in version 2.3.21+dfsg-4+deb8u5. We recommend that you upgrade your symfony packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -- Jonas Meurer -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlzQh9UACgkQUmLn/0kQ Sf7pWxAAtYjN2qxy1HVoLYS/tG8C4I5BH5E5n2unqrkC+5djku4tg9RZf/3IpbJ6 iDQI/qWNUzbq3NvMISmPF0PnAFG+MzMgQrQZxBAZof81ZglD8c258+oESZBSJC9r iQThGUJEKcPtMDD/2tory83Q+KtlYr8gvEZj3kOKTDw+W8ThGQ+ErfNnFBhWTnNm iOWquQTl490155bCAn7Phaw+0MB+K8mJqSWTF8UNsyLHMiDFLTdtygzKnurjgoOW YNbNrHbAxMd58R6i5GrtNpUnWohsF/q6fgywhN6Mxt3+ojwtsf6YKVK7pahXo/kD uGmhf/BOl2PvIOFixWSQ9ZuYrLaS+yHt2LChvj6comPjRVelQvOomCq02DGK9gcV NgWsro+HOTuO3KxY8AeQvIDpoMEpy5G5uiuoUt9bJxs4Dp+rics4unLWm1Q5BobE kwBcfZ+t8llkZj0P0RyjWMKn1gP6mvGQWd+0vxVYqxfLoBF0HxQcY2+EZgigb1hR LvXd2UFQDY3auZu6SlyahV6d66cYQoGUiMDEV7aUdmeOZcpwO8O8hFpZzmdzSXRm 2XC+OH4vR9nEHE604s8yxqEv5v6LUPAboE3FP4djSKDdXC1TXS4ls0cKKeSPQYLK S1VmpAWlUb0AGJVP+7Krui3Fpx76HrNVFpx1MSEz+3MVcfcvFoM= =C1Jm -END PGP SIGNATURE-
[SECURITY] [DLA 1777-1] jquery security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Package: jquery Version: 1.7.2+dfsg-3.2+deb8u6 CVE ID : CVE-2019-11358 jQuery mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2019-006 . For Debian 8 "Jessie", this problem has been fixed in version 1.7.2+dfsg-3.2+deb8u6. We recommend that you upgrade your jquery packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlzP4J8ACgkQKpJZkldk Svpt1g/+MYT8NDzUW5U62FYWxdCAJ3LdG59tacSZ0TS1JR1erFbI4HGs/SzqgmmJ ZV1cR2hehh2f40UypfX840NqigWNGPsTkOKMGjZL8q/aggkq4BPbPJcUnZ4+9Vrx /PLjSG8Pyu1gYeANtbiQZ3OzOXnBJLU6R43zmlOJ6A7nYhkPnCVZ4g5+Siwcj1Tj FeLHTZhLgQfNl+19Cvt9vJe/w2UZLEX0RwLZYC3XWNPgiXG3LF+0oleKARTp/iwz vJ4E/wKICMWVFTsrqNfOI6lKbyeyAveFPs0AHcayoWoEbp2ZKwL9iwlKt5nk3doB QedkRH540+jfSPX/P8ruCtrTPD0z3gM6xF6iyYPdWo4DkhVl/VwqtxB/ng1KFmML QH6rZ+hVAcYE/lbh3RzH5cj3DSQgqNj932792Mq1f9J0kCOh0pcDtma5hiNVX97R Zz1aRQ74+49HhVMxCgc12wTNSrSBVV1BncfnHb1eHwwJQgvdQKneuV8PMQrcuVQm KILkKQjw9MlRX+B9DwzWUUwCMYu8MKznAe0O78QcoKiUWFk8wV7QbjM0Vw1P6elw nxcILgEgmHKs+y2A9w0CTUcvValL9qu7RNjzbP1NOoHqYoIFMDVQT3CJySyLsIZH vogQEdiSeAXpoHVhD7ZPVXOFL+uCO/ObCkimSuajBitPNUGmwy0= =rRg7 -END PGP SIGNATURE-