[SECURITY] [DLA 1780-1] firefox-esr new upstream version

[Sylvain Beucler]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: firefox-esr
Version: 60.6.2esr-1~deb8u1
Debian Bug : 928415 928449 928509

Firefox 60.6.2 ESR repairs a certificate chain issue that caused
extensions to be disabled in the past few days.  More information, and
details of known remaining issues, can be found at
https://www.mozilla.org/firefox/60.6.2/releasenotes/ and
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Installing this update will re-enable any extensions that were disabled
due to this issue.

Extensions installed from Debian packages were not affected.

For Debian 8 "Jessie", this problem has been fixed in version
60.6.2esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlzQ0nYACgkQj/HLbo2J
BZ+OOQgArZOatJ05dmqz4yPmaNgdAlyscgTQNwW4IhWq+eGB1Pyn5MgbDTSpcS8t
+6+P13uV5cwsaSrJj3u/kZyIdM5i9GHkfm8l2jxmtDnoXnrgMbyhmJi9ZUqOGPG/
XeRM11aox63ZN9G0auxPvV8i0kxSofOdTS3z7KF0il1NLC3lApSXos07wqcL48Ie
acupvV3WKGAcoElpIw9Q5VGzrOIbvVnontSuIWWpSsTcJYMPleULpoXuiH1v/L5U
Iosv3wnV0CWX6D9P9pS9RnQ5+Tsyywz2LHj9msPrUDikG92G9ptmWYA0L0/akz0M
/X9Ur50z38q48cfYZ/1Ffqu/sbJTOw==
=X1Uv
-END PGP SIGNATURE-

[SECURITY] [DLA 1779-1] 389-ds-base security update

[Mike Gabriel]

Package: 389-ds-base
Version: 1.3.3.5-4+deb8u6
CVE ID : CVE-2019-3883
Debian Bug : 927939


In 389-ds-base up to version 1.4.1.2, requests were handled by worker
threads. Each socket had been waited for by the worker for at most
'ioblocktimeout' seconds. However, this timeout applied only to
un-encrypted requests. Connections using SSL/TLS were not taking this
timeout into account during reads, and may have hung longer. An
unauthenticated attacker could have repeatedly created hanging LDAP
requests to hang all the workers, resulting in a Denial of Service.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u6.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net



signature.asc
Description: PGP signature

[SECURITY] [DLA 1778-1] symfony security update

[Jonas Meurer]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: symfony
Version: 2.3.21+dfsg-4+deb8u5
CVE ID : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911
 CVE-2019-10913


Several security vulnerabilities have been discovered in symfony, a PHP
web application framework.  Numerous symfony components are affected:
Framework Bundle, Dependency Injection, Security, HttpFoundation

CVE-2019-10909

Validation messages were not escaped when using the form theme of
the PHP templating engine which, when validation messages may
contain user input, could result in an XSS.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

CVE-2019-10910

Service IDs derived from unfiltered user input could result in the
execution of any arbitrary code, resulting in possible remote code
execution.

For further information, see the upstream advisory at
https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

CVE-2019-10911

This fixes situations where part of an expiry time in a cookie could
be considered part of the username, or part of the username could be
considered part of the expiry time. An attacker could modify the
remember me cookie and authenticate as a different user. This attack
is only possible if remember me functionality is enabled and the two
users share a password hash or the password hashes (e.g.
UserInterface::getPassword()) are null for all users (which is valid
if passwords are checked by an external system, e.g. an SSO).

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

CVE-2019-10913

HTTP methods, from either the HTTP method itself or using the
X-Http-Method-Override header were previously returned as the method
in question without validation being done on the string, meaning
that they could be used in dangerous contexts when left unescaped.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides


For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u5.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -- 
Jonas Meurer


-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlzQh9UACgkQUmLn/0kQ
Sf7pWxAAtYjN2qxy1HVoLYS/tG8C4I5BH5E5n2unqrkC+5djku4tg9RZf/3IpbJ6
iDQI/qWNUzbq3NvMISmPF0PnAFG+MzMgQrQZxBAZof81ZglD8c258+oESZBSJC9r
iQThGUJEKcPtMDD/2tory83Q+KtlYr8gvEZj3kOKTDw+W8ThGQ+ErfNnFBhWTnNm
iOWquQTl490155bCAn7Phaw+0MB+K8mJqSWTF8UNsyLHMiDFLTdtygzKnurjgoOW
YNbNrHbAxMd58R6i5GrtNpUnWohsF/q6fgywhN6Mxt3+ojwtsf6YKVK7pahXo/kD
uGmhf/BOl2PvIOFixWSQ9ZuYrLaS+yHt2LChvj6comPjRVelQvOomCq02DGK9gcV
NgWsro+HOTuO3KxY8AeQvIDpoMEpy5G5uiuoUt9bJxs4Dp+rics4unLWm1Q5BobE
kwBcfZ+t8llkZj0P0RyjWMKn1gP6mvGQWd+0vxVYqxfLoBF0HxQcY2+EZgigb1hR
LvXd2UFQDY3auZu6SlyahV6d66cYQoGUiMDEV7aUdmeOZcpwO8O8hFpZzmdzSXRm
2XC+OH4vR9nEHE604s8yxqEv5v6LUPAboE3FP4djSKDdXC1TXS4ls0cKKeSPQYLK
S1VmpAWlUb0AGJVP+7Krui3Fpx76HrNVFpx1MSEz+3MVcfcvFoM=
=C1Jm
-END PGP SIGNATURE-

[SECURITY] [DLA 1777-1] jquery security update

[Brian May]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: jquery
Version: 1.7.2+dfsg-3.2+deb8u6
CVE ID : CVE-2019-11358

jQuery mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution.  If an unsanitized source object contained an enumerable __proto__
property, it could extend the native Object.prototype. For additional
information, please refer to the upstream advisory at
https://www.drupal.org/sa-core-2019-006 .

For Debian 8 "Jessie", this problem has been fixed in version
1.7.2+dfsg-3.2+deb8u6.

We recommend that you upgrade your jquery packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlzP4J8ACgkQKpJZkldk
Svpt1g/+MYT8NDzUW5U62FYWxdCAJ3LdG59tacSZ0TS1JR1erFbI4HGs/SzqgmmJ
ZV1cR2hehh2f40UypfX840NqigWNGPsTkOKMGjZL8q/aggkq4BPbPJcUnZ4+9Vrx
/PLjSG8Pyu1gYeANtbiQZ3OzOXnBJLU6R43zmlOJ6A7nYhkPnCVZ4g5+Siwcj1Tj
FeLHTZhLgQfNl+19Cvt9vJe/w2UZLEX0RwLZYC3XWNPgiXG3LF+0oleKARTp/iwz
vJ4E/wKICMWVFTsrqNfOI6lKbyeyAveFPs0AHcayoWoEbp2ZKwL9iwlKt5nk3doB
QedkRH540+jfSPX/P8ruCtrTPD0z3gM6xF6iyYPdWo4DkhVl/VwqtxB/ng1KFmML
QH6rZ+hVAcYE/lbh3RzH5cj3DSQgqNj932792Mq1f9J0kCOh0pcDtma5hiNVX97R
Zz1aRQ74+49HhVMxCgc12wTNSrSBVV1BncfnHb1eHwwJQgvdQKneuV8PMQrcuVQm
KILkKQjw9MlRX+B9DwzWUUwCMYu8MKznAe0O78QcoKiUWFk8wV7QbjM0Vw1P6elw
nxcILgEgmHKs+y2A9w0CTUcvValL9qu7RNjzbP1NOoHqYoIFMDVQT3CJySyLsIZH
vogQEdiSeAXpoHVhD7ZPVXOFL+uCO/ObCkimSuajBitPNUGmwy0=
=rRg7
-END PGP SIGNATURE-