[SECURITY] [DLA 2117-1] zsh security update

2020-03-02 Thread Roberto C. Sánchez
Package: zsh
Version: 5.0.7-5+deb8u1
CVE ID : CVE-2019-20044
Debian Bug : 951458


A privilege escalation vulnerability was discovered in zsh, a shell with
lots of features, whereby a user could regain a formerly elevated
privilege level even when such an action should not be permitted.

For Debian 8 "Jessie", this problem has been fixed in version
5.0.7-5+deb8u1.

We recommend that you upgrade your zsh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 2131-2] rrdtool regression update

2020-03-02 Thread Utkarsh Gupta

Package: rrdtool
Version: 1.4.8-1.2+deb8u2
CVE ID : CVE-2014-6262
Debian Bug : 952958


It was discovered that there was a regression in a previous fix, which
resulted in the following error:

ERROR: cannot compile regular expression: Error while compiling regular expression ^(?:[^%]+|%%)*%[+- 0#]?[0-9]*([.][0-9]+)?l[eEfF](?:[^%]+|%%)*%s(?:[^%]+|%%)*$ at char 18: range out of order in character class (^(?:[^%]+|%%)*%[+- 0#]?[0-9]*([.][0-9]+)?l[eEfF](?:[^%]+|%%)*%s(?:[^%]+|%%)*$)

For Debian 8 "Jessie", this problem has been fixed in version
1.4.8-1.2+deb8u2.

We recommend that you upgrade your rrdtool packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh

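The error quoted in the rrdtool advisory comes from a character class in which the hyphen sits between '+' and a space, so the regex engine reads it as the range '+'..' ', which runs backwards. The following added example (not rrdtool's code, and not the fix shipped in the package) reproduces the compile failure with Python's re module, then uses the same format-string check with the hyphen assumed to be moved to the end of the class so that it is a literal flag character; the space restored inside the class is also an assumption based on the "range out of order" message.

```python
import re

# Character class as it appears in the advisory's error message, with the
# line-wrapped space restored (assumption). '+'..' ' is 0x2B..0x20, so the
# engine treats it as an out-of-order range and refuses to compile it.
BROKEN_CLASS = r"[+- 0#]"

# Assumed corrected form: the hyphen is placed last in the class, where it is
# a literal '-' flag rather than a range operator. This is illustrative, not
# the upstream patch.
FIXED_CLASS = r"[+ 0#-]"

# The rest of the advisory's regex: exactly one %l[eEfF] float conversion,
# followed later by one %s, with %% allowed as an escaped percent elsewhere.
TEMPLATE = (r"^(?:[^%]+|%%)*%{flags}?[0-9]*([.][0-9]+)?l[eEfF]"
            r"(?:[^%]+|%%)*%s(?:[^%]+|%%)*$")


def compile_error(char_class):
    """Return the regex engine's error message, or None if it compiles."""
    try:
        re.compile(TEMPLATE.format(flags=char_class))
        return None
    except re.error as exc:
        return str(exc)


FORMAT_RE = re.compile(TEMPLATE.format(flags=FIXED_CLASS))


def is_valid_gprint_format(fmt):
    """True if fmt carries one %l[eEfF] conversion followed by one %s."""
    return FORMAT_RE.match(fmt) is not None


if __name__ == "__main__":
    print("broken class:", compile_error(BROKEN_CLASS))
    print("fixed class :", compile_error(FIXED_CLASS))
    for sample in ("%6.2lf %s", "%-6.2lf%s", "%s %6.2lf", "%d %s"):
        print(repr(sample), is_valid_gprint_format(sample))
```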


[SECURITY] [DLA 2115-2] proftpd-dfsg regression update

2020-03-02 Thread Chris Lamb

Package: proftpd-dfsg
Version: 1.3.5e+r1.3.5-2+deb8u7
CVE ID : CVE-2020-9273

It was discovered that there was a regression in a previous fix for a
use-after-free vulnerability in the proftpd-dfsg FTP server.

Exploitation of the original vulnerability within the memory pool handling
could have allowed a remote attacker to execute arbitrary code on the
affected system. However, the fix that was released in proftpd-dfsg
version 1.3.5e+r1.3.5-2+deb8u6 had a regression around the handling
of log formatting.

For more information, please see:

  https://github.com/proftpd/proftpd/issues/903

For Debian 8 "Jessie", this issue has been fixed in proftpd-dfsg version
1.3.5e+r1.3.5-2+deb8u7.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
