[SECURITY] [DLA 2268-2] mutt regression update

2020-06-30 Thread Mike Gabriel
Package: mutt
Version: 1.5.23-3+deb8u3
CVE ID : CVE-2020-14093 CVE-2020-14954
Debian Bug : 


Two vulnerabilities have been discovered in mutt, a console email client.

CVE-2020-14093

Mutt allowed an IMAP fcc/postpone man-in-the-middle attack via a
PREAUTH response.

CVE-2020-14954

Mutt had a STARTTLS buffering issue that affected IMAP, SMTP, and
POP3. When a server had sent a "begin TLS" response, the client read
additional data (e.g., from a man-in-the-middle attacker) and
evaluated it in a TLS context, aka "response injection."

In Debian jessie, the mutt source package builds two variants of mutt:
mutt and mutt-patched.

The previous package version (1.5.23-3+deb8u2, DLA-2268-1) provided fixes
for the issues referenced above, but they were only applied for the
mutt-patched package build, not for the (vanilla) mutt package build.

For Debian 8 "Jessie", this problem has been fixed in version
1.5.23-3+deb8u3.

We recommend that you upgrade your mutt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





[SECURITY] [DLA 2268-1] mutt security update

2020-06-30 Thread Mike Gabriel
Package: mutt
Version: 1.5.23-3+deb8u2
CVE ID : CVE-2020-14093 CVE-2020-14954
Debian Bug : 962897


Two vulnerabilities have been discovered in mutt, a console email client.

CVE-2020-14093

Mutt allowed an IMAP fcc/postpone man-in-the-middle attack via a
PREAUTH response.

CVE-2020-14954

Mutt had a STARTTLS buffering issue that affected IMAP, SMTP, and
POP3. When a server had sent a "begin TLS" response, the client read
additional data (e.g., from a man-in-the-middle attacker) and
evaluated it in a TLS context, aka "response injection."

For Debian 8 "Jessie", these problems have been fixed in version
1.5.23-3+deb8u2.

We recommend that you upgrade your mutt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




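The buffering issue behind CVE-2020-14954 and the PREAUTH case behind CVE-2020-14093 are easier to see in code. What follows is an added example, not mutt's source and not the Debian patch: a small Python simulation of the pre-STARTTLS part of an IMAP session run over recorded byte streams. The sample exchanges (CLEAN, INJECTED, PREAUTH), the BufferedLineReader class and the imap_starttls and check_starttls functions are all constructed for this illustration. The check it demonstrates is the generic defence: after the tagged OK to STARTTLS, any bytes already sitting in the client's read buffer arrived in plaintext and must not be carried into the TLS session, and a PREAUTH greeting is refused outright when the client requires STARTTLS.

```python
import io

# Constructed sample exchanges (not captured traffic). Each is the byte stream
# the client would receive from the server side of the socket; the client's own
# "a001 STARTTLS" command is assumed to have been sent after the greeting.
CLEAN = (b"* OK IMAP4rev1 ready\r\n"
         b"a001 OK Begin TLS negotiation now\r\n")

# Same exchange, but plaintext bytes follow the "begin TLS" response. A client
# that keeps them in its read buffer and later parses them as if they had been
# received over TLS has the response-injection problem of CVE-2020-14954.
INJECTED = CLEAN + b"* BYE injected plaintext\r\n"

# Greeting claims the session is already authenticated, so no STARTTLS would
# ever be negotiated (the pattern behind CVE-2020-14093).
PREAUTH = b"* PREAUTH IMAP4rev1 server logged in\r\n"


class ResponseInjectionError(Exception):
    """Plaintext bytes were still buffered after the 'begin TLS' response."""


class PreauthError(Exception):
    """Server greeted with PREAUTH although the client requires STARTTLS."""


class BufferedLineReader:
    """CRLF line reader that buffers socket reads, as a real mail client does.

    A small chunk size makes it likely that one read() pulls in bytes beyond
    the line currently being parsed; those bytes remain in self.buf.
    """

    def __init__(self, stream, chunk=64):
        self.stream = stream
        self.chunk = chunk
        self.buf = b""

    def readline(self):
        while b"\r\n" not in self.buf:
            data = self.stream.read(self.chunk)
            if not data:
                raise EOFError("connection closed before end of line")
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def pending(self):
        """Bytes already received but not yet consumed by readline()."""
        return self.buf


def imap_starttls(stream, tag=b"a001"):
    """Walk the pre-STARTTLS part of an IMAP session over a recorded stream.

    Returns "proceed-to-tls-handshake" only if (1) the greeting was not PREAUTH
    and (2) nothing is left in the read buffer after the tagged OK to STARTTLS.
    Sending the STARTTLS command itself is not modelled: the recorded stream
    already contains the server's replies.
    """
    reader = BufferedLineReader(stream)

    greeting = reader.readline()
    if greeting.startswith(b"* PREAUTH"):
        # PREAUTH skips authentication, so STARTTLS would never be negotiated.
        # A client configured to require TLS must abort here, not continue.
        raise PreauthError(greeting.decode("ascii", "replace"))

    response = reader.readline()
    if not response.startswith(tag + b" OK"):
        raise ConnectionError("STARTTLS refused: " + response.decode("ascii", "replace"))

    leftover = reader.pending()
    if leftover:
        # Everything still buffered was received in plaintext. Feeding it to
        # the post-handshake parser would let an on-path party inject responses.
        raise ResponseInjectionError(f"{len(leftover)} plaintext byte(s) buffered: {leftover!r}")

    return "proceed-to-tls-handshake"


def check_starttls(recorded):
    """Run the client over a recorded stream and return an outcome label."""
    try:
        return imap_starttls(io.BytesIO(recorded))
    except ResponseInjectionError:
        return "rejected: response injection"
    except PreauthError:
        return "rejected: PREAUTH"


if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("injected", INJECTED), ("preauth", PREAUTH)):
        print(f"{name:9s} -> {check_starttls(data)}")
```

The same discipline applies to SMTP and POP3 STARTTLS, which the advisory lists as equally affected: the buffer must be empty (or explicitly discarded with the connection treated as suspect) at the moment the TLS handshake starts, regardless of which protocol's "begin TLS" reply preceded it.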


[SECURITY] [DLA 2266-1] nss security update

2020-06-30 Thread Adrian Bunk

Package: nss
Version: 2:3.26-1+debu8u11
CVE ID : CVE-2020-12399 CVE-2020-12402

Several vulnerabilities were fixed in nss,
the Network Security Service libraries.

CVE-2020-12399

Force a fixed length for DSA exponentiation.

CVE-2020-12402

Side channel vulnerabilities during RSA key generation.

For Debian 8 "Jessie", these problems have been fixed in version
2:3.26-1+debu8u11.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 2267-1] libmatio security update

2020-06-30 Thread Adrian Bunk

Package: libmatio
Version: 1.5.2-3+deb8u1
CVE ID : CVE-2019-17533

In libmatio, a library to read and write Matlab MAT files,
a vulnerability was fixed in Mat_VarReadNextInfo4 in mat4.c
that could lead to a heap-based buffer over-read in strdup_vprintf.

For Debian 8 "Jessie", this problem has been fixed in version
1.5.2-3+deb8u1.

We recommend that you upgrade your libmatio packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 2265-1] mailman security update

2020-06-30 Thread Mike Gabriel
Package: mailman
Version: 1:2.1.18-2+deb8u7
CVE ID : CVE-2020-15011
Debian Bug : 


GNU Mailman allowed arbitrary content injection via the Cgi/private.py
private archive login page.

For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u7.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS






[SECURITY] [DLA 2264-1] libvncserver security update

2020-06-30 Thread Mike Gabriel
Package: libvncserver
Version: 0.9.9+dfsg2-6.1+deb8u8
CVE ID : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400 
 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404 
 CVE-2020-14405
Debian Bug : 


Several vulnerabilities have been discovered in libVNC (libvncserver Debian
package), an implementation of the VNC server and client protocol.

CVE-2019-20839

libvncclient/sockets.c in LibVNCServer had a buffer overflow via a
long socket filename.

CVE-2020-14397

libvncserver/rfbregion.c had a NULL pointer dereference.

CVE-2020-14399

Byte-aligned data was accessed through uint32_t pointers in
libvncclient/rfbproto.c.

CVE-2020-14400

Byte-aligned data was accessed through uint16_t pointers in
libvncserver/translate.c.

CVE-2020-14401

libvncserver/scale.c had a pixel_value integer overflow.

CVE-2020-14402

libvncserver/corre.c allowed out-of-bounds access via encodings.

CVE-2020-14403

libvncserver/hextile.c allowed out-of-bounds access via encodings.

CVE-2020-14404

libvncserver/rre.c allowed out-of-bounds access via encodings.

CVE-2020-14405

libvncclient/rfbproto.c does not limit TextChat size.

For Debian 8 "Jessie", these problems have been fixed in version
0.9.9+dfsg2-6.1+deb8u8.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS






[SECURITY] [DLA 2263-1] drupal7 security update

2020-06-30 Thread Ola Lundqvist
Package: drupal7
Version: 7.32-1+deb8u19
CVE ID : CVE-2020-13663
Debian Bug : 


CVE-2020-13663 - Drupal SA 2020-004

  The Drupal core Form API does not properly handle certain form
  input from cross-site requests, which can lead to other vulnerabilities.

For Debian 8 "Jessie", this problem has been fixed in version
7.32-1+deb8u19.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

