[SECURITY] [DLA 2472-1] mutt security update

2020-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2472-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2020 https://wiki.debian.org/LTS
- -

Package: mutt
Version: 1.7.2-1+deb9u4
CVE ID : CVE-2020-28896
Debian Bug : 

In Mutt, a text-based Mail User Agent, invalid IMAP server responses 
were not properly handled, potentially resulting in authentication 
credentials being exposed or man-in-the-middle attacks.

For Debian 9 stretch, this problem has been fixed in version
1.7.2-1+deb9u4.

We recommend that you upgrade your mutt packages.

For the detailed security status of mutt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mutt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
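The failure mode described in the advisory, as an added example that is not mutt's code: a simplified model of the decision an IMAP client makes after reading the server greeting. The greeting strings are constructed, `force_tls` stands in for a setting like mutt's $ssl_force_tls, and the function names are assumptions for illustration. The "vulnerable" variant models the advisory's description (an invalid response is not treated as fatal and the session continues towards authentication); it is not mutt's actual control flow.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mutt's code: a simplified model of the decision a
 * mail client makes after reading the IMAP greeting line. The failure
 * mode from the advisory is modelled as "an unparseable greeting falls
 * through to login", so credentials go out before TLS is established. */

typedef enum { GREET_OK, GREET_BYE, GREET_INVALID } greeting_t;
typedef enum { ACT_CLOSE, ACT_STARTTLS, ACT_LOGIN } action_t;

static int word_end(char c)
{
    return c == ' ' || c == '\r' || c == '\n' || c == '\0';
}

/* RFC 3501: a greeting is an untagged OK, PREAUTH or BYE response;
 * this model accepts OK and BYE and classes everything else invalid. */
greeting_t parse_greeting(const char *line)
{
    if (strncmp(line, "* OK", 4) == 0 && word_end(line[4]))
        return GREET_OK;
    if (strncmp(line, "* BYE", 5) == 0 && word_end(line[5]))
        return GREET_BYE;
    return GREET_INVALID;
}

/* Vulnerable shape: only BYE ends the session and the force-TLS check
 * sits on the parsed-OK path, so an invalid greeting skips it. */
action_t next_action_vulnerable(greeting_t g, int tls_active, int force_tls)
{
    if (g == GREET_BYE)
        return ACT_CLOSE;
    if (g == GREET_OK && !tls_active && force_tls)
        return ACT_STARTTLS;
    return ACT_LOGIN;               /* GREET_INVALID lands here */
}

/* Hardened shape: anything that is not a well-formed OK closes the
 * connection, and the TLS policy is checked before any LOGIN. */
action_t next_action_hardened(greeting_t g, int tls_active, int force_tls)
{
    if (g != GREET_OK)
        return ACT_CLOSE;
    if (!tls_active && force_tls)
        return ACT_STARTTLS;
    return ACT_LOGIN;
}

/* 1 if the policy would send credentials over a non-TLS connection. */
int credentials_exposed(action_t (*policy)(greeting_t, int, int),
                        const char *greeting, int tls_active, int force_tls)
{
    return !tls_active &&
           policy(parse_greeting(greeting), tls_active, force_tls) == ACT_LOGIN;
}

int main(void)
{
    /* Constructed greetings: a well-formed one and a malformed one. */
    const char *good = "* OK IMAP4rev1 Service Ready\r\n";
    const char *bad  = "* OKAY welcome\r\n";
    printf("vulnerable, bad greeting, force_tls=1: exposed=%d\n",
           credentials_exposed(next_action_vulnerable, bad, 0, 1));
    printf("hardened,   bad greeting, force_tls=1: exposed=%d\n",
           credentials_exposed(next_action_hardened, bad, 0, 1));
    printf("hardened,   good greeting, no TLS yet: action=%d (1=STARTTLS)\n",
           next_action_hardened(parse_greeting(good), 0, 1));
    return 0;
}
```

The point of the hardened shape is ordering: the greeting is validated first, the TLS policy is applied second, and LOGIN is reachable only from the path where both succeeded, so a malformed or attacker-injected response cannot steer the client past the TLS check.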



[SECURITY] [DLA 2473-1] vips security update

2020-11-30 Thread Adrian Bunk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2473-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
November 30, 2020 https://wiki.debian.org/LTS
- -

Package: vips
Version: 8.4.5-1+deb9u2
CVE ID : CVE-2020-20739

In VIPS, an image processing system, an uninitialized variable which may
cause the leakage of a remote server path or a stack address was fixed.

For Debian 9 stretch, this problem has been fixed in version
8.4.5-1+deb9u2.

We recommend that you upgrade your vips packages.

For the detailed security status of vips please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vips

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl/Fbb8ACgkQiNJCh6LY
mLHuzw/+OU+Nvq8rqDr/eczlE29Mn4HmX0OYuvhJ4Gbl/nTFtU0s/Q2W3QVJ6VUq
dSXXPUZjtWVGTaR3TVbjUB7HBK5dNmOQ79mzfb5sMYfX9rUbDL8JQutapeLIzHR5
uyUU85R5blEXG2ZcOb+OCfXlBgJKuFXPTRy1O+/V8GC14K/LY437cap7en267e9K
giIrHTj9AMhKyokWfTXZS8o8CKEhvagtSVimZNn/vyYL6pv5/gGBbU77iiWLG6pv
GmHqdABERLt6RNjgxESTrcJSnDIU3hzwZltq7m4+8yXiDXJUbKkefam/Xmgs/H8x
yQJAEKoKeTGXSYqSg3mHcgoGQWoKSZUeE3HnScppiW9AAwQNtKovmjet3HTrfg/T
S4gAbAcp4K/J9gFvD0fmadZoIWvNE971Y5t1pwKEgxZApBmMY2ycbSweEx/tQGYM
BuhILM/2xYcALznKBy7afTk/4Qm8ErtYs1XpVYeglXb4622ax/wnfdRdE+aTVwvM
xH2gHOK8zJNIqv3cCqqGA3IQbC9TL+OlWjYgDw1EsftIsl4VsNfmcy3CRHkDVmD1
cXM9GSdxE+0c6q883ebNHRdmE3+lU4YOkpb8Tcb7/CqE2Crq/4svhTgbynXg1quk
8NJvQXpIHQBmLNgQbJEzwIuA0j88HCuDTvJM/wLczrAJwwdGRzM=
=EJnf
-END PGP SIGNATURE-



[SECURITY] [DLA 2474-1] musl security update

2020-11-30 Thread Utkarsh Gupta
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- ---
Debian LTS Advisory DLA-2474-1  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Utkarsh Gupta
December 01, 2020   https://wiki.debian.org/LTS
- ---

Package: musl
Version: 1.1.16-3+deb9u1
CVE ID : CVE-2020-28928
Debian Bug : 975365

The wcsnrtombs function in all musl libc versions up through 1.2.1
has been found to have multiple bugs in the handling of the destination
buffer size when limiting the input character count, which can
lead to an infinite loop with no forward progress (no overflow) or
to writing past the end of the destination buffer.

For Debian 9 stretch, this problem has been fixed in version
1.1.16-3+deb9u1.

We recommend that you upgrade your musl packages.

For the detailed security status of musl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/musl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
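The two limits the advisory talks about, shown in an added example that is not musl's code: a bounded wide-to-multibyte conversion with the wcsnrtombs() contract, where the input limit counts wide characters and the output limit counts bytes. UTF-8 is hard-coded instead of going through the locale so the example runs anywhere; the sample input and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not musl's code: a bounded wide-to-multibyte
 * conversion following the wcsnrtombs() contract. `wn` limits INPUT
 * wide characters and `n` limits OUTPUT bytes; keeping the two apart,
 * and never writing a sequence that does not fit, is what rules out
 * the overflow and the no-progress loop the advisory describes. */

#define MAX_MB 4   /* longest UTF-8 sequence emitted */

/* Encode one code point as UTF-8; returns the length, 0 if invalid. */
static size_t utf8_encode(uint32_t cp, char out[MAX_MB])
{
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6)); out[1] = (char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12)); out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18)); out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Convert at most wn characters from *src into at most n bytes at dst.
 * Returns bytes written (a stored terminator is not counted) or
 * (size_t)-1 on an unencodable character. On return *src points at the
 * first unconverted character, or is NULL if the terminator was reached.
 * With dst == NULL only the length is computed and *src is left alone. */
size_t bounded_wcsnrtombs(char *dst, const uint32_t **src, size_t wn, size_t n)
{
    const uint32_t *ws = *src;
    size_t cnt = 0;

    while (wn) {
        char tmp[MAX_MB];
        size_t l;
        if (*ws == 0) {                   /* terminator: store only if room */
            if (dst && n) *dst = '\0';
            ws = NULL;
            break;
        }
        l = utf8_encode(*ws, tmp);
        if (l == 0) return (size_t)-1;
        if (dst) {
            if (l > n) break;             /* whole sequence must fit: stop here */
            memcpy(dst, tmp, l);
            dst += l;
            n -= l;
        }
        ws++; wn--;                       /* input budget is in characters */
        cnt += l;                         /* output count is in bytes */
    }
    if (dst) *src = ws;
    return cnt;
}

/* Constructed input: "a", U+00E9, U+20AC, U+1F600 -> 1+2+3+4 = 10 bytes. */
static const uint32_t sample[] = { 0x61, 0xE9, 0x20AC, 0x1F600, 0 };

/* Each scenario returns 1 on the expected, safe outcome. */
int scenario_stops_before_overflow(void)
{
    char dst[5];                          /* room for "a" + U+00E9 only */
    const uint32_t *p = sample;
    size_t r = bounded_wcsnrtombs(dst, &p, (size_t)-1, sizeof dst);
    return r == 3 && p == sample + 2 && memcmp(dst, "a\xC3\xA9", 3) == 0;
}

int scenario_honours_input_limit(void)
{
    char dst[16];
    const uint32_t *p = sample;
    size_t r = bounded_wcsnrtombs(dst, &p, 2, sizeof dst);
    return r == 3 && p == sample + 2;
}

int scenario_converts_whole_string(void)
{
    char dst[16];
    const uint32_t *p = sample;
    size_t r = bounded_wcsnrtombs(dst, &p, (size_t)-1, sizeof dst);
    return r == 10 && p == NULL &&
           strcmp(dst, "a\xC3\xA9\xE2\x82\xAC\xF0\x9F\x98\x80") == 0;
}

int scenario_zero_space_makes_progress(void)
{
    char dst[1];
    const uint32_t *p = sample;
    size_t r = bounded_wcsnrtombs(dst, &p, (size_t)-1, 0);   /* n == 0 */
    return r == 0 && p == sample;         /* returns at once, writes nothing */
}

int main(void)
{
    printf("stops before overflow: %d\n", scenario_stops_before_overflow());
    printf("honours input limit:   %d\n", scenario_honours_input_limit());
    printf("whole string:          %d\n", scenario_converts_whole_string());
    printf("n == 0 makes progress: %d\n", scenario_zero_space_makes_progress());
    return 0;
}
```

Two properties carry the safety argument: every iteration either consumes one input character or leaves the loop, so the loop cannot spin without progress, and a sequence is copied only after `l > n` has been ruled out, so the write can never pass the end of `dst`.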



[SECURITY] [DLA 2470-1] zsh security update

2020-11-30 Thread Markus Koschany
-
Debian LTS Advisory DLA-2470-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 30, 2020 https://wiki.debian.org/LTS
-

Package: zsh
Version: 5.3.1-4+deb9u4
CVE ID : CVE-2017-18206 CVE-2018-0502 CVE-2018-1071 CVE-2018-1083 
 CVE-2018-1100 CVE-2018-13259 CVE-2019-20044
Debian Bug : 908000 894044 894043 895225 951458

Several security vulnerabilities were found and corrected in zsh, a powerful
shell and scripting language. Off-by-one errors, wrong parsing of shebang lines
and buffer overflows may lead to unexpected behavior. A local, unprivileged
user can create a specially crafted message file or directory path. If the
receiving user is privileged or traverses the aforementioned path, this leads
to privilege escalation.

For Debian 9 stretch, these problems have been fixed in version
5.3.1-4+deb9u4.

We recommend that you upgrade your zsh packages.

For the detailed security status of zsh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zsh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 2471-1] libxstream-java security update

2020-11-30 Thread Markus Koschany
-
Debian LTS Advisory DLA-2471-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 30, 2020 https://wiki.debian.org/LTS
-

Package: libxstream-java
Version: 1.4.9-2+deb9u1
CVE ID : CVE-2020-26217

It was found that XStream is vulnerable to Remote Code Execution. The
vulnerability may allow a remote attacker to run arbitrary shell commands just
by manipulating the processed input stream. Users who rely on blocklists
are affected (the default in Debian). We strongly recommend using the
whitelist approach of XStream's Security Framework because there are likely
more class combinations the blacklist approach may not address.

For Debian 9 stretch, this problem has been fixed in version
1.4.9-2+deb9u1.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

