Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1655-1: mariadb-10.0 security update
DLA 1656-1: agg security update
DLA 1658-1: phpmyadmin security update
DLA 1659-1: drupal7 security update
DLA-1657-1: debian-security-support enigmail end of life

Debian GNU/Linux 9:
DSA 4379-1: golang-1.7 security update
DSA 4380-1: golang-1.8 security update



DLA 1655-1: mariadb-10.0 security update




Package : mariadb-10.0
Version : 10.0.38-0+deb8u1
CVE ID : CVE-2019-2529 CVE-2019-2537

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.38. Please see the MariaDB 10.0 Release Notes for further
details:

https://mariadb.com/kb/en/mariadb/mariadb-10038-release-notes/

For Debian 8 "Jessie", these problems have been fixed in version
10.0.38-0+deb8u1.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1656-1: agg security update




Package : agg
Version : 2.5+dfsg1-9+deb8u1
CVE ID : CVE-2019-6245
Debian Bug : 919322

A stack overflow vulnerability was discovered in AGG,
the AntiGrain Geometry graphical toolkit, that may lead to code
execution if a malformed file is processed. Since AGG only provides a
static library, the desmume and exactimage packages were rebuilt
against the latest security update.

For Debian 8 "Jessie", this problem has been fixed in version
2.5+dfsg1-9+deb8u1.

We recommend that you upgrade your agg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1658-1: phpmyadmin security update

Package : phpmyadmin
Version : 4:4.2.12-2+deb8u4
CVE ID : CVE-2018-19968 CVE-2018-19970


A couple of vulnerabilities have been discovered in phpmyadmin, MySQL web
administration tool.

CVE-2018-19968

An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a
local file because of an error in the transformation feature. The attacker
must have access to the phpMyAdmin Configuration Storage tables, although
these can easily be created in any database to which the attacker has
access. An attacker must have valid credentials to log in to phpMyAdmin;
this vulnerability does not allow an attacker to circumvent the login
system.

CVE-2018-19970

A XSS vulnerability was found in the navigation tree, where an attacker can
deliver a payload to a user through a crafted database/table name.

For Debian 8 "Jessie", these problems have been fixed in version
4:4.2.12-2+deb8u4.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1659-1: drupal7 security update




Package : drupal7
Version : 7.32-1+deb8u14
CVE ID : CVE-2019-6339

A remote code execution vulnerability exists in PHP's built-in phar
stream wrapper when performing file operations on an untrusted phar://
URI. Some Drupal code (core, contrib, and custom) may be performing
file operations on insufficiently validated user input, thereby being
exposed to this vulnerability.

With this update a new replacement stream wrapper from typo3 project
is used instead of the built-in one.

For Debian 8 "Jessie", this problem has been fixed in version
7.32-1+deb8u14.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA-1657-1: debian-security-support enigmail end of life

Package : debian-security-support
Version : 2019.02.01~deb8u1

debian-security-support, the Debian security support coverage checker,
has been updated in jessie.

This marks the end of life of the Enigmail package in jessie. After many
months of work to try backporting the various changes and fixes required
to ensure a secure Enigmail package compatible with the newest version
of Thunderbird now shipped in jessie, it is the LTS team's opinion that
the changes are too intrusive to ensure the stability of the
distribution as a whole.

While Enigmail is still available on addons.mozilla.org, we do not
recommend that package is used, as downloads and executes arbitrary
binaries from the internet without the user's knowledge. It also doesn't
respect's Debian commitment to free software, in that it is not
buildable from source.

We instead recommend you upgrade workstations needing Enigmail to Debian
stretch where proper updates are available.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4379-1: golang-1.7 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4379-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : golang-1.7
CVE ID : CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes a vulnerability in "go get", which could
result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.7.4-2+deb9u1.

We recommend that you upgrade your golang-1.7 packages.

For the detailed security status of golang-1.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4380-1: golang-1.8 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4380-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 01, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : golang-1.8
CVE ID : CVE-2018-6574 CVE-2018-7187 CVE-2019-6486

A vulnerability was discovered in the implementation of the P-521 and
P-384 elliptic curves, which could result in denial of service and in
some cases key recovery.

In addition this update fixes two vulnerabilities in "go get", which
could result in the execution of arbitrary shell commands.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.1-1+deb9u1.

We recommend that you upgrade your golang-1.8 packages.

For the detailed security status of golang-1.8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/