Debian 9844 Published by

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-180-1 aspell security update

Debian GNU/Linux 8 LTS:
DLA 1961-1: milkytracker security update
DLA 1962-1: graphite-web security update
DLA 1967-1: libpcap security update

Debian GNU/Linux 9:
DSA 4548-1: openjdk-8 security update

Debian GNU/Linux 9 and 10:
DSA 4547-1: tcpdump security update



ELA-180-1: aspell security update

Package: aspell
Version: 0.60.7~20110707-1+deb7u1
Related CVE: CVE-2019-17544

GNU Aspell, a spell-checker, is vulnerable to a stack-based buffer over-read via an isolated \ character when processing a configuration file.
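The over-read class described above (an escape character at the very end of the input, with nothing after it to escape) is easy to reproduce in any hand-written config parser. The following is an added example, not aspell's own code: a minimal unescaper for a hypothetical "key value" configuration grammar in which a backslash escapes the next character. The naive variant indexes past the end of the value on an isolated trailing backslash (an IndexError in Python, an out-of-bounds read in C); the checked variant rejects the line instead. The sample configuration is constructed for the example.

```python
from typing import List, Optional, Tuple


class ConfigSyntaxError(ValueError):
    """Raised when a configuration value ends in an unpaired backslash."""


def unescape_naive(value: str) -> str:
    """Assumes every backslash is followed by another character.

    This mirrors the failure class in the advisory: on an isolated trailing
    backslash it reads value[i + 1] past the end of the input.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            out.append(value[i + 1])  # no check that index i + 1 exists
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def unescape_checked(value: str) -> str:
    """Same grammar as unescape_naive, with the missing bounds check."""
    out = []
    i = 0
    n = len(value)
    while i < n:
        ch = value[i]
        if ch == "\\":
            if i + 1 >= n:
                # The only difference: refuse an escape with nothing after it.
                raise ConfigSyntaxError("isolated backslash at end of value")
            out.append(value[i + 1])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_config_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse one line of the hypothetical 'key value' grammar.

    Blank lines and '#' comments yield None; the first whitespace-separated
    token is the key and the rest of the line is the (unescaped) value.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    key, _, raw = stripped.partition(" ")
    return key, unescape_checked(raw.strip())


# Constructed sample configuration; the last line carries the isolated '\'.
SAMPLE_CONFIG = """\
# constructed example
lang en_US
personal my\\ words.pws
bad-line trailing\\
"""


def check_config(text: str) -> List[Tuple[str, str]]:
    """Parse a whole file, reporting the line number of any malformed value."""
    parsed = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            item = parse_config_line(line)
        except ConfigSyntaxError as exc:
            raise ConfigSyntaxError(f"line {lineno}: {exc}") from exc
        if item is not None:
            parsed.append(item)
    return parsed
```

Running `check_config(SAMPLE_CONFIG)` accepts the first three lines and rejects line 4 with a clear error; feeding the same value to `unescape_naive` instead raises an IndexError, which is the Python-level equivalent of the over-read the advisory describes.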

For Debian 7 Wheezy, these problems have been fixed in version 0.60.7~20110707-1+deb7u1.

We recommend that you upgrade your aspell packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1961-1: milkytracker security update

Package : milkytracker
Version : 0.90.85+dfsg-2.2+deb8u1
CVE ID : CVE-2019-14464 CVE-2019-14496 CVE-2019-14497
Debian Bug : 933964


Fredric discovered several buffer overflows in MilkyTracker; a brief
description of each is given below.

CVE-2019-14464

XMFile::read in XMFile.cpp in milkyplay in MilkyTracker had a heap-based
buffer overflow.

CVE-2019-14496

LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker had a
stack-based buffer overflow.

CVE-2019-14497

ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTracker
had a heap-based buffer overflow.


For Debian 8 "Jessie", these problems have been fixed in version
0.90.85+dfsg-2.2+deb8u1.

We recommend that you upgrade your milkytracker packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1962-1: graphite-web security update

Package : graphite-web
Version : 0.9.12+debian-6+deb8u1
CVE ID : CVE-2017-18638


The 'send_email' function in graphite-web/webapp/graphite/composer/views.py
in Graphite is vulnerable to server-side request forgery (SSRF). The vulnerable
endpoint can be used by an attacker to make the Graphite web server request any
resource. The response to this SSRF request is encoded into an image file and
then sent to an e-mail address that can be supplied by the attacker. Thus, an
attacker can exfiltrate any information the server can reach.
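The pattern behind this advisory is a server-side fetch whose target URL comes straight from the request. The following is an added example, not graphite-web's code, showing the weak pattern beside a hardened one: the hardened version only fetches a URL whose scheme is http(s), that carries no embedded credentials, and whose host is either on an explicit allowlist or resolves exclusively to public addresses. The allowlisted hostnames, the DNS table and the fetch callable are constructed for the example; `fetch` and `resolve` are injectable so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

ALLOWED_SCHEMES = {"http", "https"}

# Constructed allowlist: hosts this service is meant to render from.
ALLOWED_HOSTS = frozenset({"graphite.internal.example"})

# Constructed DNS table used instead of real resolution in this example.
CONSTRUCTED_DNS = {
    "graphite.internal.example": ["10.0.0.5"],      # allowlisted internal host
    "public.example": ["93.184.216.34"],            # public address
    "lookback.example": ["127.0.0.1"],              # resolves to loopback
    "internal.example": ["10.0.0.9"],               # private, not allowlisted
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in for socket.getaddrinfo backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed NXDOMAIN for {host}")
    return CONSTRUCTED_DNS[host]


def real_resolve(host: str) -> List[str]:
    """Resolve with the system resolver (not used by the tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr: str) -> bool:
    """True only for addresses outside private, loopback, link-local and other special ranges."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_target(url: str,
                       allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                       resolve: Callable[[str], List[str]] = real_resolve) -> Tuple[bool, str]:
    """Decide whether the server may fetch url on a caller's behalf."""
    from urllib.parse import urlparse
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host in set(allowed_hosts):
        return True, "host allowlisted"
    # Not allowlisted: permit only if every address it resolves to is public.
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "host resolves only to public addresses"


def send_email_weak(url: str, recipient: str, fetch: Callable[[str], bytes]) -> bytes:
    """The weak pattern: fetch whatever URL the request supplied, then mail it."""
    image = fetch(url)           # server requests an attacker-chosen resource
    return image                 # (mailing to `recipient` elided in this example)


def send_email_hardened(url: str, recipient: str, fetch: Callable[[str], bytes],
                        resolve: Callable[[str], List[str]] = real_resolve) -> bytes:
    """Same flow, but the target is validated before the server issues a request."""
    ok, reason = check_fetch_target(url, resolve=resolve)
    if not ok:
        raise PermissionError(f"refusing to fetch {url}: {reason}")
    return fetch(url)
```

Two caveats belong with this check in production: the HTTP client must connect to the address that was validated (re-resolving at connect time reopens the window to DNS rebinding), and it must not follow redirects automatically, since a redirect is another attacker-controlled URL that never passed `check_fetch_target`.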

For Debian 8 "Jessie", this problem has been fixed in version
0.9.12+debian-6+deb8u1.

We recommend that you upgrade your graphite-web packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1967-1: libpcap security update

Package : libpcap
Version : 1.6.2-2+deb8u1
CVE ID : CVE-2019-15165
Debian Bug : 941697


libpcap (Packet CAPture), a low-level network monitoring library, does
not properly validate the PHB header length before allocating memory.
This update added sanity checks for PHB header length.
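The defect class here is a length field read from an untrusted file and used to size an allocation before it has been checked. The following is an added example, not libpcap's code: a small pcapng block reader that applies the sanity checks a reader needs before trusting a block's total-length field. It is written against the generic pcapng block framing (a 4-byte type, a 4-byte total length, the body, and the total length repeated as a trailer), so it covers the advisory's "PHB" case as well as every other block type. The size cap `MAX_BLOCK_LEN` is an assumed policy value, and the capture bytes are constructed inline.

```python
import struct
from typing import List, Tuple

BLOCK_HEADER = 8                 # type (u32) + total length (u32)
BLOCK_TRAILER = 4                # total length repeated after the body
MIN_BLOCK_LEN = BLOCK_HEADER + BLOCK_TRAILER
MAX_BLOCK_LEN = 16 * 1024 * 1024  # assumed policy cap on a single block
SHB_TYPE = 0x0A0D0D0A            # Section Header Block (palindromic on purpose)
IDB_TYPE = 0x00000001            # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D


class PcapngError(ValueError):
    """Raised for any framing problem; the caller never sees a bad length."""


def detect_endianness(buf: bytes) -> str:
    """Return the struct byte-order prefix from the SHB byte-order magic."""
    if len(buf) < 12 or struct.unpack_from("<I", buf, 0)[0] != SHB_TYPE:
        raise PcapngError("file does not start with a Section Header Block")
    magic = struct.unpack_from("<I", buf, 8)[0]
    if magic == BYTE_ORDER_MAGIC:
        return "<"
    if magic == 0x4D3C2B1A:
        return ">"
    raise PcapngError("bad byte-order magic")


def read_block(buf: bytes, offset: int, endian: str) -> Tuple[int, bytes, int]:
    """Validate one block's framing and return (type, body, next_offset).

    Every check runs on the header alone; the body is copied (i.e. memory
    is allocated based on total_len) only after all checks have passed.
    """
    remaining = len(buf) - offset
    if remaining < MIN_BLOCK_LEN:
        raise PcapngError("truncated block header")
    btype, total_len = struct.unpack_from(endian + "II", buf, offset)
    if total_len < MIN_BLOCK_LEN:
        raise PcapngError(f"block length {total_len} below minimum")
    if total_len % 4:
        raise PcapngError(f"block length {total_len} not 4-byte aligned")
    if total_len > MAX_BLOCK_LEN:
        raise PcapngError(f"block length {total_len} exceeds cap")
    if total_len > remaining:
        raise PcapngError("block length runs past end of file")
    trailer = struct.unpack_from(endian + "I", buf, offset + total_len - 4)[0]
    if trailer != total_len:
        raise PcapngError("leading and trailing block lengths disagree")
    body = bytes(buf[offset + BLOCK_HEADER: offset + total_len - BLOCK_TRAILER])
    return btype, body, offset + total_len


def parse_file(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk every block in buf, returning (type, body) pairs."""
    endian = detect_endianness(buf)
    offset, blocks = 0, []
    while offset < len(buf):
        btype, body, offset = read_block(buf, offset, endian)
        blocks.append((btype, body))
    return blocks


def build_block(btype: int, body: bytes, endian: str = "<") -> bytes:
    """Encode a well-formed block (body padded to a multiple of 4)."""
    padded = body + b"\0" * (-len(body) % 4)
    total = BLOCK_HEADER + len(padded) + BLOCK_TRAILER
    return (struct.pack(endian + "II", btype, total) + padded
            + struct.pack(endian + "I", total))


def corrupt_length(block: bytes, new_len: int, endian: str = "<") -> bytes:
    """Overwrite only the leading total-length field (for the test input)."""
    return block[:4] + struct.pack(endian + "I", new_len) + block[8:]


# Constructed capture: an SHB (magic, version 1.0, unknown section length)
# followed by one IDB (linktype 1, reserved, snaplen 65535).
SHB_BODY = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
IDB_BODY = struct.pack("<HHI", 1, 0, 65535)
SAMPLE_VALID = build_block(SHB_TYPE, SHB_BODY) + build_block(IDB_TYPE, IDB_BODY)
# Same SHB with an absurd length in the header: the reader must refuse it
# before sizing any buffer from that value.
SAMPLE_HUGE_LEN = corrupt_length(build_block(SHB_TYPE, SHB_BODY), 0xFFFFFFF0)
```

The order of the checks matters less than the fact that all of them run before the body copy; a reader that allocates first and validates afterwards has already let the attacker pick the allocation size.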


For Debian 8 "Jessie", this problem has been fixed in version
1.6.2-2+deb8u1.

We recommend that you upgrade your libpcap packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4548-1: openjdk-8 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4548-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962
CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2978
CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988
CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in cross-site scripting, denial of service, information
disclosure or Kerberos user impersonation.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u232-b09-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


DSA 4547-1: tcpdump security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4547-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tcpdump
CVE ID : CVE-2018-10103 CVE-2018-10105 CVE-2018-14461 CVE-2018-14462
CVE-2018-14463 CVE-2018-14464 CVE-2018-14465 CVE-2018-14466
CVE-2018-14467 CVE-2018-14468 CVE-2018-14469 CVE-2018-14470
CVE-2018-14879 CVE-2018-14880 CVE-2018-14881 CVE-2018-14882
CVE-2018-16227 CVE-2018-16228 CVE-2018-16229 CVE-2018-16230
CVE-2018-16300 CVE-2018-16451 CVE-2018-16452 CVE-2019-15166

Several vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial of
service or, potentially, execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.9.3-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 4.9.3-1~deb10u1.

We recommend that you upgrade your tcpdump packages.

For the detailed security status of tcpdump please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tcpdump

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/