Debian 9844 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1461-1: clamav security update
DLA 1472-1: libcgroup security update

Debian GNU/Linux 9:
DSA 4279-1: linux security update



DLA 1461-1: clamav security update

Package : clamav
Version : 0.100.1+dfsg-0+deb8u1
CVE ID : CVE-2018-0360 CVE-2018-0361
Debian Bug : 902601 903896 905044

ClamAV, an anti-virus utility for Unix, has released the version 0.100.1.
Installing this new version is required to make use of all current virus
signatures and to avoid warnings.

This version also fixes two security issues discovered after version 0.100.0:

CVE-2018-0360

Integer overflow with a resultant infinite loop via a crafted Hangul Word
Processor file. Reported by Secunia Research at Flexera.

CVE-2018-0361

PDF object length check, unreasonably long time to parse a relatively small
file. Reported by aCaB.

For Debian 8 "Jessie", these problems have been fixed in version
0.100.1+dfsg-0+deb8u1.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1472-1: libcgroup security update




Package : libcgroup
Version : 0.41-6+deb8u1
CVE ID : CVE-2018-14348
Debian Bug : 906308

The cgrulesengd daemon in libcgroup creates log files with world
readable and writable permissions due to a reset of the file mode
creation mask (umask(0)).

For Debian 8 "Jessie", this problem has been fixed in version
0.41-6+deb8u1.

We recommend that you upgrade your libcgroup packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4279-1: linux security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4279-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2018-3620 CVE-2018-3646

Multiple researchers have discovered a vulnerability in the way the
Intel processor designs have implemented speculative execution of
instructions in combination with handling of page-faults. This flaw
could allow an attacker controlling an unprivileged process to read
memory from arbitrary (non-user controlled) addresses, including from
the kernel and all other processes running on the system or cross
guest/host boundaries to read host memory.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode (only available in Debian non-free). Common server
class CPUs are covered in the update released as DSA 4273-1.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.110-3+deb9u3.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/