
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-155-1 cups security update

Debian GNU/Linux 8 LTS:
DLA 1896-1: commons-beanutils security update

Debian GNU/Linux 9:
DSA 4506-1: qemu security update

Debian GNU/Linux 10:
DSA 4507-1: squid security update
DSA 4508-1: h2o security update



ELA-155-1: cups security update

Package: cups
Version: 1.5.3-5+deb7u10
Related CVE: CVE-2019-8675 CVE-2019-8696
Two issues have been found in cups, the Common UNIX Printing System™.

Both CVEs (CVE-2019-8675 and CVE-2019-8696) are stack buffer overflows in two functions of libcups: one occurs in asn1_get_type(), the other in asn1_get_packed().

For Debian 7 Wheezy, these problems have been fixed in version 1.5.3-5+deb7u10.

We recommend that you upgrade your cups packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1896-1: commons-beanutils security update

Package : commons-beanutils
Version : 1.9.2-1+deb8u1
CVE ID : CVE-2019-10086

It was discovered that there was a remote arbitrary code
vulnerability in commons-beanutils, a set of utilities for
manipulating JavaBeans code.

For Debian 8 "Jessie", this issue has been fixed in commons-beanutils
version 1.9.2-1+deb8u1.

We recommend that you upgrade your commons-beanutils packages.

DSA 4506-1: qemu security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4506-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 24, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : qemu
CVE ID : CVE-2018-20815 CVE-2019-13164 CVE-2019-14378
Debian Bug : 873012 933741 931351

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service, the execution of
arbitrary code or bypass of ACLs.

In addition this update fixes a regression which could cause NBD
connections to hang.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.8+dfsg-6+deb9u8.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4507-1: squid security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4507-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 24, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : squid
CVE ID : CVE-2019-12525 CVE-2019-12527 CVE-2019-12529 CVE-2019-12854 CVE-2019-13345
Debian Bug : 931478

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache. The flaws in the HTTP Digest Authentication processing, the
HTTP Basic Authentication processing and in the cachemgr.cgi allowed
remote attackers to perform denial of service and cross-site scripting
attacks, and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u1.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/squid


DSA 4508-1: h2o security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4508-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 24, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : h2o
CVE ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-9515

Three vulnerabilities were discovered in the HTTP/2 code of the H2O HTTP
server, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 2.2.5+dfsg2-2+deb10u1.

We recommend that you upgrade your h2o packages.

For the detailed security status of h2o please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/h2o
