Debian 9858 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-36-1 curl security update
ELA-37-1 openssh security update

Debian GNU/Linux 8 LTS:
DLA 1505-1: zutils security update



ELA-36-1 curl security update

Package: curl
Version: 7.26.0-1+wheezy25+deb7u2
Related CVE: CVE-2018-14618

Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems.

For Debian 7 Wheezy, these problems have been fixed in version 7.26.0-1+wheezy25+deb7u2.

We recommend that you upgrade your curl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-37-1 openssh security update


Package: openssh
Version: 6.0p1-4+deb7u8
Related CVE: CVE-2018-15473

It was discovered that there was a user enumeration vulnerability in OpenSSH. A remote attacker could test whether a certain user exists on a target server.

For Debian 7 Wheezy, these problems have been fixed in version 6.0p1-4+deb7u8.

We recommend that you upgrade your openssh packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/


DLA 1505-1: zutils security update




Package : zutils
Version : 1.3-4+deb8u1
CVE ID : CVE-2018-1000637
Debian Bug : 902936


zutils version prior to version 1.8-pre2 contains a buffer
overflow vulnerability in zcat which happened with some
input files when the '-v, --show-nonprinting' option was
used (or indirectly enabled). This can result in potential
denial of service or arbitrary code execution. This attack
appear is exploitable via the victim openning a crafted
compressed file and has been fixed in 1.8-pre2.

For Debian 8 "Jessie", this problem has been fixed in
version 1.3-4+deb8u1.

We recommend that you upgrade your zutils packages.

Further information about Debian LTS security advisories,
how to apply these updates to your system and frequently
asked questions can be found at: https://wiki.debian.org/LTS