Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-53-1 mysql-5.5 security update

Debian GNU/Linux 8 LTS:
DLA 1565-1: glusterfs security update
DLA 1566-1: mysql-5.5 security update
DLA 1567-1: gthumb security update



ELA-53-1 mysql-5.5 security update

Package: mysql-5.5
Version: 5.5.62-0+deb7u1
Related CVE: CVE-2018-2767 CVE-2018-3058 CVE-2018-3063 CVE-2018-3066 CVE-2018-3070 CVE-2018-3081 CVE-2018-3133 CVE-2018-3174 CVE-2018-3282
Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.62, which includes additional changes. Please see the MySQL 5.5 Release Notes and Oracle’s Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-61.html
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-62.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
For Debian 7 Wheezy, these problems have been fixed in version 5.5.62-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1565-1: glusterfs security update




Package : glusterfs
Version : 3.5.2-2+deb8u5
CVE ID : CVE-2018-14651 CVE-2018-14652 CVE-2018-14653
CVE-2018-14659 CVE-2018-14661

Multiple security vulnerabilities were discovered in GlusterFS, a
clustered file system. Buffer overflows and path traversal issues may
lead to information disclosure, denial-of-service or the execution of
arbitrary code.

CVE-2018-14651

It was found that the fix for CVE-2018-10927, CVE-2018-10928,
CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete.
A remote, authenticated attacker could use one of these flaws to
execute arbitrary code, create arbitrary files, or cause denial of
service on glusterfs server nodes via symlinks to relative paths.

CVE-2018-14652

The Gluster file system is vulnerable to a buffer overflow in the
'features/index' translator via the code handling the
'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote
authenticated attacker could exploit this on a mounted volume to
cause a denial of service.

CVE-2018-14653

The Gluster file system is vulnerable to a heap-based buffer
overflow in the '__server_getspec' function via the 'gf_getspec_req'
RPC message. A remote authenticated attacker could exploit this to
cause a denial of service or other potential unspecified impact.

CVE-2018-14659

The Gluster file system is vulnerable to a denial of service attack
via use of the 'GF_XATTR_IOSTATS_DUMP_KEY' xattr. A remote,
authenticated attacker could exploit this by mounting a Gluster
volume and repeatedly calling 'setxattr(2)' to trigger a state dump
and create an arbitrary number of files in the server's runtime
directory.

CVE-2018-14661

It was found that usage of snprintf function in feature/locks
translator of glusterfs server was vulnerable to a format string
attack. A remote, authenticated attacker could use this flaw to
cause remote denial of service.


For Debian 8 "Jessie", these problems have been fixed in version
3.5.2-2+deb8u5.

We recommend that you upgrade your glusterfs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1566-1: mysql-5.5 security update

Package : mysql-5.5
Version : 5.5.62-0+deb8u1
CVE ID : CVE-2018-2767 CVE-2018-3058 CVE-2018-3063 CVE-2018-3066
CVE-2018-3070 CVE-2018-3081 CVE-2018-3133 CVE-2018-3174
CVE-2018-3282


Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.62, which includes additional changes. Please see the MySQL
5.5 Release Notes and Oracle's Critical Patch Update advisory for
further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-61.html
https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-62.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

For Debian 8 "Jessie", these problems have been fixed in version
5.5.62-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1567-1: gthumb security update

Package : gthumb
Version : 3:3.3.1-2.1+deb8u1
CVE ID : CVE-2018-18718
Debian Bug : #912290


CVE-2018-18718 - CWE-415: Double Free
The product calls free() twice on the same memory address, potentially
leading to modification of unexpected memory locations.

There is a suspected double-free bug with
static void add_themes_from_dir() dlg-contact-sheet.c. This method
involves two successive calls of g_free(buffer) (line 354 and 373),
and is likely to cause double-free of the buffer. One possible fix
could be directly assigning the buffer to NULL after the first call
of g_free(buffer). Thanks Tianjun Wu
https://gitlab.gnome.org/GNOME/gthumb/issues/18

For Debian 8 "Jessie", this problem has been fixed in version
3:3.3.1-2.1+deb8u1

We recommend that you upgrade your gthumb packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS