Debian 9859

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-59-1 openssl security update

Debian GNU/Linux 8 LTS:
DLA 1583-1: jasper security update
DLA 1584-1: ruby-i18n security update
DLA 1585-1: ruby-rack security update
DLA 1586-1: openssl security update

Debian GNU/Linux 9:
DSA 4339-2: ceph regression update



ELA-59-1 openssl security update

Package: openssl
Version: 1.0.1t-1+deb7u7
Related CVE: CVE-2018-0735 CVE-2018-5407

CVE-2018-0735

Samuel Weiser reported a timing vulnerability in the OpenSSL ECDSA signature generation, which might leak information to recover the private key.

CVE-2018-5407

Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri reported a vulnerability to a timing side channel attack, which might be used to recover the private key.

For Debian 7 Wheezy, these problems have been fixed in version 1.0.1t-1+deb7u7.

We recommend that you upgrade your openssl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1583-1: jasper security update




Package : jasper
Version : 1.900.1-debian1-2.4+deb8u4
CVE ID : CVE-2015-5203 CVE-2015-5221 CVE-2016-8690
CVE-2017-13748 CVE-2017-14132

Several security vulnerabilities were discovered in the JasPer
JPEG-2000 library.

CVE-2015-5203

Gustavo Grieco discovered an integer overflow vulnerability that
allows remote attackers to cause a denial of service or may have
other unspecified impact via a crafted JPEG 2000 image file.

CVE-2015-5221

Josselin Feist found a double-free vulnerability that allows remote
attackers to cause a denial-of-service (application crash) by
processing a malformed image file.

CVE-2016-8690

Gustavo Grieco discovered a NULL pointer dereference vulnerability
that can cause a denial-of-service via a crafted BMP image file. The
update also includes the fixes for the related issues CVE-2016-8884
and CVE-2016-8885 which complete the patch for CVE-2016-8690.

CVE-2017-13748

It was discovered that jasper does not properly release memory used
to store image tile data when image decoding fails which may lead to
a denial-of-service.

CVE-2017-14132

A heap-based buffer over-read was found related to the
jas_image_ishomosamp function that could be triggered via a crafted
image file and may cause a denial-of-service (application crash) or
have other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
1.900.1-debian1-2.4+deb8u4.

We recommend that you upgrade your jasper packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1584-1: ruby-i18n security update




Package : ruby-i18n
Version : 0.6.9-2+deb8u1
CVE ID : CVE-2014-10077
Debian Bug : #913093

It was discovered that there was a remote denial-of-service vulnerability
in ruby-i18n, an I18n and localization solution for Ruby.

An application crash could be triggered by engineering a situation where
`:some_key` is present in the `keep_keys` structure but not present in the
hash.

For Debian 8 "Jessie", this issue has been fixed in ruby-i18n version
0.6.9-2+deb8u1.

We recommend that you upgrade your ruby-i18n packages.




DLA 1585-1: ruby-rack security update




Package : ruby-rack
Version : 1.5.2-3+deb8u2
CVE ID : CVE-2018-16471
Debian Bug : #913005

It was discovered that there was an XSS vulnerability in the ruby-rack
web-server library.

A malicious request could impact the HTTP/HTTPS scheme being returned
to the underlying application.

For Debian 8 "Jessie", this issue has been fixed in ruby-rack version
1.5.2-3+deb8u2.

We recommend that you upgrade your ruby-rack packages.
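The header-derived scheme handling this advisory describes, as an added example (not ruby-rack's own code): a Rack-style scheme resolver that hands the forwarded value through unchanged, beside a hardened one that accepts only http or https. It assumes the X-Forwarded-Proto / X-Forwarded-Scheme env keys are the input involved, which the advisory text itself does not state.

```ruby
# Added example, not ruby-rack's code. Shows why a scheme taken from request
# headers must be constrained to "http"/"https" before the application sees it.
# ASSUMPTION: the forwarded-scheme headers below (X-Forwarded-Proto and
# X-Forwarded-Scheme, as they appear in a Rack env) are the relevant input;
# the advisory only says a malicious request can affect the returned scheme.

ALLOWED_SCHEMES = %w[http https].freeze

# Unsafe variant: returns whatever the client sent as the forwarded scheme,
# so arbitrary characters reach any code that embeds the scheme in a page.
def scheme_unchecked(env)
  return 'https' if env['HTTPS'] == 'on'
  forwarded = env['HTTP_X_FORWARDED_SCHEME'] || env['HTTP_X_FORWARDED_PROTO']
  return forwarded.split(',').first.to_s.strip if forwarded
  env['rack.url_scheme']
end

# Hardened variant: only an allow-listed value from the forwarded headers is
# accepted; anything else falls back to the scheme the server itself negotiated.
def scheme_checked(env)
  return 'https' if env['HTTPS'] == 'on'
  forwarded = env['HTTP_X_FORWARDED_SCHEME'] || env['HTTP_X_FORWARDED_PROTO']
  if forwarded
    candidate = forwarded.split(',').first.to_s.strip.downcase
    return candidate if ALLOWED_SCHEMES.include?(candidate)
  end
  env['rack.url_scheme']
end

# Constructed sample Rack env hashes (not captured traffic).
BENIGN_ENV = { 'rack.url_scheme' => 'http',
               'HTTP_X_FORWARDED_PROTO' => 'https' }.freeze
HOSTILE_ENV = { 'rack.url_scheme' => 'http',
                'HTTP_X_FORWARDED_PROTO' => 'https"><injected>' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, hostile header: #{scheme_unchecked(HOSTILE_ENV).inspect}"
  puts "checked,   hostile header: #{scheme_checked(HOSTILE_ENV).inspect}"
end
```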




DLA 1586-1: openssl security update




Package : openssl
Version : 1.0.1t-1+deb8u10
CVE ID : CVE-2018-0735 CVE-2018-5407


CVE-2018-0735
Samuel Weiser reported a timing vulnerability in the OpenSSL ECDSA
signature generation, which might leak information to recover the
private key.

CVE-2018-5407
Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar
Pereida Garcia and Nicola Tuveri reported a vulnerability to a
timing side channel attack, which might be used to recover the
private key.


For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u10.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4339-2: ceph regression update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4339-2                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 21, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ceph
Debian Bug : 913909

The update for ceph issued as DSA-4339-1 caused a build regression for
the i386 builds. Updated packages are now available to address this
issue. For reference, the original advisory text follows.

Multiple vulnerabilities were discovered in Ceph, a distributed storage
and file system: The cephx authentication protocol was susceptible to
replay attacks and calculated signatures incorrectly, "ceph mon" did not
validate capabilities for pool operations (resulting in potential
corruption or deletion of snapshot images) and a format string
vulnerability in libradosstriper could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 10.2.11-2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/