Debian 9859 Published by

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1373-1: php5 security update

Debian GNU/Linux 8 and 9:
DSA 4198-1: prosody security update

Debian GNU/Linux 9:
DSA 4197-1: wavpack security update

DLA 1373-1: php5 security update

Package : php5
Version : 5.4.45-0+deb7u14
CVE ID : CVE-2018-10545 CVE-2018-10547 CVE-2018-10548

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.

CVE-2018-10545

Dumpable FPM child processes allow bypassing opcache access
controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call,
allowing one user (in a multiuser environment) to obtain sensitive
information from the process memory of a second user's PHP
applications by running gcore on the PID of the PHP-FPM worker
process.
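As an added defender-side check (not part of the advisory, of Debian or of PHP), the following Python script lists PHP-FPM worker processes that are currently dumpable, which is the condition CVE-2018-10545 depends on. It uses the Linux procfs rule that entries under /proc/<pid> are owned by the task's effective uid only while the task's dumpable flag is set, and otherwise by root; all function names are my own.

```python
import os
from typing import Dict, List, Optional

def parse_status(status_text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def worker_is_dumpable(status_text: str, proc_dir_uid: int) -> Optional[bool]:
    """A non-root task is dumpable iff /proc/<pid> is owned by its euid.

    The kernel gives /proc/<pid> to the task's effective uid only while the
    dumpable flag is 1 (PR_SET_DUMPABLE); otherwise the entries belong to
    root. Returns None for root tasks (the FPM master), where this test
    cannot tell the two cases apart.
    """
    fields = parse_status(status_text)
    euid = int(fields["Uid"].split()[1])   # Uid: real effective saved fs
    if euid == 0:
        return None
    return proc_dir_uid == euid

def find_dumpable_fpm_workers(proc_root: str = "/proc") -> List[int]:
    """Scan procfs for php*fpm* workers whose memory other local users could dump."""
    hits: List[int] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()          # e.g. php5-fpm, php-fpm7.0
            if not (comm.startswith("php") and "fpm" in comm):
                continue
            with open(os.path.join(pid_dir, "status")) as f:
                status_text = f.read()
            dir_uid = os.stat(pid_dir).st_uid
        except OSError:
            continue                             # process exited or hidden (hidepid)
        if worker_is_dumpable(status_text, dir_uid):
            hits.append(int(entry))
    return hits

if __name__ == "__main__":
    for pid in find_dumpable_fpm_workers():
        print(f"dumpable php-fpm worker: pid {pid}")
```

Run it as root on a host running the pool users' workers; any pid it prints is a worker whose memory a ptrace-capable process of the same pool user could read.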

CVE-2018-10547

There is a reflected XSS on the PHAR 403 and 404 error pages via
request data of a request for a .phar file. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2018-5712.

CVE-2018-10548

ext/ldap/ldap.c allows remote LDAP servers to cause a denial of
service (NULL pointer dereference and application crash) because of
mishandling of the ldap_get_dn return value.

For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u14.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4197-1: wavpack security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4197-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : wavpack
CVE ID : CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539
CVE-2018-10540

Multiple vulnerabilities were discovered in the wavpack audio codec which
could result in denial of service or the execution of arbitrary code if
malformed media files are processed.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.0-2+deb9u2.

We recommend that you upgrade your wavpack packages.

For the detailed security status of wavpack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wavpack

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4198-1: prosody security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4198-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 09, 2018                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : prosody
CVE ID : CVE-2017-18265
Debian Bug : 875829

Albert Dengg discovered that incorrect parsing of messages
in the Prosody Jabber/XMPP server may result in denial of service.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.12-2+deb9u1.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/