Debian 9858 Published by

The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1778-1: symfony security update
DLA 1779-1: 389-ds-base security update
DLA 1780-1: firefox-esr new upstream version

DLA 1778-1: symfony security update

Package : symfony
Version : 2.3.21+dfsg-4+deb8u5
CVE ID : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-10913

Several security vulnerabilities have been discovered in symfony, a PHP
web application framework. Several symfony components are affected:
Framework Bundle, Dependency Injection, Security and HttpFoundation.

CVE-2019-10909

Validation messages were not escaped when using the form theme of
the PHP templating engine. Where validation messages may contain user
input, this could result in an XSS.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

CVE-2019-10910

Service IDs derived from unfiltered user input could lead to the
execution of arbitrary code, i.e. possible remote code execution.

For further information, see the upstream advisory at
https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

CVE-2019-10911

This fixes situations where part of an expiry time in a cookie could
be considered part of the username, or part of the username could be
considered part of the expiry time. An attacker could modify the
remember me cookie and authenticate as a different user. This attack
is only possible if remember me functionality is enabled and the two
users share a password hash or the password hashes (e.g.
UserInterface::getPassword()) are null for all users (which is valid
if passwords are checked by an external system, e.g. an SSO).

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash
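
The ambiguity described above, shown as an added example written for this
digest (a Python model of the cookie-hash construction, not Symfony's own
PHP code): the pre-fix shape concatenates class, username, expiry and
password hash with nothing between them, so two different (username,
expiry) pairs can produce one identical hash when the password hashes are
null or shared; inserting a delimiter between every field removes the
ambiguity. The secret, user class and usernames are constructed values.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed values standing in for the application secret and user class.
APP_SECRET = b"constructed-example-secret"
USER_CLASS = "App\\Entity\\User"
DELIMITER = ":"


def hash_unseparated(username: str, expires: int, password_hash: Optional[str]) -> str:
    """Pre-fix shape: fields are concatenated with nothing between them,
    so the boundary between username and expiry is ambiguous."""
    material = f"{USER_CLASS}{username}{expires}{password_hash or ''}"
    return hmac.new(APP_SECRET, material.encode(), hashlib.sha256).hexdigest()


def hash_separated(username: str, expires: int, password_hash: Optional[str]) -> str:
    """Post-fix shape: a delimiter between every field fixes the boundaries.
    A username containing the delimiter would reintroduce the ambiguity,
    so such usernames are rejected here."""
    if DELIMITER in username:
        raise ValueError("username must not contain the field delimiter")
    material = DELIMITER.join([USER_CLASS, username, str(expires), password_hash or ""])
    return hmac.new(APP_SECRET, material.encode(), hashlib.sha256).hexdigest()


def collides(hash_fn: Callable[[str, int, Optional[str]], str],
             a: Tuple[str, int], b: Tuple[str, int],
             password_hash: Optional[str]) -> bool:
    """True when two distinct (username, expires) pairs yield the same hash."""
    return a != b and hash_fn(a[0], a[1], password_hash) == hash_fn(b[0], b[1], password_hash)


# Constructed pair: "admin1" + "600000000" and "admin" + "1600000000" both
# concatenate to "admin1600000000". A null password hash models users whose
# passwords are checked by an external system such as an SSO.
PAIR_A = ("admin1", 600_000_000)
PAIR_B = ("admin", 1_600_000_000)

if __name__ == "__main__":
    print("unseparated collides:", collides(hash_unseparated, PAIR_A, PAIR_B, None))
    print("separated collides:  ", collides(hash_separated, PAIR_A, PAIR_B, None))
```

The same collision occurs in the unseparated form when both users share a
password hash, which is the other precondition the advisory names.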

CVE-2019-10913

HTTP methods, taken either from the HTTP method itself or from the
X-Http-Method-Override header, were previously returned as the method
in question without any validation of the string, meaning that they
could be used in dangerous contexts when left unescaped.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u5.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1779-1: 389-ds-base security update

Package : 389-ds-base
Version : 1.3.3.5-4+deb8u6
CVE ID : CVE-2019-3883
Debian Bug : 927939
In 389-ds-base up to version 1.4.1.2, requests were handled by worker
threads, and a worker waited on each socket for at most
'ioblocktimeout' seconds. However, this timeout applied only to
unencrypted requests: connections using SSL/TLS did not take the
timeout into account during reads and could hang for longer. An
unauthenticated attacker could repeatedly create hanging LDAP requests
to tie up all the workers, resulting in a denial of service.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u6.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1780-1: firefox-esr new upstream version
Package : firefox-esr
Version : 60.6.2esr-1~deb8u1
Debian Bug : 928415 928449 928509

Firefox 60.6.2 ESR repairs a certificate chain issue that caused
extensions to be disabled in the past few days. More information, and
details of known remaining issues, can be found at
https://www.mozilla.org/firefox/60.6.2/releasenotes/ and
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Installing this update will re-enable any extensions that were disabled
due to this issue.

Extensions installed from Debian packages were not affected.

For Debian 8 "Jessie", this problem has been fixed in version
60.6.2esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS