
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-16-1 tiff security update

Debian GNU/Linux 8 LTS:
DLA 1430-1: taglib security update
DLA 1431-1: ant security update

Debian GNU/Linux 9:
DSA 4251-1: vlc security update
DSA 4252-1: znc security update



ELA-16-1 tiff security update

Package: tiff
Version: 4.0.2-6+deb7u22
Related CVE: CVE-2018-10963
The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.

For Debian 7 Wheezy, this problem has been fixed in version 4.0.2-6+deb7u22.

We recommend that you upgrade your tiff packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1430-1: taglib security update




Package : taglib
Version : 1.9.1-2.1+deb8u1
CVE ID : CVE-2018-11439


CVE-2018-11439
Fix for a heap-based buffer over-read via a crafted audio file.


For Debian 8 "Jessie", this problem has been fixed in version
1.9.1-2.1+deb8u1.

We recommend that you upgrade your taglib packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1431-1: ant security update




Package : ant
Version : 1.9.4-3+deb8u1
CVE ID : CVE-2018-10886


The unzip and untar tasks in Ant allow the extraction of files
outside the target directory, because entry names containing "../"
components are not validated before the path is joined. A crafted
zip or tar file submitted to an Ant build could therefore create or
overwrite arbitrary files with the privileges of the user running Ant.
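The following Python script is an added illustration of the archive path traversal described above; it is not code from the Ant project or from this advisory. It builds a constructed zip and a constructed tar (labelled as such in the code) that each contain one benign entry and one entry whose name climbs above the extraction directory, then runs a naive extractor that trusts member names and a hardened extractor that resolves each target path and rejects anything that would land outside the destination. The directory layout, entry names and function names are all assumptions chosen for the demonstration.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed sample entries (not from a real exploit): one benign entry and one
# that climbs two directories above the extraction target.
BENIGN_ENTRY = "build/ok.txt"
ESCAPING_ENTRY = "../../escaped.txt"


def build_crafted_zip() -> bytes:
    """Constructed zip archive containing a directory-escaping entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "harmless")
        zf.writestr(ESCAPING_ENTRY, "written outside the target directory")
    return buf.getvalue()


def build_crafted_tar() -> bytes:
    """Constructed tar archive with the same two entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in ((BENIGN_ENTRY, b"harmless"), (ESCAPING_ENTRY, b"escaped")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def iter_members(archive: bytes):
    """Yield (name, data) for every regular-file member of a zip or tar archive."""
    if archive[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for m in zf.infolist():
                if not m.is_dir():
                    yield m.filename, zf.read(m)
    else:
        with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
            for m in tf.getmembers():
                if m.isfile():
                    yield m.name, tf.extractfile(m).read()


def is_within(dest: str, member_name: str) -> bool:
    """True only if dest/member_name resolves to a path inside dest.

    Catches '..' components, absolute names (os.path.join discards dest for
    those) and mixed cases such as 'a/../../b'. Symlink members would need a
    separate check that is out of scope here."""
    real_dest = os.path.realpath(dest)
    resolved = os.path.realpath(os.path.join(real_dest, member_name))
    return resolved == real_dest or resolved.startswith(real_dest + os.sep)


def unsafe_extract(archive: bytes, dest: str) -> list:
    """Trusts member names as given: the behaviour the advisory describes."""
    written = []
    for name, data in iter_members(archive):
        target = os.path.join(dest, name)  # no containment check
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(data)
        written.append(os.path.realpath(target))
    return written


def safe_extract(archive: bytes, dest: str) -> tuple:
    """Rejects any member that would land outside dest; returns (written, rejected)."""
    written, rejected = [], []
    for name, data in iter_members(archive):
        if not is_within(dest, name):
            rejected.append(name)
            continue
        target = os.path.join(dest, name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(data)
        written.append(os.path.realpath(target))
    return written, rejected


def demo(archive: bytes) -> dict:
    """Run both extractors in a scratch tree and report where the escaping entry went.

    The extraction targets are nested two levels deep so the escape stays
    inside the temporary tree instead of touching the real filesystem."""
    with tempfile.TemporaryDirectory() as root:
        real_root = os.path.realpath(root)
        unsafe_dest = os.path.join(real_root, "a", "b", "unsafe")
        safe_dest = os.path.join(real_root, "a", "b", "safe")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)
        unsafe_written = unsafe_extract(archive, unsafe_dest)
        safe_written, rejected = safe_extract(archive, safe_dest)
        return {
            "unsafe_escaped": any(not p.startswith(unsafe_dest + os.sep) for p in unsafe_written),
            "escaped_path_exists": os.path.exists(os.path.join(real_root, "a", "escaped.txt")),
            "safe_rejected": rejected,
            "safe_written_count": len(safe_written),
        }


if __name__ == "__main__":
    for kind, archive in (("zip", build_crafted_zip()), ("tar", build_crafted_tar())):
        print(kind, demo(archive))
```

The containment check resolves the joined path with realpath before comparing prefixes; comparing the raw string "../" would miss absolute entry names and normalised forms such as "a/../../b". Python's own ZipFile.extractall already strips such components, which is why the naive loop above builds the target path by hand to reproduce the vulnerable behaviour.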

For Debian 8 "Jessie", these problems have been fixed in version
1.9.4-3+deb8u1.

We recommend that you upgrade your ant packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4251-1: vlc security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4251-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : vlc
CVE ID : CVE-2018-11529

A use-after-free was discovered in the MP4 demuxer of the VLC media
player, which could result in the execution of arbitrary code if a
malformed media file is played.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.3-1-0+deb9u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4252-1: znc security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4252-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : znc
CVE ID : CVE-2018-14055 CVE-2018-14056

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which
could result in privilege escalation or denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1.6.5-1+deb9u1.

We recommend that you upgrade your znc packages.

For the detailed security status of znc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/znc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/