
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1246-1: transmission security update
DLA 1247-1: rsync security update
DLA 1248-1: libgd2 security update

Debian GNU/Linux 8 and 9:
DSA 4091-1: mysql-5.5 security update
DSA 4092-1: awstats security update



DLA 1246-1: transmission security update




Package : transmission
Version : 2.52-3+nmu3
CVE ID : CVE-2018-5702
Debian Bug : 886990

Tavis Ormandy discovered a vulnerability in the Transmission BitTorrent
client; insecure RPC handling between the Transmission daemon and the
client interface(s) may result in the execution of arbitrary code if a
user visits a malicious website while Transmission is running.

For Debian 7 "Wheezy", these problems have been fixed in version
2.52-3+nmu3.

We recommend that you upgrade your transmission packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1247-1: rsync security update




Package : rsync
Version : 3.0.9-4+deb7u2
CVE ID : CVE-2018-5764
Debian Bug : #887588

It was discovered that there was an injection vulnerability in the rsync
file-copying tool.

For Debian 7 "Wheezy", this issue has been fixed in rsync version
3.0.9-4+deb7u2.

We recommend that you upgrade your rsync packages.




DLA 1248-1: libgd2 security update




Package : libgd2
Version : 2.0.36~rc1~dfsg-6.1+deb7u11
CVE ID : CVE-2018-5711
Debian Bug : #887485

It was discovered that there was a denial-of-service attack in the
libgd2 image library. A corrupt file could have exploited a signedness
confusion leading to an infinite loop.

For Debian 7 "Wheezy", this issue has been fixed in libgd2 version
2.0.36~rc1~dfsg-6.1+deb7u11.

We recommend that you upgrade your libgd2 packages.




DSA 4091-1: mysql-5.5 security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4091-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 18, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mysql-5.5
CVE ID : CVE-2018-2562 CVE-2018-2622 CVE-2018-2640 CVE-2018-2665
         CVE-2018-2668

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.59, which includes additional changes. Please see the MySQL
5.5 Release Notes and Oracle's Critical Patch Update advisory for
further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

For the oldstable distribution (jessie), these problems have been fixed
in version 5.5.59-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

For the detailed security status of mysql-5.5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/mysql-5.5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4092-1: awstats security update




-------------------------------------------------------------------------
Debian Security Advisory DSA-4092-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
January 19, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : awstats
CVE ID : CVE-2017-1000501
Debian Bug : 885835

The cPanel Security Team discovered that awstats, a log file analyzer,
was vulnerable to path traversal attacks. A remote unauthenticated
attacker could leverage that to perform arbitrary code execution.

For the oldstable distribution (jessie), this problem has been fixed
in version 7.2+dfsg-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 7.6+dfsg-1+deb9u1.

We recommend that you upgrade your awstats packages.

For the detailed security status of awstats please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/awstats

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/