Debian 9843 Published by

The following security updates has been released for Debian GNU/Linux

Debian GNU/Linux 8 and 9:
DSA 4142-1: uwsgi security update
DSA 4143-1: firefox-esr security update

Debian GNU/Linux 9:
DSA 4144-1: openjdk-8 security update



DSA 4142-1: uwsgi security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4142-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : uwsgi
CVE ID : CVE-2018-7490
Debian Bug : 891639

Marios Nicolaides discovered that the PHP plugin in uWSGI, a fast,
self-healing application container server, does not properly handle a
DOCUMENT_ROOT check during use of the --php-docroot option, allowing a
remote attacker to mount a directory traversal attack and gain
unauthorized read access to sensitive files located outside of the web
root directory.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.7-1+deb8u2. This update additionally includes the fix for
CVE-2018-6758 which was aimed to be addressed in the upcoming jessie
point release.

For the stable distribution (stretch), this problem has been fixed in
version 2.0.14+20161117-3+deb9u2.

We recommend that you upgrade your uwsgi packages.

For the detailed security status of uwsgi please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/uwsgi

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4143-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4143-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-5146 CVE-2018-5147

Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds
memory write when playing Vorbis media files could result in the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 52.7.2esr-1~deb8u1.

For the stable distribution (stretch), these problems have been fixed in
version 52.7.2esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4144-1: openjdk-8 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4144-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 17, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2018-2579 CVE-2018-2582 CVE-2018-2588 CVE-2018-2599
CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629
CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641
CVE-2018-2663 CVE-2018-2677 CVE-2018-2678

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, execution of arbitrary code, incorrect
LDAP/GSS authentication, insecure use of cryptography or bypass of
deserialisation restrictions.

For the stable distribution (stretch), these problems have been fixed in
version 8u162-b12-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/