
The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1709-1: waagent security update
DLA 1710-1: xmltooling security update
DLA 1711-1: systemd security update
DLA 1712-1: libsndfile security update
DLA 1713-1: libsdl1.2 security update
DLA 1714-1: libsdl2 security update



DLA 1709-1: waagent security update

Package : waagent
Version : 2.2.18-3~deb8u2
CVE ID : CVE-2019-0804

Francis McBratney discovered that the Windows Azure Linux Agent created
swap files with world-readable permissions, resulting in information
disclosure.

For Debian 8 "Jessie", this problem has been fixed in version
2.2.18-3~deb8u2.

We recommend that you upgrade your waagent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1710-1: xmltooling security update




Package : xmltooling
Version : 1.5.3-2+deb8u4
CVE ID : CVE-2019-9628
Debian Bug : 924346

Ross Geerlings discovered that the XMLTooling library didn't correctly
handle exceptions on malformed XML declarations, which could result in
denial of service against the application using XMLTooling.

For Debian 8 "Jessie", this problem has been fixed in version
1.5.3-2+deb8u4.

We recommend that you upgrade your xmltooling packages.



DLA 1711-1: systemd security update




Package : systemd
Version : 215-17+deb8u11
CVE ID : CVE-2019-3815
Debian Bug : 924060

A memory leak was discovered in the backport of fixes for
CVE-2018-16864 in systemd-journald.

The function dispatch_message_real() in journald-server.c does not free
the memory allocated to store the `_CMDLINE=` entry. A local attacker may
use this flaw to make systemd-journald crash.

Note that, as the systemd-journald service is not restarted automatically,
a restart of the service or, more safely, a reboot is advised.

For Debian 8 "Jessie", this problem has been fixed in version
215-17+deb8u11.

We recommend that you upgrade your systemd packages.



DLA 1712-1: libsndfile security update




Package : libsndfile
Version : 1.0.25-9.1+deb8u4
CVE ID : CVE-2019-3832

It was found that the fix for CVE-2018-19758 was incomplete. That has
been addressed in this update. The description for CVE-2018-19758
follows:

A heap-buffer-overflow vulnerability was discovered in libsndfile, the
library for reading and writing files containing sampled sound. This flaw
might be triggered by remote attackers to cause denial of service (out of
bounds read and application crash).

For Debian 8 "Jessie", this problem has been fixed in version
1.0.25-9.1+deb8u4.

We recommend that you upgrade your libsndfile packages.



DLA 1713-1: libsdl1.2 security update




Package : libsdl1.2
Version : 1.2.15-10+deb8u1
CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
         CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
         CVE-2019-7636 CVE-2019-7637 CVE-2019-7638

Multiple buffer overflow security issues have been found in libsdl1.2,
a library that allows low level access to a video frame buffer, audio
output, mouse, and keyboard.

For Debian 8 "Jessie", these problems have been fixed in version
1.2.15-10+deb8u1.

We recommend that you upgrade your libsdl1.2 packages.



DLA 1714-1: libsdl2 security update




Package : libsdl2
Version : 2.0.2+dfsg1-6+deb8u1
CVE ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
         CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
         CVE-2019-7636 CVE-2019-7637 CVE-2019-7638


Multiple buffer overflow security issues have been found in libsdl2,
a library that allows low level access to a video frame buffer, audio
output, mouse, and keyboard.

For Debian 8 "Jessie", these problems have been fixed in version
2.0.2+dfsg1-6+deb8u1.

We recommend that you upgrade your libsdl2 packages.
