Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-119-1 zookeeper security update

Debian GNU/Linux 8 LTS:
DLA 1802-1: wireshark security update

Debian GNU/Linux 9:
DSA 4450-1: wpa security update
DSA 4451-1: thunderbird security update
DSA 4452-1: jackson-databind security update



ELA-119-1 zookeeper security update

Package: zookeeper
Version: 3.4.5+dfsg-2+deb7u2
Related CVE: CVE-2019-0201
It was discovered that there was an information disclosure vulnerability in zookeeper, a distributed co-ordination server. Users who were not authorised to read data were able to view the access control list.

For Debian 7 Wheezy, these problems have been fixed in version 3.4.5+dfsg-2+deb7u2.

We recommend that you upgrade your zookeeper packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1802-1: wireshark security update




Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u19
CVE ID : CVE-2019-10894 CVE-2019-10895 CVE-2019-10899 CVE-2019-10901
CVE-2019-10903
Debian Bug : 926718

Several vulnerabilities have been found in wireshark, a network traffic analyzer.

CVE-2019-10894

Assertion failure in dissect_gssapi_work (packet-gssapi.c) leading to
crash of the GSS-API dissector. Remote attackers might leverage this
vulnerability to trigger DoS via a packet containing crafted GSS-API
payload.

CVE-2019-10895

Insufficient data validation leading to large number of heap buffer
overflows read and write in the NetScaler trace handling module
(netscaler.c). Remote attackers might leverage these vulnerabilities to
trigger DoS, or any other unspecified impact via crafted packets.

CVE-2019-10899

Heap-based buffer under-read vulnerability in the Service Location
Protocol dissector. Remote attackers might leverage these
vulnerabilities to trigger DoS, or any other unspecified impact via
crafted SRVLOC packets.

CVE-2019-10901

NULL pointer dereference in the Local Download Sharing Service
protocol dissector. Remote attackers might leverage these flaws to
trigger DoS via crafted LDSS packets.

CVE-2019-10903

Missing boundary checks leading to heap out-of-bounds read
vulnerability in the Microsoft Spool Subsystem protocol dissector.
Remote attackers might leverage these vulnerabilities to trigger DoS,
or any other unspecified impact via crafted SPOOLSS packets.

For Debian 8 "Jessie", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u19.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4450-1: wpa security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4450-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
May 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wpa
CVE ID : CVE-2019-11555
Debian Bug : 927463

A vulnerability was found in the WPA protocol implementation found in
wpa_supplication (station) and hostapd (access point).

The EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) doesn't properly validate fragmentation reassembly state when receiving
an unexpected fragment. This could lead to a process crash due to a NULL
pointer derefrence.

An attacker in radio range of a station or access point with EAP-pwd support
could cause a crash of the relevant process (wpa_supplicant or hostapd),
ensuring a denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 2:2.4-1+deb9u4.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpa

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4451-1: thunderbird security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4451-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797
CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819
CVE-2019-9820 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693
CVE-2019-11698

Multiple security issues have been found in Thunderbird: Multiple
vulnerabilities may lead to the execution of arbitrary code or denial of
service.

For the stable distribution (stretch), these problems have been fixed in
version 1:60.7.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4452-1: jackson-databind security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4452-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 24, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : jackson-databind
CVE ID : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362 CVE-2019-12086

Multiple security issues were found in jackson-databind, a Java library
to parse JSON and other data formats which could result in information
disclosure or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.6-1+deb9u5.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/