Updated xen packages have been released for Debian GNU/Linux 9 to provide mitigations for the lazy FPU state restore vulnerability affecting a range of Intel CPUs
The Debian Installer team has released the third alpha release of the installer for Debian GNU/Linux 10 (Buster)
The following two updates have been released by Freexian for Debian GNU/Linux 7 Extended LTS:
ELA-1-1 git security update
Etienne Stalmans discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability exploitable via specially crafted submodule names in a .gitmodules file.
ELA-2-1 openjdk-7 security update
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code or bypass of JAR signature validation.
To enable Extended LTS on your Debian GNU/Linux 7 installation, visit this page: How to use Extended LTS
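The git flaw above turns on the submodule name: git uses it as a directory name under .git/modules/, so a name containing a ".." component lets a repository place (and later execute) its own hook scripts outside .git/. The following scanner is an added example, not code from the ELA-1-1 advisory or from git itself; it applies the same kind of name check to a .gitmodules document and reports the names a fixed git would refuse. The sample .gitmodules text and the example.invalid URLs are constructed for the example.

```python
"""Added example (not part of the ELA-1-1 advisory or of git itself): scan a
.gitmodules document for submodule names that would escape .git/modules/.
The sample .gitmodules text below is constructed for this example."""
import re

# Matches a [submodule "<name>"] section header; the name may contain \" and \\ escapes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')


def submodule_name_is_safe(name: str) -> bool:
    """Reject names git could not safely use as a directory under .git/modules/:
    empty names, names beginning with '-' (would be parsed as an option), and
    any '..' path component on either '/' or '\\' (traversal out of .git/)."""
    if not name or name.startswith("-"):
        return False
    return all(part != ".." for part in re.split(r"[/\\]", name))


def unsafe_submodule_names(gitmodules_text: str) -> list:
    """Return the submodule names in a .gitmodules document that fail the check,
    in the order they appear."""
    bad = []
    for line in gitmodules_text.splitlines():
        match = SECTION_RE.match(line)
        if not match:
            continue
        name = re.sub(r"\\(.)", r"\1", match.group(1))  # undo \" and \\ escapes
        if not submodule_name_is_safe(name):
            bad.append(name)
    return bad


# Constructed sample: one benign submodule and two names a fixed git refuses.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
\tpath = lib/good
\turl = https://example.invalid/good.git
[submodule "../../modules/evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
[submodule "-trap"]
\tpath = trap
\turl = https://example.invalid/trap.git
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GITMODULES
    for name in unsafe_submodule_names(text):
        print(f"unsafe submodule name: {name!r}")
```

Run it against a checked-out repository's .gitmodules (`python3 scan.py path/to/.gitmodules`) before running `git submodule update` with an unpatched client; the check is on the name, not the path, because the path is what git already validated and the name is what the vulnerable versions trusted.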
The following updates have been released for Debian GNU/Linux 9:
DSA 4230-1: redis security update
Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a persistent key-value database, which could result in denial of service.
DSA 4231-1: libgcrypt20 security update
It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.
Updated strongSwan packages have been released for both Debian GNU/Linux 8 and 9
Updated spip packages have been released for both Debian GNU/Linux 8 and 9 to address several vulnerabilities, resulting in cross-site scripting and PHP injection
Updated plexus-archiver packages have been released for Debian GNU/Linux 8 and 9
Updated perl packages have been released for both Debian GNU/Linux 8 and 9 to address a directory traversal flaw in the Archive::Tar module
Ondřej Surý has finally released PHP 7.2.6 and 7.1.18 packages for both Debian GNU/Linux 8 and 9
Updated OpenJDK 7 packages have been released for Debian GNU/Linux 8 to address several vulnerabilities including denial of service, sandbox bypass, execution of arbitrary code and bypass of JAR signature validation
Devuan GNU+Linux 2.0 ASCII Stable, a systemd-free fork of Debian GNU/Linux 9, has been released
The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8:
DSA 4224-1: gnupg security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
Debian GNU/Linux 8 and 9:
DSA 4220-1: firefox-esr security update
Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.
DSA 4221-1: libvncserver security update
Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.
DSA 4222-1: gnupg2 security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
Debian GNU/Linux 9:
DSA 4223-1: gnupg1 security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
Updated jruby packages have been released for Debian GNU/Linux 9 to address several vulnerabilities. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.
Updated memcached packages have been released for both Debian GNU/Linux 8 and 9
This update fixes three security issues in memcached: 1) Daniel Shapira reported a heap-based buffer over-read in memcached (CVE-2017-9951). 2) It was reported that memcached listens on UDP by default. A remote attacker can take advantage of this to use the memcached service as a DDoS amplifier (CVE-2018-1000115). 3) An integer overflow was reported in memcached, resulting in resource leaks, data corruption, deadlocks or crashes (CVE-2018-1000127).
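The second issue is a configuration exposure rather than a memory bug, so it is worth checking on every host, patched or not: a memcached that binds UDP on a non-loopback address answers small requests with large replies and can be pointed at third parties. The checker below is an added example, not code from the Debian update or from memcached; it reads a Debian-style /etc/memcached.conf (one daemon option per line) and reports whether the UDP socket is reachable from other hosts. It assumes a memcached build older than 1.5.6, where a missing -U means UDP is enabled on port 11211, and it assumes a missing -l means memcached binds every interface; both configuration texts are constructed for the example.

```python
"""Added example (not from the Debian memcached update or memcached itself):
check a Debian-style /etc/memcached.conf for the UDP exposure behind
CVE-2018-1000115. The two configuration texts below are constructed."""
import ipaddress
import re

# Debian's memcached.conf holds one daemon option per line, e.g. "-U 0", "-l 127.0.0.1".
OPTION_RE = re.compile(r"^\s*(-[A-Za-z])\s*(\S*)")

# Assumption: the build predates memcached 1.5.6, so a missing -U means UDP is
# enabled on port 11211 (the default that made unpatched hosts usable as amplifiers).
LEGACY_DEFAULT_UDP_PORT = 11211


def parse_options(conf_text: str) -> dict:
    """Map single-letter daemon options to their last value; comments, blanks and
    non-option lines (such as 'logfile ...') are skipped."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def udp_exposure(conf_text: str) -> dict:
    """Report the UDP port memcached will bind, the listen address(es), and whether
    a remote host could reach that UDP socket (the amplifier condition)."""
    opts = parse_options(conf_text)
    udp_port = int(opts["-U"]) if opts.get("-U") else LEGACY_DEFAULT_UDP_PORT
    bind = opts.get("-l", "0.0.0.0")  # assumption: no -l means every interface
    try:
        loopback_only = all(
            ipaddress.ip_address(a.strip()).is_loopback for a in bind.split(",")
        )
    except ValueError:
        loopback_only = False  # hostnames: assume reachable rather than guess
    return {"udp_port": udp_port, "bind": bind, "exposed": udp_port != 0 and not loopback_only}


# Constructed: the weak configuration, UDP left at its old default and bound everywhere.
WEAK_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

# Constructed: the corrected configuration, UDP disabled and TCP kept on loopback.
FIXED_CONF = """\
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-U 0
-u memcache
-l 127.0.0.1
"""

if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    report = udp_exposure(conf)
    print("UDP port %(udp_port)s on %(bind)s, exposed: %(exposed)s" % report)
```

Binding only to loopback removes the amplifier without disabling UDP, which is why the check treats `-l 127.0.0.1` alone as safe; `-U 0` is still the setting to prefer unless a client actually uses the UDP protocol. Confirm the running daemon agrees with the file with `ss -ulnp | grep 11211`.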
The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 8 and 9:
DSA 4217-1: wireshark security update
It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for PCP, ADB, NBAP, UMTS MAC, IEEE 802.11, SIGCOMP, LDSS, GSM A DTAP and Q.931, which result in denial of service or the execution of arbitrary code.
Debian GNU/Linux 9:
DSA 4191-2: redmine regression update
The previous security update for redmine caused regressions with multi-value fields while doing queries on project issues due to a bug in the patch to address CVE-2017-15569. Updated packages are now available to correct this issue.
Updated prosody packages have been released for Debian GNU/Linux 8 and 9
Updated batik packages have been released for Debian GNU/Linux 8 and 9
Updated Zookeeper packages have been released for both Debian GNU/Linux 8 and 9
An updated Linux kernel has been released for Debian 7 LTS:
DLA 1392-1: linux security update
Debian 7 LTS has reached its end of life. However, a subset of packages will still be supported as part of Extended LTS support:
DLA 1393-1: Debian 7 Long Term Support reaching end-of-life
The following updates have been released for Debian GNU/Linux 7 LTS:
DLA 1390-1: procps security update
DLA 1391-1: tiff security update