
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1702-1: advancecomp security update

Debian GNU/Linux 9:
DSA 4387-2: openssh security update


DLA 1702-1: advancecomp security update

Package : advancecomp
Version : 1.19-1+deb8u1
CVE ID : CVE-2018-1056 CVE-2019-9210
Debian Bug : 889270 923416

Several vulnerabilities were discovered in advancecomp, a collection
of recompression utilities.

CVE-2018-1056

Joonun Jang discovered that the advzip tool was prone to a
heap-based buffer overflow. This might allow an attacker to cause a
denial-of-service (application crash) or other unspecified impact
via a crafted file.

CVE-2019-9210

The png_compress function in pngex.cc in advpng has an integer
overflow upon encountering an invalid PNG size, which results in
another heap-based buffer overflow.
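The integer-overflow-to-heap-overflow pattern described for CVE-2019-9210 (an untrusted image size feeding a buffer allocation) is shown below in an added example that is not advancecomp's code. It contrasts a naive 32-bit size computation with one that does the arithmetic in a wide type, rejects wrap-around, and caps the result at a hypothetical byte budget (MAX_IMAGE_BYTES is an assumption, not a value from the advisory or the package).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical allocation budget for a decoded image; advancecomp's own limits
 * are not given on the page. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* The unsafe pattern: width, height and bytes-per-pixel come straight from the
 * file and are multiplied in 32 bits. A crafted header makes the product wrap,
 * so a tiny buffer is allocated and later filled with far more scanline data. */
uint32_t naive_png_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    uint32_t line = width * bytes_per_pixel + 1;   /* +1 for the PNG filter byte */
    return line * height;                           /* may silently wrap */
}

/* The hardened form: compute in 64 bits, detect wrap-around portably (no
 * compiler builtins), and refuse anything above the budget. Returns 1 and
 * stores the size on success, 0 on rejection (caller must not allocate). */
int checked_png_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                     size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || bytes_per_pixel > 16)
        return 0;

    uint64_t line = (uint64_t)width * bytes_per_pixel + 1;

    /* Portable overflow check: a * b overflows uint64_t iff b > UINT64_MAX / a. */
    if (height > UINT64_MAX / line)
        return 0;
    uint64_t total = line * height;

    if (total > MAX_IMAGE_BYTES || total > SIZE_MAX)
        return 0;

    *out = (size_t)total;
    return 1;
}

int main(void)
{
    size_t sz;
    /* Constructed header values: a 640x480 RGB image is accepted... */
    printf("640x480x3 -> ok=%d size=%zu\n", checked_png_size(640, 480, 3, &sz), sz);
    /* ...while a width of 2^31 with height 2 wraps to a 2-byte buffer in the
     * naive version and is rejected by the checked one. */
    printf("naive wrapped size: %u\n", naive_png_size(0x80000000u, 2, 1));
    printf("checked: ok=%d\n", checked_png_size(0x80000000u, 2, 1, &sz));
    return 0;
}
```

The check is deliberately a pure function of the header values, so it can be unit-tested with the wrapping inputs a fuzzer would find before any allocation code is touched.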

For Debian 8 "Jessie", these problems have been fixed in version
1.19-1+deb8u1.

We recommend that you upgrade your advancecomp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4387-2: openssh security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4387-2 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
March 02, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2019-6111
Debian Bug : 923486

It was found that a security update (DSA-4387-1) of OpenSSH, an implementation
of the SSH protocol suite, was incomplete. This update did not completely fix
CVE-2019-6111, an arbitrary file overwrite vulnerability in the scp client
implementing the SCP protocol.
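The defence that closes the class of bug behind CVE-2019-6111 is for the scp client to validate every filename the server announces before writing into the destination directory: it must be a bare name (no directory component, not "." or "..") and must match what the client actually asked for. The function below is an added illustration of that check and is not OpenSSH's code; the helper name scp_name_acceptable and the "requested pattern" argument are assumptions about how such a check would be plumbed in.

```c
#include <fnmatch.h>
#include <string.h>
#include <stdio.h>

/* Decide whether a filename announced by the remote side of an SCP transfer may
 * be written into the local destination directory.
 *   requested: the pattern the client asked for, e.g. "*.txt" or "report.pdf"
 *   received:  the name from the server's "C<mode> <size> <name>" record
 * Returns 1 if the name may be used, 0 if the transfer must be refused. */
int scp_name_acceptable(const char *requested, const char *received)
{
    if (requested == NULL || received == NULL || received[0] == '\0')
        return 0;

    /* No directory component: a name with '/' could escape the target dir. */
    if (strchr(received, '/') != NULL)
        return 0;

    /* "." and ".." are never legitimate file names to create. */
    if (strcmp(received, ".") == 0 || strcmp(received, "..") == 0)
        return 0;

    /* The server may only hand back names that match the client's request;
     * POSIX fnmatch(3) does the glob comparison. */
    if (fnmatch(requested, received, 0) != 0)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed server responses to a request for "*.txt". */
    const char *names[] = { "notes.txt", ".bash_aliases", "../notes.txt", "sub/notes.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               scp_name_acceptable("*.txt", names[i]) ? "accept" : "reject");
    return 0;
}
```

A client that applies this check will still complete normal transfers but will refuse the case the advisory describes, a server returning a name other than the one requested in order to overwrite an unrelated file in the destination directory.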

For the stable distribution (stretch), this problem has been fixed in
version 1:7.4p1-10+deb9u6.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/