
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-117-1 apache2 security update

Debian GNU/Linux 8 LTS:
DLA 1787-1: linux-4.9 security update
DLA 1788-1: samba security update
DLA 1789-1: intel-microcode security update

Debian GNU/Linux 9:
DSA 4447-1: intel-microcode security update



ELA-117-1 apache2 security update

Package: apache2
Version: 2.2.22-13+deb7u14
Related CVE: CVE-2019-0217 CVE-2019-0220

CVE-2019-0217

Simon Kappel discovered a race condition in mod_auth_digest when running in
a threaded server which could allow a user with valid credentials to
authenticate using another username, bypassing configured access control
restrictions.

CVE-2019-0220

Bernhard Lorenz of Alpha Strike Labs GmbH discovered an httpd URL
normalization inconsistency: when the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as
LocationMatch and RewriteRule must account for the duplicates in their
regular expressions, while other aspects of the server's processing
implicitly collapse them.
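The inconsistency behind CVE-2019-0220 is easiest to see with a small model. The following is an added example, not code from Debian or the Apache project: it models the behaviour the advisory describes (pattern directives see the request path as received, the serving side collapses repeated slashes), and uses it to audit a LocationMatch-style regex against constructed sample paths, contrasting a pattern that assumes single slashes with one that accounts for duplicates.

```python
import re

# Added example, not Debian or Apache code. Models the CVE-2019-0220
# inconsistency: regex directives (LocationMatch, RewriteRule) are applied
# to the raw request path, while other server processing collapses runs of
# '/' before use. A protected location must therefore be guarded by a regex
# that tolerates duplicated slashes.


def collapse_slashes(path: str) -> str:
    """Collapse consecutive slashes as the serving side is modelled to do."""
    return re.sub(r"/{2,}", "/", path)


def guarded_by(pattern: str, raw_path: str) -> bool:
    """Does a LocationMatch-style regex, applied to the raw path, match it?"""
    return re.search(pattern, raw_path) is not None


def find_bypasses(pattern: str, protected_prefix: str, paths):
    """Return the paths that the collapsed view places under protected_prefix
    but that the raw-path regex does not guard: each one is a request the
    access-control directive misses while the server still serves it from
    the protected location."""
    return [
        p for p in paths
        if collapse_slashes(p).startswith(protected_prefix)
        and not guarded_by(pattern, p)
    ]


# Constructed sample request paths (not taken from the advisory).
SAMPLE_PATHS = [
    "/admin/",
    "/admin/users",
    "//admin/",
    "/admin//users",
    "///admin//users",
    "/public/",
    "/admins/x",
]

# A pattern that assumes every '/' appears exactly once.
WEAK_PATTERN = r"^/admin/"
# The same intent, written to account for duplicated slashes.
HARDENED_PATTERN = r"^/+admin/+"


if __name__ == "__main__":
    for name, pattern in (("weak", WEAK_PATTERN), ("hardened", HARDENED_PATTERN)):
        missed = find_bypasses(pattern, "/admin/", SAMPLE_PATHS)
        print(f"{name:8s} {pattern!r}: unguarded paths under /admin/: {missed}")
```

Running the audit shows the weak pattern leaves the paths with a leading run of slashes unguarded even though they collapse to `/admin/...`, while the hardened pattern guards all of them; the same check can be run over the patterns in an existing configuration before and after rewriting them.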

For Debian 7 Wheezy, these problems have been fixed in version 2.2.22-13+deb7u14.

We recommend that you upgrade your apache2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1787-1: linux-4.9 security update

Package : linux-4.9
Version : 4.9.168-1+deb9u2~deb8u1
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug : 928125

Multiple researchers have discovered vulnerabilities in the way the
Intel processor designs have implemented speculative forwarding of data
filled into temporary microarchitectural structures (buffers). This
flaw could allow an attacker controlling an unprivileged process to
read sensitive information, including from the kernel and all other
processes running on the system or cross guest/host boundaries to read
host memory.

See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
for more details.

To fully resolve these vulnerabilities it is also necessary to install
updated CPU microcode. An updated intel-microcode package (only
available in Debian non-free) will be provided via a separate DLA. The
updated CPU microcode may also be available as part of a system firmware
("BIOS") update.

In addition, this update includes a fix for a regression causing
deadlocks inside the loopback driver, which was introduced by the update
to 4.9.168 in the last security update.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.168-1+deb9u2~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1788-1: samba security update

Package : samba
Version : 2:4.2.14+dfsg-0+deb8u13
CVE ID : CVE-2018-16860

Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos
extension used in Samba's Active Directory support was susceptible to
man-in-the-middle attacks caused by incomplete checksum validation.

For Debian 8 "Jessie", this problem has been fixed in version
2:4.2.14+dfsg-0+deb8u13.

We recommend that you upgrade your samba packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1789-1: intel-microcode security update

Package : intel-microcode
Version : 3.20190514.1~deb8u1
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Debian Bug : 929007

This update ships updated CPU microcode for most types of Intel CPUs. It
provides microcode support to implement mitigations for the MSBDS,
MFBDS, MLPDS and MDSUM hardware vulnerabilities.

To fully resolve these vulnerabilities it is also necessary to update
the Linux kernel packages. Please refer to DLA-1787-1 for the Linux
kernel updates required to mitigate these hardware vulnerabilities on
Intel processors.

For Debian 8 "Jessie", these problems have been fixed in version
3.20190514.1~deb8u1 of the intel-microcode package, and also by the
Linux kernel package updates described in DLA-1787-1.

We recommend that you upgrade your intel-microcode packages, and Linux
kernel packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

For the detailed security status of intel-microcode please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

DSA 4447-1: intel-microcode security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4447-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 15, 2019                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : intel-microcode
CVE ID : CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091

This update ships updated CPU microcode for most types of Intel CPUs. It
provides mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware
vulnerabilities.

To fully resolve these vulnerabilities it is also necessary to update
the Linux kernel packages as released in DSA 4444.
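DLA-1787-1, DLA-1789-1 and this advisory all make the same point: the MDS mitigation is only complete when both the updated kernel and the updated microcode are in place. The script below is an added example, not part of any of the Debian advisories, for verifying that on a host after the upgrade. It assumes the sysfs status file documented in the kernel's admin-guide/hw-vuln/mds.html (linked from DLA-1787-1) and the "microcode" field of /proc/cpuinfo; the status strings it classifies are the ones that document lists.

```shell
#!/bin/sh
# Added example (not part of the Debian advisories): check whether both halves
# of the MDS mitigation named in DLA-1787-1, DLA-1789-1 and DSA-4447-1 (kernel
# support plus updated microcode) are in effect on this host.
# Assumptions: the sysfs file below, as documented in the kernel's
# admin-guide/hw-vuln/mds.html, and the "microcode" field of /proc/cpuinfo.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Map one line of sysfs MDS status to a short verdict on stdout.
# "no-microcode" is the case these advisories warn about: the kernel tries
# to clear CPU buffers but the CPU lacks the microcode that makes it work.
classify_mds_status() {
    case "$1" in
        "Not affected"*)                                  echo not-affected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                                          echo no-microcode ;;
        "Vulnerable"*)                                    echo vulnerable ;;
        "Mitigation: Clear CPU buffers; SMT disabled"*)   echo ok ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable"*) echo ok-smt-vulnerable ;;
        "Mitigation: Clear CPU buffers"*)                 echo ok-smt-unknown ;;
        *)                                                echo unknown ;;
    esac
}

# Print the microcode revision of the first CPU listed in a cpuinfo-format
# file, or "none" when the field is absent.
microcode_revision_from() {
    rev=$(awk -F': *' '/^microcode/ { print $2; exit }' "$1")
    printf '%s\n' "${rev:-none}"
}

# Combine both checks. Prints a one-line summary and returns 0 only when the
# kernel mitigation is active with microcode present, or the CPU is unaffected.
mds_report() {
    status="$1"
    cpuinfo="$2"
    verdict=$(classify_mds_status "$status")
    rev=$(microcode_revision_from "$cpuinfo")
    printf 'mds: %s (sysfs: "%s", microcode revision: %s)\n' \
        "$verdict" "$status" "$rev"
    case "$verdict" in
        ok*|not-affected) return 0 ;;
        *)                return 1 ;;
    esac
}

# Report on the running host when the interfaces are present; skipped silently
# on systems (or kernels) that do not expose them.
if [ -r "$MDS_SYSFS" ] && [ -r /proc/cpuinfo ]; then
    mds_report "$(cat "$MDS_SYSFS")" /proc/cpuinfo || true
fi
```

Run it after rebooting into the new kernel; a verdict of "no-microcode" means the kernel side is in place but the intel-microcode update (or an equivalent firmware/"BIOS" update) has not taken effect, and "ok-smt-vulnerable" means the buffers are cleared but sibling hyperthreads remain a cross-thread exposure, which the linked kernel document discusses.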

For the stable distribution (stretch), these problems have been fixed in
version 3.20190514.1~deb9u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/