
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-149-1: freetype security update

Debian GNU/Linux 8 LTS:
DLA 1866-1: glib2.0 security update
DLA 1867-1: wpa security update

Debian GNU/Linux 9:
DSA 4490-1: subversion security update



ELA-149-1: freetype security update

Package: freetype
Version: 2.4.9-1.1+deb7u8
Related CVE: CVE-2015-9290

In FreeType, a buffer over-read occurred in type1/t1parse.c in the function T1_Get_Private_Dict. The fix ensures that ‘cur’ in the parser code doesn’t point to the end of the file buffer.

For Debian 7 Wheezy, these problems have been fixed in version 2.4.9-1.1+deb7u8.

We recommend that you upgrade your freetype packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1866-1: glib2.0 security update

Package : glib2.0
Version : 2.42.1-1+deb8u2
CVE ID : CVE-2018-16428 CVE-2018-16429 CVE-2019-13012
Debian Bug : 931234


Various minor issues have been addressed in the GLib library. GLib is a
useful general-purpose C library used by projects such as GTK+, GIMP,
and GNOME.

CVE-2018-16428

In GNOME GLib, g_markup_parse_context_end_parse() in gmarkup.c
had a NULL pointer dereference.

CVE-2018-16429

GNOME GLib had an out-of-bounds read vulnerability in
g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().

CVE-2019-13012

The keyfile settings backend in GNOME GLib (aka glib2.0) before
created directories using g_file_make_directory_with_parents
(kfsb->dir, NULL, NULL) and files using g_file_replace_contents
(kfsb->file, contents, length, NULL, FALSE,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently,
it did not properly restrict directory (and file) permissions.
Instead, for directories, 0777 permissions were used; for files,
default file permissions were used. This issue is similar to
CVE-2019-12450.
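The permission problem described for CVE-2019-13012 comes down to how the directory and file are created. The following is an added example (plain POSIX C, not GLib's own keyfile backend code): it creates one directory the pre-fix way, with mode 0777 and whatever the process umask leaves, and one settings directory and file with explicit 0700/0600 modes, then audits both. The scratch path under /tmp and the umask of 022 are assumptions for the demonstration.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Audit check: true when no group or other permission bit is set on path. */
bool is_private(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Hardened pattern: explicit 0700 directory and 0600 file, followed by
 * chmod/fchmod so the outcome does not depend on the process umask. */
bool create_private_settings(const char *dir, const char *file, const char *contents)
{
    if (mkdir(dir, 0700) != 0 || chmod(dir, 0700) != 0)
        return false;
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return false;
    size_t len = strlen(contents);
    bool ok = write(fd, contents, len) == (ssize_t)len && fchmod(fd, 0600) == 0;
    close(fd);
    return ok;
}

/* Side by side under an assumed umask of 022: the pre-fix 0777 directory ends
 * up world-readable (0755) while the hardened one stays private. */
bool demo_keyfile_permissions(void)
{
    char base[] = "/tmp/keyfile-demo-XXXXXX";       /* scratch dir, removed below */
    if (mkdtemp(base) == NULL)
        return false;
    char weak[128], priv[128], file[160];
    snprintf(weak, sizeof weak, "%s/weak", base);
    snprintf(priv, sizeof priv, "%s/private", base);
    snprintf(file, sizeof file, "%s/settings.ini", priv);
    umask(022);
    bool weak_private = mkdir(weak, 0777) == 0 && is_private(weak);  /* 0755: false */
    bool priv_private = create_private_settings(priv, file, "[demo]\nkey=1\n")
                        && is_private(priv) && is_private(file);     /* true */
    unlink(file); rmdir(priv); rmdir(weak); rmdir(base);
    return priv_private && !weak_private;
}
```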

For Debian 8 "Jessie", these problems have been fixed in version
2.42.1-1+deb8u2.

We recommend that you upgrade your glib2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1867-1: wpa security update

Package : wpa
Version : 2.3-1+deb8u8
CVE ID : CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499
CVE-2019-11555
Debian Bug : 927463


Several vulnerabilities were discovered in WPA supplicant / hostapd. Some
of them could only partially be mitigated; please read below for details.

CVE-2019-9495

Cache-based side-channel attack against the EAP-pwd implementation:
an attacker able to run unprivileged code on the target machine
(including for example javascript code in a browser on a smartphone)
during the handshake could deduce enough information to discover the
password in a dictionary attack.

This issue has been only very partially mitigated, by reducing
measurable timing differences during private key operations. More
work is required to fully mitigate this vulnerability.

CVE-2019-9497

Reflection attack against the EAP-pwd server implementation: a lack of
validation of the received scalar and element values in the
EAP-pwd-Commit messages could have resulted in attacks that would
have been able to complete the EAP-pwd authentication exchange without
the attacker having to know the password. This did not result in the
attacker being able to derive the session key, complete the following
key exchange and access the network.

CVE-2019-9498

EAP-pwd server missing commit validation for scalar/element: hostapd
didn't validate values received in the EAP-pwd-Commit message, so an
attacker could have used a specially crafted commit message to
manipulate the exchange in order for hostapd to derive a session key
from a limited set of possible values. This could have resulted in an
attacker being able to complete authentication and gain access to the
network.

This issue could only partially be mitigated.

CVE-2019-9499

EAP-pwd peer missing commit validation for scalar/element:
wpa_supplicant didn't validate values received in the EAP-pwd-Commit
message, so an attacker could have used a specially crafted commit
message to manipulate the exchange in order for wpa_supplicant to
derive a session key from a limited set of possible values. This
could have resulted in an attacker being able to complete
authentication and operate as a rogue AP.

This issue could only partially be mitigated.
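CVE-2019-9497, CVE-2019-9498 and CVE-2019-9499 all stem from an EAP-pwd-Commit (scalar, Element) pair being fed into key derivation without validation. The following is an added example, not hostapd or wpa_supplicant code, of the receiver-side checks: the scalar must lie in [1, q-1] and the Element must be a properly reduced, non-identity point on the curve. It uses a constructed toy curve over F_97 (generator (3,6) of order q = 5) so the logic runs without a bignum library; real EAP-pwd uses NIST P-256.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy curve y^2 = x^3 + a*x + b over F_p; the generator (3,6)
 * has prime order q = 5. Real EAP-pwd uses NIST P-256 with 256-bit values. */
#define TOY_P 97u
#define TOY_A 2u
#define TOY_B 3u
#define TOY_Q 5u

typedef struct {
    uint32_t x, y;
    bool infinity;          /* true for the identity element O */
} ec_point;

typedef enum {
    COMMIT_OK = 0,
    COMMIT_BAD_SCALAR,      /* scalar outside [1, q-1] */
    COMMIT_IDENTITY,        /* element is the point at infinity */
    COMMIT_BAD_COORD,       /* coordinate not reduced modulo p */
    COMMIT_NOT_ON_CURVE     /* (x, y) does not satisfy the curve equation */
} commit_status;

static bool on_curve(uint32_t x, uint32_t y)
{
    uint64_t lhs = ((uint64_t)y * y) % TOY_P;
    uint64_t rhs = ((uint64_t)x * x % TOY_P * x + (uint64_t)TOY_A * x + TOY_B) % TOY_P;
    return lhs == rhs;
}

/* Validate one EAP-pwd-Commit payload before it reaches key derivation.
 * Rejecting out-of-range scalars and degenerate elements is what stops a
 * peer from steering the shared secret into a small, predictable set. */
commit_status validate_commit(uint32_t scalar, const ec_point *element)
{
    if (scalar == 0 || scalar >= TOY_Q)
        return COMMIT_BAD_SCALAR;
    if (element->infinity)
        return COMMIT_IDENTITY;
    if (element->x >= TOY_P || element->y >= TOY_P)
        return COMMIT_BAD_COORD;
    if (!on_curve(element->x, element->y))
        return COMMIT_NOT_ON_CURVE;
    return COMMIT_OK;
}
```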

CVE-2019-11555

The EAP-pwd implementation didn't properly validate fragmentation
reassembly state when receiving an unexpected fragment. This could
have led to a process crash due to a NULL pointer dereference.

An attacker in radio range of a station or access point with EAP-pwd
support could cause a crash of the relevant process (wpa_supplicant
or hostapd), resulting in a denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
2.3-1+deb8u8.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4490-1: subversion security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-4490-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 01, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : subversion
CVE ID : CVE-2018-11782 CVE-2019-0203

Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2018-11782

Ace Olszowka reported that Subversion's svnserve server process
may exit when a well-formed read-only request produces a particular
answer, leading to a denial of service.

CVE-2019-0203

Tomas Bortoli reported that Subversion's svnserve server process
may exit when a client sends certain sequences of protocol commands.
If the server is configured with anonymous access enabled, this could
lead to a remote unauthenticated denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.9.5-1+deb9u4.

For the stable distribution (buster), these problems have been fixed in
version 1.10.4-1+deb10u1.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/subversion

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/