Debian 9858 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8:
DSA 4224-1: gnupg security update
Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Debian GNU/Linux 8 and 9:
DSA 4220-1: firefox-esr security update
Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.

DSA 4221-1: libvncserver security update
Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.

DSA 4222-1: gnupg2 security update
Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Debian GNU/Linux 9:
DSA 4223-1: gnupg1 security update
Marcus Brinkmann discovered that GnuGPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.



DSA 4220-1: firefox-esr security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4220-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library
used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 52.8.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4221-1: libvncserver security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4221-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvncserver
CVE ID : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB
packets in LibVNCServer could result in the disclosure of memory
contents.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.11+dfsg-1+deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4222-1: gnupg2 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gnupg2
CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4223-1: gnupg1 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gnupg1
CVE ID : CVE-2018-12020
Debian Bug : 901088

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in
version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4224-1: gnupg security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : gnupg
CVE ID : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/