
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1890-1: kde4libs security update
DLA 1891-1: openldap security update

Debian GNU/Linux 9:
DSA 4503-1: golang-1.11 security update



DLA 1890-1: kde4libs security update

Package : kde4libs
Version : 4:4.14.2-5+deb8u3
CVE ID : CVE-2019-14744
Debian Bug : 934268

Dominik Penner discovered a flaw in how KConfig interpreted shell
commands in desktop files and other configuration files. An attacker may
trick users into installing specially crafted files which could then be
used to execute arbitrary code, e.g. a file manager trying to find out
the icon for a file or any application using KConfig. Thus the entire
feature of supporting shell commands in KConfig entries has been
removed.

For Debian 8 "Jessie", this problem has been fixed in version
4:4.14.2-5+deb8u3.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1891-1: openldap security update

Package : openldap
Version : 2.4.40+dfsg-1+deb8u5
CVE ID : CVE-2019-13057 CVE-2019-13565
Debian Bug : 932997 932998

Several security vulnerabilities were discovered in openldap, a server
and tools to provide a standalone directory service.

CVE-2019-13057

When the server administrator delegates rootDN (database admin)
privileges for certain databases but wants to maintain isolation
(e.g., for multi-tenant deployments), slapd does not properly stop a
rootDN from requesting authorization as an identity from another
database during a SASL bind or with a proxyAuthz (RFC 4370) control.
(It is not a common configuration to deploy a system where the
server administrator and a DB administrator enjoy different levels
of trust.)

CVE-2019-13565

When using SASL authentication and session encryption, and relying
on the SASL security layers in slapd access controls, it is possible
to obtain access that would otherwise be denied via a simple bind
for any identity covered in those ACLs. After the first SASL bind is
completed, the sasl_ssf value is retained for all new non-SASL
connections. Depending on the ACL configuration, this can affect
different types of operations (searches, modifications, etc.). In
other words, a successful authorization step completed by one user
affects the authorization requirement for a different user.
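The retained-state problem described for CVE-2019-13565 can be replayed in a small constructed model (added here; this is not OpenLDAP source and simplifies how slapd actually tracks connection state): a SASL bind by one user leaves a security-strength factor behind that a later simple bind on a fresh connection inherits, so an ACL written as "by sasl_ssf=128 write" grants access it should deny. The fixed variant keeps the value strictly per connection.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the CVE-2019-13565 failure mode, not slapd code. */

enum bind_method { BIND_SIMPLE, BIND_SASL };

struct conn {
    const char *dn;   /* identity authenticated by the bind */
    int sasl_ssf;     /* strength of the SASL security layer, 0 if none */
};

/* Vulnerable: the SASL ssf lives in state shared across connections and
 * is only written by SASL binds, so it survives into later simple binds. */
static int g_last_sasl_ssf = 0;

void bind_vulnerable(struct conn *c, enum bind_method m, const char *dn, int ssf) {
    c->dn = dn;
    if (m == BIND_SASL) g_last_sasl_ssf = ssf;
    c->sasl_ssf = g_last_sasl_ssf;   /* a simple bind inherits someone else's ssf */
}

/* Fixed: the ssf is per connection and reset on every bind. */
void bind_fixed(struct conn *c, enum bind_method m, const char *dn, int ssf) {
    c->dn = dn;
    c->sasl_ssf = (m == BIND_SASL) ? ssf : 0;
}

/* ACL modelled on: access to <secrets> by sasl_ssf=128 write by * none */
bool acl_allows_write(const struct conn *c) {
    return c->sasl_ssf >= 128;
}

/* Replays the advisory's scenario: alice completes a SASL bind with a
 * 128-bit layer, then bob does a simple bind on a new connection.
 * Returns whether bob is granted write access. */
bool replay(void (*bind)(struct conn *, enum bind_method, const char *, int)) {
    struct conn alice = {0}, bob = {0};
    bind(&alice, BIND_SASL, "uid=alice,dc=example,dc=com", 128);
    bind(&bob, BIND_SIMPLE, "uid=bob,dc=example,dc=com", 0);
    return acl_allows_write(&bob);
}

int main(void) {
    printf("vulnerable: bob gets write = %d\n", replay(bind_vulnerable)); /* 1 */
    printf("fixed:      bob gets write = %d\n", replay(bind_fixed));      /* 0 */
    return 0;
}
```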

For Debian 8 "Jessie", these problems have been fixed in version
2.4.40+dfsg-1+deb8u5.

We recommend that you upgrade your openldap packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4503-1: golang-1.11 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4503-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 18, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : golang-1.11
CVE ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-14809

Three vulnerabilities have been discovered in the Go programming language:
"net/url" accepted some invalid hosts in URLs, which could result in
authorisation bypass in some applications, and the HTTP/2 implementation
was susceptible to denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1.11.6-1+deb10u1.

We recommend that you upgrade your golang-1.11 packages.

For the detailed security status of golang-1.11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-1.11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/