Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-98-1 openjdk-7 security update
ELA-99-1 libssh2 security update

Debian GNU/Linux 8 LTS:
DLA 1731-1: linux security update
DLA 1732-1: openjdk-7 security update



ELA-98-1 openjdk-7 security update

Package: openjdk-7
Version: 7u211-2.6.17-1~deb7u1
Related CVE: CVE-2019-2422
A memory disclosure vulnerability was discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in information disclosure or bypass of sandbox restrictions.

For Debian 7 Wheezy, these problems have been fixed in version 7u211-2.6.17-1~deb7u1.

We recommend that you upgrade your openjdk-7 packages.

ELA-99-1 libssh2 security update

Package: libssh2
Version: 1.4.2-1.1+deb7u3
Related CVE: CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863
Several vulnerabilities have recently been discovered in libssh2, a client-side C library implementing the SSH2 protocol

CVE-2019-3855: An integer overflow flaw which could have lead to an out of bounds write was discovered in libssh2 in the way packets were read from the server. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3856: An integer overflow flaw, which could have lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests were parsed. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3857: An integer overflow flaw which could have lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal were parsed. A remote attacker who compromises an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3858: An out of bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet was received from the server. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3859: An out of bounds read flaw was discovered in libssh2’s _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromised an SSH server could have be able to cause a Denial of Service or read data in the client memory.

CVE-2019-3860: An out of bounds read flaw was discovered in libssh2 in the way SFTP packets with empty payloads were parsed. A remote attacker who compromised an SSH server could have be able to cause a Denial of Service or read data in the client memory.

CVE-2019-3861: An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length were parsed. A remote attacker who compromised a SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3862: An out of bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload were parsed. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3863: A server could have sent multiple keyboard interactive response messages whose total length were greater than unsigned char max characters. This value was used as an index to copy memory causing an out of bounds memory write error.

For Debian 7 Wheezy, these problems have been fixed in version 1.4.2-1.1+deb7u3.

We recommend that you upgrade your libssh2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1731-1: linux security update

Package : linux
Version : 3.16.64-1
CVE ID : CVE-2016-10741 CVE-2017-5753 CVE-2017-13305 CVE-2018-3639
CVE-2018-5848 CVE-2018-5953 CVE-2018-12896 CVE-2018-13053
CVE-2018-16862 CVE-2018-16884 CVE-2018-17972 CVE-2018-18281
CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-19985
CVE-2018-20169 CVE-2018-20511 CVE-2019-3701 CVE-2019-3819
CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10741

A race condition was discovered in XFS that would result in a
crash (BUG). A local user permitted to write to an XFS volume
could use this for denial of service.

CVE-2017-5753

Further instances of code that was vulnerable to Spectre variant 1
(bounds-check bypass) have been mitigated.

CVE-2017-13305

A memory over-read was discovered in the keys subsystem's
encrypted key type. A local user could use this for denial of
service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

Multiple researchers have discovered that Speculative Store Bypass
(SSB), a feature implemented in many processors, could be used to
read sensitive information from another context. In particular,
code in a software sandbox may be able to read sensitive
information from outside the sandbox. This issue is also known as
Spectre variant 4.

This update fixes bugs in the mitigations for SSB for AMD
processors.

CVE-2018-5848

The wil6210 wifi driver did not properly validate lengths in scan
and connection requests, leading to a possible buffer overflow.
On systems using this driver, a local user with the CAP_NET_ADMIN
capability could use this for denial of service (memory corruption
or crash) or potentially for privilege escalation.

CVE-2018-5953

The swiotlb subsystem printed kernel memory addresses to the
system log, which could help a local attacker to exploit other
vulnerabilities.

CVE-2018-12896, CVE-2018-13053

Team OWL337 reported possible integer overflows in the POSIX
timer implementation. These might have some security impact.

CVE-2018-16862

Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
discovered that the cleancache memory management feature did not
invalidate cached data for deleted files. On Xen guests using the
tmem driver, local users could potentially read data from other
users' deleted files if they were able to create new files on the
same volume.

CVE-2018-16884

A flaw was found in the NFS 4.1 client implementation. Mounting
NFS shares in multiple network namespaces at the same time could
lead to a user-after-free. Local users might be able to use this
for denial of service (memory corruption or crash) or possibly
for privilege escalation.

This can be mitigated by disabling unprivileged users from
creating user namespaces, which is the default in Debian.

CVE-2018-17972

Jann Horn reported that the /proc/*/stack files in procfs leaked
sensitive data from the kernel. These files are now only readable
by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

Jann Horn reported a race condition in the virtual memory manager
that can result in a process briefly having access to memory after
it is freed and reallocated. A local user permitted to create
containers could possibly exploit this for denial of service
(memory corruption) or for privilege escalation.

CVE-2018-18690

Kanda Motohiro reported that XFS did not correctly handle some
xattr (extended attribute) writes that require changing the disk
format of the xattr. A user with access to an XFS volume could use
this for denial of service.

CVE-2018-18710

It was discovered that the cdrom driver does not correctly
validate the parameter to the CDROM_SELECT_DISC ioctl. A user with
access to a cdrom device could use this to read sensitive
information from the kernel or to cause a denial of service
(crash).

CVE-2018-19824

Hui Peng and Mathias Payer discovered a use-after-free bug in the
USB audio driver. A physically present attacker able to attach a
specially designed USB device could use this for privilege
escalation.

CVE-2018-19985

Hui Peng and Mathias Payer discovered a missing bounds check in the
hso USB serial driver. A physically present user able to attach a
specially designed USB device could use this to read sensitive
information from the kernel or to cause a denial of service
(crash).

CVE-2018-20169

Hui Peng and Mathias Payer discovered missing bounds checks in the
USB core. A physically present attacker able to attach a specially
designed USB device could use this to cause a denial of service
(crash) or possibly for privilege escalation.

CVE-2018-20511

InfoSect reported an information leak in the AppleTalk IP/DDP
implemntation. A local user with CAP_NET_ADMIN capability could
use this to read sensitive information from the kernel.

CVE-2019-3701

Muyu Yu and Marcus Meissner reported that the CAN gateway
implementation allowed the frame length to be modified, typically
resulting in out-of-bounds memory-mapped I/O writes. On a system
with CAN devices present, a local user with CAP_NET_ADMIN
capability in the initial net namespace could use this to cause a
crash (oops) or other hardware-dependent impact.

CVE-2019-3819

A potential infinite loop was discovered in the HID debugfs
interface exposed under /sys/kernel/debug/hid. A user with access
to these files could use this for denial of service.

This interface is only accessible to root by default, which fully
mitigates the issue.

CVE-2019-6974

Jann Horn reported a use-after-free bug in KVM. A local user
with access to /dev/kvm could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2019-7221

Jim Mattson and Felix Wilhelm reported a user-after-free bug in
KVM's nested VMX implementation. On systems with Intel CPUs, a
local user with access to /dev/kvm could use this to cause a
denial of service (memory corruption or crash) or possibly for
privilege escalation.

Nested VMX is disabled by default, which fully mitigates the
issue.

CVE-2019-7222

Felix Wilhelm reported an information leak in KVM for x86.
A local user with access to /dev/kvm could use this to read
sensitive information from the kernel.

CVE-2019-9213

Jann Horn reported that privileged tasks could cause stack
segments, including those in other processes, to grow downward to
address 0. On systems lacking SMAP (x86) or PAN (ARM), this
exacerbated other vulnerabilities: a null pointer dereference
could be exploited for privilege escalation rather than only for
denial of service.

For Debian 8 "Jessie", these problems have been fixed in version
3.16.64-1.

We recommend that you upgrade your linux packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams



DLA 1732-1: openjdk-7 security update




Package : openjdk-7
Version : 7u211-2.6.17-1~deb8u1
CVE ID : CVE-2019-2422

A memory disclosure vulnerability was discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in information
disclosure or bypass of sandbox restrictions.

For Debian 8 "Jessie", this problem has been fixed in version
7u211-2.6.17-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS