Debian 9858 Published by

The following updates have been released for Debian GNU/Linux 7 Extended LTS:

ELA-37-2 openssh regression update
ELA-37-3 openssh security update
ELA-39-1 intel-microcode security update
ELA-40-1 lcms2 security update
ELA-41-1 lcms security update



ELA-37-2 openssh regression update

Package: openssh
Version: 1:6.0p1-4+deb7u9

It was discovered that the recent openssh update issued as ELA-37-1 caused a regression: public key authentication failed because a NULL pointer was passed as an argument. This could prevent users from logging into a system. This update reverts to the previous state until more information is available.

For Debian 7 Wheezy, these problems have been fixed in version 1:6.0p1-4+deb7u9.

We recommend that you upgrade your openssh packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-37-3 openssh security update

Package: openssh
Version: 1:6.0p1-4+deb7u10
Related CVE: CVE-2018-15473

This update properly implements the fix for the issue first identified in ELA-37-1. The initial update package, version 1:6.0p1-4+deb7u8, is broken and the subsequent package, version 1:6.0p1-4+deb7u9, reverts the incorrect patch and so is vulnerable (as described in ELA-37-2). The package version referenced in this advisory contains the complete and correct fix for CVE-2018-15473.

The original advisory text follows:

It was discovered that there was a user enumeration vulnerability in OpenSSH. A remote attacker could test whether a certain user exists on a target server.

For Debian 7 Wheezy, these problems have been fixed in version 1:6.0p1-4+deb7u10.

We recommend that you upgrade your openssh packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-39-1 intel-microcode security update

Package: intel-microcode
Version: 3.20180807a.1~deb7u1
Related CVE: CVE-2018-3615 CVE-2018-3620 CVE-2018-3646 CVE-2018-3639 CVE-2018-3640 CVE-2017-5715

Security researchers identified speculative execution side-channel methods which have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems.

In order to fix those issues an update to the intel-microcode package is required, which is non-free. It is related to ELA-18-1 and adds more mitigations for additional types of Intel processors.

For more information please also read the official Intel security advisories at:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00088.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

For Debian 7 Wheezy, these problems have been fixed in version 3.20180807a.1~deb7u1.

We recommend that you upgrade your intel-microcode packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-40-1 lcms2 security update

Package: lcms2
Version: 2.2+git20110628-2.2+deb7u3
Related CVE: CVE-2018-16435

Little CMS (aka Little Color Management System) has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

For Debian 7 Wheezy, these problems have been fixed in version 2.2+git20110628-2.2+deb7u3.

We recommend that you upgrade your lcms2 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-41-1 lcms security update

Package: lcms
Version: 1.19.dfsg2-1.2+deb7u2
Related CVE: CVE-2018-16435

Little CMS (aka Little Color Management System) has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

For Debian 7 Wheezy, these problems have been fixed in version 1.19.dfsg2-1.2+deb7u2.

We recommend that you upgrade your lcms packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/