Debian 9859 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1556-1: paramiko security update
DLA 1557-1: tiff security update
DLA 1558-1: ruby2.1 security update

Debian GNU/Linux 9:
DSA 4321-2: graphicsmagick update
DSA 4329-1: teeworlds security update



DLA 1556-1: paramiko security update




Package : paramiko
Version : 1.15.1-1+deb8u1
CVE ID : CVE-2018-7750 CVE-2018-1000805


CVE-2018-1000805
Fix to prevent malicious clients to trick the Paramiko server into
thinking an unauthenticated client is authenticated.

CVE-2018-7750
Fix check whether authentication is completed before processing
other requests. A customized SSH client can simply skip the
authentication step.


For Debian 8 "Jessie", these problems have been fixed in version
1.15.1-1+deb8u1.

We recommend that you upgrade your paramiko packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1557-1: tiff security update




Package : tiff
Version : 4.0.3-12.3+deb8u7
CVE ID : CVE-2018-17100 CVE-2018-17101 CVE-2018-18557


CVE-2018-17100
An int32 overflow can cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted
image file

CVE-2018-17101
Out-of-bounds writes can cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted
image file

CVE-2018-18557
Out-of-bounds write due to ignoring buffer size can cause a denial
of service (application crash) or possibly have unspecified other
impact via a crafted image file


For Debian 8 "Jessie", these problems have been fixed in version
4.0.3-12.3+deb8u7.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1558-1: ruby2.1 security update




Package : ruby2.1
Version : 2.1.5-2+deb8u6
CVE ID : CVE-2018-16395 CVE-2018-16396


CVE-2018-16395
Fix for OpenSSL::X509::Name equality check.

CVE-2018-16396
Tainted flags are not propagated in Array#pack and String#unpack
with some directives.


For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u6.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4321-2: graphicsmagick update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4321-2 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : graphicsmagick

The update of Graphicsmagick in DSA-4321-1 introduced a change in the
handling of case-sensitivity in an internal API function which could
affect some code built against the GraphicsMagick libraries. This update
restores the previous behaviour.

For the stable distribution (stretch), these problems have been fixed in
version 1.3.30+hg15796-1~deb9u2.

We recommend that you upgrade your graphicsmagick packages.

For the detailed security status of graphicsmagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphicsmagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4329-1: teeworlds security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4329-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : teeworlds
CVE ID : CVE-2018-18541

It was discovered that incorrect connection setup in the server for
Teeworlds, an online multi-player platform 2D shooter, could result in
denial of service via forged connection packets (rendering all game
server slots occupied).

For the stable distribution (stretch), this problem has been fixed in
version 0.6.5+dfsg-1~deb9u1.

We recommend that you upgrade your teeworlds packages.

For the detailed security status of teeworlds please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/teeworlds

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/