Debian 9843 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1600-1: libarchive security update

Debian GNU/Linux 9:
DSA 4347-1: perl security update



DLA 1600-1: libarchive security update




Package : libarchive
Version : 3.1.2-11+deb8u4
CVE ID : CVE-2015-8915 CVE-2016-8687 CVE-2016-8688
CVE-2016-8689 CVE-2016-10209 CVE-2016-10349
CVE-2016-10350 CVE-2017-5601 CVE-2017-14166
CVE-2017-14501 CVE-2017-14502 CVE-2017-14503
Debian Bug : 853278 875960 875974 875966 874539 840934
840935 861609 859456 861609 784213

Multiple security vulnerabilities were found in libarchive, a
multi-format archive and compression library. Heap-based buffer
over-reads, NULL pointer dereferences and out-of-bounds reads allow
remote attackers to cause a denial-of-service (application crash) via
specially crafted archive files.

For Debian 8 "Jessie", these problems have been fixed in version
3.1.2-11+deb8u4.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4347-1: perl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4347-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 29, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : perl
CVE ID : CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2018-18311

Jayakrishna Menon and Christophe Hauser discovered an integer
overflow vulnerability in Perl_my_setenv leading to a heap-based
buffer overflow with attacker-controlled input.

CVE-2018-18312

Eiichi Tsukata discovered that a crafted regular expression could
cause a heap-based buffer overflow write during compilation,
potentially allowing arbitrary code execution.

CVE-2018-18313

Eiichi Tsukata discovered that a crafted regular expression could
cause a heap-based buffer overflow read during compilation which
leads to information leak.

CVE-2018-18314

Jakub Wilk discovered that a specially crafted regular expression
could lead to a heap-based buffer overflow.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u5.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/