Debian 9858 Published by

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-86-1 php5 security update

Debian GNU/Linux 8 LTS:
DLA 1692-1: phpmyadmin security update
DLA 1693-1: gpac security update

Debian GNU/Linux 9:
DSA 4395-2: chromium regression update
ELA-86-1 php5 security update

Package php5
Version 5.4.45-0+deb7u19
Related CVE CVE-2018-20783 CVE-2018-1000888 CVE-2019-9022
Several issues in php5 have been fixed, most of them involving access to memory outside the intended buffers.

CVE-2019-9022: An issue during parsing of DNS responses allows a hostile DNS server to misuse memcpy, which leads to a read operation past an allocated buffer.

CVE-2018-1000888: A PHP object injection vulnerability in the PEAR Archive_tar code could potentially allow a remote attacker to execute arbitrary code.

CVE-2018-20783: A buffer over-read in the PHAR reading functions may give an attacker access to memory past the actual data when a .phar file is parsed.

For Debian 7 Wheezy, these problems have been fixed in version 5.4.45-0+deb7u19.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1692-1: phpmyadmin security update
Package : phpmyadmin
Version : 4:4.2.12-2+deb8u5
CVE ID : CVE-2019-6799
Debian Bug : 920823


An information leak issue was discovered in phpMyAdmin. An attacker
can read any file on the server that the web server's user can
access. This is related to the mysql.allow_local_infile PHP
configuration. When the AllowArbitraryServer configuration setting is
set to false (default), the attacker needs a local MySQL account. When
set to true, the attacker can exploit this with the use of a rogue
MySQL server.

For Debian 8 "Jessie", this problem has been fixed in version
4:4.2.12-2+deb8u5.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1693-1: gpac security update
Package : gpac
Version : 0.5.0+svn5324~dfsg1-1+deb8u2
CVE ID : CVE-2018-7752 CVE-2018-20760 CVE-2018-20761 CVE-2018-20762 CVE-2018-20763


Several issues have been found by different authors in gpac, an Open
Source multimedia framework for research and academic purposes.

The issues are all buffer overflows in various functions across the package.


For Debian 8 "Jessie", these problems have been fixed in version
0.5.0+svn5324~dfsg1-1+deb8u2.

We recommend that you upgrade your gpac packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4395-2: chromium regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4395-2 security@debian.org
https://www.debian.org/security/ Michael Gilbert
February 26, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
Debian Bug : 922794 923298

A regression was introduced in the previous chromium security update. The
browser would always crash when launched in headless mode. This update fixes
this problem.

A file conflict with the buster chromium packages is also fixed.

For the stable distribution (stretch), this problem has been fixed in
version 72.0.3626.96-1~deb9u2.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
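Each advisory above states a fixed version, and on a fleet the practical question is whether the installed package still sorts below it. The following added example (not part of any of these advisories) reimplements the dpkg version-comparison algorithm in Python and applies it to the four fixed versions quoted above; the FIXED table, the helper names and the is_fixed function are the example's own. The page's own versions exercise the two places where naive string comparison goes wrong: the epoch in 4:4.2.12-2+deb8u5 and the tilde in ~dfsg1 and ~deb9u2, which sorts before the empty string.

```python
# Fixed versions quoted in the four advisories above (suite in comments).
FIXED = {
    "php5": "5.4.45-0+deb7u19",              # ELA-86-1, wheezy
    "phpmyadmin": "4:4.2.12-2+deb8u5",       # DLA 1692-1, jessie
    "gpac": "0.5.0+svn5324~dfsg1-1+deb8u2",  # DLA 1693-1, jessie
    "chromium": "72.0.3626.96-1~deb9u2",     # DSA 4395-2, stretch
}

def _order(c: str) -> int:
    # dpkg weight: '~' < end-of-string == digit < letters < other punctuation.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a: str, b: str) -> int:
    # Alternate non-digit runs (per character) and digit runs (numerically).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        na = nb = 0
        while i < len(a) and a[i].isdigit():
            na, i = na * 10 + int(a[i]), i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb * 10 + int(b[j]), j + 1
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1 as dpkg --compare-versions: epoch, then upstream, then revision.
    def split(v):  # "[epoch:]upstream[-revision]"; epoch defaults to 0, revision to ""
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(package: str, installed: str) -> bool:
    # True when the installed version is at least the advisory's fixed version.
    return compare_versions(installed, FIXED[package]) >= 0
```

On a Debian host the installed version for the comparison comes from dpkg-query -W (one "package version" pair per line); the upstream buster build 72.0.3626.96-1 correctly ranks newer than stretch's 72.0.3626.96-1~deb9u2 because of the tilde rule.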