
The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1464-1: postgresql-9.4 security update
DLA 1466-1: linux-4.9 security update
DLA 1467-1: ruby-zip security update
DLA 1468-1: fuse security update



DLA 1464-1: postgresql-9.4 security update




Package : postgresql-9.4
Version : 9.4.19-0+deb8u1
CVE ID : CVE-2018-10915

An unprivileged user of dblink or postgres_fdw could bypass the checks
intended to prevent use of server-side credentials, such as a ~/.pgpass
file owned by the operating-system user running the server. Servers
allowing peer authentication on local connections are particularly
vulnerable. Other attacks such as SQL injection into a postgres_fdw
session are also possible. Attacking postgres_fdw in this way requires
the ability to create a foreign server object with selected connection
parameters, but any user with access to dblink could exploit the
problem. In general, an attacker with the ability to select the
connection parameters for a libpq-using application could cause
mischief, though other plausible attack scenarios are harder to think
of. Our thanks to Andrew Krasichkov for reporting this issue.

For Debian 8 "Jessie", this problem has been fixed in version
9.4.19-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1466-1: linux-4.9 security update

Package : linux-4.9
Version : 4.9.110-3+deb9u2~deb8u1
CVE ID : CVE-2018-5390 CVE-2018-5391 CVE-2018-13405
Debian Bug : 893393 903122 903767 903776 903838 903914

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial of service.

CVE-2018-5390 (SegmentSmack)

Juha-Matti Tilli discovered that a remote attacker can trigger the
worst case code paths for TCP stream reassembly with low rates of
specially crafted packets, leading to remote denial of service.

CVE-2018-5391 (FragmentSmack)

Juha-Matti Tilli discovered a flaw in the way the Linux kernel
handled reassembly of fragmented IPv4 and IPv6 packets. A remote
attacker can take advantage of this flaw to trigger time- and
calculation-expensive fragment reassembly algorithms by sending
specially crafted packets, leading to remote denial of service.

This is mitigated by reducing the default limits on memory usage
for incomplete fragmented packets. The same mitigation can be
achieved without the need to reboot, by setting the sysctls:

net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608

The default values may still be increased by local configuration
if necessary.
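
As an added example (not part of the Debian advisory), the shell functions below audit `key = value` sysctl lines, such as `sysctl` output or sysctl.conf contents, against the four values above and print the `sysctl -w` commands for any key that is larger or missing. The function names and the sample input are constructed for illustration; low thresholds are listed first so that low stays at or below high at every step.

```shell
#!/bin/sh
# Advisory values for CVE-2018-5391; low thresholds come first on purpose.
FRAG_LIMITS="net.ipv4.ipfrag_low_thresh=196608 net.ipv6.ip6frag_low_thresh=196608 \
net.ipv4.ipfrag_high_thresh=262144 net.ipv6.ip6frag_high_thresh=262144"

# Read "key = value" lines on stdin; print OK, HIGH or MISSING for each advisory key.
audit_frag_limits() {
    awk -v limits="$FRAG_LIMITS" '
        BEGIN {
            n = split(limits, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], f, "="); order[i] = f[1]; want[f[1]] = f[2] }
        }
        /^[ \t]*[#;]/ { next }                 # skip sysctl.conf comment lines
        {
            line = $0; gsub(/[ \t]/, "", line) # tolerate "key=value" and "key = value"
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if ((key in want) && val ~ /^[0-9]+$/) seen[key] = val   # last setting wins
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) printf "MISSING %s\n", k
                else if (seen[k] + 0 > want[k] + 0) printf "HIGH %s %s\n", k, seen[k]
                else printf "OK %s %s\n", k, seen[k]
            }
        }'
}

# Turn audit lines into the sysctl commands that apply the advisory values.
remediation_cmds() {
    while read -r status key rest; do
        if [ "$status" = OK ]; then continue; fi
        for pair in $FRAG_LIMITS; do
            if [ "${pair%%=*}" = "$key" ]; then printf 'sysctl -w %s\n' "$pair"; fi
        done
    done
}

# Constructed sample: IPv4 at larger limits, IPv6 high threshold not reported.
SAMPLE='net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv6.ip6frag_low_thresh = 196608'

printf '%s\n' "$SAMPLE" | audit_frag_limits | remediation_cmds
```

On a live host, feed the audit from `sysctl -a 2>/dev/null | audit_frag_limits`; a HIGH result may be intentional, since the advisory allows raising the limits by local configuration.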

CVE-2018-13405

Jann Horn discovered that the inode_init_owner function in
fs/inode.c in the Linux kernel allows local users to create files
with an unintended group ownership allowing attackers to escalate
privileges by making a plain file executable and SGID.

For Debian 8 "Jessie", these problems have been fixed in version
4.9.110-3+deb9u2~deb8u1. This update includes fixes for several
regressions in the latest point release.

The earlier version 4.9.110-3+deb9u1~deb8u1 included all the above
fixes except for CVE-2018-5391, which may be mitigated as explained
above.

We recommend that you upgrade your linux-4.9 packages.


DLA 1467-1: ruby-zip security update




Package : ruby-zip
Version : 1.1.6-1+deb8u2
CVE ID : CVE-2018-1000544
Debian Bug : 902720

It was found that rubyzip, a Ruby module for reading and writing zip
files, contained a Directory Traversal vulnerability that can be
exploited to write arbitrary files to the filesystem.

For Debian 8 "Jessie", this problem has been fixed in version
1.1.6-1+deb8u2.

We recommend that you upgrade your ruby-zip packages.



DLA 1468-1: fuse security update




Package : fuse
Version : 2.9.3-15+deb8u3
CVE ID : CVE-2018-10906


CVE-2018-10906
This is a fix for a restriction bypass of the "allow_other" option
when SELinux is active.


For Debian 8 "Jessie", this problem has been fixed in version
2.9.3-15+deb8u3.

We recommend that you upgrade your fuse packages.
