Debian 9858 Published by

The following updates for Debian GNU/Linux have been released:

Debian GNU/Linux 8 LTS:
DLA 1751-1: suricata security update
DLA 1752-1: poppler security update
DLA 1753-1: proftpd-dfsg security update

Debian GNU/Linux 9:
DSA 4428-1: systemd security update

DLA 1751-1: suricata security update

Package : suricata
Version : 2.0.7-2+deb8u4
CVE ID : CVE-2018-10242 CVE-2018-10243

Multiple vulnerabilities have been found in suricata, the network threat
detection engine:

CVE-2018-10242

Missing length check causing out-of-bounds read in SSHParseBanner
(app-layer-ssh.c). Remote attackers might leverage this vulnerability
to cause DoS or potentially unauthorized disclosure of information.

CVE-2018-10243

Unexpected end of Authorization field causing heap-based buffer
over-read in htp_parse_authorization_digest (htp_parsers.c, from the
embedded copy of LibHTP). Remote attackers might leverage this
vulnerability to cause DoS or potentially unauthorized disclosure of
information.

For Debian 8 "Jessie", these problems have been fixed in version
2.0.7-2+deb8u4.

We recommend that you upgrade your suricata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1752-1: poppler security update

Package : poppler
Version : 0.26.5-2+deb8u9
CVE ID : CVE-2019-9631
A security issue was discovered in the poppler PDF rendering shared
library.

The Poppler shared library had a heap-based buffer over-read in the
CairoRescaleBox.cc downsample_row_box_filter function.

For Debian 8 "Jessie", this problem has been fixed in version
0.26.5-2+deb8u9.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

DLA 1753-1: proftpd-dfsg security update

Package : proftpd-dfsg
Version : 1.3.5e-0+deb8u1
CVE ID : not-available
Debian Bug : 923926

Several memory leaks were discovered in proftpd-dfsg, a versatile,
virtual-hosting FTP daemon, when mod_facl or mod_sftp is used, which
could lead to memory exhaustion and a denial of service.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.5e-0+deb8u1.

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4428-1: systemd security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4428-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 08, 2019                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : systemd
CVE ID : CVE-2019-3842

Jann Horn discovered that the PAM module in systemd insecurely uses the
environment and lacks seat verification permitting spoofing an active
session to PolicyKit. A remote attacker with SSH access can take
advantage of this issue to gain PolicyKit privileges that are normally
only granted to clients in an active session on the local console.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u11.

This update includes updates previously scheduled to be released in the
stretch 9.9 point release.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
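Each advisory above ends with "we recommend that you upgrade", and the only way to confirm that the upgrade landed is to compare installed versions against the fixed versions the advisories name. The script below is an added example, not part of the Debian advisories or of dpkg: it reimplements dpkg's version ordering (epoch, then upstream, then revision, with '~' sorting low and digit runs compared numerically) so that "+deb9u9" is correctly recognised as older than "+deb9u11", and applies it to lines in the shape of `dpkg-query -W -f='${source:Package}\t${source:Version}\n'`. The FIXED versions are taken from the four advisories; SAMPLE is constructed input, not real system output.

```python
import itertools
import re

# Fixed versions exactly as stated in the advisories above, keyed by source package.
FIXED = {
    "suricata": "2.0.7-2+deb8u4",       # DLA 1751-1
    "poppler": "0.26.5-2+deb8u9",       # DLA 1752-1
    "proftpd-dfsg": "1.3.5e-0+deb8u1",  # DLA 1753-1
    "systemd": "232-25+deb9u11",        # DSA 4428-1
}
_VERSION = re.compile(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, letters before other symbols.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one fragment as dpkg does: alternate non-digit runs (per-character
    # weight) and digit runs (numeric, so "u11" correctly sorts above "u9").
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 comparing two Debian version strings the way dpkg does."""
    e1, u1, r1 = _VERSION.match(v1).groups(default="")
    e2, u2, r2 = _VERSION.match(v2).groups(default="")
    if int(e1 or 0) != int(e2 or 0):
        return -1 if int(e1 or 0) < int(e2 or 0) else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def unpatched(dpkg_lines):
    """List (source, installed, fixed) for every line whose installed version is below the fix."""
    rows = [line.split("\t") for line in dpkg_lines.splitlines()]
    return [(src, ver, FIXED[src]) for src, ver in (r for r in rows if len(r) == 2)
            if ver and src in FIXED and compare_versions(ver, FIXED[src]) < 0]

# Constructed sample in the shape of `dpkg-query -W -f='${source:Package}\t${source:Version}\n'`;
# two of the four packages are still at a version below the fix.
SAMPLE = ("suricata\t2.0.7-2+deb8u3\npoppler\t0.26.5-2+deb8u9\n"
          "proftpd-dfsg\t1.3.5e-0+deb8u1\nsystemd\t232-25+deb9u9\n")
```

On a real host, pipe the dpkg-query output into `unpatched()` instead of SAMPLE; an empty result means every package named above is at or beyond its fixed version.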