
The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1512-1: sympa security update

Debian GNU/Linux 9:
DSA 4298-1: hylafax security update

DLA 1512-1: sympa security update

Package : sympa
Version : 6.1.23~dfsg-2+deb8u3
CVE ID : CVE-2018-1000671
Debian Bug : 908165


An open redirect vulnerability has been discovered in sympa. The
"referer" parameter of the wwsympa.fcgi login action can result in
open redirection and potential cross-site scripting via data URIs.
The attack appears to be exploitable when the victim's browser opens a
crafted URL supplied by the attacker.
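The fix for this class of bug is to validate the redirect target before honouring it. The following is an added example (not sympa's own code) of such a check for an untrusted post-login "referer"-style parameter; the allowed host name and default landing page are assumed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values for this example (not taken from sympa).
DEFAULT_LANDING = "/"
ALLOWED_HOST = "lists.example.org"


def safe_redirect_target(referer, allowed_host=ALLOWED_HOST):
    """Return a safe post-login redirect derived from an untrusted 'referer'
    value, or DEFAULT_LANDING when the value must not be honoured.

    Only same-site targets are accepted: an absolute path on this site, or
    an https URL whose host is exactly allowed_host. Anything else (data:,
    javascript: and other schemes, foreign hosts, protocol-relative //host,
    backslash variants, control characters) falls back to the landing page.
    """
    if not referer or len(referer) > 2048:
        return DEFAULT_LANDING
    # Browsers strip control characters and whitespace, which lets a scheme
    # slip past naive prefix checks; reject them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in referer):
        return DEFAULT_LANDING
    # Browsers treat "/\host" like "//host", so never accept backslashes.
    if "\\" in referer:
        return DEFAULT_LANDING
    parts = urlsplit(referer)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path on this site. A
        # protocol-relative "//host" already landed in netloc and is
        # excluded by the condition above. The fragment is dropped.
        if not parts.path.startswith("/"):
            return DEFAULT_LANDING
        return urlunsplit(("", "", parts.path, parts.query, ""))
    if parts.scheme.lower() == "https" and parts.netloc.lower() == allowed_host:
        return urlunsplit(("https", allowed_host, parts.path or "/", parts.query, ""))
    # Any other scheme (including data:) or host is not followed.
    return DEFAULT_LANDING
```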

For Debian 8 "Jessie", this problem has been fixed in version
6.1.23~dfsg-2+deb8u3.

We recommend that you upgrade your sympa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4298-1: hylafax security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4298-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 20, 2018                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : hylafax
CVE ID : CVE-2018-17141

Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing
input sanitising in the Hylafax fax software could potentially result in
the execution of arbitrary code via a malformed fax message.

For the stable distribution (stretch), this problem has been fixed in
version 3:6.0.6-7+deb9u1.

We recommend that you upgrade your hylafax packages.

For the detailed security status of hylafax please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/hylafax

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/