Debian 10168 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1257-1: openssh security update
DLA 1258-1: wireshark security update

Debian GNU/Linux 8 and 9:
DSA 4098-1: curl security update



DLA 1257-1: openssh security update

Package : openssh
Version : 1:6.0p1-4+deb7u7
CVE ID : CVE-2016-10708

OpenSSH was found to be vulnerable to out of order NEWKEYS messages
which could crash the daemon, resulting in a denial of service attack.

For Debian 7 "Wheezy", these problems have been fixed in version
1:6.0p1-4+deb7u7.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1258-1: wireshark security update




Package : wireshark
Version : 1.12.1+g01b65bf-4+deb8u6~deb7u9
CVE ID : CVE-2018-5334 CVE-2018-5335 CVE-2018-5336


Kamil Frankowicz and Young found that several parsers of wireshark could
be crashed by malformed packets.


For Debian 7 "Wheezy", these problems have been fixed in version
1.12.1+g01b65bf-4+deb8u6~deb7u9.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4098-1: curl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4098-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
January 26, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2018-1000005 CVE-2018-1000007

Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2018-1000005

Zhouyihai Ding discovered an out-of-bounds read in the code
handling HTTP/2 trailers. This issue doesn't affect the oldstable
distribution (jessie).

CVE-2018-1000007

Craig de Stigter discovered that authentication data might be leaked
to third parties when following HTTP redirects.

For the oldstable distribution (jessie), these problems have been fixed
in version 7.38.0-4+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 7.52.1-5+deb9u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/