Debian 10169 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1660-2: rssh regression update
DLA 1681-1: gsoap security update
DLA 1682-1: uriparser security update

Debian GNU/Linux 9:
DSA 4393-1: systemd security update
DSA 4394-1: rdesktop security update
DSA 4395-1: chromium security update



DLA 1660-2: rssh regression update




Package : rssh
Version : 2.3.4-4+deb8u3
Debian Bug : #921655

It was discovered that the fix for the security vulnerability
released for rssh in 2.3.4-4+deb8u2 via DLA-1660-1 introduced a
regression that blocked scp(1) of multiple files from a server
using rssh.

Please see https://bugs.debian.org/921655 for more information.

For Debian 8 "Jessie", this issue has been addressed in rssh
version 2.3.4-4+deb8u3.

We recommend that you upgrade your rssh packages.




DLA 1681-1: gsoap security update




Package : gsoap
Version : 2.8.17-1+deb8u2
CVE ID : CVE-2019-7659

It was discovered that there was a denial of service vulnerability in
gsoap a C/C++ language binding used for SOAP-based web services.

For Debian 8 "Jessie", this issue has been fixed in gsoap version
2.8.17-1+deb8u2.

We recommend that you upgrade your gsoap packages. Thanks to Mattias
Ellert for their assistance in
preparing this update.




DLA 1682-1: uriparser security update




Package : uriparser
Version : 0.8.0.1-2+deb8u2
CVE ID : CVE-2018-20721


Joergen Ibsen reported an issue with uriparser, a URI parsing library
compliant with RFC 3986.

An Out-of-bounds read for incomplete URIs with IPv6 addresses with
embedded IPv4 address, e.g. "//[::44.1", were possible.


For Debian 8 "Jessie", this problem has been fixed in version
0.8.0.1-2+deb8u2.

We recommend that you upgrade your uriparser packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4393-1: systemd security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4393-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 18, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : systemd
CVE ID : CVE-2019-6454

Chris Coulson discovered a flaw in systemd leading to denial of service.
An unprivileged user could take advantage of this issue to crash PID1 by
sending a specially crafted D-Bus message on the system bus.

For the stable distribution (stretch), this problem has been fixed in
version 232-25+deb9u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4394-1: rdesktop security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4394-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 18, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : rdesktop
CVE ID : CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794
CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798
CVE-2018-8799 CVE-2018-8800 CVE-2018-20174
CVE-2018-20175 CVE-2018-20176 CVE-2018-20177
CVE-2018-20178 CVE-2018-20179 CVE-2018-20180
CVE-2018-20181 CVE-2018-20182

Multiple security issues were found in the rdesktop RDP client, which
could result in denial of service, information disclosure and the
execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 1.8.4-1~deb9u1.

We recommend that you upgrade your rdesktop packages.

For the detailed security status of rdesktop please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rdesktop

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4395-1: chromium security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4395-1 security@debian.org
https://www.debian.org/security/ Michael Gilbert
February 18, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2018-17481 CVE-2019-5754 CVE-2019-5755 CVE-2019-5756
CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760
CVE-2019-5762 CVE-2019-5763 CVE-2019-5764 CVE-2019-5765
CVE-2019-5766 CVE-2019-5767 CVE-2019-5768 CVE-2019-5769
CVE-2019-5770 CVE-2019-5772 CVE-2019-5773 CVE-2019-5774
CVE-2019-5775 CVE-2019-5776 CVE-2019-5777 CVE-2019-5778
CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5782
CVE-2019-5783 CVE-2019-5784

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2018-17481

A use-after-free issue was discovered in the pdfium library.

CVE-2019-5754

Klzgrad discovered an error in the QUIC networking implementation.

CVE-2019-5755

Jay Bosamiya discovered an implementation error in the v8 javascript
library.

CVE-2019-5756

A use-after-free issue was discovered in the pdfium library.

CVE-2019-5757

Alexandru Pitis discovered a type confusion error in the SVG image
format implementation.

CVE-2019-5758

Zhe Jin discovered a use-after-free issue in blink/webkit.

CVE-2019-5759

Almog Benin discovered a use-after-free issue when handling HTML pages
containing select elements.

CVE-2019-5760

Zhe Jin discovered a use-after-free issue in the WebRTC implementation.

CVE-2019-5762

A use-after-free issue was discovered in the pdfium library.

CVE-2019-5763

Guang Gon discovered an input validation error in the v8 javascript
library.

CVE-2019-5764

Eyal Itkin discovered a use-after-free issue in the WebRTC implementation.

CVE-2019-5765

Sergey Toshin discovered a policy enforcement error.

CVE-2019-5766

David Erceg discovered a policy enforcement error.

CVE-2019-5767

Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao reported an error
in the WebAPKs user interface.

CVE-2019-5768

Rob Wu discovered a policy enforcement error in the developer tools.

CVE-2019-5769

Guy Eshel discovered an input validation error in blink/webkit.

CVE-2019-5770

hemidallt discovered a buffer overflow issue in the WebGL implementation.

CVE-2019-5772

Zhen Zhou discovered a use-after-free issue in the pdfium library.

CVE-2019-5773

Yongke Wong discovered an input validation error in the IndexDB
implementation.

CVE-2019-5774

Jnghwan Kang and Juno Im discovered an input validation error in the
SafeBrowsing implementation.

CVE-2019-5775

evil1m0 discovered a policy enforcement error.

CVE-2019-5776

Lnyas Zhang discovered a policy enforcement error.

CVE-2019-5777

Khalil Zhani discovered a policy enforcement error.

CVE-2019-5778

David Erceg discovered a policy enforcement error in the Extensions
implementation.

CVE-2019-5779

David Erceg discovered a policy enforcement error in the ServiceWorker
implementation.

CVE-2019-5780

Andreas Hegenberg discovered a policy enforcement error.

CVE-2019-5781

evil1m0 discovered a policy enforcement error.

CVE-2019-5782

Qixun Zhao discovered an implementation error in the v8 javascript library.

CVE-2019-5783

Shintaro Kobori discovered an input validation error in the developer
tools.

CVE-2019-5784

Lucas Pinheiro discovered an implementation error in the v8 javascript
library.

For the stable distribution (stretch), these problems have been fixed in
version 72.0.3626.96-1~deb9u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/