Debian Security

Debian Security Advisories

DSA-4505 nginx – security update

22 August 2019, 12:00 am

Three vulnerabilities were discovered in the HTTP/2 code of Nginx, a
high-performance web and reverse proxy server, which could result in
denial of service.

DSA-4504 vlc – security update

20 August 2019, 12:00 am

Multiple security issues were discovered in the VLC media player, which
could result in the execution of arbitrary code or denial of service if
a malformed file/stream is processed.

Three vulnerabilities have been discovered in the Go programming language;
“net/url” accepted some invalid hosts in URLs which could result in
authorisation bypass in some applications and the HTTP/2 implementation
was susceptible to denial of service.

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

It was discovered that the code fixes to address
CVE-2018-16858 and
CVE-2019-9848 were not complete.

DSA-4497 linux – security update

13 August 2019, 12:00 am

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

Several vulnerabilities were discovered in python-django, a web
development framework. They could lead to remote denial of service or
SQL injection.

Netanel reported that the .buildfont1 procedure in Ghostscript, the GPL
PostScript/PDF interpreter, does not properly restrict privileged calls,
which could result in bypass of file system restrictions of the dSAFER
sandbox.

Several vulnerabilities have been discovered in the chromium web browser.

Benno Fuenfstueck discovered that Pango, a library for layout and
rendering of text with an emphasis on internationalization, is prone to a
heap-based buffer overflow flaw in the pango_log2vis_get_embedding_levels
function. An attacker can take advantage of this flaw for denial of
service or potentially the execution of arbitrary code.

DSA-4495 linux – security update

10 August 2019, 12:00 am

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

Dominik Penner discovered that KConfig, the KDE configuration settings
framework, supported a feature to define shell command execution in
.desktop files. If a user is provided with a malformed .desktop file
(e.g. if it’s embedded into a downloaded archive and it gets opened in
a file browser) arbitrary commands could get executed. This update
removes this feature.

An issue has been discovered in the PostgreSQL database system, which
could result in privilege escalation.

Two security issues have been discovered in the PostgreSQL database
system, which could result in privilege escalation, denial of service or
memory disclosure.

Tobias Maedel discovered that the mod_copy module of ProFTPD, an
FTP/SFTP/FTPS server, performed incomplete permission validation for
the CPFR/CPTO commands.

Several vulnerabilities were discovered in Subversion, a version control
system. The Common Vulnerabilities and Exposures project identifies the
following problems:

Imre Rad discovered several vulnerabilities in GNU patch, leading to
shell command injection or escape from the working directory, allowing
files to be accessed and overwritten, if specially crafted patch files
are processed.

Jeremy Harris discovered that Exim, a mail transport agent, does not
properly handle the ${sort } expansion. This flaw can be exploited by a
remote attacker to execute programs with root privileges in non-default
(and unusual) configurations where ${sort } expansion is used for items
that can be controlled by an attacker.