Welcome! Log In Create A New Profile

Advanced

Debian Security Advisory

Posted by bodhi 
Debian Security Advisory
November 03, 2014 01:54AM
Re: Debian Security Advisory
April 28, 2015 01:45AM
FYI,

CVE-2014-9715

Quote

    It was found that the netfilter connection tracking subsystem used
    too small a type as an offset within each connection's data
    structure, following a bug fix in Linux 3.2.33 and 3.6.  In some
    configurations, this would lead to memory corruption and crashes
    (even without malicious traffic).  This could potentially also
    result in violation of the netfilter policy or remote code
    execution.

    This can be mitigated by disabling connection tracking accounting:
        sysctl net.netfilter.nf_conntrack_acct=0

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
January 20, 2016 11:42AM
Update your OpenSSH.

https://lists.debian.org/debian-security-announce/2016/msg00015.html

Quote

The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol
suite).

SSH roaming enables a client, in case an SSH connection breaks
unexpectedly, to resume it at a later time, provided the server also
supports it.

The OpenSSH server doesn't support roaming, but the OpenSSH client
supports it (even though it's not documented) and it's enabled by
default.

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
January 20, 2016 01:00PM
@bodhi
Thanks - update script running
Re: Debian Security Advisory
March 03, 2016 12:12AM
Re: Debian Security Advisory
April 18, 2016 02:23PM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3550-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 15, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2015-8325

Shayan Sadigh discovered a vulnerability in OpenSSH: If PAM support is
enabled and the sshd PAM configuration is configured to read user-
specified environment variables and the "UseLogin" option is enabled, a
local user may escalate her privileges to root.

In Debian "UseLogin" is not enabled by default.

For the oldstable distribution (wheezy), this problem has been fixed
in version 6.0p1-4+deb7u4.

For the stable distribution (jessie), this problem has been fixed in
version 6.7p1-5+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-3.

We recommend that you upgrade your openssh packages.

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
April 26, 2016 04:39AM
Thanks for this topic @bodhi

I think you'd better PIN this one on top if you're willing to keep us updated each time something major comes up ;)
Re: Debian Security Advisory
April 26, 2016 08:05PM
JohnnyUSA Wrote:
-------------------------------------------------------
> Thanks for this topic @bodhi
>
> I think you'd better PIN this one on top if you're
> willing to keep us updated each time something
> major comes up ;)

I subscribed to the mailing list. But I don't want to be blamed for missing announcements that are important to only to some :) hence it is not sticky thread.

Anybody who feels certain security news is important to the way we use these boxes, please feel free to post in this thread.

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
May 04, 2016 01:35AM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3566-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
May 03, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108
CVE-2016-2109 CVE-2016-2176

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer
toolkit.

CVE-2016-2105

Guido Vranken discovered that an overflow can occur in the function
EVP_EncodeUpdate(), used for Base64 encoding, if an attacker can
supply a large amount of data. This could lead to a heap corruption.

CVE-2016-2106

Guido Vranken discovered that an overflow can occur in the function
EVP_EncryptUpdate() if an attacker can supply a large amount of data.
This could lead to a heap corruption.

CVE-2016-2107

Juraj Somorovsky discovered a padding oracle in the AES CBC cipher
implementation based on the AES-NI instruction set. This could allow
an attacker to decrypt TLS traffic encrypted with one of the cipher
suites based on AES CBC.

CVE-2016-2108

David Benjamin from Google discovered that two separate bugs in the
ASN.1 encoder, related to handling of negative zero integer values
and large universal tags, could lead to an out-of-bounds write.

CVE-2016-2109

Brian Carpenter discovered that when ASN.1 data is read from a BIO
using functions such as d2i_CMS_bio(), a short invalid encoding can
casuse allocation of large amounts of memory potentially consuming
excessive resources or exhausting memory.

CVE-2016-2176

Guido Vranken discovered that ASN.1 Strings that are over 1024 bytes
can cause an overread in applications using the X509_NAME_oneline()
function on EBCDIC systems. This could result in arbitrary stack data
being returned in the buffer.

Additional information about these issues can be found in the OpenSSL
security advisory at https://www.openssl.org/news/secadv/20160503.txt

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1k-3+deb8u5.

For the unstable distribution (sid), these problems have been fixed in
version 1.0.2h-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
May 15, 2016 11:59PM
Re: Debian Security Advisory
August 07, 2016 07:36PM
Quote

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3626-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 24, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssh
CVE ID : CVE-2016-6210
Debian Bug : 831902

Eddie Harari reported that the OpenSSH SSH daemon allows user
enumeration through timing differences when trying to authenticate
users. When sshd tries to authenticate a non-existing user, it will pick
up a fixed fake password structure with a hash based on the Blowfish
algorithm. If real users passwords are hashed using SHA256/SHA512, then
a remote attacker can take advantage of this flaw by sending large
passwords, receiving shorter response times from the server for
non-existing users.

For the stable distribution (jessie), this problem has been fixed in
version 1:6.7p1-5+deb8u3.

For the unstable distribution (sid), this problem has been fixed in
version 1:7.2p2-6.

We recommend that you upgrade your openssh packages.

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
August 17, 2016 06:55PM
Re: Debian Security Advisory
September 24, 2016 05:56AM
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3673-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 23, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
Debian Bug : 838652 838659

It was discovered that the original patch applied for CVE-2016-2182 in
DSA-3673-1 was incomplete, causing a regression when parsing
certificates. Updated packages are now available to address this
problem.

For the stable distribution (jessie), this problem has been fixed in
version 1.0.1t-1+deb8u5.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3673-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 22, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openssl
CVE ID : CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180
CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302
CVE-2016-6303 CVE-2016-6304 CVE-2016-6306

Several vulnerabilities were discovered in OpenSSL:

CVE-2016-2177

Guido Vranken discovered that OpenSSL uses undefined pointer
arithmetic. Additional information can be found at
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

CVE-2016-2178

Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing
leak in the DSA code.

CVE-2016-2179 / CVE-2016-2181

Quan Luo and the OCAP audit team discovered denial of service
vulnerabilities in DTLS.

CVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303

Shi Lei discovered an out-of-bounds memory read in
TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec()
and MDC2_Update().

CVE-2016-2183

DES-based cipher suites are demoted from the HIGH group to MEDIUM
as a mitigation for the SWEET32 attack.

CVE-2016-6302

Shi Lei discovered that the use of SHA512 in TLS session tickets
is susceptible to denial of service.

CVE-2016-6304

Shi Lei discovered that excessively large OCSP status request may
result in denial of service via memory exhaustion.

CVE-2016-6306

Shi Lei discovered that missing message length validation when parsing
certificates may potentially result in denial of service.

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1t-1+deb8u4.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Re: Debian Security Advisory
October 25, 2016 11:13PM
Re: Debian Security Advisory
November 02, 2016 03:18AM
Re: Debian Security Advisory
May 30, 2017 01:03AM
Samba

Quote

Debian Security Advisory DSA-3860-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 24, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2017-7494

steelo discovered a remote code execution vulnerability in Samba, a
SMB/CIFS file, print, and login server for Unix. A malicious client with
access to a writable share, can take advantage of this flaw by uploading
a shared library and then cause the server to load and execute it.

For the stable distribution (jessie), this problem has been fixed in
version 2:4.2.14+dfsg-0+deb8u6.

We recommend that you upgrade your samba packages.

-bodhi
===========================
Wiki
latest Kirkwood kernel builds and rootfs
latest u-boot-kirkwood builds
latest Oxnas kernel builds and rootfs
latest u-boot-oxnas builds
latest MVEBU Armada kernel builds and rootfs
U-Boot & Kernel Booting process
bodhi's u-boot GitHub
bodhi's corner
Author:

Your Email:


Subject:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.
Message: