Debian Stretch Openstack images changelog

9.13.5-20201030

Updates in 2 source package(s), 4 binary package(s):

  Source linux-latest, binaries: linux-image-amd64:amd64 linux-image-arm64:arm64

  linux-latest (80+deb9u12) stretch-security; urgency=high

    * debian/control: Point Vcs URLs to Salsa
    * Update to 4.9.0-14
      (Lots of fixes. See the linux-image-4.9-* changelogs for more

  Source freetype, binaries: libfreetype6:amd64 libfreetype6:arm64

  freetype (2.6.3-3.2+deb9u2) stretch-security; urgency=medium

    * Non-maintainer upload by the LTS Team.
    * CVE-2020-15999
      Fix heap buffer overflow.

 -- Steve McIntyre <93sam@debian.org>  Fri, 30 Oct 2020 17:11:18 +0000

9.13.4-20200929

Updates in 2 source package(s), 4 binary package(s):

  Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

  qemu (1:2.8+dfsg-6+deb9u11) stretch-security; urgency=medium

    * Non-maintainer upload by the Debian LTS team.
    * Fix CVE-2020-14364: out-of-bounds read/write access flaw
      (Closes: #968947)
    * Fix CVE-2020-13253: out-of-bounds read during sdhci_write() operations
      (Closes: #961297)
    * Fix CVE-2020-16092: assertion failure in net_tx_pkt_add_raw_fragment()
    * Fix CVE-2020-1711: out-of-bounds heap buffer access flaw in iSCSI
      Block driver (Closes: #949731)

  Source openssl1.0, binaries: libssl1.0.2:amd64 libssl1.0.2:arm64

  openssl1.0 (1.0.2u-1~deb9u2) stretch-security; urgency=high

    * Non-maintainer upload by the LTS Team.
    * Fix CVE-2020-1968: disable ciphers that reuse the DH secret across
      multiple TLS connections in ssl/s3_lib.c. Patch by Marc Deslauriers.

 -- Steve McIntyre <93sam@debian.org>  Wed, 30 Sep 2020 09:50:14 +0100

9.13.3-20200910

Updates in 1 source package(s), 2 binary package(s):

  Source libxml2, binaries: libxml2:amd64 libxml2:arm64

  libxml2 (2.9.4+dfsg1-2.2+deb9u3) stretch-security; urgency=high

    * Non-maintainer upload by the LTS team.
    * Fix CVE-2017-8872: Global buffer-overflow in the htmlParseTryOrFinish
      function.
    * Fix CVE-2019-20388: A memory leak was found in the
      xmlSchemaValidateStream function of libxml2. Applications that use
      this library may be vulnerable to memory not being freed leading to
      a denial of service.
    * Fix CVE-2020-24977: Out-of-bounds read restricted to
      xmllint --htmlout.
    * Fix CVE-2020-7595: Infinite loop in xmlStringLenDecodeEntities can
      cause a denial of service.
    * Fix CVE-2017-18258: The xz_head function in libxml2 allows remote
      attackers to cause a denial of service (memory consumption) via a
      crafted LZMA file, because the decoder functionality does not
      restrict memory usage to what is required for a legitimate file.
    * Fix CVE-2018-14404: A NULL pointer dereference vulnerability exists
      in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing
      an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case.
      Applications processing untrusted XSL format inputs may be
      vulnerable to a denial of service attack.
    * Fix CVE-2018-14567: If --with-lzma is used, allows remote attackers
      to cause a denial of service (infinite loop) via a crafted XML file.
    * Fix CVE-2019-19956: The xmlParseBalancedChunkMemoryRecover has a
      memory leak related to newDoc->oldNs.

 -- Steve McIntyre <93sam@debian.org>  Thu, 10 Sep 2020 13:58:21 +0100

9.13.2-20200830

Updates in 3 source package(s), 14 binary package(s):

  Source sqlite3, binaries: libsqlite3-0:amd64 libsqlite3-0:arm64

  sqlite3 (3.16.2-5+deb9u2) stretch-security; urgency=high

    * Non-maintainer upload by the LTS Team.
    * CVE-2018-8740: Databases whose schema is corrupted using a CREATE
      TABLE AS statement could cause a NULL pointer dereference.
    * CVE-2018-20346, CVE-2018-20506: Add extra defenses against
      strategically corrupt databases to fts3/4.
    * CVE-2019-5827: Integer overflow allowed a remote attacker to
      potentially exploit heap corruption via a crafted HTML page,
      primarily impacting chromium.
    * CVE-2019-9936: Potential information leak when running fts5 prefix
      queries inside a transaction, which could trigger a heap-based
      buffer over-read.
    * CVE-2019-9937: interleaving reads and writes in a single transaction
      with an fts5 virtual table will lead to a NULL Pointer Dereference
    * CVE-2019-16168: Missing validation resulting in a potential division
      by zero, which can crash a browser or other application
    * CVE-2019-20218: Do not attempt to unwind the WITH stack in the event
      of a parse error
    * CVE-2020-13630: Fix use-after-free in fts3EvalNextRow, related to
      the snippet feature
    * CVE-2020-13632: Fix NULL pointer dereference via a crafted
      matchinfo() query
    * CVE-2020-13871: Fix use-after-free in resetAccumulator in select.c
    * CVE-2020-11655: Fix denial of service resulting from segmentation
      fault via a malformed window-function query.
    * CVE-2020-13434: Fix integer overflow in sqlite3_str_vappendf.

  Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64

  python2.7 (2.7.13-2+deb9u4) stretch-security; urgency=medium

    * Non-maintainer upload by the LTS Team.
    * CVE-2019-20907
      fix for an infinite loop when opening a crafted tar file
    * CVE-2019-16056
      Fix incorrect parsing of email addresses with multiple '@'
      characters.
    * CVE-2019-10160
      Fixes regression in fix for CVE-2019-9636
    * CVE-2019-9948
      Stop urllib exposing the local_file schema (file://).
    * CVE-2019-9740, CVE-2019-9947
      Disallow control chars in http URLS in urllib2.urlopen.
    * CVE-2019-9636
      Fix mishandling of NFKC normalization in urlsplit
    * CVE-2019-5010
      Fix NULL pointer dereference when using a specially crafted X509
      certificate
    * CVE-2018-20852
      Cookie handling could be tricked to steal cookies for other domains.

  Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64

  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u7) stretch-security; urgency=medium

    * Non-maintainer upload by the LTS Team.
    * CVE-2020-8622
      Crafted responses to TSIG-signed requests could lead to an assertion
      failure, causing the server to exit. This could be done by malicious
      server operators or guessing attackers.
    * CVE-2020-8623
      An assertion failure, causing the server to exit, can be exploited
      by a query for an RSA signed zone.

 -- Steve McIntyre <93sam@debian.org>  Mon, 31 Aug 2020 11:44:15 +0100

9.13.1-20200729

Updates in 2 source package(s), 10 binary package(s):

  Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64

  qemu (1:2.8+dfsg-6+deb9u10) stretch-security; urgency=medium

    * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
      Fix misuse of libz in VNC disconnect, leading to memory leak
      Closes: CVE-2019-20382
    * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
      Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
      Closes: CVE-2019-12068
    * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
      Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
    * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
      Fix another use-after-free in ip_reass() in SLIRP code
      Closes: CVE-2020-1983
    * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
      rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
      Closes: CVE-2020-13765
    * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
      Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of
      qemu devices which uses min_access_size and max_access_size Memory
      API fields.
      Also closes: CVE-2020-13791
    * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
      replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
      Closes: #964793
    * xhci-fix-valid.max_access_size-to-access-address-registers.patch
      This is another issue revealed after the CVE-2020-13754 fix
    * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      CVE-2020-13659: address_space_map in exec.c can trigger a NULL
      pointer dereference related to BounceBuffer
    * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      Closes: #961887, CVE-2020-13362, megasas_lookup_frame in
      hw/scsi/megasas.c has an OOB read via a crafted reply_queue_head
      field from a guest OS user
    * megasas-use-unsigned-type-for-positive-numeric-fields.patch
      fix other possible cases like in CVE-2020-13362 (#961887)
    * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
      time-to-use) issues reading various parameters from guest-supplied
      frame:
       megasas-do-not-read-sense-length-more-than-once-from-frame.patch
       megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
       megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
       megasas-do-not-read-command-more-than-once-from-frame.patch
       megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
    * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
      possible NULL-pointer dereference caused by privileged guest user
      megasas hba command processing.
      Closes: #865754, CVE-2017-9503
    * megasas-fix-possible-out-of-bounds-array-access.patch
      Some tracepoints use a guest-controlled value as an index into the
      mfi_frame_desc[] array.
      Thus a malicious guest could cause very low impact OOB errors here
    * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
      Closes: #961888, CVE-2020-13361, es1370_transfer_audio in
      hw/audio/es1370.c does not properly validate the frame count, which
      allows guest OS users to trigger an out-of-bounds access during an
      es1370_write() operation
    * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
      Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
    * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
      (and a preparational patch, slirp-add-fmt-helpers.patch)
      Closes: CVE-2020-8608
    * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
      ARM-only XGMAC NIC, possible buffer overflow during packet
      transmission
      Closes: CVE-2020-15863

  Source e2fsprogs, binaries: e2fslibs:amd64 e2fsprogs:amd64 libcomerr2:amd64 libss2:amd64 e2fslibs:arm64 e2fsprogs:arm64 libcomerr2:arm64 libss2:arm64

  e2fsprogs (1.43.4-2+deb9u2) stretch-security; urgency=high

    * Non-maintainer upload by the LTS Team.
    * CVE-2019-5188
      A specially crafted ext4 directory can cause an out-of-bounds write
      on the stack, resulting in code execution. An attacker can corrupt a
      partition to trigger this vulnerability.
    * If directory has been deleted in pass1[bcd] processing, then we
      shouldn't try to rehash the directory in pass 3a when we try to
      rehash/reoptimize directories.

 -- Steve McIntyre <93sam@debian.org>  Wed, 29 Jul 2020 17:47:01 +0100

9.13.0

First build for 9.13.0 release

 -- Steve McIntyre <93sam@debian.org>  Sun, 19 Jul 2020 01:04:43 +0100