apticron report [Tue, 16 Apr 2019 18:49:18 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libjasper1 1.900.1-debian1-2.4+deb8u6
libssh2-1 1.7.0-1+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour jasper (libjasper1) ---
jasper (1.900.1-debian1-2.4+deb8u6) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Improve CVE-2018-19542.patch: The original fix introduced a regression which
could break support for valid jp2 files.
-- Markus Koschany <apo(a)debian.org> Sat, 13 Apr 2019 20:36:54 +0200
--- Modifications pour libssh2 (libssh2-1) ---
libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Possible integer overflow in transport read allows out-of-bounds write
(CVE-2019-3855) (Closes: #924965)
* Possible integer overflow in keyboard interactive handling allows
out-of-bounds write (CVE-2019-3856) (Closes: #924965)
* Possible integer overflow leading to zero-byte allocation and
out-of-bounds write (CVE-2019-3857) (Closes: #924965)
* Possible zero-byte allocation leading to an out-of-bounds read
(CVE-2019-3858) (Closes: #924965)
* Out-of-bounds reads with specially crafted payloads due to unchecked use
of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
(Closes: #924965)
* Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
* Integer overflow in user authenticate keyboard interactive allows
out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
* Fixed misapplied patch for user auth.
* moved MAX size declarations
-- Salvatore Bonaccorso <carnil(a)debian.org> Thu, 04 Apr 2019 23:32:50 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
apticron report [Mon, 15 Apr 2019 18:49:16 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libjasper1 1.900.1-debian1-2.4+deb8u6
libssh2-1 1.7.0-1+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour jasper (libjasper1) ---
jasper (1.900.1-debian1-2.4+deb8u6) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Improve CVE-2018-19542.patch: The original fix introduced a regression which
could break support for valid jp2 files.
-- Markus Koschany <apo(a)debian.org> Sat, 13 Apr 2019 20:36:54 +0200
--- Modifications pour libssh2 (libssh2-1) ---
libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Possible integer overflow in transport read allows out-of-bounds write
(CVE-2019-3855) (Closes: #924965)
* Possible integer overflow in keyboard interactive handling allows
out-of-bounds write (CVE-2019-3856) (Closes: #924965)
* Possible integer overflow leading to zero-byte allocation and
out-of-bounds write (CVE-2019-3857) (Closes: #924965)
* Possible zero-byte allocation leading to an out-of-bounds read
(CVE-2019-3858) (Closes: #924965)
* Out-of-bounds reads with specially crafted payloads due to unchecked use
of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
(Closes: #924965)
* Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
* Integer overflow in user authenticate keyboard interactive allows
out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
* Fixed misapplied patch for user auth.
* moved MAX size declarations
-- Salvatore Bonaccorso <carnil(a)debian.org> Thu, 04 Apr 2019 23:32:50 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
apticron report [Sun, 14 Apr 2019 18:49:18 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libjasper1 1.900.1-debian1-2.4+deb8u6
libssh2-1 1.7.0-1+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour jasper (libjasper1) ---
jasper (1.900.1-debian1-2.4+deb8u6) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Improve CVE-2018-19542.patch: The original fix introduced a regression which
could break support for valid jp2 files.
-- Markus Koschany <apo(a)debian.org> Sat, 13 Apr 2019 20:36:54 +0200
--- Modifications pour libssh2 (libssh2-1) ---
libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Possible integer overflow in transport read allows out-of-bounds write
(CVE-2019-3855) (Closes: #924965)
* Possible integer overflow in keyboard interactive handling allows
out-of-bounds write (CVE-2019-3856) (Closes: #924965)
* Possible integer overflow leading to zero-byte allocation and
out-of-bounds write (CVE-2019-3857) (Closes: #924965)
* Possible zero-byte allocation leading to an out-of-bounds read
(CVE-2019-3858) (Closes: #924965)
* Out-of-bounds reads with specially crafted payloads due to unchecked use
of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
(Closes: #924965)
* Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
* Integer overflow in user authenticate keyboard interactive allows
out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
* Fixed misapplied patch for user auth.
* moved MAX size declarations
-- Salvatore Bonaccorso <carnil(a)debian.org> Thu, 04 Apr 2019 23:32:50 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
apticron report [Sat, 13 Apr 2019 18:49:17 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libssh2-1 1.7.0-1+deb9u1
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour libssh2 (libssh2-1) ---
libssh2 (1.7.0-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* Possible integer overflow in transport read allows out-of-bounds write
(CVE-2019-3855) (Closes: #924965)
* Possible integer overflow in keyboard interactive handling allows
out-of-bounds write (CVE-2019-3856) (Closes: #924965)
* Possible integer overflow leading to zero-byte allocation and
out-of-bounds write (CVE-2019-3857) (Closes: #924965)
* Possible zero-byte allocation leading to an out-of-bounds read
(CVE-2019-3858) (Closes: #924965)
* Out-of-bounds reads with specially crafted payloads due to unchecked use
of _libssh2_packet_require and _libssh2_packet_requirev (CVE-2019-3859)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SFTP packets (CVE-2019-3860)
(Closes: #924965)
* Out-of-bounds reads with specially crafted SSH packets (CVE-2019-3861)
(Closes: #924965)
* Out-of-bounds memory comparison (CVE-2019-3862) (Closes: #924965)
* Integer overflow in user authenticate keyboard interactive allows
out-of-bounds writes (CVE-2019-3863) (Closes: #924965)
* Fixed misapplied patch for user auth.
* moved MAX size declarations
-- Salvatore Bonaccorso <carnil(a)debian.org> Thu, 04 Apr 2019 23:32:50 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
apticron report [Wed, 10 Apr 2019 19:46:18 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libpam-systemd 232-25+deb9u11
libsystemd0 232-25+deb9u11
libudev1 232-25+deb9u11
systemd 232-25+deb9u11
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour systemd (libpam-systemd libsystemd0 libudev1 systemd) ---
systemd (232-25+deb9u11) stretch-security; urgency=high
* pam-systemd: use secure_getenv() rather than getenv()
Fixes a vulnerability in the systemd PAM module which insecurely uses
the environment and lacks seat verification permitting spoofing an
active session to PolicyKit. (CVE-2019-3842)
-- Michael Biebl <biebl(a)debian.org> Mon, 08 Apr 2019 12:51:41 +0200
systemd (232-25+deb9u10) stretch; urgency=medium
* journald: fix assertion failure on journal_file_link_data (Closes: #916880)
* tmpfiles: fix "e" to support shell style globs (Closes: #918400)
* mount-util: accept that name_to_handle_at() might fail with EPERM.
Container managers frequently block name_to_handle_at(), returning
EACCES or EPERM when this is issued. Accept that, and simply fall back
to fdinfo-based checks. (Closes: #917122)
* automount: ack automount requests even when already mounted.
Fixes a race condition in systemd which could result in automount requests
not being serviced and processes using them to hang, causing denial of
service. (CVE-2018-1049)
* core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
Fixes improper serialization on upgrade which can influence systemd
execution environment and lead to root privilege escalation.
(CVE-2018-15686, Closes: #912005)
-- Michael Biebl <biebl(a)debian.org> Sun, 10 Mar 2019 15:52:46 +0100
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
apticron report [Wed, 10 Apr 2019 19:39:59 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
nonagon.federez.net
[ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ]
The following packages are currently pending an upgrade:
libpam-systemd 232-25+deb9u11
libsystemd0 232-25+deb9u11
libudev1 232-25+deb9u11
systemd 232-25+deb9u11
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour systemd (libpam-systemd libsystemd0 libudev1 systemd) ---
systemd (232-25+deb9u11) stretch-security; urgency=high
* pam-systemd: use secure_getenv() rather than getenv()
Fixes a vulnerability in the systemd PAM module which insecurely uses
the environment and lacks seat verification permitting spoofing an
active session to PolicyKit. (CVE-2019-3842)
-- Michael Biebl <biebl(a)debian.org> Mon, 08 Apr 2019 12:51:41 +0200
systemd (232-25+deb9u10) stretch; urgency=medium
* journald: fix assertion failure on journal_file_link_data (Closes: #916880)
* tmpfiles: fix "e" to support shell style globs (Closes: #918400)
* mount-util: accept that name_to_handle_at() might fail with EPERM.
Container managers frequently block name_to_handle_at(), returning
EACCES or EPERM when this is issued. Accept that, and simply fall back
to fdinfo-based checks. (Closes: #917122)
* automount: ack automount requests even when already mounted.
Fixes a race condition in systemd which could result in automount requests
not being serviced and processes using them to hang, causing denial of
service. (CVE-2018-1049)
* core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)
Fixes improper serialization on upgrade which can influence systemd
execution environment and lead to root privilege escalation.
(CVE-2018-15686, Closes: #912005)
-- Michael Biebl <biebl(a)debian.org> Sun, 10 Mar 2019 15:52:46 +0100
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on nonagon.federez.net
--
apticron
This is the mail system at host nonagon.crans.org.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<monitoring(a)federez.net> (expanded from <root>): host
smtp.crans.org[2a0c:700:0:1:200:9ff:fe04:1901] said: 550 5.1.0
<root(a)nonagon.crans.org>: Sender address rejected: User unknown in relay
recipient table (in reply to RCPT TO command)