[Monitoring] 5 Debian package update(s) for nonagon.federez.net

apticron report [Sat, 25 Apr 2020 13:49:06 +0200] ======================================================================== apticron has detected that some packages need upgrading on: nonagon.federez.net [ 185.230.78.42 2a0c:700:0:23:67:e5ff:fee9:3 ] The following packages are currently pending an upgrade: git 1:2.20.1-2+deb10u3 git-man 1:2.20.1-2+deb10u3 libssl1.1 1.1.1d-0+deb10u3 libssl-dev 1.1.1d-0+deb10u3 openssl 1.1.1d-0+deb10u3 ======================================================================== Package Details: apt-listchanges : Lecture des fichiers de modifications (« changelog »)... apt-listchanges : journaux des modifications (« changelogs ») ------------------------------------------------------------- --- Modifications pour git (git git-man) --- git (1:2.20.1-2+deb10u3) buster-security; urgency=high * new upstream point release (see RelNotes/2.20.4.txt). * Addresses the security issue CVE-2020-11008. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability fixed in 1:2.20.1-2+deb10u2, the credentials are not for a host of the attacker's choosing. Instead, they are for an unspecified host, based on how the configured credential helper handles an absent "host" parameter. The attack has been made impossible by refusing to work with underspecified credential patterns. Thanks to Carlo Arenas for reporting that Git was still vulnerable, Felix Wilhelm for providing the proof of concept demonstrating this issue, and Jeff King for promptly providing a corrected fix. Tested using the proof of concept at https://crbug.com/project-zero/2021. -- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 19 Apr 2020 17:19:12 -0700 git (1:2.20.1-2+deb10u2) buster-security; urgency=high [ Salvatore Bonaccorso ] * new upstream point release (see RelNotes/2.20.3.txt). * Addresses the security issue CVE-2020-5260. With a crafted URL that contains a newline, the credential helper machinery can be fooled to supply credential information for the wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. Thanks to Felix Wilhelm of Google Project Zero for finding this vulnerability and Jeff King for fixing it. -- Jonathan Nieder <jrnieder(a)gmail.com> Sun, 12 Apr 2020 00:24:43 -0700 --- Modifications pour openssl (libssl1.1 libssl-dev openssl) --- openssl (1.1.1d-0+deb10u3) buster-security; urgency=medium * CVE-2020-1967 (Segmentation fault in SSL_check_chain). -- Sebastian Andrzej Siewior <sebastian(a)breakpoint.cc> Mon, 20 Apr 2020 22:23:01 +0200 ======================================================================== You can perform the upgrade by issuing the command: apt-get dist-upgrade as root on nonagon.federez.net -- apticron