In the past week, Debian published security updates for the programs e2fsprogs (filesystem utility), exim4 (MTA) and the WPA protocol.
Debian e2fsprogs Security Notes
DSA-4535-1 e2fsprogs — security update
Date Reported: 27 Sep 2019
Affected Packages: e2fsprogs
Vulnerable: Yes
Security database references: In the Debian bugtracking system: Bug 941139.
In Mitre’s CVE dictionary: CVE-2019-5094.
More information:
Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code.
For the oldstable distribution (stretch), this problem has been fixed in version 1.43.4-2+deb9u1.
For the stable distribution (buster), this problem has been fixed in version 1.44.5-1+deb10u2.
We recommend that you upgrade your e2fsprogs packages.
For the detailed security status of e2fsprogs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/e2fsprogs
Debian exim4 Security Notes
DSA-4536-1 exim4 — security update
Date Reported: 28 Sep 2019
Affected Packages: exim4
Vulnerable: Yes
Security database references: In Mitre’s CVE dictionary: CVE-2019-16928.
More information:
A buffer overflow flaw was discovered in Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code.
For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u3.
We recommend that you upgrade your exim4 packages.
For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4
Debian WPA Protocol Security Notes
DSA-4538-1 wpa — security update
Date Reported: 29 Sep 2019
Affected Packages: wpa
Vulnerable: Yes
Security database references: In the Debian bugtracking system: Bug 934180, Bug 940080.
In Mitre’s CVE dictionary: CVE-2019-13377, CVE-2019-16275.
More information:
Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplicant (station) and hostapd (access point).
- CVE-2019-13377: A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.
- CVE-2019-16275: Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.
For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u1.