Debian Stretch Openstack images changelog

9.13.2-20200830

Updates in 3 source package(s), 14 binary package(s):

  Source sqlite3, binaries: libsqlite3-0:amd64 libsqlite3-0:arm64  
  sqlite3 (3.16.2-5+deb9u2) stretch-security; urgency=high
  
    * Non-maintainer upload by the LTS Team.
    * CVE-2018-8740: Databases whose schema is corrupted using a CREATE TABLE AS
      statement could cause a NULL pointer dereference.
    * CVE-2018-20346, CVE-2018-20506: Add extra defenses against strategically
      corrupt databases to fts3/4.
    * CVE-2019-5827: Integer overflow allowed a remote attacker to potentially
      exploit heap corruption via a crafted HTML page, primarily impacting
      chromium.
    * CVE-2019-9936: Potential information leak when running fts5 prefix queries
      inside a transaction, which could trigger a heap-based buffer over-read.
    * CVE-2019-9937: interleaving reads and writes in a single transaction with
      an fts5 virtual table will lead to a NULL Pointer Dereference
    * CVE-2019-16168: Missing validation resulting in a potential division by
      zero, which can crash a browser or other application
    * CVE-2019-20218: Do not attempt to unwind the WITH stack in the event of a
      parse error
    * CVE-2020-13630: Fix use-after-free in fts3EvalNextRow, related to the
      snippet feature
    * CVE-2020-13632: Fix NULL pointer dereference via a crafted matchinfo()
      query
    * CVE-2020-13871: Fix use-after-free in resetAccumulator in select.c
    * CVE-2020-11655: Fix denial of service resulting from segmentation fault
      via a malformed window-function query.
    * CVE-2020-13434: Fix integer overflow in sqlite3_str_vappendf.

  Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 libpython2.7-minimal:arm64 libpython2.7-stdlib:arm64 python2.7:arm64 python2.7-minimal:arm64  
  python2.7 (2.7.13-2+deb9u4) stretch-security; urgency=medium
  
    * Non-maintainer upload by the LTS Team. 
    * CVE-2019-20907
      fix for an infinite loop when opening a crafted tar file
    * CVE-2019-16056
      Fix incorrect parsing of email addresses with multiple '@' characters.
    * CVE-2019-10160
      Fixes regression in fix for CVE-2019-9636
    * CVE-2019-9948
      Stop urllib exposing the local_file schema (file://).
    * CVE-2019-9740, CVE-2019-9947
      Disallow control chars in http URLs in urllib2.urlopen.
    * CVE-2019-9636
      Fix mishandling of NFKC normalization in urlsplit
    * CVE-2019-5010
      Fix NULL pointer dereference when using a specially crafted
      X509 certificate
    * CVE-2018-20852
      Cookie handling could be tricked to steal cookies for other domains.

  Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64  
  bind9 (1:9.10.3.dfsg.P4-12.3+deb9u7) stretch-security; urgency=medium
  
    * Non-maintainer upload by the LTS Team. 
    * CVE-2020-8622
      Crafted responses to TSIG-signed requests could lead to an assertion
      failure, causing the server to exit. This could be done by malicious
      server operators or guessing attackers.
    * CVE-2020-8623
      An assertion failure, causing the server to exit, can be exploited by
      a query for an RSA signed zone.

-- Steve McIntyre <93sam@debian.org>  Mon, 31 Aug 2020 11:44:15 +0100

9.13.1-20200729

Updates in 2 source package(s), 10 binary package(s):

  Source qemu, binaries: qemu-utils:amd64 qemu-utils:arm64  
  qemu (1:2.8+dfsg-6+deb9u10) stretch-security; urgency=medium
  
    * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
      Fix misuse of libz in VNC disconnect, leading to memory leak
      Closes: CVE-2019-20382
    * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
      Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
      Closes: CVE-2019-12068
    * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
      Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
    * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
      Fix another use-after-free in ip_reass() in SLIRP code
      Closes: CVE-2020-1983
    * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
      rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
      Closes: CVE-2020-13765
    * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
      Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
      devices which use min_access_size and max_access_size Memory API fields.
      Also closes: CVE-2020-13791
    * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
      replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
      Closes: #964793
    * xhci-fix-valid.max_access_size-to-access-address-registers.patch
      This is another issue revealed after the CVE-2020-13754 fix
    * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      CVE-2020-13659: address_space_map in exec.c can trigger
      a NULL pointer dereference related to BounceBuffer
    * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
      has an OOB read via a crafted reply_queue_head field from a guest OS user
    * megasas-use-unsigned-type-for-positive-numeric-fields.patch
      fix other possible cases like in CVE-2020-13362 (#961887)
    * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
      time-to-use) issues reading various parameters from guest-supplied frame:
      megasas-do-not-read-sense-length-more-than-once-from-frame.patch
      megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
      megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
      megasas-do-not-read-command-more-than-once-from-frame.patch
      megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
    * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
      possible NULL-pointer dereference caused by privileged guest user
      megasas hba command processing. Closes: #865754, CVE-2017-9503
    * megasas-fix-possible-out-of-bounds-array-access.patch
      Some tracepoints use a guest-controlled value as an index into the
      mfi_frame_desc[] array. Thus a malicious guest could cause very low
      impact OOB errors here
    * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
      Closes: #961888, CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c
      does not properly validate the frame count, which allows guest OS users
      to trigger an out-of-bounds access during an es1370_write() operation
    * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
      Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
    * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
      (and a preparational patch, slirp-add-fmt-helpers.patch)
      Closes: CVE-2020-8608
    * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
      ARM-only XGMAC NIC, possible buffer overflow during packet transmission
      Closes: CVE-2020-15863

  Source e2fsprogs, binaries: e2fslibs:amd64 e2fsprogs:amd64 libcomerr2:amd64 libss2:amd64 e2fslibs:arm64 e2fsprogs:arm64 libcomerr2:arm64 libss2:arm64  
  e2fsprogs (1.43.4-2+deb9u2) stretch-security; urgency=high
  
    * Non-maintainer upload by the LTS Team. 
    * CVE-2019-5188
      A specially crafted ext4 directory can cause an out-of-bounds write 
      on the stack, resulting in code execution. An attacker can corrupt a 
      partition to trigger this vulnerability.
    * If directory has been deleted in pass1[bcd] processing, then we
      shouldn't try to rehash the directory in pass 3a when we try to
      rehash/reoptimize directories. 

-- Steve McIntyre <93sam@debian.org>  Wed, 29 Jul 2020 17:47:01 +0100

9.13.0

  First build for 9.13.0 release

-- Steve McIntyre <93sam@debian.org>  Sun, 19 Jul 2020 01:04:43 +0100
