Last week Debian published security updates for e2fsprogs (file system utilities), exim4 (MTA) and the WPA protocol implementation.
Debian e2fsprogs Security Notes
DSA-4535-1 e2fsprogs — security update
Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code.
For the oldstable distribution (stretch), this problem has been fixed in version 1.43.4-2+deb9u1.
For the stable distribution (buster), this problem has been fixed in version 1.44.5-1+deb10u2.
We recommend that you upgrade your e2fsprogs packages.
For the detailed security status of e2fsprogs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/e2fsprogs
Debian exim4 Security Notes
DSA-4536-1 exim4 — security update
A buffer overflow flaw was discovered in Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code.
For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u3.
We recommend that you upgrade your exim4 packages.
For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4
Debian WPA Protocol Security Notes
DSA-4538-1 wpa — security update
Date Reported: 29 Sep 2019
Affected Packages: wpa
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 934180, Bug 940080.
In Mitre’s CVE dictionary: CVE-2019-13377, CVE-2019-16275.
Two vulnerabilities were found in the WPA protocol implementation in wpa_supplicant (station) and hostapd (access point).
- CVE-2019-13377: A timing-based side-channel attack against WPA3’s Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.
- CVE-2019-16275: Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.
For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u1.
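The practical question behind all three advisories is whether the installed package version is at or above the fixed version. Debian version strings (epoch, upstream version, revision with suffixes such as +deb10u2 or ~rc1) do not compare correctly as plain strings, so the check below, added here as an example and not part of the advisories or of Debian's own tooling, implements the comparison rules from deb-version(5) in Python and runs a constructed inventory against the fixed versions quoted above. On a Debian host itself, dpkg --compare-versions is the authoritative comparison; this script is for checking exported inventories offline. Hostnames and installed versions in SAMPLE_INVENTORY are made up; the fixed versions are the ones stated in the advisories.

```python
import re
from itertools import zip_longest

# Fixed versions quoted in the advisories above (DSA-4535-1, DSA-4536-1, DSA-4538-1).
FIXED_VERSIONS = {
    ("e2fsprogs", "stretch"): "1.43.4-2+deb9u1",
    ("e2fsprogs", "buster"): "1.44.5-1+deb10u2",
    ("exim4", "buster"): "4.92-8+deb10u3",
    ("wpa", "buster"): "2:2.7+git20190128+0c1e29f-6+deb10u1",
}


def _char_order(c):
    """Debian ordering of non-digit characters: '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare one upstream_version or debian_revision fragment as deb-version(5) specifies:
    alternate between a non-digit run (compared character by character with _char_order)
    and a digit run (compared numerically) until both strings are exhausted."""
    while a or b:
        run_a = re.match(r"[^0-9]*", a).group(0)
        run_b = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(run_a):], b[len(run_b):]
        for ca, cb in zip_longest(run_a, run_b, fillvalue=""):
            d = _char_order(ca) - _char_order(cb)
            if d:
                return -1 if d < 0 else 1
        num_a = re.match(r"[0-9]*", a).group(0)
        num_b = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(num_a):], b[len(num_b):]
        ia, ib = int(num_a or "0"), int(num_b or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split '[epoch:]upstream_version[-debian_revision]' into its three parts.
    A missing epoch is 0; a missing revision is the empty string (equivalent to 0).
    The revision is everything after the last hyphen, as Debian defines it."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _compare_fragment(ua, ub)
    if c:
        return c
    return _compare_fragment(ra, rb)


def is_fixed(package, suite, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[(package, suite)]) >= 0


def audit(inventory):
    """inventory: list of (host, suite, package, installed_version) tuples.
    Returns (host, package, installed, fixed) for every entry that still needs the update."""
    return [(host, package, installed, FIXED_VERSIONS[(package, suite)])
            for host, suite, package, installed in inventory
            if not is_fixed(package, suite, installed)]


# Constructed sample inventory: hostnames and installed versions are made up for this example.
SAMPLE_INVENTORY = [
    ("web01", "buster", "exim4", "4.92-8+deb10u2"),                     # one update behind
    ("web02", "buster", "exim4", "4.92-8+deb10u3"),                     # patched
    ("nas01", "stretch", "e2fsprogs", "1.43.4-2"),                      # unpatched
    ("ap01", "buster", "wpa", "2.7+git20190128+0c1e29f-6"),             # no epoch: sorts older
    ("ap02", "buster", "wpa", "2:2.7+git20190128+0c1e29f-6+deb10u1"),   # patched
]

if __name__ == "__main__":
    for host, package, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host}: {package} {installed} is older than fixed version {fixed}")
```

The two cases worth noticing in the sample inventory are the epoch on the wpa package (an inventory that strips the "2:" prefix will make a patched host look older than it is) and the ~ suffix rule, under which 1.0~rc1 sorts before 1.0; both are common sources of false results in home-grown version checks.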