Debian LTS: Security Advisory for elfutils (DLA-2802-1)

The remote host is missing an update for the 'elfutils' package(s) announced via the DLA-2802-1 advisory.

Several vulnerabilities were fixed in elfutils, a collection of utilities and libraries to handle ELF objects. CVE-2018-16062 dwarf_getaranges in dwarf_getaranges.c in libdw allowed a denial of service (heap-based buffer over-read) via a crafted file. CVE-2018-16402 libelf/elf_end.c in allowed to cause a denial of service (double free and application crash) because it tried to decompress twice. CVE-2018-18310 An invalid memory address dereference libdwfl allowed a denial of service (application crash) via a crafted file. CVE-2018-18520 A use-after-free in recursive ELF ar files allowed a denial of service (application crash) via a crafted file. CVE-2018-18521 A divide-by-zero in arlib_add_symbols() allowed a denial of service (application crash) via a crafted file. CVE-2019-7150 A segmentation fault could occur due to dwfl_segment_report_module() not checking whether the dyn data read from a core file is truncated. CVE-2019-7665 NT_PLATFORM core notes contain a zero terminated string allowed a denial of service (application crash) via a crafted file.

'elfutils' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 9 stretch, these problems have been fixed in version 0.168-1+deb9u1. We recommend that you upgrade your elfutils packages.