Marios Nicolaides discovered that the PHP plugin in uWSGI, a fast, self-healing application container server, does not properly handle a DOCUMENT_ROOT check during use of the --php-docroot option, allowing a remote attacker to mount a directory traversal attack and gain unauthorized read access to sensitive files located outside of the web root directory.
More info:
https://www.debian.org/security/2018/dsa-4142
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service, sandbox bypass, execution of arbitrary code, incorrect LDAP/GSS authentication, insecure use of cryptography or bypass of deserialisation restrictions.
More info:
https://www.debian.org/security/2018/dsa-4144
Richard Zhu and Huzaifa Sidhpurwala discovered that an out-of-bounds memory write when playing Vorbis media files could result in the execution of arbitrary code.
More info:
https://www.debian.org/security/2018/dsa-4143