The following updates has been released for Debian GNU/Linux 8 LTS:
DLA 1796-1: jruby security update
DLA 1797-1: drupal7 security update
DLA 1796-1: jruby security update
DLA 1797-1: drupal7 security update
DLA 1796-1: jruby security update
Package : jruby
Version : 1.5.6-9+deb8u1
CVE ID : CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076
CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321
CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Debian Bug : 895778 925987
Multiple vulnerabilities have been discovered in jruby, Java
implementation of the Ruby programming language.
CVE-2018-1000074
Deserialization of Untrusted Data vulnerability in owner command
that can result in code execution. This attack appear to be
exploitable via victim must run the `gem owner` command on a gem
with a specially crafted YAML file
CVE-2018-1000075
an infinite loop caused by negative size vulnerability in ruby gem
package tar header that can result in a negative size could cause an
infinite loop
CVE-2018-1000076
Improper Verification of Cryptographic Signature vulnerability in
package.rb that can result in a mis-signed gem could be installed,
as the tarball would contain multiple gem signatures.
CVE-2018-1000077
Improper Input Validation vulnerability in ruby gems specification
homepage attribute that can result in a malicious gem could set an
invalid homepage URL
CVE-2018-1000078
Cross Site Scripting (XSS) vulnerability in gem server display of
homepage attribute that can result in XSS. This attack appear to be
exploitable via the victim must browse to a malicious gem on a
vulnerable gem server
CVE-2019-8321
Gem::UserInteraction#verbose calls say without escaping, escape
sequence injection is possible
CVE-2019-8322
The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur
CVE-2019-8323
Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.
CVE-2019-8324
A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec
CVE-2019-8325
Gem::CommandManager#run calls alert_error without escaping, escape
sequence injection is possible. (There are many ways to cause an
error.)
For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.
We recommend that you upgrade your jruby packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1797-1: drupal7 security update
Package : drupal7
Version : 7.32-1+deb8u17
CVE ID : CVE-2019-11358 CVE-2019-11831
Debian Bug : 927330 928688
Several security vulnerabilities have been discovered in drupal7, a
PHP web site platform. The vulnerabilities affect the embedded versions
of the jQuery JavaScript library and the Typo3 Phar Stream Wrapper
library.
CVE-2019-11358
It was discovered that the jQuery version embedded in Drupal was
prone to a cross site scripting vulnerability in jQuery.extend().
For additional information, please refer to the upstream advisory
at https://www.drupal.org/sa-core-2019-006.
CVE-2019-11831
It was discovered that incomplete validation in a Phar processing
library embedded in Drupal, a fully-featured content management
framework, could result in information disclosure.
For additional information, please refer to the upstream advisory
at https://www.drupal.org/sa-core-2019-007.
For Debian 8 "Jessie", these problems have been fixed in version
7.32-1+deb8u17.
We recommend that you upgrade your drupal7 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
