Debian 10228 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-109-1 jquery security update
ELA-72-2 jasper regression update

Debian GNU/Linux 8 LTS:
DLA 1758-1: debian-security-support update

Debian GNU/Linux 9:
DSA 4434-1: drupal7 security update



ELA-109-1 jquery security update

Package: jquery
Version: 1.7.2+dfsg-1+deb7u1
Related CVE: CVE-2019-11358
jQuery mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

For Debian 7 Wheezy, these problems have been fixed in version 1.7.2+dfsg-1+deb7u1.

We recommend that you upgrade your jquery packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-72-2 jasper regression update

Package: jasper
Version: 1.900.1-13+deb7u9
Related CVE: CVE-2018-19542
The update of jasper issued as ELA-72-1 caused a regression due to the fix for CVE-2018-19542, a NULL pointer dereference in the function jp2_decode, which could lead to a denial-of-service. In some cases not only invalid jp2 files but also valid jp2 files were rejected.

For Debian 7 Wheezy, these problems have been fixed in version 1.900.1-13+deb7u9.

We recommend that you upgrade your jasper packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1758-1: debian-security-support update

Package : debian-security-support
Version : 2019.02.02~deb8u1

debian-security-support, the Debian security support coverage checker,
has been updated in jessie. The jessie relevant changes are:

* Mark spice-xpi as end-of-life for Jessie.
* Add edk2 to security-support-ended.deb8
* Add robocode to security-support-ended.deb8

For Debian 8 "Jessie", this problem has been fixed in version
2019.02.02~deb8u1.

We recommend that you upgrade your debian-security-support packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4434-1: drupal7 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4434-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 20, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : drupal7
CVE ID : CVE-2019-11358
Debian Bug : 927330

A cross-site scripting vulnerability has been found in Drupal, a
fully-featured content management framework. For additional information,
please refer to the upstream advisory at
https://www.drupal.org/sa-core-2019-006 .

For the stable distribution (stretch), this problem has been fixed in
version 7.52-2+deb9u8.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/