
The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1735-1: ruby2.1 security update
DLA 1736-1: dovecot security update
DLA 1737-1: pdns security update



DLA 1735-1: ruby2.1 security update




Package : ruby2.1
Version : 2.1.5-2+deb8u7
CVE ID : CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
CVE-2019-8325


Several vulnerabilities have been discovered in rubygems embedded in
ruby2.1, the interpreted scripting language.

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems. Before
making new directories or touching files (which now include
path-checking code for symlinks), it would delete the target
destination.

CVE-2019-8322

The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur.

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec, which is eval-ed by code in ensure_loadable_spec during
the preinstall check.

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Since Gem::CommandManager#run calls alert_error without escaping,
escape sequence injection is possible. (There are many ways to cause
an error.)
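CVE-2019-8322, CVE-2019-8323 and CVE-2019-8325 share one root cause: untrusted text is written to a terminal unchanged. The defensive counterpart, added here as an example and not taken from the advisory or from RubyGems itself, is to strip terminal control sequences before printing; the function name, the regex and the sample response are this example's own assumptions.

```ruby
# Added example (not code from the advisory or from RubyGems): remove the
# terminal control sequences an untrusted API response could carry before
# writing it to stdout, so a crafted response cannot move the cursor,
# recolour or overwrite text, or change the terminal title.
TERMINAL_CONTROL = /
    (?:\e\[|\u009B)[\x30-\x3F]*[\x20-\x2F]*[\x40-\x7E]   # CSI: ESC [ params intermediates final
  | (?:\e\]|\u009D)[^\x07\e]*(?:\x07|\e\\)?              # OSC: ESC ] ... terminated by BEL or ST
  | \e[\x20-\x2F]*[\x30-\x7E]                            # any other ESC sequence (ECMA-48 shape)
  | [\x00-\x08\x0B-\x1F\x7F\u0080-\u009F]                # C0 (except TAB and LF), DEL, C1 controls
/x

# Returns a copy of +text+ that is safe to print on a terminal. Input is
# treated as UTF-8; bytes that do not decode become '?'.
def sanitize_for_terminal(text)
  String(text).dup.force_encoding(Encoding::UTF_8).scrub('?')
              .gsub(TERMINAL_CONTROL, '')
end

# Constructed sample: a server reply that sets the window title, clears the
# screen, prints a red fake message and uses the single-byte C1 CSI (U+009B).
CRAFTED_RESPONSE =
  "Owner added: alice\e]0;pwned\a\e[2J\e[1;31mFAKE ERROR\e[0m\u009B31mred\n"

if $PROGRAM_NAME == __FILE__
  puts sanitize_for_terminal(CRAFTED_RESPONSE)   # prints "Owner added: aliceFAKE ERRORred"
end
```

Tabs and newlines are kept so ordinary multi-line output still formats; everything a terminal would interpret is dropped rather than re-encoded.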

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u7.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1736-1: dovecot security update




Package : dovecot
Version : 1:2.2.13-12~deb8u6
CVE ID : CVE-2019-7524

A security vulnerability was discovered in the Dovecot email server.
When reading FTS headers from the Dovecot index, the input buffer
size is not bounds-checked. An attacker with the ability to modify
dovecot indexes can take advantage of this flaw for privilege
escalation or the execution of arbitrary code with the permissions of
the dovecot user. Only installations using the FTS plugins are affected.

For Debian 8 "Jessie", this problem has been fixed in version
1:2.2.13-12~deb8u6.

We recommend that you upgrade your dovecot packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1737-1: pdns security update




Package : pdns
Version : 3.4.1-4+deb8u9
CVE ID : CVE-2019-3871
Debian Bug : 924966

A vulnerability was found in PowerDNS Authoritative Server before
4.0.7 and before 4.1.7. Data coming from the user is insufficiently
validated when building an HTTP request from a DNS query in the HTTP
Connector of the Remote backend, allowing a remote user to cause a
denial of service by making the server connect to an invalid endpoint,
or possibly information disclosure by making the server connect to an
internal endpoint and somehow extracting meaningful information about
the response.

Only installations using the pdns-backend-remote package are affected.

For Debian 8 "Jessie", this problem has been fixed in version
3.4.1-4+deb8u9.

We recommend that you upgrade your pdns packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS