Debian 10232 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1111-1: weechat security update
DLA 1112-1: rubygems security update
DLA 1113-1: ruby1.8 security update
DLA 1114-1: ruby1.9.1 security update

Debian GNU/Linux 8 and 9:
DSA 3984-1: git security update



DLA 1111-1: weechat security update




Package : weechat
Version : 0.3.8-1+deb7u3
CVE ID : CVE-2017-14727
Debian Bug : 876553

It was discovered that WeeChat's logger plugin is vulnerable to an
invalid buffer read which can be exploited remotely to trigger an
application crash or other undefined behaviour.

For Debian 7 "Wheezy", these problems have been fixed in version
0.3.8-1+deb7u3.

We recommend that you upgrade your weechat packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1112-1: rubygems security update




Package : rubygems
Version : 1.8.24-1+deb7u1
CVE ID : CVE-2017-0900 CVE-2017-0901
Debian Bug : 873802

Some vulnerabilities were found in the Rubygems package that affects
the LTS distribution.

CVE-2017-0900

DOS vulernerability in the query command

CVE-2017-0901

gem installer allows a malicious gem to overwrite arbitrary files

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u1.

We recommend that you upgrade your rubygems packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1113-1: ruby1.8 security update




Package : ruby1.8
Version : 1.8.7.358-7.1+deb7u4
CVE ID : CVE-2017-0898 CVE-2017-10784
Debian Bug : 875931 875936

Some vulnerabilities were found in the Ruby 1.8 package that affects
the LTS distribution.

CVE-2017-0898

Buffer underrun vulnerability in Kernel.sprintf

CVE-2017-10784

Escape sequence injection vulnerability in the Basic
authentication of WEBrick

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.7.358-7.1+deb7u4.

We recommend that you upgrade your ruby1.8 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1114-1: ruby1.9.1 security update




Package : ruby1.9.1
Version : 1.9.3.194-8.1+deb7u6
CVE ID : CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901
CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
Debian Bug : 873802 873906 875928 875931 875936

Multiple vulnerabilities were discovered in the Ruby 1.9 interpretor.

CVE-2017-0898

Buffer underrun vulnerability in Kernel.sprintf

CVE-2017-0899

ANSI escape sequence vulnerability

CVE-2017-0900

DOS vulernerability in the query command

CVE-2017-0901

gem installer allows a malicious gem to overwrite arbitrary files

CVE-2017-10784

Escape sequence injection vulnerability in the Basic
authentication of WEBrick

CVE-2017-14033

Buffer underrun vulnerability in OpenSSL ASN1 decode

CVE-2017-14064

Heap exposure vulnerability in generating JSON

For Debian 7 "Wheezy", these problems have been fixed in version
1.9.3.194-8.1+deb7u6.

We recommend that you upgrade your ruby1.9.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 3984-1: git security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-3984-1 security@debian.org
https://www.debian.org/security/ Florian Weimer
September 26, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : git
Debian Bug : 876854

joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator. The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).

In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default. Refer to the updated
documentation for instructions how to reenable in case this CVS
functionality is still needed.

For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u5.

For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.14.2-1.

We recommend that you upgrade your git packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/