The following security updates has been released for Debian GNU/Linux:
Debian GNU/Linux 7 LTS:
DLA 1337-1: jruby security update
Debian GNU/Linux 8 and 9:
DSA 4163-1: beep security update
Debian GNU/Linux 7 LTS:
DLA 1337-1: jruby security update
Debian GNU/Linux 8 and 9:
DSA 4163-1: beep security update
DLA 1337-1: jruby security update
Package : jruby
Version : 1.5.6-5+deb7u1
CVE ID : CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
Multiple vulnerabilities were found in the rubygems package management
framework, embedded in JRuby, a pure-Java implementation of the Ruby
programming language.
CVE-2018-1000075
A negative size vulnerability in ruby gem package tar header that could
cause an infinite loop.
CVE-2018-1000076
Ruby gems package improperly verifies cryptographic signatures. A mis-signed
gem could be installed if the tarball contains multiple gem signatures.
CVE-2018-1000077
An improper input validation vulnerability in ruby gems specification
homepage attribute could allow malicious gem to set an invalid homepage
URL.
CVE-2018-1000078
Cross Site Scripting (XSS) vulnerability in gem server display of homepage
attribute
For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u1.
We recommend that you upgrade your jruby packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4163-1: beep security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4163-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 02, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : beep
CVE ID : CVE-2018-0492
It was discovered that a race condition in beep (if configured as setuid
via debconf) allows local privilege escalation.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.3-3+deb8u1.
For the stable distribution (stretch), this problem has been fixed in
version 1.3-4+deb9u1.
We recommend that you upgrade your beep packages.
For the detailed security status of beep please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/beep
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/