
The following updates have been released for Debian 7 LTS:

[DLA 548-1] drupal7 security update
[DLA 574-1] graphicsmagick security update



[DLA 548-1] drupal7 security update

Package : drupal7
Version : 7.14-2+deb7u13
CVE ID : CVE-2015-7943

It was discovered that there was an open redirect vulnerability in drupal7,
a content management framework.

The "Overlay" module in Drupal core displays administrative pages as a layer
over the current page (using JavaScript) rather than replacing the page
in the browser window. The module did not sufficiently validate URLs prior
to displaying their contents, leading to an open redirect vulnerability.

For Debian 7 "Wheezy", this issue has been fixed in drupal7 version
7.14-2+deb7u13.

We recommend that you upgrade your drupal7 packages.

[DLA 574-1] graphicsmagick security update

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u3
CVE IDs : 2016-5240 2016-5241

It was discovered that there were two denial of service vulnerabilities
in graphicsmagick, a collection of image processing tools:

* CVE-2016-5240: Prevent denial-of-service by detecting and rejecting
negative stroke-dasharray arguments which were resulting in an
endless loop.

* CVE-2016-5241: Fix divide-by-zero problem if fill or stroke pattern
image has zero columns or rows to prevent DoS attack.

For Debian 7 "Wheezy", this issue has been fixed in graphicsmagick version
1.3.16-1.1+deb7u3.

We recommend that you upgrade your graphicsmagick packages.
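
To confirm that collected package inventories are at or above the fixed versions named in both advisories, the following added example (not part of the advisories or of any Debian tooling) reimplements Debian version ordering so it can run where dpkg is not available. It assumes input lines of the form "<package> <version>", as printed by dpkg-query -W -f='${Package} ${Version}\n'; the names FIXED, RUN, compare, audit and SAMPLE are hypothetical, and only the two package names given above are checked.

```python
import re

# Fixed versions exactly as stated in DLA 548-1 and DLA 574-1 above.
FIXED = {"drupal7": "7.14-2+deb7u13", "graphicsmagick": "1.3.16-1.1+deb7u3"}
RUN = re.compile(r"([^0-9]*)([0-9]*)(.*)", re.S)  # non-digit run, digit run, rest

def _order(ch):
    # Inside a non-digit run: '~' sorts before end-of-string (0), letters before punctuation.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit / digit runs from left to right.
    while a or b:
        na, da, a = RUN.match(a).groups()
        nb, db, b = RUN.match(b).groups()
        width = max(len(na), len(nb))
        # Pad the shorter non-digit run with 0 (end-of-string); digits compare as integers.
        ka = ([_order(c) for c in na] + [0] * width)[:width], int(da or 0)
        kb = ([_order(c) for c in nb] + [0] * width)[:width], int(db or 0)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, hyphen, revision = rest.rpartition("-")
    return (int(epoch),) + ((upstream, revision) if hyphen else (rest, ""))

def compare(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def audit(inventory):
    """Map each advisory package found in the inventory to True if it is at the fixed version or newer."""
    rows = (line.split() for line in inventory.splitlines())
    return {r[0]: compare(r[1], FIXED[r[0]]) >= 0
            for r in rows if len(r) == 2 and r[0] in FIXED}

# Constructed sample inventory (not taken from the advisories).
SAMPLE = "drupal7 7.14-2+deb7u9\ngraphicsmagick 1.3.16-1.1+deb7u3\nopenssl 1.0.1t-1+deb7u4\n"
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The numeric comparison of digit runs is what places 7.14-2+deb7u9 below 7.14-2+deb7u13, which a plain string comparison would get wrong. On the host itself, dpkg --compare-versions performs the same comparison.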