Debian 10261 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-24 fuse security update

Debian GNU/Linux 8 LTS:
DLA 1454-1: network-manager-vpnc security update

Debian GNU/Linux 9:
DSA 4259-1: ruby2.3 security update



ELA-24 fuse security update


Package: fuse
Version: 2.9.0-2+deb7u3
Related CVE: CVE-2018-10906
This upload fixes a restriction bypass of the “allow_other” option when SELinux is active.

For Debian 7 Wheezy, these problems have been fixed in version 2.9.0-2+deb7u3.

We recommend that you upgrade your fuse packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1454-1: network-manager-vpnc security update

Package : network-manager-vpnc
Version : 0.9.10.0-1+deb8u1
CVE ID : CVE-2018-10900
Debian Bug : 904255


Denis Andzakovic discovered that network-manager-vpnc, a plugin to
provide VPNC support for NetworkManager, is prone to a privilege
escalation vulnerability. A newline character can be used to inject a
Password helper parameter into the configuration data passed to vpnc,
allowing a local user with privileges to modify a system connection to
execute arbitrary commands as root.

For Debian 8 "Jessie", this problem has been fixed in version
0.9.10.0-1+deb8u1.

We recommend that you upgrade your network-manager-vpnc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4259-1: ruby2.3 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4259-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 31, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby2.3
CVE ID : CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914
CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075
CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the
Ruby language, which may result in incorrect processing of HTTP/FTP,
directory traversal, command injection, unintended socket creation or
information disclosure.

This update also fixes several issues in RubyGems which could allow an
attacker to use specially crafted gem files to mount cross-site scripting
attacks, cause denial of service through an infinite loop, write arbitrary
files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u3.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/