The following updates have been released for Debian GNU/Linux 7 LTS:
DLA 1234-2: gdk-pixbuf regression update
DLA 1236-1: plexus-utils security update
DLA 1237-1: plexus-utils2 security update
DLA 1238-1: awstats security update
DLA 1234-2: gdk-pixbuf regression update
Package : gdk-pixbuf
Version : 2.26.1-1+deb7u8
Debian Bug : 886721
The patch introduced in DLA-1234-1 had a problem that caused
gdk-pixbuf's gif module to fail to load.
For Debian 7 "Wheezy", these problems have been fixed in version
2.26.1-1+deb7u8.
We recommend that you upgrade your gdk-pixbuf packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1236-1: plexus-utils security update
Package : plexus-utils
Version : 1:1.5.15-4+deb7u1
CVE ID : CVE-2017-1000487
Charles Duffy discovered that the Commandline class in plexus-utils, a
collection of components used by Apache Maven, does not correctly
quote the contents of double-quoted strings. An attacker may use this
flaw to inject arbitrary shell commands.
For Debian 7 "Wheezy", these problems have been fixed in version
1:1.5.15-4+deb7u1.
We recommend that you upgrade your plexus-utils packages.
DLA 1237-1: plexus-utils2 security update
Package : plexus-utils2
Version : 2.0.5-1+deb7u1
CVE ID : CVE-2017-1000487
Charles Duffy discovered that the Commandline class in plexus-utils2, a
collection of components used by Apache Maven, does not correctly
quote the contents of double-quoted strings. An attacker may use this
flaw to inject arbitrary shell commands.
For Debian 7 "Wheezy", these problems have been fixed in version
2.0.5-1+deb7u1.
We recommend that you upgrade your plexus-utils2 packages.
DLA 1238-1: awstats security update
Package : awstats
Version : 7.0~dfsg-7+deb7u1
CVE ID : CVE-2017-1000501
Debian Bug : 885835
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the
handling of the "config" and "migrate" parameters resulting in unauthenticated
remote code execution.
For Debian 7 "Wheezy", these problems have been fixed in version
7.0~dfsg-7+deb7u1.
We recommend that you upgrade your awstats packages.