The following updates has been released for Debian GNU/Linux:
Debian GNU/Linux 8 LTS:
DLA 1937-1: httpie security update
Debian GNU/Linux 9:
DSA 4537-1: file-roller security update
Debian GNU/Linux 8 LTS:
DLA 1937-1: httpie security update
Debian GNU/Linux 9:
DSA 4537-1: file-roller security update
DLA 1937-1: httpie security update
Package : httpie
Version : 0.8.0-1+deb8u1
CVE ID : CVE-2019-10751
Debian Bug : 940058
An open redirect, that allows an attacker to write an arbitrary file with
supplied filename and content to the current directory, by redirecting a
request from HTTP to a crafted URL pointing to a server in his or hers control,
was found and reported in CVE-2019-10751.
This was patched upstream and so when `--download` without `--output` results
in a redirect, now only the initial URL is considered, not the final one.
For Debian 8 "Jessie", this problem has been fixed in version
0.8.0-1+deb8u1.
We recommend that you upgrade your httpie packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4537-1: file-roller security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4537-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : file-roller
CVE ID : CVE-2019-16680
It was discovered that file-roller, an archive manager for GNOME, does
not properly handle the extraction of archives with a single ./../ in a
file path. An attacker able to provide a specially crafted archive for
processing can take advantage of this flaw to overwrite files if a user
is dragging a specific file or map to a location to extract to.
For the oldstable distribution (stretch), this problem has been fixed
in version 3.22.3-1+deb9u1.
We recommend that you upgrade your file-roller packages.
For the detailed security status of file-roller please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/file-roller
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/