Debian 10228 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-107-1 libxslt security update

Debian GNU/Linux 9:
DSA 4432-1: ghostscript security update
DSA 4433-1: ruby2.3 security update



ELA-107-1 libxslt security update

Package: libxslt
Version: 1.1.26-14.1+deb7u4
Related CVE: CVE-2019-11068
It was discovered that there was a authentication bypass vulnerability in libxslt, a widely-used library for transforming files from XML to other arbitrary format.

This vulnerability was caused by invalid handling of xsltCheckRead and xsltCheckWrite -1 error return value, handled as a success code. Remote attackers could leverage this vulnerability to bypass protection mechanisms and possibly cause unauthorized disclosure of information or modification.

For Debian 7 Wheezy, these problems have been fixed in version 1.1.26-14.1+deb7u4.

We recommend that you upgrade your libxslt packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DSA 4432-1: ghostscript security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4432-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 16, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ghostscript
CVE ID : CVE-2019-3835 CVE-2019-3838
Debian Bug : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For the stable distribution (stretch), these problems have been fixed in
version 9.26a~dfsg-0+deb9u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4433-1: ruby2.3 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4433-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 16, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby2.3
CVE ID : CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323
CVE-2019-8324 CVE-2019-8325

Several vulnerabilities have been discovered in the Rubygems included in
the interpreter for the Ruby language, which may result in denial of
service or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u6.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/