4 security updates have been released for Debian GNU/Linux 7 Extended LTS:
ELA-4-1 openssl security update
Possible DoS by a malicious server that sends a very large prime value to the client during TLS handshake.
ELA-5-1 gnupg security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
ELA-6-1 ghostscript security update
A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to disclosure of information about files for which read permissions are not available.
ELA-7-1 perl security update
Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.
ELA-4-1 openssl security update
Package: openssl
Version: 1.0.1t-1+deb7u5
Related CVE: CVE-2018-0732
Possible DoS by a malicious server that sends a very large prime value to the client during TLS handshake.
For Debian 7 Wheezy, these problems have been fixed in version 1.0.1t-1+deb7u5.
We recommend that you upgrade your openssl packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
ELA-5-1 gnupg security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.
Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
For Debian 7 Wheezy, these problems have been fixed in version 1.4.12-7+deb7u10.
We recommend that you upgrade your gnupg packages.
ELA-6-1 ghostscript security update
A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to disclosure of information about files for which read permissions are not available.
For Debian 7 Wheezy, these problems have been fixed in version 9.05~dfsg-6.3+deb7u9.
We recommend that you upgrade your ghostscript packages.
ELA-7-1 perl security update
Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.
For Debian 7 Wheezy, these problems have been fixed in version 5.14.2-21+deb7u7.
We recommend that you upgrade your perl packages.