Debian 10228 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA-1169-1: postgresql-common security update

Debian GNU/Linux 9:
DSA 4031-1: ruby2.3 security update
DSA 4032-1: imagemagick security update



DLA-1169-1: postgresql-common security update

Package : postgresql-common
Version : 134wheezy6

A security vulnerability has been found in postgresql-common, Debian's
PostgreSQL database cluster management tools.

CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and
pg_upgradecluster commands handled symbolic links insecurely which
could result in local denial of service by overwriting arbitrary
files.

For Debian 7 "Wheezy", these problems have been fixed in version
134wheezy6.

We recommend that you upgrade your postgresql-common packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4031-1: ruby2.3 security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4031-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby2.3
CVE ID : CVE-2017-0898 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033
Debian Bug : 875928 875931 875936 879231

Several vulnerabilities have been discovered in the interpreter for the
Ruby language. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2017-0898

aerodudrizzt reported a buffer underrun vulnerability in the sprintf
method of the Kernel module resulting in heap memory corruption or
information disclosure from the heap.

CVE-2017-0903

Max Justicz reported that RubyGems is prone to an unsafe object
deserialization vulnerability. When parsed by an application which
processes gems, a specially crafted YAML formatted gem specification
can lead to remote code execution.

CVE-2017-10784

Yusuke Endoh discovered an escape sequence injection vulnerability
in the Basic authentication of WEBrick. An attacker can take
advantage of this flaw to inject malicious escape sequences to the
WEBrick log and potentially execute control characters on the
victim's terminal emulator when reading logs.

CVE-2017-14033

asac reported a buffer underrun vulnerability in the OpenSSL
extension. A remote attacker can take advantage of this flaw to
cause the Ruby interpreter to crash leading to a denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 2.3.3-1+deb9u2.

We recommend that you upgrade your ruby2.3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4032-1: imagemagick security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4032-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 12, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2017-12983 CVE-2017-13134 CVE-2017-13758
CVE-2017-13769 CVE-2017-14224 CVE-2017-14607
CVE-2017-14682 CVE-2017-14989 CVE-2017-15277
Debian Bug : 873134 873099 878508 878507 876097 878527 876488 878562
878578

This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution of
arbitrary code if malformed GIF, TTF, SVG, TIFF, PCX, JPG or SFW files
are processed.

For the stable distribution (stretch), these problems have been fixed in
version 8:6.9.7.4+dfsg-11+deb9u3.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/