Debian 10260 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1350-1: qemu-kvm security update
DLA 1351-1: qemu security update
DLA 1352-1: jruby security update

Debian GNU/Linux 8 and 9:
DSA 4175-1: freeplane security update



DLA 1350-1: qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u25
CVE ID : CVE-2018-7550
Debian Bug : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on
the QEMU host via a mh_load_end_addr value greater than
mh_bss_end_addr, which triggers an out-of-bounds read or write memory
access.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1351-1: qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u25
CVE ID : CVE-2018-7550
Debian Bug : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on
the QEMU host via a mh_load_end_addr value greater than
mh_bss_end_addr, which triggers an out-of-bounds read or write memory
access.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1352-1: jruby security update




Package : jruby
Version : 1.5.6-5+deb7u2
CVE ID : CVE-2018-1000074

An unsafe object deserialization vulnerability was found in jruby, a
100% pure-Java implementation of Ruby. An attacker can use this flaw
to run arbitrary code when gem owner is run on a specially crafted
YAML file.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u2.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4175-1: freeplane security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4175-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 18, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : freeplane
CVE ID : CVE-2018-1000069
Debian Bug : 893663

Wojciech Regula discovered an XML External Entity vulnerability in the
XML Parser of the mindmap loader in freeplane, a Java program for
working with mind maps, resulting in potential information disclosure if
a malicious mind map file is opened.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.5.18-1+deb9u1.

We recommend that you upgrade your freeplane packages.

For the detailed security status of freeplane please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/freeplane

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/