The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 Extended LTS:
ELA-114-1 ruby1.9.1 security update
Debian GNU/Linux 8 LTS:
DLA 1772-1: libvirt security update
ELA-114-1 ruby1.9.1 security update
Package: ruby1.9.1
Version: 1.9.3.194-8.1+deb7u9
Related CVE: CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8325
Several vulnerabilities have been discovered in rubygems embedded in ruby1.9.1, the interpreted scripting language.
CVE-2019-8320: A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination.
CVE-2019-8322: The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
CVE-2019-8323: Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
CVE-2019-8325: Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
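The three escape-sequence CVEs above share one root cause: text received from the gem server's API is written to the terminal unfiltered. The following is an added example, not code from the advisory or from RubyGems, of the defensive filtering that closes that gap; the constant and function names and the sample response are constructed here for illustration, and UTF-8 input is assumed.

```ruby
# Added example (not RubyGems' own code): sanitise untrusted text, such as a
# gem server API response, before writing it to a terminal, so that a crafted
# response cannot inject terminal escape sequences. Assumes UTF-8 strings.

# 7-bit ESC-introduced sequences plus the 8-bit (C1) CSI introducer U+009B.
ESCAPE_SEQUENCE = /
    (?:\e\[|\u009b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]  # CSI: params, intermediates, final byte
  | \e\][^\a\e]*(?:\a|\e\\)                            # OSC: ESC ] ... terminated by BEL or ST
  | \e[\x40-\x5f]                                       # other two-byte ESC sequences
/x

# Remaining C0 control characters (tab and newline are kept), DEL, and C1 controls.
CONTROL_CHARS = /[\x00-\x08\x0b-\x1f\x7f]|[\u0080-\u009f]/

# Returns a copy of text with escape sequences and control characters removed.
def clean_text(text)
  # Strip whole sequences first: stripping the bare ESC byte first would leave
  # sequence bodies such as "[2J" behind as visible text.
  text.gsub(ESCAPE_SEQUENCE, '').gsub(CONTROL_CHARS, '')
end

# True when text carries anything a terminal would interpret; useful for logging
# that a response had to be sanitised.
def contains_escape_sequence?(text)
  text.match?(ESCAPE_SEQUENCE) || text.match?(CONTROL_CHARS)
end

# Constructed sample response: a clear-screen CSI, an OSC window-title change
# and a bare BEL embedded in otherwise normal output.
SAMPLE_RESPONSE = "Owner added: \e[2J\e]0;changed title\aalice\x07 <alice@example.com>\n"

if __FILE__ == $PROGRAM_NAME
  # Safe equivalent of printing the response directly: filter, then output.
  $stdout.write(clean_text(SAMPLE_RESPONSE))
end
```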
For Debian 7 Wheezy, these problems have been fixed in version 1.9.3.194-8.1+deb7u9.
We recommend that you upgrade your ruby1.9.1 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
DLA 1772-1: libvirt security update
Package : libvirt
Version : 1.2.9-9+deb8u6
CVE ID : CVE-2016-10746
libvirt-domain.c in libvirt supports virDomainGetTime API calls by guest agents
with an RO connection, even though an RW connection was supposed to be
required. This could lead to potentially disclosing unintended
information or denial of service by causing libvirt to block.
For Debian 8 "Jessie", this problem has been fixed in version
1.2.9-9+deb8u6.
We recommend that you upgrade your libvirt packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS