The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 LTS:
DLA 1336-1: rubygems security update
Debian GNU/Linux 8 and 9:
DSA 4161-1: python-django security update
Debian GNU/Linux 9:
DSA 4159-1: remctl security update
DSA 4160-1: libevt security update
DSA 4162-1: irssi security update
DLA 1336-1: rubygems security update
Package : rubygems
Version : 1.8.24-1+deb7u2
CVE ID : CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
Multiple vulnerabilities were found in rubygems, a package management framework
for Ruby.
CVE-2018-1000075
A negative size value in a Ruby gem package's tar header could cause an
infinite loop.
CVE-2018-1000076
The rubygems package improperly verifies cryptographic signatures. A mis-signed
gem could be installed if the tarball contains multiple gem signatures.
CVE-2018-1000077
An improper input validation vulnerability in the RubyGems specification
homepage attribute could allow a malicious gem to set an invalid homepage
URL.
CVE-2018-1000078
A cross-site scripting (XSS) vulnerability in the gem server's display of the
homepage attribute.
For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u2.
We recommend that you upgrade your rubygems packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 4159-1: remctl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4159-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : remctl
CVE ID : CVE-2018-0493
Santosh Ananthakrishnan discovered a use-after-free in remctl, a server
for Kerberos-authenticated command execution. If the command is
configured with the sudo option, this could potentially result in the
execution of arbitrary code.
The oldstable distribution (jessie) is not affected.
For the stable distribution (stretch), this problem has been fixed in
version 3.13-1+deb9u1.
We recommend that you upgrade your remctl packages.
For the detailed security status of remctl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/remctl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4160-1: libevt security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4160-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libevt
CVE ID : CVE-2018-8754
It was discovered that insufficient input sanitising in libevt, a library
to access the Windows Event Log (EVT) format, could result in denial of
service or the execution of arbitrary code if a malformed EVT file is
processed.
For the stable distribution (stretch), this problem has been fixed in
version 20170120-1+deb9u1.
We recommend that you upgrade your libevt packages.
For the detailed security status of libevt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libevt
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4161-1: python-django security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4161-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
April 01, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-django
CVE ID : CVE-2018-7536 CVE-2018-7537
James Davis discovered two issues in Django, a high-level Python web
development framework, that can lead to a denial-of-service attack.
An attacker with control over the input of the django.utils.html.urlize()
function or django.utils.text.Truncator's chars() and words() methods
could craft a string that might stall the execution of the application.
For the oldstable distribution (jessie), these problems have been fixed
in version 1.7.11-1+deb8u3.
For the stable distribution (stretch), these problems have been fixed in
version 1:1.10.7-2+deb9u1.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
DSA 4162-1: irssi security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4162-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : irssi
CVE ID : CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208
CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053
CVE-2018-7054
Multiple vulnerabilities have been discovered in Irssi, a terminal-based
IRC client, which can result in denial of service.
For the stable distribution (stretch), these problems have been fixed in
version 1.0.7-1~deb9u1.
We recommend that you upgrade your irssi packages.
For the detailed security status of irssi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/irssi
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
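Each advisory above names the fixed version, but deciding whether an installed version is at or past it needs dpkg's ordering rules, in particular the epoch on the stretch python-django version (1:1.10.7-2+deb9u1) and the '~' in the irssi version (1.0.7-1~deb9u1), which sorts below the bare revision. The script below is an added example, not part of the advisories or of any Debian tool: it implements that ordering in Python, keys the fixed versions listed above by suite and package, and reports which entries of a dpkg-query listing are still below the fix; the dpkg-query lines it checks are a constructed sample.

```python
import re
from itertools import zip_longest
_TOKEN = re.compile(r"(\D*)(\d*)")  # a version fragment alternates non-digit and digit runs

def _order(c):
    """dpkg weight of a non-digit: '~' sorts before anything (even end of run), then letters, then other."""
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Order an upstream version or Debian revision the way dpkg does; returns -1, 0 or 1."""
    for (sa, na), (sb, nb) in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b), fillvalue=("", "")):
        ka = [_order(c) for c in sa] + [0]  # trailing 0 marks end of run, so "1~deb9u1" < "1"
        kb = [_order(c) for c in sb] + [0]
        if ka != kb:
            return (ka > kb) - (ka < kb)
        na, nb = int(na or 0), int(nb or 0)  # digit runs compare numerically (leading zeros ignored)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def _split(version):
    """[epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is ''."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """<0, 0 or >0 as `dpkg --compare-versions` orders a against b (epoch, upstream, revision)."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

FIXED = {  # (suite, package) -> fixed version, exactly as the advisories above list them
    ("wheezy", "rubygems"): "1.8.24-1+deb7u2",
    ("jessie", "python-django"): "1.7.11-1+deb8u3",
    ("stretch", "python-django"): "1:1.10.7-2+deb9u1",
    ("stretch", "remctl"): "3.13-1+deb9u1",
    ("stretch", "libevt"): "20170120-1+deb9u1",
    ("stretch", "irssi"): "1.0.7-1~deb9u1",
}

def unpatched(suite, dpkg_lines):
    r"""From lines of `dpkg-query -W -f='${Package} ${Version}\n'`, list (pkg, installed, fixed) still below the fix."""
    return [(p, v, FIXED[suite, p]) for p, v in map(str.split, dpkg_lines)
            if (suite, p) in FIXED and compare_versions(v, FIXED[suite, p]) < 0]

SAMPLE = [  # constructed dpkg-query output for a stretch host, not real data
    "python-django 1:1.10.7-2+deb9u1",  # at the fixed version; the epoch must be honoured
    "irssi 1.0.7-1",                    # newer than 1.0.7-1~deb9u1: '~' sorts below end of run
    "libevt 20170120-1",                # older than 20170120-1+deb9u1: needs the update
]
```

On a real host, feed `unpatched()` the output of `dpkg-query -W -f='${Package} ${Version}\n' <packages>` for the suite in question.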