Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1336-1: rubygems security update

Debian GNU/Linux 8 and 9:
DSA 4161-1: python-django security update

Debian GNU/Linux 9:
DSA 4159-1: remctl security update
DSA 4160-1: libevt security update
DSA 4162-1: irssi security update



DLA 1336-1: rubygems security update

Package : rubygems
Version : 1.8.24-1+deb7u2
CVE ID : CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078

Multiple vulnerabilities were found in rubygems, a package management framework
for Ruby.

CVE-2018-1000075

A negative size vulnerability in ruby gem package tar header that could
cause an infinite loop.

CVE-2018-1000076

Ruby gems package improperly verifies cryptographic signatures. A mis-signed
gem could be installed if the tarball contains multiple gem signatures.

CVE-2018-1000077

An improper input validation vulnerability in ruby gems specification
homepage attribute could allow malicious gem to set an invalid homepage
URL.

CVE-2018-1000078

Cross Site Scripting (XSS) vulnerability in gem server display of homepage
attribute

For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u2.

We recommend that you upgrade your rubygems packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4159-1: remctl security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4159-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : remctl
CVE ID : CVE-2018-0493

Santosh Ananthakrishnan discovered a use-after-free in remctl, a server
for Kerberos-authenticated command execution. If the command is
configured with the sudo option, this could potentially result in the
execution of arbitrary code.

The oldstable distribution (jessie) is not affected.

For the stable distribution (stretch), this problem has been fixed in
version 3.13-1+deb9u1.

We recommend that you upgrade your remctl packages.

For the detailed security status of remctl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/remctl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4160-1: libevt security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4160-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libevt
CVE ID : CVE-2018-8754

It was discovered that insufficient input sanitising in libevt, a library
to access the Windows Event Log (EVT) format, could result in denial of
service or the execution of arbitrary code if a malformed EVT file is
processed.

For the stable distribution (stretch), this problem has been fixed in
version 20170120-1+deb9u1.

We recommend that you upgrade your libevt packages.

For the detailed security status of libevt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libevt

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4161-1: python-django security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4161-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
April 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : python-django
CVE ID : CVE-2018-7536 CVE-2018-7537

James Davis discovered two issues in Django, a high-level Python web
development framework, that can lead to a denial-of-service attack.
An attacker with control on the input of the django.utils.html.urlize()
function or django.utils.text.Truncator's chars() and words() methods
could craft a string that might stuck the execution of the application.

For the oldstable distribution (jessie), these problems have been fixed
in version 1.7.11-1+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 1:1.10.7-2+deb9u1.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4162-1: irssi security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4162-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 01, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : irssi
CVE ID : CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208
CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053
CVE-2018-7054

Multiple vulnerabilities have been discovered in Irssi, a terminal-based
IRC client which can result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.7-1~deb9u1.

We recommend that you upgrade your irssi packages.

For the detailed security status of irssi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/irssi

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/