Debian 10260 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1975-1: spip security update

Debian GNU/Linux 9:
DSA 4552-1: php7.0 security update

Debian GNU/Linux 10:
DSA 4553-1: php7.3 security update

Debian GNU/Linux 9 and 10:
DSA 4554-1: ruby-loofah security update



DLA 1975-1: spip security update

Package : spip
Version : 3.0.17-2+deb8u5
CVE ID : CVE-2019-16391 CVE-2019-16392 CVE-2019-16393
CVE-2019-16394


It was discovered that SPIP, a website engine for publishing, would allow
unauthenticated users to modify published content and write to the
database, perform cross-site request forgeries, and enumerate registered
users.


For Debian 8 "Jessie", these problems have been fixed in version
3.0.17-2+deb8u5.

We recommend that you upgrade your spip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4552-1: php7.0 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4552-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php7.0
CVE ID : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation
in the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the oldstable distribution (stretch), this problem has been fixed
in version 7.0.33-0+deb9u6.

We recommend that you upgrade your php7.0 packages.

For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4553-1: php7.3 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4553-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php7.3
CVE ID : CVE-2019-11043

Emil Lerner and Andrew Danau discovered that insufficient validation
in the path handling code of PHP FPM could result in the execution of
arbitrary code in some setups.

For the stable distribution (buster), this problem has been fixed in
version 7.3.11-1~deb10u1.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4554-1: ruby-loofah security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4554-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ruby-loofah
CVE ID : CVE-2019-15587
Debian Bug : 942894

It was discovered that ruby-loofah, a general library for manipulating
and transforming HTML/XML documents and fragments, was susceptible to
cross-site scripting.

For the oldstable distribution (stretch), this problem has been fixed
in version 2.0.3-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 2.2.3-1+deb10u1.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/