The following updates have been released for Debian GNU/Linux:
Debian GNU/Linux 7 LTS:
DLA 1111-1: weechat security update
DLA 1112-1: rubygems security update
DLA 1113-1: ruby1.8 security update
DLA 1114-1: ruby1.9.1 security update
Debian GNU/Linux 8 and 9:
DSA 3984-1: git security update
DLA 1111-1: weechat security update
Package : weechat
Version : 0.3.8-1+deb7u3
CVE ID : CVE-2017-14727
Debian Bug : 876553
It was discovered that WeeChat's logger plugin is vulnerable to an
invalid buffer read which can be exploited remotely to trigger an
application crash or other undefined behaviour.
For Debian 7 "Wheezy", these problems have been fixed in version
0.3.8-1+deb7u3.
We recommend that you upgrade your weechat packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1112-1: rubygems security update
Package : rubygems
Version : 1.8.24-1+deb7u1
CVE ID : CVE-2017-0900 CVE-2017-0901
Debian Bug : 873802
Some vulnerabilities were found in the Rubygems package that affect
the LTS distribution.
CVE-2017-0900
DoS vulnerability in the query command
CVE-2017-0901
gem installer allows a malicious gem to overwrite arbitrary files
For Debian 7 "Wheezy", these problems have been fixed in version
1.8.24-1+deb7u1.
We recommend that you upgrade your rubygems packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1113-1: ruby1.8 security update
Package : ruby1.8
Version : 1.8.7.358-7.1+deb7u4
CVE ID : CVE-2017-0898 CVE-2017-10784
Debian Bug : 875931 875936
Some vulnerabilities were found in the Ruby 1.8 package that affect
the LTS distribution.
CVE-2017-0898
Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784
Escape sequence injection vulnerability in the Basic
authentication of WEBrick
For Debian 7 "Wheezy", these problems have been fixed in version
1.8.7.358-7.1+deb7u4.
We recommend that you upgrade your ruby1.8 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1114-1: ruby1.9.1 security update
Package : ruby1.9.1
Version : 1.9.3.194-8.1+deb7u6
CVE ID : CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901
CVE-2017-10784 CVE-2017-14033 CVE-2017-14064
Debian Bug : 873802 873906 875928 875931 875936
Multiple vulnerabilities were discovered in the Ruby 1.9 interpreter.
CVE-2017-0898
Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-0899
ANSI escape sequence vulnerability
CVE-2017-0900
DoS vulnerability in the query command
CVE-2017-0901
gem installer allows a malicious gem to overwrite arbitrary files
CVE-2017-10784
Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033
Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064
Heap exposure vulnerability in generating JSON
For Debian 7 "Wheezy", these problems have been fixed in version
1.9.3.194-8.1+deb7u6.
We recommend that you upgrade your ruby1.9.1 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DSA 3984-1: git security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3984-1 security@debian.org
https://www.debian.org/security/ Florian Weimer
September 26, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : git
Debian Bug : 876854
joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator. The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).
In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default. Refer to the updated
documentation for instructions on how to re-enable it in case this CVS
functionality is still needed.
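The bug class named above (an untrusted string interpolated into a backtick command, which the interpreter hands to /bin/sh) is shown here in Ruby, whose backtick operator behaves like Perl's; this is an added illustration, not git-cvsserver's code, and the repository path and commands are constructed for the demo.

```ruby
require "open3"

# Constructed sample input: a "repository path" as a client might send it,
# carrying a shell metacharacter sequence (a harmless echo, for illustration).
UNTRUSTED_PATH = "repo.git; echo INJECTED"

# Vulnerable pattern: the untrusted string is interpolated into a backtick
# command string, so Ruby (like Perl) runs it through /bin/sh and the ';'
# terminates the intended command and starts a second one.
def list_vulnerable(path)
  `ls -d 2>/dev/null #{path}`
end

# Hardened pattern: program and arguments are passed as separate elements.
# No shell is involved, so the whole string reaches ls as one literal
# (non-existent) file name and nothing else is executed.
def list_hardened(path)
  out, _err, _status = Open3.capture3("ls", "-d", path)
  out
end

# Defence in depth: accept only plain path characters and reject traversal
# before the value reaches any command at all.
SAFE_PATH = /\A[A-Za-z0-9._\/-]+\z/
def safe_path?(path)
  !!(path =~ SAFE_PATH) && !path.include?("..")
end

if __FILE__ == $0
  puts list_vulnerable(UNTRUSTED_PATH)          # the injected echo runs
  puts list_hardened(UNTRUSTED_PATH).inspect    # "", ls saw a literal name
  puts safe_path?(UNTRUSTED_PATH)               # false
end
```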
For the oldstable distribution (jessie), this problem has been fixed
in version 1:2.1.4-2.1+deb8u5.
For the stable distribution (stretch), this problem has been fixed in
version 1:2.11.0-3+deb9u2.
For the unstable distribution (sid), this problem has been fixed in
version 1:2.14.2-1.
We recommend that you upgrade your git packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/