[SECURITY] [DLA 1797-1] drupal7 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : drupal7
Version        : 7.32-1+deb8u17
CVE ID         : CVE-2019-11358 CVE-2019-11831
Debian Bug     : 927330 928688

Several security vulnerabilities have been discovered in drupal7, a PHP
web site platform. The vulnerabilities affect the embedded versions of
the jQuery JavaScript library and the Typo3 Phar Stream Wrapper library.

CVE-2019-11358

    It was discovered that the jQuery version embedded in Drupal was
    prone to a cross site scripting vulnerability in jQuery.extend().

    For additional information, please refer to the upstream advisory at
    https://www.drupal.org/sa-core-2019-006.

CVE-2019-11831

    It was discovered that incomplete validation in a Phar processing
    library embedded in Drupal, a fully-featured content management
    framework, could result in information disclosure.

    For additional information, please refer to the upstream advisory at
    https://www.drupal.org/sa-core-2019-007.

For Debian 8 "Jessie", these problems have been fixed in version
7.32-1+deb8u17.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Jonas Meurer
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlzit/4ACgkQUmLn/0kQ
Sf7Vnw/+MlRUrgDnbKvlAERr6TDph9kcSwl9rbi4kElY3vj0xQZGnaX2HZGYyHHT
uUr9xp3JY6UyLrWQLiBmPdtRKTF2dHkTpEna9lrn8JXXMpZsKohkpEmotBfiG4E5
FdkAZtVwcn+4FrnLSvkJrxn9U8huokwEYypSk7lj2OUtXJu1qpYO5pGcRpCGH3Bn
3U3IaAwf+zZvB118GzgBJThbkOMvhIHWLE55E6aUx7navEw87blyvnv/t+f8yEzB
wiGVL3sIyxpZau2k3pvMm36ytplP5rD/1UpvyB7Vvqv1uu/1E/+8GdpuishUqSVO
T2xiwjIAzAqP1SiJzXWx103poNlhHPFAj8Z/xFqybs/HfMgIEFK60oulZYDRBXo8
+gQ+dH10oM14Qrfgyiwa+TydkSsGqAg5rDN5m1Uj5ncNcRQeQ+vCDoiJefTid/55
KPTkswqgUoZReIDTZ0q0f902gjgpp8uOsuJZUwvrjM8neI6pMm3scJqrns8K5K2B
TyNTvtWc/muhhYeB3si9vXM8Ou6uvb2MG+8UT2WqEd4L1VCo7ty46CQSx+h0XHJt
BeVbhQEJKYAUCR0W0Wrbux9gV3Z5R054YuIGklUreirmw4vqsDZ+Xf+EexRetWNH
DdQIuUVSv2UQ7juqTdgsGbEz7JgnUw5wp+eSjuQ1gHvJ7q387GQ=
=LBM6
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1796-1] jruby security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jruby
Version        : 1.5.6-9+deb8u1
CVE ID         : CVE-2018-174 CVE-2018-175 CVE-2018-176 CVE-2018-177
                 CVE-2018-178 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323
                 CVE-2019-8324 CVE-2019-8325
Debian Bug     : 895778 925987

Multiple vulnerabilities have been discovered in jruby, a Java
implementation of the Ruby programming language.

CVE-2018-174

    Deserialization of Untrusted Data vulnerability in the owner command
    that can result in code execution. This attack appears to be
    exploitable if the victim runs the `gem owner` command on a gem
    with a specially crafted YAML file.

CVE-2018-175

    Infinite loop vulnerability in Ruby gem package tar header handling:
    a negative size value in the tar header could cause an infinite
    loop.

CVE-2018-176

    Improper Verification of Cryptographic Signature vulnerability in
    package.rb that can result in a mis-signed gem being installed, as
    the tarball would contain multiple gem signatures.

CVE-2018-177

    Improper Input Validation vulnerability in the Ruby gems
    specification homepage attribute: a malicious gem could set an
    invalid homepage URL.

CVE-2018-178

    Cross Site Scripting (XSS) vulnerability in the gem server display
    of the homepage attribute. This attack appears to be exploitable if
    the victim browses to a malicious gem on a vulnerable gem server.

CVE-2019-8321

    Gem::UserInteraction#verbose calls say without escaping, so escape
    sequence injection is possible.

CVE-2019-8322

    The gem owner command outputs the contents of the API response
    directly to stdout. Therefore, if the response is crafted, escape
    sequence injection may occur.

CVE-2019-8323

    Gem::GemcutterUtilities#with_response may output the API response
    to stdout as is. Therefore, if the API side modifies the response,
    escape sequence injection may occur.

CVE-2019-8324

    A crafted gem with a multi-line name is not handled correctly.
    Therefore, an attacker could inject arbitrary code into the stub
    line of the gemspec.

CVE-2019-8325

    Gem::CommandManager#run calls alert_error without escaping, so
    escape sequence injection is possible. (There are many ways to
    cause an error.)

For Debian 8 "Jessie", these problems have been fixed in version
1.5.6-9+deb8u1.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlziikEACgkQhj1N8u2c
KO8hvw/+KPOQ1N0UqHx7z8JMzaxNpUShpK2x5F/A2VCJIYdcyp8TPT2lg5hnn6gr
83JZx/ipfC8pnw+Hac/BrR9fDp2yhqYBn0K5KAtf23gBXsRX2miXMTMP9Ijqd/M0
SjJE9zt1itE2JuUWkmnqWgnpiQEzH1Eat+1etIzolfRF9PMpj6Sw9y68qE+FGBMN
cRB0+3KF2OuDGP6YDiARLyo0rOiAEepzD/mukO2Qgzand/xBDlam3IrVPtCUJArS
ADTG694QWEVaZ+TmjZuC7YBnDvNeG2Pbk9R8m+DQPuFeIAhSxD/PmfhQENxQsSIe
FE9tqy714X9jtZR5XmKaUtFa+l7Th85EHWVtBXhNmJYy5S9TQGk+VJWwK8I48Wyx
nhgZ/UiFLFflRvDax0kLyox1zsol8qdUvCOhyDQTTmkH/LvtnkGtOMoBw4Uj/4fn
KSUE46lXQEzyDhv8FO3f0B9C5l1PPP9DGrByAgxoBB8D26PO3wQSlJcjrk6nD+vZ
lvTfW5KLZiFE/GlSKJxyo+wVK9tkqktufN+XeuJLM2Rop5lF4t8My9JXIbGs7wNX
UzhFv5FJ3MGiFMO+3apEgn0D6djocanE16FCNtcezaIwlvuA1waId0JzKpjRrAdg
lYNQK+nyQOOaRhW7boG3WNqo/XRrtU2tFXd0UHygHf2oDrk4vlA=
=+mOK
-----END PGP SIGNATURE-----
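The jruby entries above share one root cause: data that arrives inside a gem or from a gem server (tar header fields, the gem name, API response bodies) is trusted as-is. The following is an added example, not code from RubyGems, JRuby or Debian, showing the three input checks a hardened client would apply: a strict reader for the tar size field that rejects negative and oversized values (CVE-2018-175), a gem-name validator anchored with `\A`/`\z` so a multi-line name cannot smuggle a second line into the gemspec stub (CVE-2019-8324), and a sanitizer that strips terminal escape sequences from untrusted text before it is written to stdout (CVE-2019-8321 to 8325). All function names and the sample inputs are our own constructions.

```ruby
# Added example; helper names and sample data are constructed here, not taken
# from RubyGems. Run with: ruby hardening_checks.rb

# ---- 1. Tar header size field ----------------------------------------------
# ustar keeps the entry size at offset 124, 12 bytes, as NUL/space-terminated
# octal ASCII. GNU tar may instead use base-256 with a flag byte: 0x80 for a
# positive value, 0xff for a negative two's-complement value. A reader that
# trusts a negative or absurd size can loop forever or read past the entry.
TAR_SIZE_OFFSET = 124
TAR_SIZE_LEN    = 12

def tar_size_field(header, max_size:)
  raise ArgumentError, "short tar header" if header.bytesize < 512
  field = header.byteslice(TAR_SIZE_OFFSET, TAR_SIZE_LEN)
  first = field.getbyte(0)
  size =
    if first & 0x80 != 0
      # base-256 encoding; a 0xff flag byte means negative: reject outright
      raise ArgumentError, "negative tar entry size" if first == 0xff
      field.bytes.each_with_index.reduce(0) do |acc, (b, i)|
        b &= 0x7f if i.zero?            # drop the flag bit
        (acc << 8) | b
      end
    else
      text = field.unpack1("Z*").strip  # stop at the first NUL, trim spaces
      # Strict octal: rejects "-1234", decimal digits and empty fields
      raise ArgumentError, "malformed size field #{text.inspect}" unless text.match?(/\A[0-7]+\z/)
      text.to_i(8)
    end
  raise ArgumentError, "tar entry size #{size} exceeds #{max_size}" if size > max_size
  size
end

# Builds a minimal 512-byte header with only the size field populated
# (constructed test data, not a real archive).
def build_tar_header(size_field)
  raise ArgumentError, "size field must be 12 bytes" unless size_field.bytesize == TAR_SIZE_LEN
  header = ("\0" * 512).b
  header[0, 9] = "file.txt\0".b
  header[TAR_SIZE_OFFSET, TAR_SIZE_LEN] = size_field.b
  header
end

OCTAL_HEADER    = build_tar_header("00000001234\0")                      # 0o1234 = 668
BASE256_HEADER  = build_tar_header([0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0].pack("C*")) # 256
NEGATIVE_HEADER = build_tar_header(([0xff] * 12).pack("C*"))              # base-256 -1

# ---- 2. Gem name -----------------------------------------------------------
# \A and \z anchor to the whole string. With ^ and $, "rack\nrequire 'x'"
# would still match because $ matches just before a newline.
VALID_GEM_NAME = /\A[a-zA-Z0-9._-]+\z/

def valid_gem_name?(name)
  name.is_a?(String) && name.match?(VALID_GEM_NAME)
end

# ---- 3. Terminal output ----------------------------------------------------
# Remove anything a terminal would interpret as a command: CSI sequences
# (ESC [ ... final byte), OSC sequences (ESC ] ... BEL or ESC \), other
# two-byte ESC sequences, and remaining C0 controls except newline and tab.
CSI_RE = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
OSC_RE = /\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/
ESC_RE = /\x1b[\x20-\x7e]/
C0_RE  = /[\x00-\x08\x0b-\x1f\x7f]/

def sanitize_for_terminal(text)
  s = text.dup.force_encoding(Encoding::UTF_8).scrub("?")  # no invalid UTF-8 reaches the terminal
  s.gsub(CSI_RE, "").gsub(OSC_RE, "").gsub(ESC_RE, "").gsub(C0_RE, "")
end

# Constructed sample of a server response that tries to clear the screen
# and set the window title before printing a benign-looking message.
API_RESPONSE = "Owner added successfully. \e[2J\e[H\e]0;title\aDone.\n"

if __FILE__ == $PROGRAM_NAME
  puts tar_size_field(OCTAL_HEADER, max_size: 1 << 20)
  puts valid_gem_name?("rack\nrequire 'x'")
  print sanitize_for_terminal(API_RESPONSE)
end
```

The sanitizer strips rather than escapes; where an audit trail of what the server sent is needed, log the raw bytes separately (with `String#inspect`, which renders them visibly) and show the user only the sanitized form.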
[SECURITY] [DLA 1795-1] graphicsmagick security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : graphicsmagick
Version        : 1.3.20-3+deb8u7
CVE ID         : CVE-2019-11473 CVE-2019-11474 CVE-2019-11505 CVE-2019-11506

Multiple vulnerabilities have been discovered in graphicsmagick, the
image processing toolkit:

CVE-2019-11473

    The WriteMATLABImage function (coders/mat.c) is affected by a
    heap-based buffer overflow. Remote attackers might leverage this
    vulnerability to cause denial of service or any other unspecified
    impact via crafted Matlab matrices.

CVE-2019-11474

    The WritePDBImage function (coders/pdb.c) is affected by a
    heap-based buffer overflow. Remote attackers might leverage this
    vulnerability to cause denial of service or any other unspecified
    impact via a crafted Palm Database file.

CVE-2019-11505
CVE-2019-11506

    The XWD module (coders/xwd.c) is affected by multiple heap-based
    buffer overflows and arithmetic exceptions. Remote attackers might
    leverage these various flaws to cause denial of service or any
    other unspecified impact via crafted XWD files.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.20-3+deb8u7.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlzieVcACgkQZYVUZx9w
0DTI4AgAsXVth5VMdXxTIOF4IQmDyF97wYwPIbTGbt98/z5TTfI47SSiCdINZhfd
9NEjV1dQsErtpCh5HEtQzbHyUtt0ONtNA6H3Pol00qiQ8xjhN71+NI4U+MbMyFVH
nP+Rw8dtAN8o7RT0TUMxzD+mtnab+mp2NM/EjZXoeS/jxpxySUCugVAlQqGpt2PS
OQH2h7ocOC4yL9dE4b0drCkA+hMm0SXFCFGHgPtUrBGBH52oJHyK6ne4YEcef2ux
P+cFtr42JdR5sNiRDuv0bw5JmKgygV7UOnWOLh2RbPhp8eIcCoOvgSV82QM2HgB/
EEiSI7CUXiYnXt5dD+eMQahoGuQ0AA==
=EBdo
-----END PGP SIGNATURE-----