[SECURITY] [DLA 2862-1] python-gnupg security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2862-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
December 29, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-gnupg
Version        : 0.3.9-1+deb9u1
CVE ID         : CVE-2018-12020 CVE-2019-6690

A couple of vulnerabilities were found in python-gnupg, a Python wrapper
for the GNU Privacy Guard.

CVE-2018-12020

    Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled
    certain command line parameters. A remote attacker could use this to
    spoof the output of GnuPG and cause unsigned e-mail to appear signed.

CVE-2019-6690

    It was discovered that python-gnupg incorrectly handled the GPG
    passphrase. A remote attacker could send a specially crafted passphrase
    that would allow them to control the output of encryption and
    decryption operations.

For Debian 9 stretch, these problems have been fixed in version
0.3.9-1+deb9u1.

We recommend that you upgrade your python-gnupg packages.

For the detailed security status of python-gnupg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-gnupg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2861-1] rdflib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2861-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Adrian Bunk
December 28, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : rdflib
Version        : 4.2.1-2+deb9u1
CVE ID         : CVE-2019-7653
Debian Bug     : 921751

The python-rdflib-tools package (tools for converting to and from RDF)
had wrappers that could load Python modules from the current working
directory, allowing code injection.

For Debian 9 stretch, this problem has been fixed in version
4.2.1-2+deb9u1.

We recommend that you upgrade your rdflib packages.

For the detailed security status of rdflib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rdflib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2860-1] paramiko security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2860-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
December 28, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : paramiko
Version        : 2.0.0-1+deb9u1
CVE ID         : CVE-2018-7750 CVE-2018-1000805
Debian Bug     : 892859 910760

A couple of vulnerabilities were found in paramiko, an implementation of
the SSHv2 protocol in Python.

CVE-2018-1000805

    Fix to prevent malicious clients from tricking the Paramiko server
    into thinking an unauthenticated client is authenticated.

CVE-2018-7750

    Fix check whether authentication is completed before processing
    other requests. A customized SSH client can simply skip the
    authentication step.

For Debian 9 stretch, these problems have been fixed in version
2.0.0-1+deb9u1.

We recommend that you upgrade your paramiko packages.

For the detailed security status of paramiko please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/paramiko

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2854-1] novnc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2854-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
December 27, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : novnc
Version        : 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1
CVE ID         : CVE-2017-18635

An XSS vulnerability was discovered in noVNC, an HTML5 VNC client, in
which the remote VNC server could inject arbitrary HTML into the noVNC
web page via the messages propagated to the status field, such as the
VNC server name.

For Debian 9 stretch, this problem has been fixed in version
1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.

We recommend that you upgrade your novnc packages.

For the detailed security status of novnc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/novnc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2853-1] ruby2.3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2853-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
December 27, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby2.3
Version        : 2.3.3-1+deb9u11
CVE ID         : CVE-2021-41817 CVE-2021-41819

A cookie prefix spoofing vulnerability in CGI::Cookie.parse and a
regular expression denial of service vulnerability (ReDoS) on date
parsing methods were discovered in src:ruby2.1, the Ruby interpreter.

For Debian 9 stretch, these problems have been fixed in version
2.3.3-1+deb9u11.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
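Each of the five advisories above ends with the same action item: compare what is installed against the fixed version it quotes. As an added example that is not code from these advisories or from Debian, the block below reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorting lowest; +deb9uN suffixes) in pure Python so that check can run on an exported inventory without dpkg; FIXED, SAMPLE and the function names are this example's own, and SAMPLE is constructed input.

```python
import re

FIXED = {  # fixed versions quoted in the five DLAs above (Debian 9 stretch)
    "python-gnupg": "0.3.9-1+deb9u1",
    "rdflib": "4.2.1-2+deb9u1",
    "paramiko": "2.0.0-1+deb9u1",
    "novnc": "1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1",
    "ruby2.3": "2.3.3-1+deb9u11",
}

def _order(c):
    """Weight of a non-digit character: '~' < end of string < letters < other symbols."""
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (by weight) and digit runs (by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])  # '' once a side is exhausted
            if diff:
                return diff
            i, j = i + 1, j + 1
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):  # numeric compare, so leading zeros do not matter
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v):
    """'[epoch:]upstream[-revision]' -> (int epoch, upstream, revision)."""
    epoch, colon, rest = v.partition(":")
    if not colon:
        epoch, rest = "0", v
    upstream, dash, revision = rest.rpartition("-")
    return int(epoch), (upstream if dash else rest), revision

def compare_versions(a, b):
    """<0, 0 or >0, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(installed):
    """installed: {package: version}; returns the packages still below their DLA fixed version."""
    return sorted(p for p, v in installed.items() if p in FIXED and compare_versions(v, FIXED[p]) < 0)

# Constructed sample inventory: two packages behind the fix, one patched, one not covered by these DLAs.
SAMPLE = {"python-gnupg": "0.3.9-1", "paramiko": "2.0.0-1+deb9u1", "ruby2.3": "2.3.3-1+deb9u10", "curl": "7.52.1-5"}
print("still vulnerable:", needs_update(SAMPLE))  # prints ['python-gnupg', 'ruby2.3']
```

On a real stretch host the inventory comes from `dpkg-query -W -f '${Package} ${Version}\n'`, and `dpkg --compare-versions` is the native check this mirrors.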