[SECURITY] [DLA 2380-1] ruby-gon security update
Debian LTS Advisory DLA-2380-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Chris Lamb
September 26, 2020                      https://wiki.debian.org/LTS

Package    : ruby-gon
Version    : 6.1.0-1+deb9u1
CVE ID     : CVE-2020-25739
Debian Bug : #970938

It was discovered that there was a cross-site scripting (XSS) vulnerability in ruby-gon, a Ruby library to send/convert data to JavaScript from a Ruby application.

For Debian 9 "Stretch", this problem has been fixed in version 6.1.0-1+deb9u1.

We recommend that you upgrade your ruby-gon packages.

For the detailed security status of ruby-gon please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-gon

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2382-1] curl security update
Debian LTS Advisory DLA-2382-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Thorsten Alteholz
September 26, 2020                      https://wiki.debian.org/LTS

Package    : curl
Version    : 7.52.1-5+deb9u12
CVE ID     : CVE-2020-8231

An issue has been found in curl, a command line tool for transferring data with URL syntax. In rare circumstances, when using the multi API of curl in combination with CURLOPT_CONNECT_ONLY, the wrong connection might be used when transferring data later.

For Debian 9 stretch, this problem has been fixed in version 7.52.1-5+deb9u12.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2381-1] lua5.3 security update
Debian LTS Advisory DLA-2381-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Roberto C. Sánchez
September 26, 2020                      https://wiki.debian.org/LTS

Package    : lua5.3
Version    : 5.3.3-1+deb9u1
CVE ID     : CVE-2020-24370

A vulnerability was discovered in lua5.3, a simple, extensible, embeddable programming language, whereby a negation overflow and segmentation fault could be triggered in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

For Debian 9 stretch, this problem has been fixed in version 5.3.3-1+deb9u1.

We recommend that you upgrade your lua5.3 packages.

For the detailed security status of lua5.3 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/lua5.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2384-1] yaws security update
Debian LTS Advisory DLA-2384-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Thorsten Alteholz
September 26, 2020                      https://wiki.debian.org/LTS

Package    : yaws
Version    : 2.0.4+dfsg-1+deb9u1
CVE ID     : CVE-2020-24379 CVE-2020-24916

Two issues have been found in yaws, a high performance HTTP 1.1 webserver written in Erlang.

CVE-2020-24379

    Reject external resource requests in DAV in order to avoid XML External Entity (XXE) attacks.

CVE-2020-24916

    Sanitize CGI executable in order to avoid command injection via CGI requests.

For Debian 9 stretch, these problems have been fixed in version 2.0.4+dfsg-1+deb9u1.

We recommend that you upgrade your yaws packages.

For the detailed security status of yaws please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/yaws

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2383-1] nfdump security update
Debian LTS Advisory DLA-2383-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Thorsten Alteholz
September 26, 2020                      https://wiki.debian.org/LTS

Package    : nfdump
Version    : 1.6.15-3+deb9u1
CVE ID     : CVE-2019-14459 CVE-2019-1010057

Two issues have been found in nfdump, a netflow capture daemon. Both issues are related to either a buffer overflow or an integer overflow, which could result in a denial of service or a local code execution.

For Debian 9 stretch, these problems have been fixed in version 1.6.15-3+deb9u1.

We recommend that you upgrade your nfdump packages.

For the detailed security status of nfdump please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/nfdump

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS