[SECURITY] [DSA 4676-1] salt security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4676-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 06, 2020 https://www.debian.org/security/faq - - Package: salt CVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652 Debian Bug : 949222 959684 Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts. For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u3. For the stable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u1. We recommend that you upgrade your salt packages. For the detailed security status of salt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/salt Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6yOchfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T6gA//Vq+UdvaEoeTsqMoVzAoeqyw57q2pygxeDGS62n2fWFs5Y9I13qyW/45g 9dWJJunNWskkYBATLdfIO7tSx9B/9kQucRcL81zJ3WLiu5cKiQjLEGjrx6gq7gwU 9WQuoq/M6W9scuGYGemzM1tMGnA0lrDwYm1hb2CXb8BXhtEz0Xapkozi7ZOpuL+J eQwU3jn50Hvh9lF3fHLJstaSzy8aS0arYfFYvq+hevjP8MmVyyqve1WZLrLLp1Th lgwxqsDjqzWXKgyf4+gG0f1hi76qSbHFtHNOzBNW0kwNKKJdp8VXBD9n5z04PGKF 5kT2eQl4FeYR8Mae9zOZf9gDVtATFVP8bAYH6LU9TXmEA5DbA8QoYDWYfmF6YRW2 tJqIWh61n61ZRcvokuEdDXYdx1qBA/tBCdhwi+XYJxT2mdkXdATNCqekKlWtuLZO KbneoiHav4U2QiLkaMv0YfVzDucHMMfvzCrOGUFwEJgUGDCLP6UWZ5utagw017X8 Br4WmeRX59kDOJHX/q985Z51Byf+fmEwT88paFaCHAVKTvAaCS7d9Uw3AsScBw0W lv8BQ8X1865QFYZQnPcipUD5iRc9PK6ZUScYlHzhjSUNzwOQ30HMVsmNdBvgGxsH HEmtB6jyCNW2KofY8jm9Aw4ZbOGO5XaYTkUq0Kz4A5a91BbrQqY= =go+8 -END PGP SIGNATURE-
[SECURITY] [DSA 4675-1] graphicsmagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4675-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 05, 2020 https://www.debian.org/security/faq - - Package: graphicsmagick CVE ID : CVE-2019-12921 CVE-2020-10938 Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed. For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.4+really1.3.35-1~deb10u1. We recommend that you upgrade your graphicsmagick packages. For the detailed security status of graphicsmagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/graphicsmagick Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6x0CVfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RvQg//R5OBPZhCbOTsA/1o3jRXNYlkTeAoJ7rfh4VyGBqdLEqVPhrTWlylLg9p Lxpi+fmzbfEIcfC9joA/f8RCJIPC6ybTt719tjvufV4tw0xGWvdgMBqWAcKYSEKX nJeeA5RlB5shcn/K8zS1C794+m9HxeUPRS8ATgu+siRPnLQRABQ2g2zswaRYoPAG bKihL2Td36PBqCR1YcKYkXHmCP0hzuNItNuy7ajiGeqx4KqNylankyBykFIAiRuf 6CJqkSmz9iw+EJnjBZU8au05bh3GUvrwDWQMx5BjokklxV+45fc0abHuZyqxlxr4 0m+Xi/SRHtpf8LorOuYekeLjbfU2TaSV0YIF8t69Q+OhgngW+mbxd3G+nqJARlF8 +W+HbFuv0T8oES5oqpd65HcslMt+WevauTHqqg/3q//SjdSztJz9uhQeMJj/57LX S5K+I0Q5ax7i9wLrYfv1sTTVIC4c4Z7EEUl7lXhDwB+0O9ZB2GMtBHCE+wrv22i4 Dk0ydpEBrE49uugfwH6Kjn6zY1384AAAKSm39xaeXH9oHwjs54cqnyDvSu80fVfA c7Y+Y1FC7AsHgiKKSFxwjiFQuh/T5OHJ5ixRY5HWQL/pSw2dPAThu7ALIHo+Qbpd UzB7RaUm5VOhFSmvYkaA2q0gZcLarkeHkdWWD2P9GV2LoEaOqF4= =Uw37 -END PGP SIGNATURE-
[SECURITY] [DSA 4674-1] roundcube security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4674-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond May 05, 2020 https://www.debian.org/security/faq - - Package: roundcube CVE ID : CVE-2020-12625 CVE-2020-12626 Debian Bug : 959140 959142 It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery (CSRF) forcing an authenticated user to be logged out, or a Cross-Side Scripting (XSS) leading to execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.3.11+dfsg.1-1~deb10u1. We recommend that you upgrade your roundcube packages. For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAl6xabwACgkQEL6Jg/PV nWTu0AgAzQr+2TTSuGf66vYe+mLC/iZnpoVI8LwZHgoR0L48TQpcQJ95g+SkeEfy tqoGy4o5aMMY5tnN2StKq4E/CH2RNjUie9lajTkrZIOQpxX3yOZd+VvkPSZxDEJw 8Tr5a22iQwo2WmAkYAMrfVeAXTw3XOufNRQm0PuTFGkx66vpwLgsE28rlbv4DRaX mHUxpPhj/PpNBpGc/Zhpj61qTgTUNaMUUIf8z5Qg1f4Kx6aLfmmRyaF8BBtPpIaQ gBuOr6P77ZlAOurdB6keV0HiBdVZLEgbUk28Ll/g/h1dtCOmIlHxeqlaNwQ5oonO 3+6hq2VdoicnWweisEBFGwwRJWtCwA== =exy5 -END PGP SIGNATURE-