[SECURITY] [DLA 1737-1] pdns security update

2019-03-29 Thread Sylvain Beucler
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: pdns
Version: 3.4.1-4+deb8u9
CVE ID : CVE-2019-3871
Debian Bug : 924966

A vulnerability was found in PowerDNS Authoritative Server before
4.0.7 and before 4.1.7. Data coming from the user was insufficiently
validated when building an HTTP request from a DNS query in the HTTP
Connector of the Remote backend, allowing a remote user to cause a
denial of service by making the server connect to an invalid endpoint,
or possibly information disclosure by making the server connect to an
internal endpoint and somehow extracting meaningful information about
the response.

Only installations using the pdns-backend-remote package are affected.
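The defensive shape of the fix the advisory describes is to validate query-derived data and encode it before it becomes part of an HTTP request, so that a DNS name can never change the path or endpoint the server connects to. The following is an added illustration written for this page, not PowerDNS code: the "/dns/lookup/<qname>/<qtype>" URL layout and the backend base URL are assumptions made for the example.

```ruby
require 'erb'
require 'uri'

# One DNS label: letters, digits, hyphen and underscore (underscore labels such
# as "_dmarc" are legitimate query names), or a bare "*" wildcard label.
# Nothing else ("/", "?", "#", ":", spaces, control bytes) may enter the path.
LABEL = /\A(?:\*|[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?)\z/

class InvalidQuery < ArgumentError; end

# A query name is acceptable only if every label matches LABEL; a single
# trailing dot (fully-qualified form) and the root name "." are allowed.
def valid_qname?(qname)
  return false unless qname.is_a?(String) && !qname.empty? && qname.bytesize <= 254
  name = qname.end_with?('.') ? qname[0...-1] : qname
  return true if name.empty?
  name.split('.', -1).all? { |label| label.match?(LABEL) }
end

# Record types are plain mnemonics ("A", "TXT") or the generic "TYPE65534" form.
def valid_qtype?(qtype)
  qtype.is_a?(String) && qtype.match?(/\A[A-Z0-9]{1,10}\z/)
end

# Naive builder, the shape of the weakness in the advisory: raw interpolation,
# so whatever the query contains lands verbatim in the URL.
def naive_request_uri(base, qname, qtype)
  URI.parse("#{base}/dns/lookup/#{qname}/#{qtype}")
end

# Hardened builder: reject anything that is not DNS-name syntax, then
# percent-encode each path segment before attaching it to the configured base.
def safe_request_uri(base, qname, qtype)
  raise InvalidQuery, "bad qname #{qname.inspect}" unless valid_qname?(qname)
  raise InvalidQuery, "bad qtype #{qtype.inspect}" unless valid_qtype?(qtype)
  base_uri = URI.parse(base)
  segments = ['dns', 'lookup', ERB::Util.url_encode(qname), ERB::Util.url_encode(qtype)]
  uri = base_uri.dup
  uri.path = "#{base_uri.path.chomp('/')}/#{segments.join('/')}"
  uri
end

# Helper for checks: true when the hardened builder refuses the query.
def rejected?(base, qname, qtype)
  safe_request_uri(base, qname, qtype)
  false
rescue InvalidQuery
  true
end

if __FILE__ == $PROGRAM_NAME
  base = 'http://backend.example:8080'   # constructed sample backend address
  puts safe_request_uri(base, 'www.example.com.', 'A')
  puts naive_request_uri(base, 'a/b', 'A').path   # shows the path being reshaped
  puts rejected?(base, 'a/b', 'A')
end
```

The allow-list check does the real work; the percent-encoding is a second layer so that even a label character the regex tolerates (the wildcard "*") cannot be interpreted by the HTTP side.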

For Debian 8 "Jessie", this problem has been fixed in version
3.4.1-4+deb8u9.

We recommend that you upgrade your pdns packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlyeKOoACgkQj/HLbo2J
BZ/wWwgAiWPZFOh+OXBitp36ySi4OnkDolH9vz1iOPqk6zF8LU8M4PHrbmD2ORjr
pT/PrLHlTkEdPAZeD4vdDEO71CSwIDCCm5j6JAYrBhxTt5waFwFm0VBEUb9cl6Z2
lTXyTiYzXRbnDway8Nb7wS5JHOVbTDf5vQ8ZnP7c3dTvhP4khFoPpTG7W4V4t/Kq
T5X9yvnnmvM6n4nfzX8OdsTp3MPMw2uNECeYlksZKg/ER25bVTBLYWqPAodpiOmS
uQDgzSPqv5MkprxZy8sZXw4XrxGlgi/yMJzh5he9UbPBKijrJXV/jfBBkI4uucJZ
VgDmhGWd4iTdqR8tLFERHmAjItYWVQ==
=Hhny
-----END PGP SIGNATURE-----

[SECURITY] [DLA 1735-1] ruby2.1 security update

2019-03-29 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: ruby2.1
Version: 2.1.5-2+deb8u7
CVE ID : CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325

Several vulnerabilities have been discovered in rubygems embedded in
ruby2.1, the interpreted scripting language.

CVE-2019-8320

A Directory Traversal issue was discovered in RubyGems. Before
making new directories or touching files (which now include
path-checking code for symlinks), it would delete the target
destination.

CVE-2019-8322

The gem owner command outputs the contents of the API response
directly to stdout. Therefore, if the response is crafted, escape
sequence injection may occur.

CVE-2019-8323

Gem::GemcutterUtilities#with_response may output the API response to
stdout as it is. Therefore, if the API side modifies the response,
escape sequence injection may occur.

CVE-2019-8324

A crafted gem with a multi-line name is not handled correctly.
Therefore, an attacker could inject arbitrary code to the stub line
of gemspec, which is eval-ed by code in ensure_loadable_spec during
the preinstall check.
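The root cause in CVE-2019-8324 is metadata that is trusted to be a single token but is written into a generated line that is later evaluated. An added example, not RubyGems code, of the check a writer of such a line needs and of a reader that parses the line without evaluating it; the "# stub:" layout used here is an assumed, simplified format for the example, not a claim about RubyGems' exact stub line.

```ruby
# A gem name must be one printable token: no whitespace, no newlines.
NAME_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/
# Versions: dotted numeric segments, optionally with pre-release labels.
VERSION_PATTERN = /\A[0-9]+(?:\.[0-9A-Za-z]+)*\z/

def safe_gem_name?(name)
  name.is_a?(String) && name.match?(NAME_PATTERN)
end

def safe_version?(version)
  version.is_a?(String) && version.match?(VERSION_PATTERN)
end

# Naive writer, the shape of the weakness: the name is interpolated as-is, so a
# name containing a newline yields more than one line of "stub".
def naive_stub(name, version)
  "# stub: #{name} #{version} ruby lib\n"
end

# Hardened writer: refuses anything that is not a plain single-line token.
def safe_stub(name, version)
  raise ArgumentError, "unsafe gem name #{name.inspect}" unless safe_gem_name?(name)
  raise ArgumentError, "unsafe version #{version.inspect}" unless safe_version?(version)
  "# stub: #{name} #{version} ruby lib\n"
end

# Reader side, for defence in depth: accept only a line that is exactly four
# plain tokens, re-validate them, and return data rather than evaluating text.
def parse_stub(line)
  m = line.match(/\A# stub: (\S+) (\S+) (\S+) (\S+)\n?\z/)
  return nil unless m && safe_gem_name?(m[1]) && safe_version?(m[2])
  { name: m[1], version: m[2], platform: m[3], require_paths: m[4] }
end

# Helper for checks: true when the hardened writer refuses the input.
def stub_rejected?(name, version)
  safe_stub(name, version)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts naive_stub("two\nlines", "1.0").lines.size   # constructed bad name: 2
  puts safe_stub("my-gem", "1.2.3")
  p parse_stub("# stub: my-gem 1.2.3 ruby lib\n")
end
```

The writer-side check is what prevents the problem; the reader-side parser is worth having anyway, because a stub line may have been written by an older or different tool.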

CVE-2019-8325

An issue was discovered in RubyGems 2.6 and later through 3.0.2.
Since Gem::CommandManager#run calls alert_error without escaping,
escape sequence injection is possible. (There are many ways to cause
an error.)
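CVE-2019-8322, CVE-2019-8323 and CVE-2019-8325 share one mechanism: text from a remote API or error path is written to the user's terminal unchanged, so it can carry terminal control sequences. An added example written for this page, not RubyGems code, of a filter that neutralises such sequences before output; the sample strings in the checks are constructed.

```ruby
# CSI sequences: ESC "[" parameter bytes, intermediate bytes, one final byte
# (colours, cursor movement, screen clearing).
CSI = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/
# OSC sequences: ESC "]" ... terminated by BEL or by ESC "\" (window title and
# similar, which some terminals can be asked to report back).
OSC = /\e\][^\a\e]*(?:\a|\e\\)/
# Anything left: a lone ESC plus the byte after it, or any other C0 control
# byte and DEL, except newline and tab which are kept as ordinary layout.
OTHER = /\e.|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Returns a copy of text that is safe to write to a terminal: known escape
# sequences are dropped, remaining control bytes are shown as \xNN so the
# reader can see that something was there.
def sanitize_for_terminal(text)
  s = text.to_s.scrub('?')
  s = s.gsub(OSC, '').gsub(CSI, '')
  s.gsub(OTHER) { |c| c.bytes.map { |b| format('\\x%02X', b) }.join }
end

# The pattern the advisory text argues for: every string that originated
# remotely goes through the filter before it reaches stdout or stderr.
def report_api_response(body, io = $stdout)
  io.puts sanitize_for_terminal(body)
end

if __FILE__ == $PROGRAM_NAME
  report_api_response("\e[31mERROR\e[0m: not allowed\n")   # constructed response
end
```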

For Debian 8 "Jessie", these problems have been fixed in version
2.1.5-2+deb8u7.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlyd3OkACgkQhj1N8u2c
KO9pWg//Yvg20jnHfxPngvtSWiKe2l+MyZIQjvu//wxeWuJEQJ73XNDcdkZKYxUJ
1M+qupJuiLwB2joS9qf1FvgSWjIpApKZdfMNSBokOYOm3FEOmj4gOI0w/uBr+p2z
+uUyUWP7Jp+AZlN0HRqDFd3YQWn96goL45hPNtCAiSQPBjNfYIpYVNZDh2A67QdR
2gPkbhPhYjTBmKIzFoWeHwXImp0fQfKGC75A/KFROuibzQLa3Ukz8qJuUiBvga9I
zO9aKz7Azeinz1vA53uwdwvw2Oo8a/4SsDOspxbOx2xa2xCWhPEz3A2c2YEbnvV7
PYfWi+qZLBaRXszYxDMNamlHtOc/d5jTlUWNdkmJ3HiJCz7YRIVIDi30iRqUdvEx
4IbcIV2AoomKilk4LTubVLLsllE3ie4+QQDpMtTJU1qo3bJeUQSlbvMstcKpT8HC
G7kMQd1PS32ZwuitU2ZLDoIKPNVmLLSyM67QKr40sqkY5QsYIdR0d1sT2x+xon9g
B5WlL0ff4/9+pc70MwUdXAof2G+Zr03J/LPLkN0f1gwA2C5HjvmMrfyJu0lLizQj
jPLopub0sQBXR7DmxExmxjPD0tdeRLOByDytiwW0xJSel0qdDEbDi4qKJoF0RAYY
Wj3AeUnsFzvb69OepMo84M6KXLmNmjERJ/5AN8RgS2FVfvxRYQw=
=Y7hz
-----END PGP SIGNATURE-----