[SECURITY] [DSA 4224-1] gnupg security update
Debian Security Advisory DSA-4224-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
June 08, 2018
https://www.debian.org/security/faq

Package : gnupg
CVE ID  : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 4223-1] gnupg1 security update
Debian Security Advisory DSA-4223-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
June 08, 2018
https://www.debian.org/security/faq

Package    : gnupg1
CVE ID     : CVE-2018-12020
Debian Bug : 901088

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 4222-1] gnupg2 security update
Debian Security Advisory DSA-4222-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
June 08, 2018
https://www.debian.org/security/faq

Package : gnupg2
CVE ID  : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 4221-1] libvncserver security update
Debian Security Advisory DSA-4221-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 08, 2018
https://www.debian.org/security/faq

Package : libvncserver
CVE ID  : CVE-2018-7225

Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.

For the oldstable distribution (jessie), this problem has been fixed in version 0.9.9+dfsg2-6.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in version 0.9.11+dfsg-1+deb9u1.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 4220-1] firefox-esr security update
Debian Security Advisory DSA-4220-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 08, 2018
https://www.debian.org/security/faq

Package : firefox-esr
CVE ID  : CVE-2018-6126

Ivan Fratric discovered a buffer overflow in the Skia graphics library used by Firefox, which could result in the execution of arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed in version 52.8.1esr-1~deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 52.8.1esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 4219-1] jruby security update
Debian Security Advisory DSA-4219-1
secur...@debian.org
https://www.debian.org/security/
Sebastien Delafond
June 08, 2018
https://www.debian.org/security/faq

Package    : jruby
CVE ID     : CVE-2018-173 CVE-2018-174 CVE-2018-175 CVE-2018-176 CVE-2018-177 CVE-2018-178 CVE-2018-179
Debian Bug : 895778

Several vulnerabilities were discovered in jruby, a Java implementation of the Ruby programming language. They would allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 1.7.26-1+deb9u1.

We recommend that you upgrade your jruby packages.

In addition, this message serves as an announcement that security support for jruby in the Debian 8 oldstable release (jessie) is now discontinued.

Users of jruby in Debian 8 that want security updates are strongly encouraged to upgrade now to the current Debian 9 stable release (stretch).

For the detailed security status of jruby please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jruby

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org