[SECURITY] [DSA 4677-1] wordpress security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4677-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond May 06, 2020 https://www.debian.org/security/faq - - Package: wordpress CVE ID : CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030 Debian Bug : 924546 939543 942459 946905 959391 Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation. For the oldstable distribution (stretch), these problems have been fixed in version 4.7.5+dfsg-2+deb9u6. For the stable distribution (buster), these problems have been fixed in version 5.0.4+dfsg1-1+deb10u2. We recommend that you upgrade your wordpress packages. For the detailed security status of wordpress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wordpress Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAl6yWNIACgkQEL6Jg/PV nWQnpQgAtGmkFfRTwb2uDsBuHilQxyPcVXVzZZ8AZM3oWxblTP2NNHRTAm4cRLwB M7OnCtl2+0fcsPS/bVJioogwoaqQvFHUUl5cR8jCYUS+hSWwBzd6o70Q4ENXqHEz 5eaF9fhevs03YbZw4F07dN3b1rcc0NrVUqBR39zJVKZyD9syK3auNzLtuyM7vKI3 /03MojNXB5UvQeRGj571fKr6kS+eE0Bd2ojcBzGLvzjRgILAahc7dfyNoaBbvq73 j0/PKTBHtfEanpFsp02FkAX5ScY3D8ixymV/W0eEoq7xYdG36Tv7pJAAMAEJLouN axH8DQPpff2Y+6EQnOrfWBa8IHm99A== =itB2 -END PGP SIGNATURE-
[SECURITY] [DSA 4676-1] salt security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4676-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 06, 2020 https://www.debian.org/security/faq - - Package: salt CVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652 Debian Bug : 949222 959684 Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts. For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u3. For the stable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u1. We recommend that you upgrade your salt packages. For the detailed security status of salt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/salt Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6yOchfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T6gA//Vq+UdvaEoeTsqMoVzAoeqyw57q2pygxeDGS62n2fWFs5Y9I13qyW/45g 9dWJJunNWskkYBATLdfIO7tSx9B/9kQucRcL81zJ3WLiu5cKiQjLEGjrx6gq7gwU 9WQuoq/M6W9scuGYGemzM1tMGnA0lrDwYm1hb2CXb8BXhtEz0Xapkozi7ZOpuL+J eQwU3jn50Hvh9lF3fHLJstaSzy8aS0arYfFYvq+hevjP8MmVyyqve1WZLrLLp1Th lgwxqsDjqzWXKgyf4+gG0f1hi76qSbHFtHNOzBNW0kwNKKJdp8VXBD9n5z04PGKF 5kT2eQl4FeYR8Mae9zOZf9gDVtATFVP8bAYH6LU9TXmEA5DbA8QoYDWYfmF6YRW2 tJqIWh61n61ZRcvokuEdDXYdx1qBA/tBCdhwi+XYJxT2mdkXdATNCqekKlWtuLZO KbneoiHav4U2QiLkaMv0YfVzDucHMMfvzCrOGUFwEJgUGDCLP6UWZ5utagw017X8 Br4WmeRX59kDOJHX/q985Z51Byf+fmEwT88paFaCHAVKTvAaCS7d9Uw3AsScBw0W lv8BQ8X1865QFYZQnPcipUD5iRc9PK6ZUScYlHzhjSUNzwOQ30HMVsmNdBvgGxsH HEmtB6jyCNW2KofY8jm9Aw4ZbOGO5XaYTkUq0Kz4A5a91BbrQqY= =go+8 -END PGP SIGNATURE-
[SECURITY] [DSA 4675-1] graphicsmagick security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4675-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 05, 2020 https://www.debian.org/security/faq - - Package: graphicsmagick CVE ID : CVE-2019-12921 CVE-2020-10938 Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed. For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.4+really1.3.35-1~deb10u1. We recommend that you upgrade your graphicsmagick packages. For the detailed security status of graphicsmagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/graphicsmagick Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6x0CVfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RvQg//R5OBPZhCbOTsA/1o3jRXNYlkTeAoJ7rfh4VyGBqdLEqVPhrTWlylLg9p Lxpi+fmzbfEIcfC9joA/f8RCJIPC6ybTt719tjvufV4tw0xGWvdgMBqWAcKYSEKX nJeeA5RlB5shcn/K8zS1C794+m9HxeUPRS8ATgu+siRPnLQRABQ2g2zswaRYoPAG bKihL2Td36PBqCR1YcKYkXHmCP0hzuNItNuy7ajiGeqx4KqNylankyBykFIAiRuf 6CJqkSmz9iw+EJnjBZU8au05bh3GUvrwDWQMx5BjokklxV+45fc0abHuZyqxlxr4 0m+Xi/SRHtpf8LorOuYekeLjbfU2TaSV0YIF8t69Q+OhgngW+mbxd3G+nqJARlF8 +W+HbFuv0T8oES5oqpd65HcslMt+WevauTHqqg/3q//SjdSztJz9uhQeMJj/57LX S5K+I0Q5ax7i9wLrYfv1sTTVIC4c4Z7EEUl7lXhDwB+0O9ZB2GMtBHCE+wrv22i4 Dk0ydpEBrE49uugfwH6Kjn6zY1384AAAKSm39xaeXH9oHwjs54cqnyDvSu80fVfA c7Y+Y1FC7AsHgiKKSFxwjiFQuh/T5OHJ5ixRY5HWQL/pSw2dPAThu7ALIHo+Qbpd UzB7RaUm5VOhFSmvYkaA2q0gZcLarkeHkdWWD2P9GV2LoEaOqF4= =Uw37 -END PGP SIGNATURE-
[SECURITY] [DSA 4674-1] roundcube security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-4674-1 secur...@debian.org https://www.debian.org/security/ Sebastien Delafond May 05, 2020 https://www.debian.org/security/faq - - Package: roundcube CVE ID : CVE-2020-12625 CVE-2020-12626 Debian Bug : 959140 959142 It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery (CSRF) forcing an authenticated user to be logged out, or a Cross-Side Scripting (XSS) leading to execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.3.11+dfsg.1-1~deb10u1. We recommend that you upgrade your roundcube packages. For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAl6xabwACgkQEL6Jg/PV nWTu0AgAzQr+2TTSuGf66vYe+mLC/iZnpoVI8LwZHgoR0L48TQpcQJ95g+SkeEfy tqoGy4o5aMMY5tnN2StKq4E/CH2RNjUie9lajTkrZIOQpxX3yOZd+VvkPSZxDEJw 8Tr5a22iQwo2WmAkYAMrfVeAXTw3XOufNRQm0PuTFGkx66vpwLgsE28rlbv4DRaX mHUxpPhj/PpNBpGc/Zhpj61qTgTUNaMUUIf8z5Qg1f4Kx6aLfmmRyaF8BBtPpIaQ gBuOr6P77ZlAOurdB6keV0HiBdVZLEgbUk28Ll/g/h1dtCOmIlHxeqlaNwQ5oonO 3+6hq2VdoicnWweisEBFGwwRJWtCwA== =exy5 -END PGP SIGNATURE-