
Four security updates have been released for Debian GNU/Linux 7 Extended LTS:

ELA-4-1 openssl security update
Possible denial of service (DoS) by a malicious server that sends a very large prime value to the client during the TLS handshake.

ELA-5-1 gnupg security update
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

ELA-6-1 ghostscript security update
A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to disclosure of information about files for which read permissions are not available.

ELA-7-1 perl security update
Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.



ELA-4-1 openssl security update

Package: openssl
Version: 1.0.1t-1+deb7u5
Related CVE: CVE-2018-0732

Possible denial of service (DoS) by a malicious server that sends a very large prime value to the client during the TLS handshake.

For Debian 7 Wheezy, these problems have been fixed in version 1.0.1t-1+deb7u5.

We recommend that you upgrade your openssl packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

ELA-5-1 gnupg security update

Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For Debian 7 Wheezy, these problems have been fixed in version 1.4.12-7+deb7u10.

We recommend that you upgrade your gnupg packages.


ELA-6-1 ghostscript security update

A vulnerability was discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to disclosure of information about files for which read permissions are not available.

For Debian 7 Wheezy, these problems have been fixed in version 9.05~dfsg-6.3+deb7u9.

We recommend that you upgrade your ghostscript packages.


ELA-7-1 perl security update

Jakub Wilk discovered a directory traversal flaw in the Archive::Tar module, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted tar archive.

For Debian 7 Wheezy, these problems have been fixed in version 5.14.2-21+deb7u7.

We recommend that you upgrade your perl packages.
