
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 7 LTS:
DLA 1350-1: qemu-kvm security update
DLA 1351-1: qemu security update
DLA 1352-1: jruby security update

Debian GNU/Linux 8 and 9:
DSA 4175-1: freeplane security update

DLA 1350-1: qemu-kvm security update

Package : qemu-kvm
Version : 1.1.2+dfsg-6+deb7u25
CVE ID : CVE-2018-7550
Debian Bug : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on
the QEMU host via a mh_load_end_addr value greater than
mh_bss_end_addr, which triggers an out-of-bounds read or write memory
access.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1351-1: qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u25
CVE ID : CVE-2018-7550
Debian Bug : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on
the QEMU host via a mh_load_end_addr value greater than
mh_bss_end_addr, which triggers an out-of-bounds read or write memory
access.
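
DLA 1350-1 and DLA 1351-1 describe the same condition: a Multiboot header whose load_end_addr lies beyond bss_end_addr makes the loader compute a negative or oversized segment length. The check below is an added illustration, not QEMU's code: it parses the four address fields of a Multiboot header from a constructed byte string and refuses the header when the fields are not in the order load_addr <= load_end_addr <= bss_end_addr before any size is derived from them. The zero-value conventions (load_end_addr of zero meaning "to end of image", bss_end_addr of zero meaning "no bss") follow the Multiboot specification; the field layout and sample values are constructed for this example.

```ruby
# Added example, not QEMU's code: validate Multiboot address fields before
# deriving copy sizes from them.
MultibootAddrs = Struct.new(:header_addr, :load_addr, :load_end_addr, :bss_end_addr)

# The address block is four consecutive 32-bit little-endian words.
def parse_multiboot_addrs(bytes)
  raise ArgumentError, "need 16 bytes of address fields" unless bytes.bytesize >= 16
  MultibootAddrs.new(*bytes.unpack("V4"))
end

# Resolve the "zero means end of image" convention for load_end_addr.
def resolved_load_end(a, image_size)
  a.load_end_addr.zero? ? a.load_addr + image_size : a.load_end_addr
end

# Returns [] when the fields are consistent, otherwise the reasons to
# reject the header. Nothing is copied until this returns [].
def check_multiboot_addrs(a, image_size)
  load_end = resolved_load_end(a, image_size)
  problems = []
  problems << "load_addr > load_end_addr" if a.load_addr > load_end
  problems << "load segment larger than image" if load_end - a.load_addr > image_size
  # The CVE-2018-7550 condition: bss ends before the loaded segment does.
  problems << "load_end_addr > bss_end_addr" if !a.bss_end_addr.zero? && load_end > a.bss_end_addr
  problems
end

# Segment sizes; only meaningful after check_multiboot_addrs returned [].
def multiboot_sizes(a, image_size)
  load_end = resolved_load_end(a, image_size)
  load_size = load_end - a.load_addr
  bss_size = a.bss_end_addr.zero? ? 0 : a.bss_end_addr - load_end
  { load_size: load_size, bss_size: bss_size }
end

def addrs_bytes(header, load, load_end, bss_end)
  [header, load, load_end, bss_end].pack("V4")
end

# Constructed headers: a consistent one and one with load_end past bss_end.
GOOD_HDR = addrs_bytes(0x00100000, 0x00100000, 0x00110000, 0x00120000)
BAD_HDR  = addrs_bytes(0x00100000, 0x00100000, 0x00130000, 0x00120000)
IMAGE_SIZE = 0x10000

if __FILE__ == $0
  [GOOD_HDR, BAD_HDR].each do |hdr|
    a = parse_multiboot_addrs(hdr)
    problems = check_multiboot_addrs(a, IMAGE_SIZE)
    puts(problems.empty? ? "ok #{multiboot_sizes(a, IMAGE_SIZE)}" : "reject: #{problems.join(', ')}")
  end
end
```

The point of keeping the size computation in a separate function is that it is reachable only after the ordering check has passed, so an unsigned subtraction on inconsistent fields can never wrap into a huge copy length.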

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1352-1: jruby security update

Package : jruby
Version : 1.5.6-5+deb7u2
CVE ID : CVE-2018-1000074

An unsafe object deserialization vulnerability was found in jruby, a
100% pure-Java implementation of Ruby. An attacker can use this flaw
to run arbitrary code when gem owner is run on a specially crafted
YAML file.
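
The distinction the advisory turns on is between a YAML loader that will instantiate whatever Ruby class a document's tag names and one that only produces plain data. The following is an added example, not RubyGems' or JRuby's code: it uses Psych's safe_load (the YAML library Ruby and JRuby ship) with an empty permitted_classes list, so a document carrying a !ruby/object tag is rejected before any object is built. Both documents are constructed for the example; the tagged class name is a placeholder.

```ruby
require "yaml"

# Added example, not RubyGems' or JRuby's code: load YAML from an untrusted
# source as data only.

# Constructed document of the benign shape: scalars and mappings only.
BENIGN_DOC = <<~YAML
  owners:
    - email: maintainer@example.invalid
      id: 1
YAML

# Constructed document carrying an object tag; PlaceholderClass is not a
# real class and stands in for whatever the document might name.
TAGGED_DOC = <<~YAML
  --- !ruby/object:PlaceholderClass
  owners: []
YAML

# safe_load refuses any tagged class not listed in permitted_classes and,
# with aliases disabled, also refuses alias-based expansion.
def load_untrusted_yaml(text)
  { ok: true, data: YAML.safe_load(text, permitted_classes: [], aliases: false) }
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { ok: false, reason: e.message }
end

if __FILE__ == $0
  p load_untrusted_yaml(BENIGN_DOC)
  p load_untrusted_yaml(TAGGED_DOC)
end
```

The rejection happens at tag resolution, before the named class is looked up, so it does not matter whether the class exists in the process; a client that parses server responses this way cannot be made to construct objects it did not list.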

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.6-5+deb7u2.

We recommend that you upgrade your jruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DSA 4175-1: freeplane security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4175-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2018                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : freeplane
CVE ID : CVE-2018-1000069
Debian Bug : 893663

Wojciech Regula discovered an XML External Entity vulnerability in the
XML Parser of the mindmap loader in freeplane, a Java program for
working with mind maps, resulting in potential information disclosure if
a malicious mind map file is opened.
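
An XML External Entity can only be declared inside a DOCTYPE, so a loader that refuses documents carrying a DOCTYPE (the same effect Java parsers expose as the disallow-doctype-decl feature) cannot be made to read a file through an entity reference. The screen below is an added example, not freeplane's code: it strips comments, then rejects a document that declares a SYSTEM or PUBLIC entity or carries any DOCTYPE at all, and only then would hand the text to the XML parser. Both mind map documents are constructed; the root element and the file path in the entity are placeholders.

```ruby
# Added example, not freeplane's code: gate mind map XML on its prolog
# before it reaches the XML parser.

# Comments are removed first so a "<!DOCTYPE" inside a comment is not
# miscounted and a real declaration cannot hide between comment markers.
def strip_xml_comments(xml)
  xml.gsub(/<!--.*?-->/m, "")
end

# Returns { accept: true } or { accept: false, reason: ... }.
def screen_mind_map(xml)
  body = strip_xml_comments(xml)
  if body.match?(/<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/i)
    { accept: false, reason: "external entity declaration" }
  elsif body.match?(/<!DOCTYPE\b/i)
    # Stricter than strictly needed, but internal entities bring their own
    # expansion problems, so a mind map file has no reason to carry one.
    { accept: false, reason: "DOCTYPE declaration" }
  else
    { accept: true }
  end
end

# Constructed, minimal mind map with no prolog at all.
SAFE_MAP = <<~XML
  <map version="freeplane 1.3.0">
    <node TEXT="root"/>
  </map>
XML

# Constructed document of the kind the advisory describes: the entity
# points at a placeholder path and is referenced from node text.
XXE_MAP = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE map [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt"> ]>
  <map version="freeplane 1.3.0">
    <node TEXT="&ext;"/>
  </map>
XML

# A document whose only DOCTYPE mention sits inside a comment is fine.
COMMENTED_MAP = <<~XML
  <!-- exported; no <!DOCTYPE here -->
  <map version="freeplane 1.3.0"/>
XML

if __FILE__ == $0
  [SAFE_MAP, XXE_MAP, COMMENTED_MAP].each { |doc| p screen_mind_map(doc) }
end
```

The screen runs on the raw text rather than on parsed output because the disclosure happens during parsing: once the parser has resolved the entity, the file contents are already in memory.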

For the oldstable distribution (jessie), this problem has been fixed
in version 1.3.12-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 1.5.18-1+deb9u1.

We recommend that you upgrade your freeplane packages.

For the detailed security status of freeplane please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/freeplane

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/