The following updates has been released for Debian GNU/Linux 7 LTS:
DLA 1283-1: python-crypto security update
DLA 1284-1: leptonlib security update
DLA 1283-1: python-crypto security update
DLA 1284-1: leptonlib security update
DLA 1283-1: python-crypto security update
Package : python-crypto
Version : 2.6-4+deb7u8
CVE ID : CVE-2018-6594
Debian Bug : 889999
python-crypto generated weak ElGamal key parameters, which allowed attackers to
obtain sensitive information by reading ciphertext data (i.e., it did not have
semantic security in face of a ciphertext-only attack).
For Debian 7 "Wheezy", these problems have been fixed in version
2.6-4+deb7u8.
We recommend that you upgrade your python-crypto packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1284-1: leptonlib security update
Package : leptonlib
Version : 1.69-3.1+deb7u1
CVE ID : CVE-2018-3836
Debian Bug : 889759
Talosintelligence discovered a command injection vulnerability in the
gplotMakeOutput function of leptonlib. A specially crafted gplot
rootname argument can cause a command injection resulting in arbitrary
code execution. An attacker can provide a malicious path as input to an
application that passes attacker data to this function to trigger this
vulnerability.
For Debian 7 "Wheezy", these problems have been fixed in version
1.69-3.1+deb7u1.
We recommend that you upgrade your leptonlib packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
