Debian 9891 Published by

The following updates has been released for Debian GNU/Linux 7 LTS:

[DLA 1045-1] graphicsmagick security update
[DLA 1046-1] lucene-solr security update



[DLA 1045-1] graphicsmagick security update

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u8
CVE ID : CVE-2017-10799 CVE-2017-11102 CVE-2017-11140
CVE-2017-11403 CVE-2017-11636 CVE-2017-11637
CVE-2017-11638 CVE-2017-11641 CVE-2017-11642
CVE-2017-11643
Debian Bug : 867077 867746 870149

Multiple security vulnerabilities, NULL pointer dereferences,
use-after-free and heap based overflows, were discovered in
graphicsmagick that can lead to denial of service by consuming all
available memory or segmentation faults.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u8.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 1046-1] lucene-solr security update

Package : lucene-solr
Version : 3.6.0+dfsg-1+deb7u2
CVE ID : CVE-2017-3163
Debian Bug : 867712


lucene-solr handler supports an HTTP API (/replication?command=filecontent&file=)
which is vulnerable to path traversal attack. Specifically, this API does not
perform any validation of the user specified file_name parameter. This can
allow an attacker to download any file readable to Solr server process even if
it is not related to the actual Solr index state.

For Debian 7 "Wheezy", this problem has been fixed in version
3.6.0+dfsg-1+deb7u2.

We recommend that you upgrade your lucene-solr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS