Re: libsdl2 patches cause regressions in Jessie
On Mon, Oct 07, 2019 at 11:22:45PM +0200, Hugo Lefeuvre wrote:
> > This looks like a regression, indeed. I will provide a regression update
> > as soon as possible.
>
> Looks like I'm actually not the one who issued this update. Abhijith: do
> you want to handle this, or should I proceed with a fix tomorrow?

I have added a libsdl1.2 entry to dla-needed, will handle the update, then.

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
STOP sending [SECURITY] [XXX ----------] to howardn...@earthlink.org
*STOP sending [SECURITY] [XXX --] to howardn...@earthlink.org*

On 10/7/19 4:14 AM, Abhijith PA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: ruby-mini-magick
> Version: 3.8.1-1+deb8u1
> CVE ID : CVE-2019-13574
> Debian Bug : 931932
>
> In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image
> filename could cause remote command execution because Image.open input is
> directly passed to Kernel#open, which accepts a '|' character followed by
> a command.
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 3.8.1-1+deb8u1.
>
> We recommend that you upgrade your ruby-mini-magick packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl2bHiYACgkQhj1N8u2c
> KO9suw//QH6KVmBZ2JpUUEWpvscKkGdKwf7/HClsm819enQ2gC9ntVwzArSVNtHO
> QW0lTlPU+akocop3qqZPS1YJsCmHECLT2soGdtAitUTpPleU7lVNdvcCrHznYybl
> 2dnQTINRoRlN0GWwjtez/HqdmfOUnIRDjcax7FzvnagCHn/ivh36uZWvffDRMqIK
> wnS0Oks3LMYmgfQIADKrn3hpS5vin24PbhZawjxLocFfixpt6gOoba4GxKTBgwGh
> tVKgYB7xiOpDdaUOQs8jtrG96xhRcPFE+BfSwVxh3dnmdMDCSvGgRRf7w1Hs0BfC
> RLZcGip7XsMaUJf1z9i8RS/hLxo+eOJ619e+R6oUE1F/aJrfAKQn9oAmtLjbHz6Z
> PeXeSHA7Md8Z+6aupjAUrPzIGXxPGxatVZCl/oPxOPwoeusKHXmyLJwH2GQBmKcW
> wVg5eLfUV7O2s7d3286dQEW1KexeBMAvf79XrysoxCHCGqfoRSUjcJefufJgWhp+
> M+un4ZKfWFWZmV9FiIgNQD2M8ygAD+VkzBLDRyAK8njVmMZmfPnKwAoDsIrSPRpd
> 5VXEo355OWDTrJVF+liVogere0Xf8w/TzdrF/hXL7A67TL2L7bahhKoU9lFHUL5X
> 7II6KtzI7MiBAmwF3ykvgcQYfWkyPX1F4kc3kYBTz23ASV33O+w=
> =HnaL
> -----END PGP SIGNATURE-----
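The advisory quoted above describes the core of CVE-2019-13574: Ruby's Kernel#open treats a string beginning with '|' as a command to run rather than a file to read, so any untrusted name handed to it becomes command execution. The following is an added example, not mini_magick's code or the Debian patch; it reproduces the hazard with a constructed "|echo pwned" filename and shows one hardening (reject pipe-like names and use File.open, which never spawns a process). The function names and the sample file contents are assumptions made for the illustration.

```ruby
require "tempfile"

# Vulnerable pattern: a filename derived from untrusted input (for example a
# remote image's name) goes straight to Kernel#open. Kernel#open interprets a
# leading "|" as "run this command and give me its stdout". Newer Ruby versions
# warn about this form, but it still executes the command.
def read_with_kernel_open(path)
  open(path) { |io| io.read }
end

# Hardened replacement (assumed here, not the project's actual fix): refuse
# pipe-like names up front so the failure is explicit, and use File.open,
# which only ever opens files and has no command-execution mode.
def read_file_safely(path)
  raise ArgumentError, "refusing pipe-like path: #{path.inspect}" if path.start_with?("|")
  File.open(path, "rb") { |io| io.read }
end

# Runs both readers on a legitimate temp file and on a constructed malicious
# name; returns the four results so they can be compared.
def demo
  Tempfile.create(["image", ".gif"]) do |f|
    f.write("GIF89a constructed sample bytes")   # constructed, ASCII-only content
    f.flush
    legit = f.path
    malicious = "|echo pwned"                   # constructed attacker-controlled "filename"
    {
      kernel_open_legit:     read_with_kernel_open(legit),
      kernel_open_malicious: read_with_kernel_open(malicious).strip, # command ran: "pwned"
      safe_legit:            read_file_safely(legit),
      safe_malicious:        (read_file_safely(malicious) rescue $!.class), # ArgumentError
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The check at the top of read_file_safely is belt-and-braces: File.open alone already closes the hole, but an explicit rejection makes a probe visible in logs instead of surfacing as a confusing "no such file" error.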
Please STOP sending [SECURITY] [XXX ----------] howardn...@earthlink.org
On 10/7/19 4:14 AM, Abhijith PA wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: ruby-mini-magick
> Version: 3.8.1-1+deb8u1
> CVE ID : CVE-2019-13574
> Debian Bug : 931932
>
> In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image
> filename could cause remote command execution because Image.open input is
> directly passed to Kernel#open, which accepts a '|' character followed by
> a command.
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 3.8.1-1+deb8u1.
>
> We recommend that you upgrade your ruby-mini-magick packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Utkarsh Gupta writes:
> Just a quick question about this patch since I haven't really tested
> this at all (however aware of the CVE),
> Is checking signature before sending a request to openid.claimed_id URL
> strict enough?

Yes, that is my understanding. If the signature is checked, that makes it
impossible for a third party to change the claimed_id URL, rendering the
attack impossible. I don't claim to be an expert on this however.

--
Brian May
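The exchange above turns on ordering: the relying party must verify the OpenID response signature before it issues any request to the URL in openid.claimed_id, otherwise whoever controls the response controls where the RP connects. The block below is an added illustration of that gate, not the ruby-openid patch under discussion. It assumes the RP holds the association MAC key (the "smart mode" case, where verification is local) and uses the OpenID 2.0 signing scheme: an HMAC over the key-value form of the fields named in openid.signed, base64 encoded. The endpoint, identity and key values are constructed for the example.

```ruby
require "openssl"
require "base64"

# OpenID 2.0 signs the key-value form of the fields listed in openid.signed:
# one "key:value\n" line per field, keys written without the "openid." prefix.
def kv_form(params, keys)
  keys.map { |k| "#{k}:#{params.fetch("openid.#{k}", "")}\n" }.join
end

def signed_keys(params)
  params.fetch("openid.signed", "").split(",")
end

# Signature for assoc_type HMAC-SHA256: base64(HMAC-SHA256(mac_key, kv_form)).
def openid_sig(params, mac_key)
  mac = OpenSSL::HMAC.digest("SHA256", mac_key, kv_form(params, signed_keys(params)))
  Base64.strict_encode64(mac)
end

# Constant-time comparison so a forged openid.sig cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(params, mac_key)
  constant_time_equal?(openid_sig(params, mac_key), params.fetch("openid.sig", ""))
end

# The gate: return the claimed_id only if (a) the field is actually covered by
# the signature and (b) the signature verifies. Anything else yields nil and
# therefore no outbound request. Checking (a) matters: a valid signature over
# a field list that omits claimed_id says nothing about claimed_id.
def claimed_id_to_fetch(params, mac_key)
  return nil unless signed_keys(params).include?("claimed_id")
  return nil unless signature_valid?(params, mac_key)
  params["openid.claimed_id"]
end

# Constructed association key (normally negotiated with the OP) and a
# constructed positive assertion signed the way the OP would sign it.
MAC_KEY = "constructed-32-byte-mac-key-0123".b

def genuine_response
  p = {
    "openid.ns"             => "http://specs.openid.net/auth/2.0",
    "openid.mode"           => "id_res",
    "openid.op_endpoint"    => "https://op.example/auth",
    "openid.claimed_id"     => "https://op.example/user/alice",
    "openid.identity"       => "https://op.example/user/alice",
    "openid.return_to"      => "https://rp.example/openid/complete",
    "openid.response_nonce" => "2019-10-07T12:00:00Zconstructed",
    "openid.assoc_handle"   => "constructed-handle",
    "openid.signed"         => "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
  }
  p.merge("openid.sig" => openid_sig(p, MAC_KEY))
end

# A third party rewriting claimed_id to point the RP at an internal host.
def tampered_response
  genuine_response.merge("openid.claimed_id" => "http://internal.example/admin")
end

if $PROGRAM_NAME == __FILE__
  puts "genuine:  #{claimed_id_to_fetch(genuine_response, MAC_KEY).inspect}"
  puts "tampered: #{claimed_id_to_fetch(tampered_response, MAC_KEY).inspect}"
end
```

In "dumb mode" (no stored association) the same ordering applies, except that step (b) becomes a check_authentication round trip to the OP's known endpoint rather than a local HMAC; the claimed_id is still not contacted until that check has passed.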