STOP sending [SECURITY] [XXX ----------] to howardnoon@earthlink.org
On 10/7/19 4:14 AM, Abhijith PA wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : ruby-mini-magick Version : 3.8.1-1+deb8u1 CVE ID : CVE-2019-13574 Debian Bug : 931932 In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command. For Debian 8 "Jessie", this problem has been fixed in version 3.8.1-1+deb8u1. We recommend that you upgrade your ruby-mini-magick packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl2bHiYACgkQhj1N8u2c KO9suw//QH6KVmBZ2JpUUEWpvscKkGdKwf7/HClsm819enQ2gC9ntVwzArSVNtHO QW0lTlPU+akocop3qqZPS1YJsCmHECLT2soGdtAitUTpPleU7lVNdvcCrHznYybl 2dnQTINRoRlN0GWwjtez/HqdmfOUnIRDjcax7FzvnagCHn/ivh36uZWvffDRMqIK wnS0Oks3LMYmgfQIADKrn3hpS5vin24PbhZawjxLocFfixpt6gOoba4GxKTBgwGh tVKgYB7xiOpDdaUOQs8jtrG96xhRcPFE+BfSwVxh3dnmdMDCSvGgRRf7w1Hs0BfC RLZcGip7XsMaUJf1z9i8RS/hLxo+eOJ619e+R6oUE1F/aJrfAKQn9oAmtLjbHz6Z PeXeSHA7Md8Z+6aupjAUrPzIGXxPGxatVZCl/oPxOPwoeusKHXmyLJwH2GQBmKcW wVg5eLfUV7O2s7d3286dQEW1KexeBMAvf79XrysoxCHCGqfoRSUjcJefufJgWhp+ M+un4ZKfWFWZmV9FiIgNQD2M8ygAD+VkzBLDRyAK8njVmMZmfPnKwAoDsIrSPRpd 5VXEo355OWDTrJVF+liVogere0Xf8w/TzdrF/hXL7A67TL2L7bahhKoU9lFHUL5X 7II6KtzI7MiBAmwF3ykvgcQYfWkyPX1F4kc3kYBTz23ASV33O+w= =HnaL -----END PGP SIGNATURE----- |