apticron report [Wed, 01 Aug 2018 22:38:05 +0200]
========================================================================
apticron has detected that some packages need upgrading on:
quigon.federez.net
[ 160.228.155.65 ]
The following packages are currently pending an upgrade:
clamav 0.100.1+dfsg-0+deb9u1
clamav-base 0.100.1+dfsg-0+deb9u1
clamav-daemon 0.100.1+dfsg-0+deb9u1
clamav-freshclam 0.100.1+dfsg-0+deb9u1
clamdscan 0.100.1+dfsg-0+deb9u1
libclamav7 0.100.1+dfsg-0+deb9u1
libruby2.3 2.3.3-1+deb9u3
ruby2.3 2.3.3-1+deb9u3
========================================================================
Package Details:
apt-listchanges : Lecture des fichiers de modifications (« changelog »)...
apt-listchanges : journaux des modifications (« changelogs »)
-------------------------------------------------------------
--- Modifications pour clamav (clamav clamav-base clamav-daemon clamav-freshclam clamdscan libclamav7) ---
clamav (0.100.1+dfsg-0+deb9u1) stretch; urgency=medium
  [ Scott Kitterman ]
  * Only create clamav user during clamav-base install if it does not exist
    (LP: #121872)
    - Thanks to Shane Williams for the patch
  [ Sebastian Andrzej Siewior ]
  * New upstream release (0.100.1) (Closes: #903896).
    - CVE-2018-0360 (HWP integer overflow, infinite loop vulnerability)
    - CVE-2018-0361 (ClamAV PDF object length check, unreasonably long time to
      parse relatively small file)
  * Bump symbol version due to new version.
  * Add read permission for freshclam on /var/log in the apparmor profile.
    Thanks to Robie Basak (Closes: #902601).
 -- Sebastian Andrzej Siewior <sebastian(a)breakpoint.cc> Sat, 21 Jul 2018 13:13:59 +0200
--- Modifications pour ruby2.3 (libruby2.3 ruby2.3) ---
ruby2.3 (2.3.3-1+deb9u3) stretch-security; urgency=medium
  [ Santiago R.R. ]
  * Fix Command injection vulnerability in Net::FTP.
    [CVE-2017-17405]
  * webrick: use IO.copy_stream for multipart response. Required changes in
    WEBrick to fix CVE-2017-17742 and CVE-2018-8777
  * Fix HTTP response splitting in WEBrick.
    [CVE-2017-17742]
  * Fix Command Injection in Hosts::new() by use of Kernel#open.
    [CVE-2017-17790]
  * Fix Unintentional directory traversal by poisoned NUL byte in Dir
    [CVE-2018-8780]
  * Fix multiple vulnerabilities in RubyGems.
    CVE-2018-1000073: Prevent Path Traversal issue during gem installation.
    CVE-2018-1000074: Fix possible Unsafe Object Deserialization
      Vulnerability in gem owner.
    CVE-2018-1000075: Strictly interpret octal fields in tar headers.
    CVE-2018-1000076: Raise a security error when there are duplicate files
      in a package.
    CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
    CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute when
      displayed via gem server.
    CVE-2018-1000079: Prevent path traversal when writing to a symlinked
      basedir outside of the root.
  * Fix directory traversal vulnerability in the Dir.mktmpdir method in the
    tmpdir library
    [CVE-2018-6914]
  * Fix Unintentional socket creation by poisoned NUL byte in UNIXServer and
    UNIXSocket
    [CVE-2018-8779]
  * Fix Buffer under-read in String#unpack
    [CVE-2018-8778]
  * Fix tests to cope with updates in tzdata (Closes: #889117)
  * Exclude Rinda TestRingFinger and TestRingServer test units requiring
    network access (Closes: #898694)
  [ Antonio Terceiro ]
  * debian/tests/excludes/any/TestTimeTZ.rb: ignore tests failing due to
    assumptions that don't hold on newer tzdata update. Upstream bug:
    https://bugs.ruby-lang.org/issues/14655
 -- Santiago R.R. <santiagorr(a)riseup.net> Thu, 19 Jul 2018 13:28:10 +0200
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on
quigon.federez.net
--
apticron