[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1948-1] ruby-mini-magick security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby-mini-magick
Version        : 3.8.1-1+deb8u1
CVE ID         : CVE-2019-13574
Debian Bug     : 931932


In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote
image filename could cause remote command execution because Image.open
input is directly passed to Kernel#open, which accepts a '|' character
followed by a command.

For Debian 8 "Jessie", this problem has been fixed in version
3.8.1-1+deb8u1.

We recommend that you upgrade your ruby-mini-magick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl2bHiYACgkQhj1N8u2c
KO9suw//QH6KVmBZ2JpUUEWpvscKkGdKwf7/HClsm819enQ2gC9ntVwzArSVNtHO
QW0lTlPU+akocop3qqZPS1YJsCmHECLT2soGdtAitUTpPleU7lVNdvcCrHznYybl
2dnQTINRoRlN0GWwjtez/HqdmfOUnIRDjcax7FzvnagCHn/ivh36uZWvffDRMqIK
wnS0Oks3LMYmgfQIADKrn3hpS5vin24PbhZawjxLocFfixpt6gOoba4GxKTBgwGh
tVKgYB7xiOpDdaUOQs8jtrG96xhRcPFE+BfSwVxh3dnmdMDCSvGgRRf7w1Hs0BfC
RLZcGip7XsMaUJf1z9i8RS/hLxo+eOJ619e+R6oUE1F/aJrfAKQn9oAmtLjbHz6Z
PeXeSHA7Md8Z+6aupjAUrPzIGXxPGxatVZCl/oPxOPwoeusKHXmyLJwH2GQBmKcW
wVg5eLfUV7O2s7d3286dQEW1KexeBMAvf79XrysoxCHCGqfoRSUjcJefufJgWhp+
M+un4ZKfWFWZmV9FiIgNQD2M8ygAD+VkzBLDRyAK8njVmMZmfPnKwAoDsIrSPRpd
5VXEo355OWDTrJVF+liVogere0Xf8w/TzdrF/hXL7A67TL2L7bahhKoU9lFHUL5X
7II6KtzI7MiBAmwF3ykvgcQYfWkyPX1F4kc3kYBTz23ASV33O+w=
=HnaL
-----END PGP SIGNATURE-----


Reply to: