-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3752
                     ruby-mini-magick security update
                               8 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-mini-magick
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13574
Reference:         ESB-2019.2631
                   ESB-2019.2607

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/10/msg00007.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : ruby-mini-magick
Version        : 3.8.1-1+deb8u1
CVE ID         : CVE-2019-13574
Debian Bug     : 931932

In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image
filename could cause remote command execution because Image.open input is
directly passed to Kernel#open, which accepts a '|' character followed by a
command.

For Debian 8 "Jessie", this problem has been fixed in version
3.8.1-1+deb8u1.

We recommend that you upgrade your ruby-mini-magick packages.
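The bug class the advisory describes, shown as an added example (my own code, not code from ruby-mini-magick or Debian): an untrusted filename handed to Kernel#open is interpreted as a command when it starts with '|', while File.open only ever opens a path. The helper names pipe_filename?, safe_open_image and demo, and the temp-file contents, are constructed for this example.

```ruby
# Added example, not ruby-mini-magick code. The advisory's defect is that
# Image.open passed a caller-supplied name straight to Kernel#open, which
# treats a leading '|' as "run the rest as a command". The safe replacement
# below refuses such names up front and opens files only via File.open,
# which has no command-execution behaviour at all.
require "tempfile"

# Hypothetical helper: true when Kernel#open would read this name as a
# command pipeline rather than as a filesystem path.
def pipe_filename?(name)
  name.to_s.start_with?("|")
end

# Safe stand-in for `Kernel#open(name)`: reject pipe-style names, then use
# File.open (path semantics only) and return the file's bytes.
def safe_open_image(name)
  if pipe_filename?(name)
    raise ArgumentError, "refusing pipe-style filename: #{name.inspect}"
  end
  File.open(name, "rb") { |f| f.read }
end

# Constructed demonstration: a real temp file opens normally, while a name
# shaped like the dangerous input is rejected before any open() call.
def demo
  results = {}
  Tempfile.create(["img", ".png"]) do |tmp|
    tmp.write("constructed-image-bytes")
    tmp.flush
    results[:normal] = safe_open_image(tmp.path)
  end
  begin
    safe_open_image("|some-command")
  rescue ArgumentError => e
    results[:rejected] = e.message
  end
  results
end
```

The same check belongs wherever a remote-derived name reaches any Kernel#open or URI.open call, since the '|' handling lives in Kernel#open itself, not in the image library.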
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.