===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0130.2
                          libyaml security update
                              13 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libyaml
Publisher:         Debian
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 6
                   Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6393

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2850

Comment: This bulletin contains two (2) Debian security advisories.

         This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running libyaml check for an updated version of the software for
         their operating system.

Revision History:  February 13 2014: The security update released in DSA-2850-1
                                     for libyaml introduced a regression in libyaml
                   February  3 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2850-2                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
February 12, 2014                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libyaml
Vulnerability  : regression
Debian Bug     : 738587

The security update released in DSA-2850-1 for libyaml introduced a
regression in libyaml failing to parse a subset of valid yaml documents.
For reference the original advisory text follows.
Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with a
specially-crafted tag that, when parsed by an application using libyaml,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.1.3-1+deb6u3.

For the stable distribution (wheezy), this problem has been fixed in
version 0.1.4-2+deb7u3.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libyaml packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-2850-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
January 31, 2014                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libyaml
Vulnerability  : heap-based buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-6393
Debian Bug     : 737076

Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with a
specially-crafted tag that, when parsed by an application using libyaml,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.1.3-1+deb6u2.

For the stable distribution (wheezy), this problem has been fixed in
version 0.1.4-2+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.1.4-3.

We recommend that you upgrade your libyaml packages.
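An added check, not part of the AusCERT or Debian text: a small Python script that compares an installed libyaml package version against the DSA-2850-2 fixed versions above using Debian's own version ordering (the same rules as dpkg --compare-versions), so that a deb7u2 build, which carries the overflow fix but also the regression, is still reported as not fixed. It assumes the binary package is named libyaml-0-2 (an assumption; the advisories name only the source package libyaml).

```python
import re
import subprocess
from itertools import zip_longest

# Fixed versions from DSA-2850-2. DSA-2850-1's deb6u2/deb7u2 fixed the overflow but
# mis-parsed valid YAML; sid's 0.1.4-3 had no regression fix yet, so it is not listed.
FIXED = {"squeeze": "0.1.3-1+deb6u3", "wheezy": "0.1.4-2+deb7u3"}

def _order(c):
    # '~' sorts before anything, even end of string (0); letters before non-letters.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # dpkg compares alternating non-digit and digit runs of the two strings.
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or "0") != int(db or "0"):
            return int(da or "0") - int(db or "0")
    return 0

def _split(v):
    epoch, v = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = v.rsplit("-", 1) if "-" in v else (v, "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Negative, zero or positive, like dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, suite):
    """True when `installed` is at or above the DSA-2850-2 version for `suite`."""
    return compare_versions(installed, FIXED[suite]) >= 0

def installed_version(package="libyaml-0-2"):
    # Ask dpkg for the installed version; None when dpkg or the package is absent.
    try:
        cmd = ["dpkg-query", "-W", "--showformat=${Version}", package]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None
```

On a Debian host, `is_fixed(installed_version(), "wheezy")` answers the question the advisory asks; on any other system the comparator alone can be used against a version string read from an inventory.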
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================