Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0397 libyaml security update 27 March 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libyaml Publisher: Debian Operating System: Debian GNU/Linux 6 Debian GNU/Linux 7 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2014-2525 Original Bulletin: http://www.debian.org/security/2014/dsa-2884 http://www.debian.org/security/2014/dsa-2885 Comment: This bulletin contains two (2) Debian security advisories. This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running libyaml check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2884-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 26, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : libyaml CVE ID : CVE-2014-2525 Debian Bug : 742732 Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. For the oldstable distribution (squeeze), this problem has been fixed in version 0.1.3-1+deb6u4. For the stable distribution (wheezy), this problem has been fixed in version 0.1.4-2+deb7u4. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your libyaml packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTMy+yAAoJEAVMuPMTQ89E1McP/1xehR/bgSW0FmyhpnPjG1rQ yXyr7yTsz0jt1fxlzcsx3pWUqNmm5VQ9JvurCNuzjD1Fwc3918xVAAD7lNwCCP6M xyWKeNTxx4Tq6ZwsmJ4soBvMryGhPNWFvhDNsTeZVuDBiDmUylR1J0vmPUfRdSBm 6iPi0Gbxh6nZcIssCmdfTR6oe9vPu136KROX2D9JPbRGotfIHu84Q80KV4OiPRZ2 lXZX3Mg7k74VztOxvzKSQ3C93acH2a4FEgXNtS+VnjF/U1ACeDEg3KjKXPPZmlYp ro3WFsdG/ENmhG7kE7t3yURUu9QRVTmXscazy5FnML+y3sbr27FPmw6cXo/ewF1y I71z7DKhIiW7SNcZobhKq54RKh9FCg3nVOMnb/iZK9eKZtZiwLmEALpq+ivaXpm8 WMD5GJQPVbzooQ4EUmsQlQ1UoZkXS5CPU5dXAGF5uZXAosaLYTnzFGEQybAyjRG/ sb2tn11vHjQ4wn8DCM+kyiDI03hI7IC6Prpuf7XiwXIk9nsfQXTFzBA78l2iJfCz UQgv01Yv3pffecZtosI4/DSvprX4L5enTn+zDQCnhWu//eFqqLtnUjwXuwORhN/j aW1SEmlD+MSiZq9lZyb2B1IpCJHY48h2WaAwJb5m7L9HuTFUJPkdqdJnyDQXw+1y qfFeeBmUxXFDHpxdSzGB =63I8 - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-2885-1 security@debian.org http://www.debian.org/security/ Salvatore Bonaccorso March 26, 2014 http://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : libyaml-libyaml-perl CVE ID : CVE-2014-2525 Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. This update corrects this flaw in the copy that is embedded in the libyaml-libyaml-perl package. For the oldstable distribution (squeeze), this problem has been fixed in version 0.33-1+squeeze3. For the stable distribution (wheezy), this problem has been fixed in version 0.38-3+deb7u2. For the unstable distribution (sid), this problem has been fixed in version 0.41-5. We recommend that you upgrade your libyaml-libyaml-perl packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTMzAiAAoJEAVMuPMTQ89E6G4P/14Qr/oZjfgcQBw2g249Vxho oNmieBsOvxgPvU+6kyrp7Zt+jIOzLSCWFVfGU8oQRjCHQRfNRHHKhGVq6s8u8/uW H9bXhFBqh4VfxaFkdEdw6SVKwR6eOOy86wx5Rziwy7EYVE45TlkdT7Z23EYO1AA+ k3ggzOx6DDeG5QKB0dAxoZQ+UuTmsbOSchuNQiRS6QyvA0KcUeZdICOOKUJTC/fH Cu61mLj5cjT+xGzRXlZP/vCh1rGRP6MjVtRS6kkDtoadcHzPI7ogTNSADqU6ox2I tKd2nGP163bBb9zvO2TJBM2j2HWCs06tXs79a1q9gAn78RxXfOTNW16WbivFX3Gy O4YBFBwtm5vwaa58jPFASxbpVidJbFtrS/h6vyzlieUbQDNSy8qbvqbmkAKEJdsK traApuNTNjAEvPLUQv8mIZwfbXEXU60N8gk/PSe9fBWNUpp7HdhT3okWkax8KXvy CTyKSODlTjzRsY17eSMcIU1X6bFxMNrv5fBbDHfiHwmFDixjrjVWOaL92+7usxea cj5Ns+zTrUDAE1xuGbYv2GX0Qhy+d8S6J01L54wjFivwhO3PvIRwQ1lpxFPhpkLB uZg1yAepheJGWYZXerHmvX+DEmIAYqTMJYD441jrECiZ7vLgpJ7ETuXrxk3+nZho GUUh3wY2FCUc6V/Iueih =hEn9 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUzOgHBLndAQH1ShLAQJT4RAAtP5g+24rPCNwSeofosuiy404wfUv66X9 Xbp+v+IeAUatTvAsDhzNcDpshR7r48FbYur4yihL5rvuXTeujOcPZ94O48QVZWTX gM2+IN9p0ckRwh7z6bPdE1Zw0iw6n0e8dPxFSURyM8h8NtuyEzu1ipem9md/x5dm VPglmAtfR59XReCyK74j8DFvaC1radOL0O0BUd5+dRt6LY4X1kjDAyVi9BOQtI2v rNWE8jhG3MvQIExumGzEWPRCcWLLQXNUJ+Mi+Pax4abZyA3IdlaV4ZxWZ9cBPAy8 CS8/cVXkh8X2VQ5juVMPf5h3E/Px0IpadAIqU/ye34GVOWQuk/t+38Paa0KyOMnj d5njuk3d9oMjHfUHzEC9t3UIIGqHg6ubOyFvC1n0AC7ZDPBwDmAr6njARW8I85DQ 8fW7TuceW17/5kjkbPSaV3rGZKGVVJ9DcEtv4Oj8Rl+zlRBppJoRS2kW8HnBNumQ BDwE4tmROem8r5DW9R4gEFczJsp55NwVUHf6uRpeVMLvweUyLDfSLOBPf37nhDts 0RvKcgu0z70fipgMPH5cMO7J1VqUpt3QHy69XFFvxnGKyiOjM6IxNLf3kaPwsTgQ asFEoGGj418iFUrIDBNbjOx1JYcZDjY+S23Z5wne8xV0VuFUN1l9jWkJyTiN0t5q kxyWTblwDuk= =0uV6 -----END PGP SIGNATURE-----