-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1696
                    unattended-upgrades security update
                               30 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unattended-upgrades
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 7
                   Linux variants
Impact/Access:     Create Arbitrary Files -- Remote/Unauthenticated
                   Reduced Security       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1330  

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3297

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running unattended-upgrades check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3297-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
June 29, 2015                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : unattended-upgrades
CVE ID         : CVE-2015-1330

It was discovered that unattended-upgrades, a script for automatic
installation of security upgrades, did not properly authenticate
downloaded packages when the force-confold or force-confnew dpkg options
were enabled via the DPkg::Options::* apt configuration.

For the oldstable distribution (wheezy), this problem has been fixed
in version 0.79.5+wheezy2.

For the stable distribution (jessie), this problem has been fixed in
version 0.83.3.2+deb8u1.

For the unstable distribution (sid), this problem will be fixed shortly.

We recommend that you upgrade your unattended-upgrades packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
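
A host triage check for the conditions described in the advisory above, as an added example that is not part of the Debian or AusCERT text. The function names and the --audit switch are this example's own, and it assumes /etc/debian_version begins with 7 on wheezy and 8 on jessie.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2015-1330 using the advisory's conditions.

# Print DPkg::Options entries that set --force-confold or --force-confnew.
# Reads `apt-config dump` text on stdin; apt option names are case-insensitive.
risky_dpkg_options() {
    grep -Ei '^dpkg::options(::[^ ]*)? +"[^"]*--force-conf(old|new)' || true
}

# Fixed version named in DSA-3297-1 for a Debian major release number.
fixed_version_for() {
    case "$1" in
        7) echo '0.79.5+wheezy2' ;;      # oldstable (wheezy)
        8) echo '0.83.3.2+deb8u1' ;;     # stable (jessie)
        *) return 1 ;;                   # release not listed in the advisory
    esac
}

# True when installed version $1 is at or above fixed version $2.
is_patched() {
    dpkg --compare-versions "$1" ge "$2"
}

audit_host() {
    major=$(cut -d. -f1 /etc/debian_version 2>/dev/null)
    fixed=$(fixed_version_for "$major") ||
        { echo "release not covered by DSA-3297-1"; return 2; }
    installed=$(dpkg-query -W -f='${Version}' unattended-upgrades 2>/dev/null)
    [ -n "$installed" ] || { echo "unattended-upgrades not installed"; return 0; }
    if is_patched "$installed" "$fixed"; then
        echo "patched: $installed >= $fixed"; return 0
    fi
    opts=$(apt-config dump | risky_dpkg_options)
    if [ -n "$opts" ]; then
        echo "unpatched ($installed < $fixed) and trigger option is set:"
        echo "$opts"; return 1
    fi
    echo "unpatched ($installed < $fixed); trigger options not set, upgrade anyway"
    return 1
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run with --audit on the host itself; a non-zero exit status means the package is below the fixed version or the release is not one the advisory lists.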

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----