===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1157
                        libarchive security update
                                11 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libarchive
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1541  

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3574

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running libarchive check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3574-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 10, 2016                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2016-1541
Debian Bug     : 823893

Rock Stevens, Andrew Ruef and Marcin 'Icewall' Noga discovered a
heap-based buffer overflow vulnerability in the zip_read_mac_metadata
function in libarchive, a multi-format archive and compression library,
which may lead to the execution of arbitrary code if a user or automated
system is tricked into processing a specially crafted ZIP file.

For the stable distribution (jessie), this problem has been fixed in
version 3.1.2-11+deb8u1.

We recommend that you upgrade your libarchive packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================