-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2059
                        libarchive security update
                              31 August 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libarchive
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5844 CVE-2016-4809 CVE-2016-4302
                   CVE-2016-4300 CVE-2015-8934 CVE-2015-8933
                   CVE-2015-8932 CVE-2015-8931 CVE-2015-8930
                   CVE-2015-8928 CVE-2015-8926 CVE-2015-8925
                   CVE-2015-8923 CVE-2015-8922 CVE-2015-8921
                   CVE-2015-8920 CVE-2015-8919 CVE-2015-8917
                   CVE-2015-8916  

Reference:         ESB-2016.1875
                   ESB-2016.1862

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3657

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3657-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 30, 2016                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : libarchive
CVE ID         : CVE-2015-8916 CVE-2015-8917 CVE-2015-8919 CVE-2015-8920 
                 CVE-2015-8921 CVE-2015-8922 CVE-2015-8923 CVE-2015-8925
                 CVE-2015-8926 CVE-2015-8928 CVE-2015-8930 CVE-2015-8931
                 CVE-2015-8932 CVE-2015-8933 CVE-2015-8934 CVE-2016-4300
                 CVE-2016-4302 CVE-2016-4809 CVE-2016-5844

Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in
libarchive; processing malformed archives may result in denial of
service or the execution of arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 3.1.2-11+deb8u2.

For the testing distribution (stretch), these problems have been fixed
in version 3.2.1-1.

For the unstable distribution (sid), these problems have been fixed in
version 3.2.1-1.

We recommend that you upgrade your libarchive packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----