===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0284
                 ruby-archive-tar-minitar security update
                              1 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ruby-archive-tar-minitar
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Overwrite Arbitrary Files -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10173

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3778

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3778-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 31, 2017                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-archive-tar-minitar
CVE ID         : CVE-2016-10173
Debian Bug     : 853249

Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library
that provides the ability to deal with POSIX tar archive files, is prone
to a directory traversal vulnerability. An attacker can take advantage
of this flaw to overwrite arbitrary files during archive extraction via
a .. (dot dot) in an extracted filename.

For the stable distribution (jessie), this problem has been fixed in
version 0.5.2-2+deb8u1.

We recommend that you upgrade your ruby-archive-tar-minitar packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
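
The advisory above attributes the flaw to `..` in an extracted filename. The following Ruby sketch is an added example, not code from archive-tar-minitar or from the Debian patch: it shows the containment check an extractor needs before writing a member, including two cases a naive check gets wrong (a sibling directory that shares the destination's prefix, and a name beginning with `~`). The names `contained_target`, `audit_entries` and `SAMPLE_NAMES`, the destination `/srv/out` and the sample member names are all hypothetical and constructed for illustration.

```ruby
# Added example: lexical containment check for tar member names.
# contained_target, audit_entries and SAMPLE_NAMES are hypothetical names,
# not part of archive-tar-minitar.

# Returns the absolute path a member would be written to, or nil when the
# name must be refused because it resolves outside dest_dir.
def contained_target(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  return nil if entry_name.nil? || entry_name.empty? || entry_name.include?("\0")
  # Absolute member names ignore dest_dir entirely; refuse them up front
  # (File.join below would otherwise silently re-root them).
  return nil if entry_name.start_with?("/")

  # Join first, then normalise: a name beginning with "~" is then treated as
  # a literal directory instead of being expanded to a home directory.
  target = File.expand_path(File.join(root, entry_name))

  # Compare on a path boundary; a bare start_with?(root) would accept a
  # sibling such as /srv/out-evil when root is /srv/out.
  inside = target == root || target.start_with?(root + File::SEPARATOR)
  inside ? target : nil
end

# Returns the member names that must not be extracted into dest_dir.
def audit_entries(dest_dir, names)
  names.reject { |name| contained_target(dest_dir, name) }
end

# Constructed sample of member names as they might appear in an archive.
SAMPLE_NAMES = [
  "docs/readme.txt",        # ordinary member
  "docs/../lib/a.rb",       # contains ".." but stays inside the destination
  "../../tmp/outside.txt",  # climbs out of the destination
  "docs/../../out-evil/x",  # resolves to a sibling sharing the prefix
  "/abs/name.txt",          # absolute member name
  "~/notes.txt"             # literal "~" directory, must not expand to $HOME
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_entries("/srv/out", SAMPLE_NAMES).each { |n| puts "refused: #{n}" }
end
```

The check is purely lexical: it does not follow symlinks already present under the destination, so symlink and hard-link members need their own handling.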