-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0826
                           eject security update
                               29 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           eject
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6964

Reference:         ESB-2017.0811

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3823

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3823-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2017                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : eject
CVE ID         : CVE-2017-6964
Debian Bug     : 858872

Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
check if a given device is an encrypted device handled by devmapper, and
used in eject, does not check return values from setuid() and setgid()
when dropping privileges.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.2.

We recommend that you upgrade your eject packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
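
The flaw described in DSA-3823-1 above is a privilege drop whose setuid()
and setgid() return values go unchecked. The C code below is an added
example, not code from eject or from the Debian fix; the function names
drop_to_ids and drop_to_invoking_user are hypothetical. It shows what a
set-user-ID helper should do instead: treat any failure as fatal and
confirm that the drop cannot be undone.

```c
/* Added example: checked privilege drop (hypothetical names, not eject code). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The unchecked pattern the advisory describes looks like:
 *     setgid(getgid());
 *     setuid(getuid());
 * If either call fails, the helper keeps running with elevated IDs. */

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_to_ids(uid_t uid, gid_t gid)
{
    /* Group first: once the UID is dropped, setgid() is no longer permitted. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not rely on return values alone: confirm real and effective IDs. */
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;

    /* If root can be regained, a saved ID survived and the drop was not
     * permanent. Skipped when the target is root itself. */
    if (uid != 0 && (setuid(0) == 0 || (gid != 0 && setgid(0) == 0)))
        return -1;
    return 0;
}

/* A set-user-ID root helper returns to the real IDs of whoever ran it. */
int drop_to_invoking_user(void)
{
    return drop_to_ids(getuid(), getgid());
}

int main(void)
{
    if (drop_to_invoking_user() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return EXIT_FAILURE;   /* fail closed: never carry on as root */
    }
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return EXIT_SUCCESS;
}
```

Because the helper returns to the invoking user's own real IDs, the
supplementary group list is already that user's; a daemon switching to a
different account would also need to reset it before calling setgid().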