-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0826
                           eject security update
                               29 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           eject
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6964  

Reference:         ESB-2017.0811

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3823

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3823-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 28, 2017                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : eject
CVE ID         : CVE-2017-6964
Debian Bug     : 858872

Ilja Van Sprundel discovered that the dmcrypt-get-device helper used to
check if a given device is an encrypted device handled by devmapper, and
used in eject, does not check return values from setuid() and setgid()
when dropping privileges.

For the stable distribution (jessie), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.1+deb8u1.

For the unstable distribution (sid), this problem has been fixed in
version 2.1.5+deb1+cvs20081104-13.2.

We recommend that you upgrade your eject packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
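
The defect class described in DSA-3823-1 above, unchecked setuid() and setgid() calls during a privilege drop, next to a checked form. This is an added example, not code from eject, Debian or AusCERT; the function name drop_privileges is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Pattern described in the advisory (illustration only, not eject's source):
 *
 *     setgid(getgid());
 *     setuid(getuid());
 *     ... continue as if unprivileged ...
 *
 * If either call fails, the process keeps its elevated IDs and nobody notices.
 */

/* Hypothetical helper: permanently drop to the real uid/gid.
 * Returns 0 only when the drop succeeded and was verified, -1 otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer change the gid. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Do not trust the return values alone; confirm the resulting IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* A caller that was not root must be unable to get root back. */
    if (ruid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return EXIT_FAILURE;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return EXIT_SUCCESS;
}
```

The caller treats any non-zero return as fatal, so a failed drop stops the program instead of letting it continue with elevated IDs.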

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----