===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1413
                           perl security update
                                6 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           perl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Modify Permissions -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6512  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3873

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running perl check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3873-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 05, 2017                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2017-6512
Debian Bug     : 863870

The cPanel Security Team reported a time of check to time of use
(TOCTTOU) race condition flaw in File::Path, a core module from Perl to
create or remove directory trees. An attacker can take advantage of this
flaw to set the mode on an attacker-chosen file to an attacker-chosen
value.

For the stable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u7.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 5.24.1-3.

For the unstable distribution (sid), this problem has been fixed in
version 5.24.1-3.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------
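
Added example, not part of the Debian advisory and not File::Path's code or its fix: the check-then-chmod-by-name pattern behind this class of TOCTTOU flaw, next to a handle-based form that checks and changes the same object. The function names, the file names and the $between callback (which stands in for a second process acting inside the window) are constructed for illustration; in the demonstration the path-based call changes the mode of the unrelated file and the handle-based call leaves it alone.

```perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW O_DIRECTORY S_ISDIR);
use File::Temp qw(tempdir);

# Racy pattern: lstat() and chmod() each resolve $path on their own, so the
# name can refer to a different object by the time chmod() runs.
sub chmod_dir_by_path {
    my ($path, $mode, $between) = @_;
    my @st = lstat($path) or return 0;
    return 0 unless S_ISDIR($st[2]);
    $between->() if $between;      # hypothetical hook: the race window
    return chmod($mode, $path);    # applies to whatever $path names now
}

# Hardened pattern: open once without following a symlink, then check and
# change the mode through that one descriptor (fstat/fchmod).
sub chmod_dir_by_handle {
    my ($path, $mode, $between) = @_;
    sysopen(my $dh, $path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY) or return 0;
    $between->() if $between;      # same window, but the handle is already bound
    my @st = stat($dh);
    my $ok = (@st && S_ISDIR($st[2])) ? chmod($mode, $dh) : 0;
    close($dh);
    return $ok;
}

# Constructed demonstration, confined to a private temporary directory.
sub demo {
    my $root   = tempdir(CLEANUP => 1);
    my $target = "$root/unrelated.conf";
    my %seen;
    for my $case ([by_path => \&chmod_dir_by_path],
                  [by_handle => \&chmod_dir_by_handle]) {
        my ($name, $fn) = @$case;
        open(my $fh, '>', $target) or die "create: $!";
        close($fh);
        chmod(0600, $target) or die "chmod: $!";
        my $work = "$root/work_$name";
        mkdir($work, 0700) or die "mkdir: $!";
        my $swap = sub {           # the name is re-pointed after the check
            rename($work, "$work.moved") or die "rename: $!";
            symlink($target, $work)      or die "symlink: $!";
        };
        $fn->($work, 0777, $swap);
        $seen{$name} = sprintf('%04o', (stat($target))[2] & 07777);
    }
    return \%seen;
}

my $r = demo();
print "$_: unrelated.conf mode is now $r->{$_}\n" for sort keys %$r;
```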

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================