===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0700
                    Debian 7 patches zsh vulnerabilities
                               12 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           zsh
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18206 CVE-2016-10714 CVE-2014-10072
                   CVE-2014-10071 CVE-2014-10070
Reference:         ESB-2018.0691

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/03/msg00007.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : zsh
Version        : 4.3.17-1+deb7u1
CVE IDs        : CVE-2014-10070 CVE-2014-10071 CVE-2014-10072 CVE-2016-10714
                 CVE-2017-18206

It was discovered that there were multiple vulnerabilities in the "zsh"
shell:

  * CVE-2014-10070: Fix a privilege-elevation issue if the environment has
    not been properly sanitized.

  * CVE-2014-10071: Prevent a buffer overflow for very long file
    descriptors in the ">& fd" syntax.

  * CVE-2014-10072: Correct a buffer overflow when scanning very long
    directory paths for symbolic links.

  * CVE-2016-10714: Fix an off-by-one error that was resulting in
    undersized buffers that were intended to support PATH_MAX.

  * CVE-2017-18206: Fix a buffer overflow in symlink expansion.

For Debian 7 "Wheezy", this issue has been fixed in zsh version
4.3.17-1+deb7u1.

We recommend that you upgrade your zsh packages.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================