Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2750
neovim security update
24 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: neovim
Publisher: Debian
Operating System: Debian GNU/Linux 9
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-12735
Reference: ESB-2019.2640
ESB-2019.2628
ESB-2019.2284
ESB-2019.2157.2
ESB-2019.2084
ESB-2019.2081
Original Bulletin:
http://www.debian.org/security/2019/dsa-4487
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4487-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 23, 2019 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : neovim
CVE ID : CVE-2019-12735
User "Arminius" discovered a vulnerability in Vim, an enhanced version of the
standard UNIX editor Vi (Vi IMproved), which also affected the Neovim fork, an
extensible editor focused on modern code and features:
Editors typically provide a way to embed editor configuration commands (aka
modelines) which are executed once a file is opened, while harmful commands
are filtered by a sandbox mechanism. It was discovered that the "source"
command (used to include and execute another file) was not filtered, allowing
shell command execution with a carefully crafted file opened in Neovim.
For the oldstable distribution (stretch), this problem has been fixed
in version 0.1.7-4+deb9u1.
We recommend that you upgrade your neovim packages.
For the detailed security status of neovim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/neovim
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl03eFwACgkQEMKTtsN8
TjZEqw//Yh28fhXy/mKagZmAg1TFkflzYkQ/e0iVYNXsM8h216IvK91KsG+F45Op
linrfocsqRwvn06jipKXEy4p9usQTz/RI91OxjqKTmc/5y/o9te5E/tJ/PgzHJxM
8L1x0yyDox8ZRbnoWtSshfk6tGJSvPO/lPd2Ltf+vxUm0uTJlaOe269gC4C6MViA
aVXPoJ1tLdFzs09vtg7h5joVN1bQ52Ui+jJvGzVeNjtry+lu5H1rvVR+AZeq2m/O
DM3y+eEfMwsJBtrP290ACwzc5RXk5s4IH3yWHlA1glQ8dV4JwJXpbzgKt8JJGkoZ
dvzRYY4rTarfxvagioptK1/WbiV8d8/qRIDnJcTzHLn3Wtmr3cuuYpw8Jn1AH7g/
Z4Qw/Na34fG96Zc4QdauHXsl4lEZ6XF50MVclrytoStsGL6A5yT1QgxLxE0ss97S
XepstVi/F93rBHqQRwJ5ctwNcYGKuZIbYzeaUkuyU6Ir6bA9Ctq6BIzt/eAZjdXb
PBsl8SvsNwDlLjOysWHXyimG0MeN60U7LslTWXJf//dSka3sohXNxNPuprvCBxXE
hrAMrFb6WAU2NPThBwlA08o/lo9c7xCnA/WrOTfcnZ7gsr2kySTp+jNLMjdTBObh
RmZJG4duKeKn9xpjKxAV/DDaS9P8VnM8jNK3S7Oseg+YeKNe5Uk=
=SytE
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXTepBGaOgq3Tt24GAQgPjA//VCcL8jxpc25tzD+PFaUS85GrdfUCHEyv
aHzBkhtGj5eixLnNxNdIrADlZbxKsOR1SpY0POohFU1sbTu7D8MmWQlp9RKQLZv0
eqrblCdWSa5vMmp8l4QhY8dlBkwCEjreq6y+uxqpRWDnZl0fdxEiOQbK0Str+U5h
ZGO2sttVhw/RYdHuRO/od+yS67RvhLqXsyeWUSIKe0CDKByP7nSVqG3eAui+0cU6
cmPKKkleEye9NKEcgNOVMDYzuB7jj7aBdaDXsEt3w6hOYsAZvHArdELs7iBIH7Kg
mz+0SI1thqSREg7ByQYhxO7CsHg5JqQaB0OQKSNCVvQV6J1UK3aJPSRZEd/BHH9Y
rGLrJisC6G/G1Irb3+K/OO+Ko2tNkeOvsqmOgnCsu0ag2Z77uodP7yYw2lVCXgh1
wHqy2SyGriIFtCllejrVPerfalsqqq1Mkv4XH2YvPNOgM682HQgAeur0LCYbmxvJ
l1V4pXL6IfxoZ9DZZH6MiJ7aPdG7KsQvOueQuLFfalVHoSkA3zq2CHgkhlt6uuDb
1GX/BMH2ax/GSbC/EQnOPquIJciw80vOocTK/ZxH02Dg0xHvyDslKZNQf9u2xpHV
H+I+7zbWfTZ+2VcqSidyDYNgoPjgMSwsrENffNfkmNiGhFCw2YP2vf9bEVBkQF8v
9w95m3wowQg=
=vlWN
-----END PGP SIGNATURE-----