-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3828
                          xtrlock security update
                              15 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xtrlock
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10894  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/10/msg00019.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running xtrlock check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : xtrlock
Version        : 2.6+deb8u1
CVE ID         : CVE-2016-10894
Debian Bug     : #830726

It was discovered that multitouch devices were not being disabled
by the "xtrlock" screen locking utility.

xtrlock did not block multitouch events, so an attacker with physical
access to a locked machine could still deliver input to, and thus
control, applications such as Chromium via "multitouch" gestures:
pan scrolling, "pinch and zoom", or even ordinary mouse clicks,
produced by holding one finger down on the touchpad and tapping with
a second finger.

For Debian 8 "Jessie", this issue has been fixed in xtrlock version
2.6+deb8u1. However, this fix does not cover the situation where an
attacker plugs in a multitouch device *after* the screen has been
locked. For more information on this, please see:

  https://bugs.debian.org/830726#115

We recommend that you upgrade your xtrlock packages pending a
deeper fix.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
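The check a reader of this bulletin actually wants is whether the xtrlock
on a given host is at or above 2.6+deb8u1. The following is an added
example, not code from Debian, AusCERT or the xtrlock project: it ports
dpkg's version-ordering rules (epoch, upstream version, Debian revision;
'~' sorts before everything, letters before other characters) to Python
so the comparison can run on any host (on Debian itself
`dpkg --compare-versions` gives the same answer), asks `dpkg-query` for
the installed version when that tool is available, and reports whether
the fixed version is present. The function names, and the assumption
that dpkg-query is on PATH for the live check, are this example's own.

```python
"""Check whether an installed xtrlock carries the fix named in the advisory
(2.6+deb8u1 for Debian 8 "Jessie").

Added example, not Debian's or xtrlock's own code.  The comparison is a
Python port of dpkg's version ordering so it works without dpkg; on a
Debian host `dpkg --compare-versions` gives the same result.
installed_version() shells out to dpkg-query (assumed to be on PATH) and
returns None when that is unavailable.  Function names are this example's own.
"""
import subprocess

FIXED_VERSION = "2.6+deb8u1"   # from the advisory: fixed version for Debian 8


def _order(c):
    """Weight of one character in dpkg's non-digit comparison step."""
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c == "" or c.isdigit():
        return 0             # end of string / digit boundary
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does.

    Alternates between comparing non-digit runs character by character and
    comparing digit runs numerically.  Returns -1, 0 or 1.
    """
    i = j = 0

    def ca():
        return a[i] if i < len(a) else ""

    def cb():
        return b[j] if j < len(b) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until both sides hit a digit or end.
        while (ca() and not ca().isdigit()) or (cb() and not cb().isdigit()):
            ac, bc = _order(ca()), _order(cb())
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while ca() == "0":
            i += 1
        while cb() == "0":
            j += 1
        while ca().isdigit() and cb().isdigit():
            if not first_diff:
                first_diff = ord(ca()) - ord(cb())
            i += 1
            j += 1
        if ca().isdigit():
            return 1
        if cb().isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")   # revision follows the last '-'
    if not sep:                                         # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package="xtrlock"):
    """Ask dpkg-query for the installed version; None if unavailable or not installed."""
    try:
        proc = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", package],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("xtrlock is not installed (or dpkg-query is unavailable)")
    elif is_fixed(current):
        print(f"xtrlock {current} includes the CVE-2016-10894 fix ({FIXED_VERSION})")
    else:
        print(f"xtrlock {current} is older than {FIXED_VERSION}: upgrade")
```

A passing check only tells you the packaged fix is installed; as the
advisory itself notes, a multitouch device attached after the screen is
locked is not covered by 2.6+deb8u1, so the version check does not close
that gap.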

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----