===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3828
                          xtrlock security update
                              15 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xtrlock
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-10894

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/10/msg00019.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running xtrlock check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : xtrlock
Version        : 2.6+deb8u1
CVE ID         : CVE-2016-10894
Debian Bug     : #830726

It was discovered that multitouch devices were not being disabled by the
"xtrlock" screen locking utility.

xtrlock did not block multitouch events so an attacker could still input
and thus control various programs such as Chromium, etc. via so-called
"multitouch" events including pan scrolling, "pinch and zoom" or even being
able to provide regular mouse clicks by depressing the touchpad once and
then clicking with a secondary finger.

For Debian 8 "Jessie", this issue has been fixed in xtrlock version
2.6+deb8u1. However, this fix does not address the situation where an
attacker plugs in a multitouch device *after* the screen has been locked.
For more information on this, please see:

  https://bugs.debian.org/830726#115

We recommend that you upgrade your xtrlock packages pending a deeper fix.

Regards,

--
      ,''`.
     : :' :     Chris Lamb
     `. `'`     lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================