Search This Blog

Monday, January 05, 2015

[SECURITY] [DSA 3119-1] libevent security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3119-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
January 06, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libevent
CVE ID : CVE-2014-6272
Debian Bug : 774645

Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open to a
possible heap overflow or infinite loop. In order to exploit this flaw,
an attacker needs to be able to find a way to provoke the program into
trying to make a buffer chunk larger than what will fit into a single
size_t or off_t.

For the stable distribution (wheezy), this problem has been fixed in
version 2.0.19-stable-3+deb7u1.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your libevent packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJUq40sAAoJEAVMuPMTQ89EE4UQAIKehSXkYfTIEoidF5W0TlHE
gUPmCvaB94OEws116+vNmDuoGnO64X59PDcOp2NWhO0ZLKfz5gxsA6Q3CwyaiV5b
OSxy1Lgw5ANA22zTG8gXF33ZAUS8LQxFYrgwjQ2AbRFiO4IAs4WW97p/LrTxsqv8
OoaPts6W/PJPUutHlVfWJFire8eW6OCWii3MXSAIQDRad+KEsgdfOojqWBPa1yQU
DV0c8MNLDzzFe0kIBhs7OrPPxcYwW1WUqS72LE2X/fhuqXs77eNzCT2O7xH1IcKh
pzEW829a0jk6HgavBm2Vp8rFUxL2yB03hX4dhTxsyLkz48pzqoXB0wL6LZ1ESeOX
xolkXn3WvI2E8d+gVjykuynmwxrnVpY00ebHsewK16TGs7MFzPrvn0DMUqdtB4T9
srNHq7SdGymqd0lsx0pZV4edqilqN8WymFvf8r4hMuOhOd4i8DRe2Oy06Gy8TwLr
MjRZ19AxX/WK/uOtmmevbca4qt3yZMZDk9CvrMBHnGg7W2ewmUpZRQokot+078OL
BlEkCtM8kl2533KZnnqobMrdMNdtXf+NhVcQabOx+7+dNs+IpvwAG1DRTxjFeHYu
TbOOgTqh+XZ2EjlYX8fiMSuAbGa/wkyJ3ClR23WDFM/xLtiW5Y6almYmWiM65EvY
z+UIl9LOGvhlYQVB3Prh
=wi/U
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1Y8OTx-0001ZU-6c@master.debian.org

No comments: