Tuesday, August 05, 2014

[SECURITY] [DSA 2997-1] reportbug security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2997-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
August 05, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : reportbug
CVE ID : CVE-2014-0479

Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.

For the stable distribution (wheezy), this problem has been fixed in
version 6.4.4+deb7u1.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.5.0+nmu1.

We recommend that you upgrade your reportbug packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT4R2DAAoJEAVMuPMTQ89EQ3IP/jpMDvRgkU3Qf9zVnbsqBudl
ChgkyXxAFvsCOUSB9IwXdaBX4pd6B4g/3hxXlrp6CO2iA+dYIqx8Ih57kQSFU5aJ
dSyR7VmEu2VuiEHi9cRIc/857Eye5iZHiuRQPfwYIfQgKAaNwFSdEAfcKuUS3zJu
yE5TCVRXuS4W32iqgjVbpGgBzlbX+8IssqFvh/9Rx/FJvfHHTx3QS4TUyxC93bgf
aIWdggniW3NmKhvE0IlrnAU+vUQMivWaOw2zocXUjKwoXPSm3dpXC9HWGwbwUYwf
ebggLC/RMdS353+GsS3wXfyueD4dSLoDnCcOAzzl1Q8iFnrtPmDre3XWzvMeGEPy
IuvK64Ulmpy83ZmpL7yBJMjCH/oivFeax9SeQwpP/UY0vg1s7awQT69DiO2tr7t4
v8HVPTUhfakKlagIqda+CHIX8i/6cu8d0QInwdk0EaFJinO4MBeYq/7/SD1AkW8e
8jsGAFZjcpMHYLpbeoVVWTZjLz/qIlIAiIUZ89RGqiDn2Ws84OzgwCku9ABZyKJd
QAK2VkEWISk7h1olnDfOkYPCtTlmH1KaAmlhVYPXdKGHx+bmEwuLzutjnRSrIJYv
MQYESsZlrqMePs1NwOuWj2C7io8uLapgr+Ity57xYaZ2mGx+CO0Is9sUyQ7Blsqw
HsWQa6M8WJz3bcLpjrpw
=+VYD
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/E1XEjA6-0006qk-4I@master.debian.org

No comments:

Post a Comment