===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2496
                            ark security update
                                23 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ark
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-24654 CVE-2020-16116

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2022/05/msg00026.html

Comment: CVSS (Max):  3.3 CVE-2020-24654 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3015-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
May 20, 2022                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ark
Version        : 4:16.08.3-2+deb9u1
CVE ID         : CVE-2020-16116 CVE-2020-24654
Debian Bug     : 969437

Fabian Vogt and Dominik Penner discovered that the Ark archive manager did not
sanitize extraction paths, which could result in maliciously crafted archives
with symlinks writing outside the extraction directory.

For Debian 9 stretch, these problems have been fixed in version
4:16.08.3-2+deb9u1.

We recommend that you upgrade your ark packages.

For the detailed security status of ark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================