===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6385
                        dlt-daemon security update
                              8 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dlt-daemon
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31291 CVE-2020-36244 CVE-2020-29394

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2022/12/msg00016.html

Comment: CVSS (Max):  9.8 CVE-2020-36244 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3231-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Utkarsh Gupta
December 07, 2022                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : dlt-daemon
Version        : 2.18.0-1+deb10u1
CVE ID         : CVE-2020-29394 CVE-2020-36244 CVE-2022-31291
Debian Bug     : 976228 1014534

dlt-daemon, a Diagnostic Log and Trace logging daemon, had the following
vulnerabilities reported:

CVE-2020-29394

    A buffer overflow in the dlt_filter_load function in dlt_common.c from
    dlt-daemon allows arbitrary code execution because fscanf is misused
    (no limit on the number of characters to be read in the format argument).

CVE-2020-36244

    dlt-daemon was vulnerable to a heap-based buffer overflow that could
    allow an attacker to remotely execute arbitrary code.

CVE-2022-31291

    An issue in dlt_config_file_parser.c of dlt-daemon allows attackers to
    cause a double free via crafted TCP packets.
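As an added illustration of the defect class behind CVE-2020-29394 (an unbounded `%s` conversion in fscanf/sscanf), and not code from dlt-daemon: a small filter-file loader that uses width-limited conversions and rejects, rather than truncates, over-long tokens. The filter record layout, the ID_LEN width, the function names and the sample input are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Example assumption, not dlt-daemon's layout: a filter pairs an app id
 * with a context id, each at most ID_LEN characters. */
#define ID_LEN 4
struct filter_entry { char apid[ID_LEN + 1]; char ctid[ID_LEN + 1]; };

/* Read one id from *p. The defect class in CVE-2020-29394 is the unbounded
 * form sscanf(src, "%s", dst), which stops only at whitespace and overruns
 * dst on a long token. "%4s" caps the conversion at ID_LEN characters and
 * the %n count lets us reject, rather than silently truncate, a longer one. */
static int parse_id(const char **p, char *dst)
{
    int n = 0;
    if (sscanf(*p, " %4s%n", dst, &n) != 1)
        return 0;
    if ((*p)[n] != '\0' && !isspace((unsigned char)(*p)[n]))
        return 0;                 /* token longer than ID_LEN: reject line */
    *p += n;
    return 1;
}

int parse_filter_bounded(const char *line, struct filter_entry *e)
{
    return parse_id(&line, e->apid) && parse_id(&line, e->ctid);
}

/* Load each "APID CTID" line; lines that fail the bounded parse or exceed
 * the line buffer are skipped. Returns the number of entries stored. */
size_t load_filters(const char *text, struct filter_entry *out, size_t max)
{
    size_t count = 0;
    char line[128];
    while (*text != '\0' && count < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_filter_bounded(line, &out[count]))
                count++;
        }
        text += nl ? len + 1 : len;
    }
    return count;
}

/* Constructed sample: two valid filters and one with an overlong app id. */
static const char SAMPLE_FILTERS[] =
    "APP1 CTX1\nLOGD MAIN\nTHISIDISWAYTOOLONG CTX9\n";
```

The over-long third line is dropped instead of being written past the 5-byte field, which is the behaviour the width specifier buys over a bare `%s`.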
For Debian 10 buster, these problems have been fixed in version
2.18.0-1+deb10u1.

We recommend that you upgrade your dlt-daemon packages.

For the detailed security status of dlt-daemon please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dlt-daemon

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================