ESB-2017.2092.2 - UPDATE [UNIX/Linux][Debian] augeas: Execute arbitrary code/commands - Existing account 2017-08-22



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2092.2
                          augeas security update
                              22 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           augeas
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7555  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3949

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running augeas check for an updated version of the software for 
         their operating system.

Revision History:  August 22 2017: Update to include Multi-OS comment
                   August 22 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3949-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
August 21, 2017                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : augeas
CVE ID         : CVE-2017-7555
Debian Bug     : 872400

Han Han of Red Hat discovered that augeas, a configuration editing
tool, improperly handled some escaped strings. A remote attacker could
leverage this flaw by sending maliciously crafted strings, thus
causing an augeas-enabled application to crash or potentially execute
arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.0-0.2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 1.8.0-1+deb9u1.

We recommend that you upgrade your augeas packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAlmaoi0ACgkQEL6Jg/PV
nWQa6AgAuDE/urqDtUlXt53PL3b9pZsUSdKQ+74l64hhKMV0+kQ8SSitBdcjXR/8
1nsdd7Qi36lOCwYv7EEcCqz98puB+ef31LwVZiYbVLAG6YT54Zl7XSSIpXx94Ef+
JCAJ8NGOCLoqHjTNtsQVnPMtLUbV42aDqlNeDgMEXzvoDb/k8R4CmrSMremz8xn9
0bPuziBV73NfQAf3hnrj+Q+whEHg9rCie/wsH1m6QcpibJEJpLlTC1gV8PZehGMM
g3h+H2XV/YrMR1swecIH5VxIEeLCL0mgeLJ4azfIxyWH0adVFRCRp8ZiZ3c2KyQS
ejEgj24vgFvrvdQWGAeeh0dl2e/LWw==
=502b
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
