ESB-2017.2402.2 - UPDATE [Win][UNIX/Linux][Debian] perl: Multiple vulnerabilities 2017-11-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2402.2
                           perl security update
                             14 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           perl
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12883 CVE-2017-12837

Original Bulletin:
   http://www.ubuntu.com/usn/usn-3478-2

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running perl check for an updated version of the software for their
         operating system.

Revision History:  November  14 2017: Patch released for Ubuntu 12.04 ESM.
                   September 22 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3478-2
November 13, 2017

perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 12.04 ESM

Summary:

Perl could be made to crash if it received specially crafted
input.

Software Description:
- - perl: Practical Extraction and Report Language

Details:

USN-3478-1 fixed two vulnerabilities in Perl. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Jakub Wilk discovered that Perl incorrectly handled certain regular
 expressions. An attacker could use this issue to cause Perl to crash,
 resulting in a denial of service, or possibly execute arbitrary code.
 (CVE-2017-12883)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  perl                            5.14.2-6ubuntu2.6

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3478-2
  https://www.ubuntu.com/usn/usn-3478-1
  CVE-2017-12883


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3982-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 21, 2017                    https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2017-12837 CVE-2017-12883
Debian Bug     : 875596 875597

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-12837

    Jakub Wilk reported a heap buffer overflow flaw in the regular
    expression compiler, allowing a remote attacker to cause a denial of
    service via a specially crafted regular expression with the
    case-insensitive modifier.

CVE-2017-12883

    Jakub Wilk reported a buffer over-read flaw in the regular
    expression parser, allowing a remote attacker to cause a denial of
    service or information leak.

For the oldstable distribution (jessie), these problems have been fixed
in version 5.20.2-3+deb8u9.

For the stable distribution (stretch), these problems have been fixed in
version 5.24.1-3+deb9u2.

For the testing distribution (buster), these problems have been fixed
in version 5.26.0-8.

For the unstable distribution (sid), these problems have been fixed in
version 5.26.0-8.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
