ESB-2019.0626 - [Linux][Debian] file: Multiple vulnerabilities 2019-03-01


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0626
                     [DLA 1698-1] file security update
                               1 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           file
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8907 CVE-2019-8905 

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/02/msg00044.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running file check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : file
Version        : 1:5.22+15-2+deb8u5
CVE ID         : CVE-2019-8905 CVE-2019-8907

Potential buffer over-reads in readelf.c have been found in file,
a popular file type guesser.

For Debian 8 "Jessie", these problems have been fixed in version
1:5.22+15-2+deb8u5.

We recommend that you upgrade your file packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
