Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1321
reportbug security update
6 August 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: reportbug
Publisher: Debian
Operating System: Debian GNU/Linux 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0479
Original Bulletin:
http://www.debian.org/security/2014/dsa-2997
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2997-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
August 05, 2014 http://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : reportbug
CVE ID : CVE-2014-0479
Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.
For the stable distribution (wheezy), this problem has been fixed in
version 6.4.4+deb7u1.
For the testing distribution (jessie), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 6.5.0+nmu1.
We recommend that you upgrade your reportbug packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJT4R2DAAoJEAVMuPMTQ89EQ3IP/jpMDvRgkU3Qf9zVnbsqBudl
ChgkyXxAFvsCOUSB9IwXdaBX4pd6B4g/3hxXlrp6CO2iA+dYIqx8Ih57kQSFU5aJ
dSyR7VmEu2VuiEHi9cRIc/857Eye5iZHiuRQPfwYIfQgKAaNwFSdEAfcKuUS3zJu
yE5TCVRXuS4W32iqgjVbpGgBzlbX+8IssqFvh/9Rx/FJvfHHTx3QS4TUyxC93bgf
aIWdggniW3NmKhvE0IlrnAU+vUQMivWaOw2zocXUjKwoXPSm3dpXC9HWGwbwUYwf
ebggLC/RMdS353+GsS3wXfyueD4dSLoDnCcOAzzl1Q8iFnrtPmDre3XWzvMeGEPy
IuvK64Ulmpy83ZmpL7yBJMjCH/oivFeax9SeQwpP/UY0vg1s7awQT69DiO2tr7t4
v8HVPTUhfakKlagIqda+CHIX8i/6cu8d0QInwdk0EaFJinO4MBeYq/7/SD1AkW8e
8jsGAFZjcpMHYLpbeoVVWTZjLz/qIlIAiIUZ89RGqiDn2Ws84OzgwCku9ABZyKJd
QAK2VkEWISk7h1olnDfOkYPCtTlmH1KaAmlhVYPXdKGHx+bmEwuLzutjnRSrIJYv
MQYESsZlrqMePs1NwOuWj2C7io8uLapgr+Ity57xYaZ2mGx+CO0Is9sUyQ7Blsqw
HsWQa6M8WJz3bcLpjrpw
=+VYD
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU+GIqRLndAQH1ShLAQIXwxAAugcuyGPJYo9gAGGQmFl7XisBUTD58sp4
fceh8ZjilvMs0O1YiurRrGWGFrhxUyMeY1Eu2RJGEr5t5D05mx3fTq8j4nZrBkEt
DJeD91ZiPXedqbPbwDEQzj4+qAhhmYSZJkhvakPbmL9RZ+T4R1vhG5UFXaaspcj/
atOMszGKb0NhlEqZO/7/RPq0r/eemHnERpK0u7jXPb5p3Kr+TUZXTVCyoTU8dpWE
kZP510RrQ3bF56J+25M2FpeZQG+Ciz6vOZ3thuaiE167F5YRjEQxgn+J+gYIKPD8
H1Ufaxgq6TgYosSvU+gBJmPsMaAkcr2W2oNoulAIpS7WKB6u4dz+jO71tRGkGgwd
rv5twA0LjyHPnAxwxyLmuM1CEzwZu1W/XB4T9+5cBL1XG1XXASGzFCSYZaVlp3Op
kWiJh+YtYO3mrGu0On2o/RYz/HBAukMiz2QNH87klMbHRwYmYH3pms2GqMhwoLYt
ztl3tb5cAPPrY8o62XQg8soJgbfkmo76IeWxpwS9OtoAmAWEkJebRnwLl0tnk1UT
aYoLsDVFIpD3dWkZUDlPJOB/PtFmTIPGBRbq3C6S9Ie6ZvLxDnVc+6+yLVEv9Pps
XMSlrmde/s/wiMgHlGixCpzDGyUrnHuZ7xic0MENcG8nKBxK5mkkwaWsfQSF6731
XX+/KJSeAVM=
=mIBO
-----END PGP SIGNATURE-----