===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2017.0556.2
                           tnef security update
                               30 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tnef
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6310 CVE-2017-6309 CVE-2017-6308
                   CVE-2017-6307

Original Bulletin:
   http://www.debian.org/security/2017/dsa-3798

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running tnef check for an updated version of the software for
         their operating system.

Revision History:  March 30 2017: DSA-3798-1 for tnef introduced a regression
                   March  2 2017: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3798-2                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tnef
Debian Bug     : 857342

DSA-3798-1 for tnef introduced a regression that caused crashes on some
attachments.

For the stable distribution (jessie), this problem has been fixed in
version 1.4.9-1+deb8u2.

We recommend that you upgrade your tnef packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-3798-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 01, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tnef
CVE ID         : CVE-2017-6307 CVE-2017-6308 CVE-2017-6309 CVE-2017-6310
Debian Bug     : 856117

Eric Sesterhenn, from X41 D-Sec GmbH, discovered several
vulnerabilities in tnef, a tool used to unpack MIME attachments of
type "application/ms-tnef". Multiple heap overflows, type confusions
and out of bound reads and writes could be exploited by tricking a
user into opening a malicious attachment. This would result in denial
of service via application crash, or potential arbitrary code
execution.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.9-1+deb8u1.

We recommend that you upgrade your tnef packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================