===========================================================================

AUSCERT External Security Bulletin Redistribution

ESB-2018.2939.2
[SECURITY] [DLA 1527-1] ghostscript security update
2 October 2018

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           ghostscript
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17183 CVE-2018-16543
Reference:         ESB-2018.2807
                   ESB-2018.2684
Original Bulletin: https://lists.debian.org/debian-lts-announce/2018/09/msg00038.html
Revision History:  October 2 2018: A regression in DLA 2527-1 was found and fixed
                   October 1 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ghostscript
Version        : 9.06~dfsg-2+deb8u10
Debian Bug     : 909999

Berkeley Roshan Churchill reported a regression for the recent security
update for ghostscript, announced as DLA-1527-1, caused by an incomplete
fix for CVE-2018-16543. The pdf2ps tool failed to produce any output and
aborted with /rangecheck in .installpagedevice error.

For Debian 8 "Jessie", this problem has been fixed in version
9.06~dfsg-2+deb8u10.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Package        : ghostscript
Version        : 9.06~dfsg-2+deb8u9
CVE ID         : CVE-2018-16543 CVE-2018-17183
Debian Bug     : 908303

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an
interpreter for the PostScript language, which could result in denial of
service, the creation of files or the execution of arbitrary code if a
malformed Postscript file is processed (despite the dSAFER sandbox being
enabled).

In addition this update changes the device to txtwrite for the ps2ascii
tool to prevent an error due to the fix for CVE-2018-17183.

For Debian 8 "Jessie", these problems have been fixed in version
9.06~dfsg-2+deb8u9.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================

Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

===========================================================================