===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3734
                     [DLA 1602-1] nsis security update
                              3 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nsis
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Overwrite Arbitrary Files       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-9268 CVE-2015-9267

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/11/msg00041.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running nsis check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : nsis
Version        : 2.46-10+deb8u1
CVE ID         : CVE-2015-9267 CVE-2015-9268

Among others, Andre Heinicke from gpg4win.org found several issues in
nsis, a tool for creating quick and user-friendly installers for
Microsoft Windows operating systems.

The issues are fixed by ...
... using SetDefaultDllDirectories() to restrict implicitly loaded and
    dynamically loaded modules to trusted directories
... creating temporary directories in a way that only elevated users
    can write into them
... not implicitly linking against Version.dll but using wrapper
    functions

For Debian 8 "Jessie", these problems have been fixed in version
2.46-10+deb8u1.

We recommend that you upgrade your nsis packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
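
The third fix listed in the advisory replaces an implicit link against Version.dll with wrapper functions. As an added example (not part of the advisory and not NSIS code), the Python below reads a PE file's static import table and reports whether it names version.dll; the names `pe_imports`, `links_version` and `sample_pe` are hypothetical, and the sample image is constructed for the demonstration.

```python
import struct

def pe_imports(data):
    """Return lower-cased DLL names from a PE image's static import table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    optsz, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    ddir = opt + (112 if magic == 0x20B else 96)         # PE32+ / PE32
    imp_rva, = struct.unpack_from("<I", data, ddir + 8)  # directory entry 1
    secs = [struct.unpack_from("<8sIIII", data, opt + optsz + 40 * i)
            for i in range(nsec)]

    def off(rva):  # map an RVA to a file offset via the section table
        for _, vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA outside any section")

    names, p = [], off(imp_rva) if imp_rva else None
    while p is not None:
        desc = struct.unpack_from("<5I", data, p)        # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                # all-zero terminator
            break
        n = off(desc[3])                                 # Name RVA
        names.append(data[n:data.index(b"\0", n)].decode("ascii").lower())
        p += 20
    return names

def links_version(data):
    """True if version.dll is named in the static import table."""
    return "version.dll" in pe_imports(data)

def sample_pe(dlls):
    """Constructed minimal PE32 image: one section holding an import table."""
    body = bytearray(20 * (len(dlls) + 1))               # descriptors + terminator
    for i, d in enumerate(dlls):
        struct.pack_into("<I", body, 20 * i + 12, 0x1000 + len(body))
        body += d.encode() + b"\0"
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                 # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 96 + 8, 0x1000)   # import directory RVA
    struct.pack_into("<8sIIII", hdr, 0x138, b".idata", len(body), 0x1000, len(body), 0x200)
    return bytes(hdr + body)
```

A hit only shows that the file imports version.dll at load time; it does not identify which NSIS version built it.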