-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2478
               [SECURITY] [DLA 1846-1] unzip security update
                                8 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unzip
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13232  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/07/msg00005.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running unzip check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : unzip
Version        : 6.0-16+deb8u4
CVE ID         : CVE-2019-13232
Debian Bug     : 931433

David Fifield discovered a way to construct non-recursive "zip bombs"
that achieve a high compression ratio by overlapping files inside the
zip container (many central directory entries pointing at the same
compressed data). Because the output size increases quadratically in the
input size, such an archive reaches a compression ratio of over 28 million
(10 MB -> 281 TB) at the limits of the zip format, which can cause a
denial of service when it is extracted. Mark Adler provided a patch to
detect and reject such zip files for the unzip program.
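The following is an added illustration of the check this advisory describes, written here for this bulletin; it is not Mark Adler's unzip patch and not Debian's code. It uses Python's standard zipfile module to read the central directory of an archive, computes the byte span (local header plus compressed data) each entry claims, and reports any two entries whose spans overlap, which a well-formed archive never has. It also reports the declared compression ratio as a second, independent signal. The sample archive is constructed in memory with two ordinary files so the script runs offline; the 30-byte local header layout and the name/extra length offsets are taken from the zip format specification, and the ratio threshold is an assumed value for illustration only.

```python
import io
import struct
import zipfile

# Fixed part of a local file header is 30 bytes; the variable-length file name
# and extra field lengths are the two uint16 fields at offsets 26 and 28.
LOCAL_HEADER_FIXED_LEN = 30
LOCAL_HEADER_SIG = b"PK\x03\x04"


def entry_spans(zip_bytes):
    """Return [(name, start, end)] for every central-directory entry.

    start is the local header offset recorded in the central directory,
    end is start + local header length + compressed size, i.e. the last
    byte this entry claims inside the container.
    """
    spans = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            if zip_bytes[start:start + 4] != LOCAL_HEADER_SIG:
                raise ValueError(f"{info.filename}: no local header at {start}")
            # Read the name/extra lengths from the local header itself; in a
            # crafted archive they need not match the central directory copy.
            name_len, extra_len = struct.unpack_from("<HH", zip_bytes, start + 26)
            end = start + LOCAL_HEADER_FIXED_LEN + name_len + extra_len + info.compress_size
            spans.append((info.filename, start, end))
    return spans


def find_overlaps(spans):
    """Return [(name_a, name_b)] for adjacent entries whose byte ranges overlap.

    Entries are sorted by start offset; in a normal archive each entry starts
    at or after the previous one's end.  Overlapping entries are the hallmark
    of the non-recursive zip bomb this advisory describes.
    """
    ordered = sorted(spans, key=lambda s: s[1])
    overlaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur[1] < prev[2]:
            overlaps.append((prev[0], cur[0]))
    return overlaps


def declared_ratio(zip_bytes):
    """Total uncompressed size claimed by the central directory divided by
    the container size.  Legitimate deflate data rarely exceeds ~1000:1."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        total = sum(info.file_size for info in zf.infolist())
    return total / len(zip_bytes)


def check_archive(zip_bytes, max_ratio=1000.0):
    """Return a list of human-readable findings; empty means nothing suspicious.

    max_ratio is an assumed illustrative threshold, not a value from the advisory.
    """
    findings = []
    for a, b in find_overlaps(entry_spans(zip_bytes)):
        findings.append(f"entries '{a}' and '{b}' overlap inside the container")
    ratio = declared_ratio(zip_bytes)
    if ratio > max_ratio:
        findings.append(f"declared compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return findings


def make_benign_zip():
    """Constructed sample: an ordinary two-file archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_benign_zip()
    for name, start, end in entry_spans(sample):
        print(f"{name}: bytes {start}-{end}")
    print("findings:", check_archive(sample) or "none")
```

The overlap test is the decisive one: a high ratio alone can be produced by legitimate data (a large file of zeros compresses extremely well), whereas two central-directory entries claiming the same bytes has no benign explanation. Running the same span check before extraction, as the unzip fix does, lets an extractor refuse the archive before it writes anything.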

For Debian 8 "Jessie", this problem has been fixed in version
6.0-16+deb8u4.

We recommend that you upgrade your unzip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----