Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2908 [DLA 1871-1] vim security update 5 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: vim Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Existing Account Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-12735 CVE-2017-17087 CVE-2017-11109 Reference: ESB-2019.2862 ESB-2019.2750 ESB-2019.2326 ESB-2019.2157.2 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : vim Version : 2:7.4.488-7+deb8u4 CVE ID : CVE-2017-11109 CVE-2017-17087 CVE-2019-12735 Debian Bug : 867720 930020 Several minor issues have been fixed in vim, a highly configurable text editor. CVE-2017-11109 Vim allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. CVE-2017-17087 Vim sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership. CVE-2019-12735 Vim did not restrict the `:source!` command when executed in a sandbox. For Debian 8 "Jessie", these problems have been fixed in version 2:7.4.488-7+deb8u4. We recommend that you upgrade your vim packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl1FX5YACgkQj/HLbo2J BZ89qgf8CoBW+7zggqjjTCsK4uFDShdFdpT3jqGhAsZt+N/j5J2BasHH9d00hidJ c/gT8Mx5yZJ7+nvws7ysQ2wSk9WLqQ6cm5O5nN4GpAE6TE/Gzoxa0niTYniGDAwO Fau+xxpNiCeXnTc5L1UeXNs6SQhnYFIdTo47BI957F4mJPW3WR0ka0tExgDTAdhY yLh0lZLe6/8/3/e+xVaAkNW8y0NXcKbEJH2uNB0//VgeLhSQaM2vTo9hlkoASDyU Ibase1K5FHYFziU0y+zRtvTySoJV1XQ8etiI7PwU59rLeWmyQy6W8drMgpzZXEaq VSQJ3SjXXYQulK0Y+SqaiUuxHN5dqw== =yqrh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXUd/oWaOgq3Tt24GAQj83BAA3X7TxzG0NyRFbjkiwwYphNDk2qm5bh3D /dWm9FEW+UOh2jxEAp/ViS4mSfvwStMppu2BcqtiKqr8lGiXZvAGQ12IhkIF/YPu lEGWrdjZ7orpqj1IJb49RoBRlMSCSgnHfbA/wDnat7bJIYbJJALkxh5VcdZxeOqR 5SMvZgkJvGmjvipO8lVvW0XKZ3hLDVjlL/tqBLz//qozZujdDm+5N68HX+iLY5V/ qhS5cGek4LTg7YMhSeVZmXocHBjXgpe1j/MbvFtJvA8TYXH1qKa/p8vUo1SKC2tf t27YqHQtYsc8HgYbdO8QnOp6XERtvesJfe0BhDaKxPp7P5LFI9VDGp+fzczSXaGK wDWIGxeR0ON4Z2r6ZV8J9h3aPE8feqTiJOliP/My8RrfPfsfqY/GuU4TFABs9/gH c31NogMlP4+4ygCdjCGeTuCY1Hn4DCZEnwNr2qfIp4VW7ALnrYi6wpDXnXkFtTHk dzfYOKJ3uQTFEad4CtZTL2YgoYKkBos+7iXwWN/Y/zI/wcmE/tqQx9xM9pN+e3dF T4R3OCTAFW6HUJSwJ4B3LdCTGvPXXdhj94AVPDI1AorgHMmSCCH0PcPgoz1qTS4D HMWP2QtoXp0VskK6Yoxwwz7pbsFF4tpZi8s3/lMeK3tw9db5XLGVn386nWjzeuBb JRQIRvXO7b8= =toe8 -----END PGP SIGNATURE-----