-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3047
                         kconfig security update
                              12 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           kconfig
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14744

Original Bulletin:
   http://www.debian.org/security/2019/dsa-4494

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running kconfig check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4494-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
August 09, 2019                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : kconfig
CVE ID         : CVE-2019-14744

Dominik Penner discovered that KConfig, the KDE configuration settings
framework, supported a feature to define shell command execution in .desktop
files. If a user is provided with a malformed .desktop file (e.g. if it's
embedded into a downloaded archive and it gets opened in a file browser)
arbitrary commands could get executed. This update removes this feature.

For the oldstable distribution (stretch), this problem has been fixed
in version 5.28.0-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 5.54.0-1+deb10u1.

We recommend that you upgrade your kconfig packages.

For the detailed security status of kconfig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kconfig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl1NlzoACgkQEMKTtsN8
Tjaw4Q/9FzjCBgE64hT9vdplL6QpSBBWQr1DJyiME4fd3qRjxOmPghWLrPUAu5vF
2nXGcFf7nZX6+0AjwOGO65V687Xci0KIP/YNQNmbHeThIbUfCt2CDnWDBgYowY26
oRmzfBn7Xo6IuBVCmFYb+yNh2zAoCBm7HmX5L/GaZhBB31ONUs/VKJFvH/zVdnA2
kKnS/DF2TRgQ+uLy/JMEtX1u3TCKVL71mUeeZhACFjck8jZorXEigCJiTftc8l/y
68RnA8NusDz61eKmoVq0kdhna0JgU+oJ+1zQSwSfNaUaqfdDtO6QLzW6A7rdNQH7
Feb7RIDmFq0giGZ0tLcD3U91VMLwmKIYf/ofWq5hSTt+ccR8PzFIdaCoFhfG7ji1
46TfsGpYcci8NxmJ3HI3YY5CSGRBU6GVAs2cs8n72hncBNOWLbRrW9Fdsd8XWiqc
toTRG1tsrgAbXYzYzclzqueKv3UDo1qdH34oI8ozZ3Rp6+oIpPRL+74K1G6JxYQl
c2YeBmX+LpLrJKrJq8YsUkjv3qLMqduVwvF4Mr2Ktf/QP/CUCw00kIRZIaLBtJy8
4dqTXVDtowC0Qyzc+Cn+iRyl1tyqFAld9gK3Q4Ie53lVZfBLJa4TS9MMvjy4PBDG
j0emwOBIYpPQcjfv71XbVqQ6n3pX/RkzLfGvEMRuSbByzvWaT0A=
=yWRl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVCnoGaOgq3Tt24GAQhtERAAhZF0hMM/MOd7/MjsKzu/+63KxaZahhaR
g9iN5DJyHiBN0ftAvDhj56NBUzOXi9pC4awre7h0ff9n3qNdg4cxMfyvlTb0Cb94
ediaYRWKY9OJoGxjYslMcmFpnhuA10Wx9zr0TDLgFptwHzvn24gNv9KtwO0vQ5Q8
nCb0MtcE2SUgSoWfmVCzQxmQSUhFutsKOMqvmlmDDokQnSLKV5mlVFngMxe5NGzO
Bb8hD/B3f3iQnlnJVJZ4qQNmJ2JsKZDe7yNZH2+uATTwFHy/jAAgCbxBWAD3twfv
Usgy6E87qH7pgRJWTi0sPJQzeKX6juCSERazsCRatT/TEsAlVMcWaVs76LIIXGe9
VLryBgEa01aUbQOne5ExCnc7RowgiaPNHzz+oIO1VI3f36sZ1vc+gYaz+ZGtyPYx
2YrrKKsXt4DBG4oeub2vUonM2cke+S9QfRlHe7F5nnc7gRlyUypEnDCUwTsso48V
2zbHyvA+lWFj+3dm2xjNZR+OZQWHkqlcvr1uiziOOELeRWI8BIEeL2pui6YWZ2EZ
dbhiMyna2FuL9DAkHtBGlNS4rmQ1aFG/QHszu2P2aFX213AktD1bnJZPopQ+wvf9
hcvNtGZkE3lw0o0Xy2DT6WP/gdNCrFHpBCLdSIMc0yJRCGPZAh2PuiKWbhPmVDYw
yDA9NS0yoN4=
=pa+d
-----END PGP SIGNATURE-----