Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4492 bsdiff security update 27 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: bsdiff Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2014-9862 Reference: ESB-2016.1811 ESB-2016.1771 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/11/msg00028.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : bsdiff Version : 4.3-15+deb8u1 CVE ID : CVE-2014-9862 An issue in bsdiff, a tool to generate/apply a patch between two binary files, has been found. Using a crafted patch file an integer signedness error in bspatch could be used for a heap based buffer overflow and possibly execution of arbitrary code. For Debian 8 "Jessie", this problem has been fixed in version 4.3-15+deb8u1. We recommend that you upgrade your bsdiff packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl3dmR5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7 WEdfbg//esgosF/QmWOO1YensbcRkW3wnBh8Q4gzPFbOtUmc/OjeW7ACSlCYr/XU mwBd7kyq+X4SVVN2PMVK21IA2YxIf0UQaKkCX2ThxvEJbxg5tYBM5mBIF1S9NqtM 1Br6GOgT2bpMKfNv28thYjYKOfb1VwSahnTucsK2zoiUqk+OuKAFHUeUupOSZuEc T5ACRQBRZwzR1FhAsahrV19ADUg4cP9v3J3HQsurDiZoDw5g3R75zcaMggAdriPc g11hhbvwhHMMqaCv0lVaRflCLKadvQ4YEPzS1eSb1W5JiK9mjOASLQ52t5+TwATM OT+QIXbXqonhvlhmnJ+4BXfg4NDw16hUNOqErhiGqMTcADKEUS35xic2h7JA7cwZ eMB3n/PKv+HfsMiYgn7htdrGfzckyNgByjXuPyXQA+0ubEUwMyb6cLE1OvCw8+CK JZh8/SKlWLtUMqxzSOt/zm7ddoQGb9uTblKAnI6/t7Zg+kekB7csK6agrOSa7MMq Vi0akSNSByNNPZEtStIJpXAUFoVWcYMIxBxN7z7ACZ8K0RmnC0TSIwABzVXN3C2y IxJkngiRDrF6GbuA7yXsPlHajt3S74iRmV6oJt2KdXg7ynbvvuRorC/rKC48rp59 FDuY9hOahIdNBv2/yGBO8tdVWv/9VB4umVZoKpByS5vj1yXVyXE= =B1g/ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXd4GJ2aOgq3Tt24GAQjFAQ/6AySWXJBan+4Lfntf9p3WEQ9AhRKyiT/d rpM2LUyRIU/Tsaa2vvNk9ylE5bu2m/nwMidGRmVjfmhvkVzyIjOQPCV0AZnglbRB aGNnJmp8LN+B2ALXh908sZ7EBFXMQevPtB5TBwqAP7RZZjNz/W++5iPPOrFd2VHS n6YQk43xYDKqiAjlrit966/svCX8yNsPXKotVoC45Jf4E69c4jZkYC6PEa1gZ6WY GJsTPD0UxvmbogqTKMhsH2vu1c4EfLuZgR6dJFUGZRh+4jQC10oNmxAx2kLm/TW8 tFuYtJ2NuUoRJ2Q8zyEv6NOlSFjODID7Id4Io39vEbok8JoPHgNVKba6VNKb8V2y TzzlGYE7KcpxrNYh1S9CqGokvNtCt7DaUiaAtTQQ6ofZgpsCV/RMTO80K/v2w3iU ct/emIbdsAdYMq5ZOVKvCxftAH0WXGdtozIRtkfd/1hssI4FVipTx47qPhbsn3/8 OanFW1oMOa1O05SmzrTYtrc476C+3aoT7f5JCmqvHhauxf6phTTCJx+StH+KDqMM H3eEphYB32DfGnP5BHRMAqAGgX8/XZz36SwrjuHNjDJGCdwiQYKgn0dxhzAsYyqD Lzj/3ilEsoq2AsN1+kCl+KJ39rQnGImBoxFSPB7epSOB7bRNslRRrYqWUlG958JR RpeNkEfeUks= =zjq+ -----END PGP SIGNATURE-----