Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4492
bsdiff security update
27 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: bsdiff
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-9862
Reference: ESB-2016.1811
ESB-2016.1771
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/11/msg00028.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : bsdiff
Version : 4.3-15+deb8u1
CVE ID : CVE-2014-9862
An issue in bsdiff, a tool to generate/apply a patch between two binary
files, has been found.
Using a crafted patch file an integer signedness error in bspatch could be
used for a heap based buffer overflow and possibly execution of arbitrary
code.
For Debian 8 "Jessie", this problem has been fixed in version
4.3-15+deb8u1.
We recommend that you upgrade your bsdiff packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl3dmR5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEdfbg//esgosF/QmWOO1YensbcRkW3wnBh8Q4gzPFbOtUmc/OjeW7ACSlCYr/XU
mwBd7kyq+X4SVVN2PMVK21IA2YxIf0UQaKkCX2ThxvEJbxg5tYBM5mBIF1S9NqtM
1Br6GOgT2bpMKfNv28thYjYKOfb1VwSahnTucsK2zoiUqk+OuKAFHUeUupOSZuEc
T5ACRQBRZwzR1FhAsahrV19ADUg4cP9v3J3HQsurDiZoDw5g3R75zcaMggAdriPc
g11hhbvwhHMMqaCv0lVaRflCLKadvQ4YEPzS1eSb1W5JiK9mjOASLQ52t5+TwATM
OT+QIXbXqonhvlhmnJ+4BXfg4NDw16hUNOqErhiGqMTcADKEUS35xic2h7JA7cwZ
eMB3n/PKv+HfsMiYgn7htdrGfzckyNgByjXuPyXQA+0ubEUwMyb6cLE1OvCw8+CK
JZh8/SKlWLtUMqxzSOt/zm7ddoQGb9uTblKAnI6/t7Zg+kekB7csK6agrOSa7MMq
Vi0akSNSByNNPZEtStIJpXAUFoVWcYMIxBxN7z7ACZ8K0RmnC0TSIwABzVXN3C2y
IxJkngiRDrF6GbuA7yXsPlHajt3S74iRmV6oJt2KdXg7ynbvvuRorC/rKC48rp59
FDuY9hOahIdNBv2/yGBO8tdVWv/9VB4umVZoKpByS5vj1yXVyXE=
=B1g/
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXd4GJ2aOgq3Tt24GAQjFAQ/6AySWXJBan+4Lfntf9p3WEQ9AhRKyiT/d
rpM2LUyRIU/Tsaa2vvNk9ylE5bu2m/nwMidGRmVjfmhvkVzyIjOQPCV0AZnglbRB
aGNnJmp8LN+B2ALXh908sZ7EBFXMQevPtB5TBwqAP7RZZjNz/W++5iPPOrFd2VHS
n6YQk43xYDKqiAjlrit966/svCX8yNsPXKotVoC45Jf4E69c4jZkYC6PEa1gZ6WY
GJsTPD0UxvmbogqTKMhsH2vu1c4EfLuZgR6dJFUGZRh+4jQC10oNmxAx2kLm/TW8
tFuYtJ2NuUoRJ2Q8zyEv6NOlSFjODID7Id4Io39vEbok8JoPHgNVKba6VNKb8V2y
TzzlGYE7KcpxrNYh1S9CqGokvNtCt7DaUiaAtTQQ6ofZgpsCV/RMTO80K/v2w3iU
ct/emIbdsAdYMq5ZOVKvCxftAH0WXGdtozIRtkfd/1hssI4FVipTx47qPhbsn3/8
OanFW1oMOa1O05SmzrTYtrc476C+3aoT7f5JCmqvHhauxf6phTTCJx+StH+KDqMM
H3eEphYB32DfGnP5BHRMAqAGgX8/XZz36SwrjuHNjDJGCdwiQYKgn0dxhzAsYyqD
Lzj/3ilEsoq2AsN1+kCl+KJ39rQnGImBoxFSPB7epSOB7bRNslRRrYqWUlG958JR
RpeNkEfeUks=
=zjq+
-----END PGP SIGNATURE-----