===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0119
                            ldm security update
                              13 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ldm
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20373

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2064

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running ldm check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : ldm
Version        : 2:2.2.15-2+deb8u1
CVE ID         : CVE-2019-20373
Debian Bug     : #948538

It was discovered that a hook script of ldm, the display manager for the
Linux Terminal Server Project incorrectly parsed responses from an SSH
server which could result in local root privilege escalation.

For Debian 8 "Jessie", this issue has been fixed in ldm version
2:2.2.15-2+deb8u1.

We recommend that you upgrade your ldm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================