-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1187
                            unzip security update
                                2 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unzip
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13232
Reference:         ESB-2019.3894
                   ESB-2019.2478.2

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:1181

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: unzip security update
Advisory ID:       RHSA-2020:1181-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1181
Issue date:        2020-03-31
CVE Names:         CVE-2019-13232
=====================================================================

1. Summary:

An update for unzip is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The unzip utility is used to list, test, and extract files from zip
archives.

Security Fix(es):

* unzip: overlapping of files in ZIP container leads to denial of service
(CVE-2019-13232)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1727761 - CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

ppc64:
unzip-6.0-21.el7.ppc64.rpm
unzip-debuginfo-6.0-21.el7.ppc64.rpm

ppc64le:
unzip-6.0-21.el7.ppc64le.rpm
unzip-debuginfo-6.0-21.el7.ppc64le.rpm

s390x:
unzip-6.0-21.el7.s390x.rpm
unzip-debuginfo-6.0-21.el7.s390x.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-13232
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXoOcdNzjgjWX9erEAQhyLw/+MyUbKAxFFEFeEiFflM6JFC3oGEgx28tv
xapOlE5GFuyJrtPyLnW9sQrd6hCuBk1LhW6631q3CbqzEbTiq4dfVQR0pS0d58bL
aLcNDJpr+On+NohaGmMm79n43OmR9CS+DEB+cb1ByjjsKwVxq+l3fwphUPCu/YpQ
6NV/gnE1ayuOuWpRf0Gdl5XR+zzm9LHKTptznYg7caMX+KFOZ310F65YS+PqGHEa
Kf/ag7af49o+eVQYwcXZMJCtqcXfGovO7llybWECzkzd7rJIRmMLr9mJfu006TIF
AdIB8jvf8bgFRotGV86fMhpCXt8mdKvUEK/4gP3//7y6As7Pr6zK+O3IiQr/37xE
IweN1DLs2PIRKm14QyJ3ahqfSvbXRYGF8TEDZMFCVhQJim5hSvK5PXMRMNqV2Atg
bguoJJfBRgTobjQ3QD2grr0YQzzDtFlN7VW5CiNYomcgeEziSUl75CXa+y/GiZrG
gAoIFDKgNJqQlxk3JbJE+whlspR4DB7VBaP7O2R2UrTtYMKroAbAd9SqttrdjGaO
vj4O8RqB2aJhYAfVP+9QXpbf0jGqM/+johuzXXBuKQMTQM3yje9tMnaZ+zNQa44l
fxdi0p4Z7kFBpRzBtzAlDI5GPemEfBTSCcxeJvfeV13hadwU4zmlqAdGMdAjoUH6
VOAXtsdtC2s=
=uMwR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXoV/O2aOgq3Tt24GAQh3jA/+Po5/nPhXn3jNUSgsWBifhMZuKd17xhR2
KCJJx5+2XNEPRhaswV1brdl7uQmFgT8VcTzglKy2dfYkK57Bx4QTP0mE3EJmAlie
K99SfK6duCudE+/uymSZxUBFMbsLaMaS/1ToBXK0GK1CMsoURaPn4uZ1LLJVzLhI
n8kMlnrBNWK4kpJu0xl1J/3zDTg91o0Xy+nUkU/66GUUX3lUmoEDomqWxzVw5A7z
Vn+GgFWuwXRhCq+XpnsKaecN70QNzVcl9TP/F37WNxZUUFVHkmsGmo9pQ80CbrwS
CWx0Gc4n2NaaZY1DjHtd0QeYImx3gDNUfANCx7HTI1wge7iQMb4OaRYs8D/5EvHH
TNj4V38aZth6CK1+3ewKhMb/rkntlIpwfYEnyRso2uTJubQLhTJuJohnzX2LQs2l
FH7ILIupMOjWfqquBeKjDBfmMLnqR6DXWusgQLT8T0huAtgGyc2xGMxxGzvBPMco
P/S8n61a+DDYEQuyTgprEC55b28fvrikTvEzwfInocz3jI4L6BHfxfe0wbpmodQQ
Y9segZCQH4CZX+FKPB597rv1Pj1YlJi2uDwVYbGpLiEkTp3sbEKCtzB+tMBVnac0
fjSnAegK+Hr37MRbd24sVWXdXD2b2akQ3bUyR+cwAPJcf/Pi7bQVY2/PP82NCLR6
lP5bzoMDIvw=
=gPmx
-----END PGP SIGNATURE-----
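The advisory above describes CVE-2019-13232 only as "overlapping of files in ZIP container". The following example is added for this page (it is not code from the unzip project, from Red Hat or from AusCERT) and shows what that condition looks like on disk and how to screen an archive for it before an unpatched unzip (anything older than unzip-6.0-21.el7 on RHEL 7, per the package list above; check with `rpm -q unzip`) touches it. It walks the central directory and the local file headers directly, computes the byte range each entry occupies, and reports pairs of entries whose ranges intersect, which covers both the layout where several directory entries point at one local header and the layout where distinct local headers overlap. It also builds a constructed archive in which a thousand directory entries share one local header, so a few kilobytes claim a gigabyte of output. Header layouts follow the published ZIP format; the entry names, payload and sizes are made up for the demonstration; ZIP64 archives and data-descriptor sizing are out of scope.

```python
"""Check a ZIP archive for overlapping entries, the condition behind
CVE-2019-13232. Added example for this page; not code from unzip or Red Hat."""
import struct
import zlib
from typing import List, NamedTuple, Tuple

LOC_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOC_FIXED, CEN_FIXED = 30, 46  # fixed-size part of local / central headers


class Entry(NamedTuple):
    name: str
    compressed_size: int
    uncompressed_size: int
    local_offset: int


def parse_central_directory(data: bytes) -> List[Entry]:
    """Walk every central directory record (no ZIP64; enough for the
    overlap check, which needs only sizes and local header offsets)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        csize, usize, fn_len, ex_len, cm_len, loc_off = f[7], f[8], f[9], f[10], f[11], f[15]
        name = data[pos + CEN_FIXED:pos + CEN_FIXED + fn_len].decode("cp437", "replace")
        entries.append(Entry(name, csize, usize, loc_off))
        pos += CEN_FIXED + fn_len + ex_len + cm_len
    return entries


def find_overlaps(data: bytes) -> List[Tuple[str, str]]:
    """Return (earlier, later) name pairs whose [local header, end of data)
    byte ranges intersect. A well-formed archive returns an empty list."""
    spans = []
    for e in parse_central_directory(data):
        off = e.local_offset
        if data[off:off + 4] != LOC_SIG:
            raise ValueError(f"{e.name}: no local header at offset {off}")
        fn_len, ex_len = struct.unpack_from("<HH", data, off + 26)
        # Size the data from the central directory: the local header's copy
        # is legitimately zero when a data descriptor follows the data.
        spans.append((off, off + LOC_FIXED + fn_len + ex_len + e.compressed_size, e.name))
    spans.sort()
    overlaps, reach, reach_name = [], -1, ""
    for start, end, name in spans:
        if start < reach:  # starts before the furthest byte already claimed
            overlaps.append((reach_name, name))
        if end > reach:
            reach, reach_name = end, name
    return overlaps


def expansion_ratio(data: bytes) -> float:
    """Declared output bytes per archive byte: the figure to cap with a
    quota on total bytes written, independently of the unzip version."""
    return sum(e.uncompressed_size for e in parse_central_directory(data)) / len(data)


def build_archive(names: List[str], payload: bytes, overlap: bool = False) -> bytes:
    """Construct a test archive in memory (constructed input, not a captured
    sample). With overlap=True all central directory entries point at one
    shared local header, so a tiny file claims len(names) copies of payload."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as ZIP stores it
    cdata = comp.compress(payload) + comp.flush()
    crc, csize, usize = zlib.crc32(payload), len(cdata), len(payload)
    out, offsets = bytearray(), []
    for name in (names[:1] if overlap else names):
        offsets.append(len(out))
        fn = name.encode()
        out += LOC_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0, crc, csize, usize, len(fn), 0)
        out += fn + cdata
    if overlap:
        offsets = [0] * len(names)
    cd_start = len(out)
    for name, off in zip(names, offsets):
        fn = name.encode()
        out += CEN_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 8, 0, 0, crc, csize, usize,
                                     len(fn), 0, 0, 0, 0, 0, off) + fn
    out += EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(names), len(names), len(out) - cd_start, cd_start, 0)
    return bytes(out)


if __name__ == "__main__":
    payload = b"A" * 1_000_000
    normal = build_archive(["a.txt", "b.txt"], payload)
    bomb = build_archive([f"f{i}.txt" for i in range(1000)], payload, overlap=True)
    for label, blob in (("normal", normal), ("overlapping", bomb)):
        print(f"{label}: {len(blob)} bytes on disk, claims {expansion_ratio(blob):.0f}x, "
              f"{len(find_overlaps(blob))} overlapping pair(s)")
```

Overlap is the structural signal the fixed unzip acts on; the expansion ratio is a separate figure, since an archive with no overlapping entries can still carry a large declared size. Extraction under a quota on total bytes written (ulimit on file size, or a container with a bounded writable filesystem) bounds the damage from either case and does not depend on which unzip build is installed.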