-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1187
                           unzip security update
                               2 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unzip
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-13232  

Reference:         ESB-2019.3894
                   ESB-2019.2478.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1181

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: unzip security update
Advisory ID:       RHSA-2020:1181-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1181
Issue date:        2020-03-31
CVE Names:         CVE-2019-13232 
=====================================================================

1. Summary:

An update for unzip is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The unzip utility is used to list, test, and extract files from zip
archives.

Security Fix(es):

* unzip: overlapping of files in ZIP container leads to denial of service
(CVE-2019-13232)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1727761 - CVE-2019-13232 unzip: overlapping of files in ZIP container leads to denial of service

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

ppc64:
unzip-6.0-21.el7.ppc64.rpm
unzip-debuginfo-6.0-21.el7.ppc64.rpm

ppc64le:
unzip-6.0-21.el7.ppc64le.rpm
unzip-debuginfo-6.0-21.el7.ppc64le.rpm

s390x:
unzip-6.0-21.el7.s390x.rpm
unzip-debuginfo-6.0-21.el7.s390x.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
unzip-6.0-21.el7.src.rpm

x86_64:
unzip-6.0-21.el7.x86_64.rpm
unzip-debuginfo-6.0-21.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-13232
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.8_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXoOcdNzjgjWX9erEAQhyLw/+MyUbKAxFFEFeEiFflM6JFC3oGEgx28tv
xapOlE5GFuyJrtPyLnW9sQrd6hCuBk1LhW6631q3CbqzEbTiq4dfVQR0pS0d58bL
aLcNDJpr+On+NohaGmMm79n43OmR9CS+DEB+cb1ByjjsKwVxq+l3fwphUPCu/YpQ
6NV/gnE1ayuOuWpRf0Gdl5XR+zzm9LHKTptznYg7caMX+KFOZ310F65YS+PqGHEa
Kf/ag7af49o+eVQYwcXZMJCtqcXfGovO7llybWECzkzd7rJIRmMLr9mJfu006TIF
AdIB8jvf8bgFRotGV86fMhpCXt8mdKvUEK/4gP3//7y6As7Pr6zK+O3IiQr/37xE
IweN1DLs2PIRKm14QyJ3ahqfSvbXRYGF8TEDZMFCVhQJim5hSvK5PXMRMNqV2Atg
bguoJJfBRgTobjQ3QD2grr0YQzzDtFlN7VW5CiNYomcgeEziSUl75CXa+y/GiZrG
gAoIFDKgNJqQlxk3JbJE+whlspR4DB7VBaP7O2R2UrTtYMKroAbAd9SqttrdjGaO
vj4O8RqB2aJhYAfVP+9QXpbf0jGqM/+johuzXXBuKQMTQM3yje9tMnaZ+zNQa44l
fxdi0p4Z7kFBpRzBtzAlDI5GPemEfBTSCcxeJvfeV13hadwU4zmlqAdGMdAjoUH6
VOAXtsdtC2s=
=uMwR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXoV/O2aOgq3Tt24GAQh3jA/+Po5/nPhXn3jNUSgsWBifhMZuKd17xhR2
KCJJx5+2XNEPRhaswV1brdl7uQmFgT8VcTzglKy2dfYkK57Bx4QTP0mE3EJmAlie
K99SfK6duCudE+/uymSZxUBFMbsLaMaS/1ToBXK0GK1CMsoURaPn4uZ1LLJVzLhI
n8kMlnrBNWK4kpJu0xl1J/3zDTg91o0Xy+nUkU/66GUUX3lUmoEDomqWxzVw5A7z
Vn+GgFWuwXRhCq+XpnsKaecN70QNzVcl9TP/F37WNxZUUFVHkmsGmo9pQ80CbrwS
CWx0Gc4n2NaaZY1DjHtd0QeYImx3gDNUfANCx7HTI1wge7iQMb4OaRYs8D/5EvHH
TNj4V38aZth6CK1+3ewKhMb/rkntlIpwfYEnyRso2uTJubQLhTJuJohnzX2LQs2l
FH7ILIupMOjWfqquBeKjDBfmMLnqR6DXWusgQLT8T0huAtgGyc2xGMxxGzvBPMco
P/S8n61a+DDYEQuyTgprEC55b28fvrikTvEzwfInocz3jI4L6BHfxfe0wbpmodQQ
Y9segZCQH4CZX+FKPB597rv1Pj1YlJi2uDwVYbGpLiEkTp3sbEKCtzB+tMBVnac0
fjSnAegK+Hr37MRbd24sVWXdXD2b2akQ3bUyR+cwAPJcf/Pi7bQVY2/PP82NCLR6
lP5bzoMDIvw=
=gPmx
-----END PGP SIGNATURE-----