-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0460
                           slirp security update
                             10 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           slirp
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8608 CVE-2020-7039 

Reference:         ESB-2020.4502
                   ESB-2020.2241
                   ESB-2020.0371

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/02/msg00012.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2551-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
February 09, 2021                             https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : slirp
Version        : 1:1.0.17-8+deb9u1
CVE ID         : CVE-2020-7039 CVE-2020-8608


Two issues have been found in slirp, a SLIP/PPP emulator using a dial-up
shell account.

CVE-2020-7039

     Due to mismanagement of memory, a heap-based buffer overflow or
     other out-of-bounds access might happen, which can lead to a DoS
     or potentially to arbitrary code execution.

CVE-2020-8608

     Prevent a buffer overflow vulnerability due to incorrect usage
     of return values from snprintf.


For Debian 9 stretch, these problems have been fixed in version
1:1.0.17-8+deb9u1.

We recommend that you upgrade your slirp packages.

For the detailed security status of slirp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/slirp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
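
The snprintf return-value pitfall named under CVE-2020-8608, shown as a general C pattern next to a checked form. This is an added example, not code from slirp or from the Debian advisory; the function names, buffer size and input string are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Flawed pattern: treats snprintf()'s return value as "bytes stored".
 * snprintf() returns the length the full output would have had, so on
 * truncation the new offset lands past the end of the buffer. */
static size_t append_unchecked(char *buf, size_t size, size_t used,
                               const char *s)
{
    int n = snprintf(buf + used, size - used, "%s", s);
    return used + (size_t)n;          /* can exceed size */
}

/* Hardened form: reject encoding errors and truncation before the
 * offset is advanced. Returns 0 on success, -1 otherwise. */
static int append_checked(char *buf, size_t size, size_t *used,
                          const char *s)
{
    if (*used >= size)
        return -1;
    size_t room = size - *used;
    int n = snprintf(buf + *used, room, "%s", s);
    if (n < 0 || (size_t)n >= room) {
        buf[*used] = '\0';            /* drop the partial write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[8];
    const char *input = "0123456789ABCDEF";   /* constructed: 16 bytes */

    size_t off = append_unchecked(buf, sizeof buf, 0, input);
    /* off is 16 for an 8-byte buffer; a later "size - off" would wrap
     * to a huge size_t and disable the bound on the next write. */
    printf("unchecked offset=%zu stored=%zu\n", off, strlen(buf));

    size_t used = 0;
    int rc = append_checked(buf, sizeof buf, &used, input);
    printf("checked rc=%d used=%zu\n", rc, used);
    return 0;
}
```

Code that advances an offset or length by the value snprintf returns should be audited for this check, since only a return value in the range 0 to room-1 means the whole string was stored.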

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----