===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0626
                        unrar-free security update
                             19 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unrar-free
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14122 CVE-2017-14121 CVE-2017-14120

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2021/02/msg00026.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running unrar-free check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2567-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
February 18, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : unrar-free
Version        : 1:0.0.1+cvs20140707-1+deb9u1
CVE ID         : CVE-2017-14120 CVE-2017-14121 CVE-2017-14122

Several issues have been found in unrar-free, an unarchiver for .rar files.

CVE-2017-14120

    This CVE is related to a directory traversal vulnerability for RAR v2
    archives.

CVE-2017-14121

    This CVE is related to a NULL pointer dereference flaw triggered
    by a specially crafted RAR archive.

CVE-2017-14122

    This CVE is related to a stack-based buffer over-read.

For Debian 9 stretch, these problems have been fixed in version
1:0.0.1+cvs20140707-1+deb9u1.

We recommend that you upgrade your unrar-free packages.

For the detailed security status of unrar-free please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unrar-free

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
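
Added example, not part of the AusCERT or Debian text: a triage check that flags Debian 9 hosts whose unrar-free version sorts below the fixed version named in DLA-2567-1. It reimplements Debian's version ordering (epoch, upstream, revision, with `~` sorting first) so it runs without dpkg; the host names and inventory lines are constructed.

```python
import re
from itertools import zip_longest

# Fixed version for Debian 9 (stretch), as stated in DLA-2567-1.
FIXED = "1:0.0.1+cvs20140707-1+deb9u1"

def _order(c):
    # dpkg character order: '~' sorts before everything, letters before the rest.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _runs(s):
    # Split into (text, digits) pairs: "1+deb9u1" -> ('', '1'), ('+deb', '9'), ('u', '1').
    return [r for r in re.findall(r"(\D*)(\d*)", s) if r[0] or r[1]]

def _cmp_part(a, b):
    for (at, an), (bt, bn) in zip_longest(_runs(a), _runs(b), fillvalue=("", "")):
        ka = [_order(c) for c in at] + [0]  # 0 marks the end of a text run
        kb = [_order(c) for c in bt] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(an or 0), int(bn or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is empty.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(installed):
    return compare(installed, FIXED) < 0

def triage(inventory):
    # inventory: "host<TAB>version" lines; returns hosts still below FIXED.
    rows = (line.split("\t") for line in inventory.strip().splitlines())
    return [host for host, version in rows if needs_upgrade(version.strip())]

# Constructed sample inventory for stretch hosts (host names are placeholders).
SAMPLE = "host-a\t1:0.0.1+cvs20140707-1\nhost-b\t1:0.0.1+cvs20140707-1+deb9u1\nhost-c\t0.0.1+cvs20140707-2\n"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The comparison is only meaningful for Debian 9 hosts, since the advisory gives a fixed version for stretch alone. On a single host, `dpkg --compare-versions` performs the same ordering test.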