===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2587
                           lrzip security update
                               2 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lrzip
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11496 CVE-2018-10685 CVE-2018-5786
                   CVE-2018-5747 CVE-2018-5650 CVE-2017-9929
                   CVE-2017-9928 CVE-2017-8846 CVE-2017-8844

Reference:         ESB-2019.3216.2
                   ESB-2019.1136

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/08/msg00001.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2725-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
August 01, 2021                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lrzip
Version        : 0.631-1+deb9u1
CVE ID         : CVE-2017-8844 CVE-2017-8846 CVE-2017-9928 CVE-2017-9929
                 CVE-2018-5650 CVE-2018-5747 CVE-2018-5786 CVE-2018-10685
                 CVE-2018-11496

Several security vulnerabilities have been discovered in lrzip, a compression
program. Heap-based and stack buffer overflows, use-after-free and infinite
loops would allow attackers to cause a denial of service or possibly other
unspecified impact via a crafted file.

For Debian 9 stretch, these problems have been fixed in version
0.631-1+deb9u1.

We recommend that you upgrade your lrzip packages.

For the detailed security status of lrzip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lrzip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================