-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3755
                          ncurses security update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ncurses
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17595 CVE-2019-17594 

Reference:         ESB-2019.4513
                   ESB-2019.4377

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4426

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ncurses security update
Advisory ID:       RHSA-2021:4426-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4426
Issue date:        2021-11-09
CVE Names:         CVE-2019-17594 CVE-2019-17595 
=====================================================================

1. Summary:

An update for ncurses is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The ncurses (new curses) library routines are a terminal-independent method
of updating character screens with reasonable optimization. The ncurses
packages contain support utilities including a terminfo compiler tic, a
decompiler infocmp, clear, tput, tset, and a termcap conversion tool
captoinfo.

Security Fix(es):

* ncurses: heap-based buffer overflow in the _nc_find_entry function in
tinfo/comp_hash.c (CVE-2019-17594)

* ncurses: heap-based buffer overflow in the fmt_entry function in
tinfo/comp_hash.c (CVE-2019-17595)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1766617 - CVE-2019-17595 ncurses: heap-based buffer overflow in the fmt_entry function in tinfo/comp_hash.c
1766745 - CVE-2019-17594 ncurses: heap-based buffer overflow in the _nc_find_entry function in tinfo/comp_hash.c

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
ncurses-6.1-9.20180224.el8.src.rpm

aarch64:
ncurses-6.1-9.20180224.el8.aarch64.rpm
ncurses-c++-libs-6.1-9.20180224.el8.aarch64.rpm
ncurses-c++-libs-debuginfo-6.1-9.20180224.el8.aarch64.rpm
ncurses-compat-libs-6.1-9.20180224.el8.aarch64.rpm
ncurses-compat-libs-debuginfo-6.1-9.20180224.el8.aarch64.rpm
ncurses-debuginfo-6.1-9.20180224.el8.aarch64.rpm
ncurses-debugsource-6.1-9.20180224.el8.aarch64.rpm
ncurses-devel-6.1-9.20180224.el8.aarch64.rpm
ncurses-libs-6.1-9.20180224.el8.aarch64.rpm
ncurses-libs-debuginfo-6.1-9.20180224.el8.aarch64.rpm

noarch:
ncurses-base-6.1-9.20180224.el8.noarch.rpm
ncurses-term-6.1-9.20180224.el8.noarch.rpm

ppc64le:
ncurses-6.1-9.20180224.el8.ppc64le.rpm
ncurses-c++-libs-6.1-9.20180224.el8.ppc64le.rpm
ncurses-c++-libs-debuginfo-6.1-9.20180224.el8.ppc64le.rpm
ncurses-compat-libs-6.1-9.20180224.el8.ppc64le.rpm
ncurses-compat-libs-debuginfo-6.1-9.20180224.el8.ppc64le.rpm
ncurses-debuginfo-6.1-9.20180224.el8.ppc64le.rpm
ncurses-debugsource-6.1-9.20180224.el8.ppc64le.rpm
ncurses-devel-6.1-9.20180224.el8.ppc64le.rpm
ncurses-libs-6.1-9.20180224.el8.ppc64le.rpm
ncurses-libs-debuginfo-6.1-9.20180224.el8.ppc64le.rpm

s390x:
ncurses-6.1-9.20180224.el8.s390x.rpm
ncurses-c++-libs-6.1-9.20180224.el8.s390x.rpm
ncurses-c++-libs-debuginfo-6.1-9.20180224.el8.s390x.rpm
ncurses-compat-libs-6.1-9.20180224.el8.s390x.rpm
ncurses-compat-libs-debuginfo-6.1-9.20180224.el8.s390x.rpm
ncurses-debuginfo-6.1-9.20180224.el8.s390x.rpm
ncurses-debugsource-6.1-9.20180224.el8.s390x.rpm
ncurses-devel-6.1-9.20180224.el8.s390x.rpm
ncurses-libs-6.1-9.20180224.el8.s390x.rpm
ncurses-libs-debuginfo-6.1-9.20180224.el8.s390x.rpm

x86_64:
ncurses-6.1-9.20180224.el8.x86_64.rpm
ncurses-c++-libs-6.1-9.20180224.el8.i686.rpm
ncurses-c++-libs-6.1-9.20180224.el8.x86_64.rpm
ncurses-c++-libs-debuginfo-6.1-9.20180224.el8.i686.rpm
ncurses-c++-libs-debuginfo-6.1-9.20180224.el8.x86_64.rpm
ncurses-compat-libs-6.1-9.20180224.el8.i686.rpm
ncurses-compat-libs-6.1-9.20180224.el8.x86_64.rpm
ncurses-compat-libs-debuginfo-6.1-9.20180224.el8.i686.rpm
ncurses-compat-libs-debuginfo-6.1-9.20180224.el8.x86_64.rpm
ncurses-debuginfo-6.1-9.20180224.el8.i686.rpm
ncurses-debuginfo-6.1-9.20180224.el8.x86_64.rpm
ncurses-debugsource-6.1-9.20180224.el8.i686.rpm
ncurses-debugsource-6.1-9.20180224.el8.x86_64.rpm
ncurses-devel-6.1-9.20180224.el8.i686.rpm
ncurses-devel-6.1-9.20180224.el8.x86_64.rpm
ncurses-libs-6.1-9.20180224.el8.i686.rpm
ncurses-libs-6.1-9.20180224.el8.x86_64.rpm
ncurses-libs-debuginfo-6.1-9.20180224.el8.i686.rpm
ncurses-libs-debuginfo-6.1-9.20180224.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
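An added check, not part of the Red Hat advisory or the AusCERT bulletin, that tells whether an installed ncurses package (the name-version-release.arch string `rpm -q` prints) is at or beyond the fixed build 6.1-9.20180224.el8 listed above. It implements a simplified form of rpm's label comparison (epoch and `^` handling omitted, an assumption that holds for these packages) so it runs offline on constructed sample strings.

```python
import re

# Fixed build listed in RHSA-2021:4426 for Red Hat Enterprise Linux 8 BaseOS.
FIXED_VERSION = "6.1"
FIXED_RELEASE = "9.20180224.el8"

# name-version-release.arch as printed by `rpm -q` (epoch omitted; ncurses has none).
NEVRA_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def _segments(label):
    """Split a version or release label into rpm-style segments: digit runs,
    letter runs and the '~' pre-release marker; other separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+|~", label)


def rpmvercmp(a, b):
    """Simplified rpm label comparison (no '^' handling): 1 if a is newer than b,
    -1 if older, 0 if equal. Numeric segments compare as integers, alphabetic
    ones lexically, numeric beats alphabetic, and '~' sorts before anything."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # One label has extra segments: an extra '~' makes it older, anything else newer.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    return (-1 if a_longer else 1) if rest[0] == "~" else (1 if a_longer else -1)


def is_fixed(nevra):
    """True if this installed ncurses package is at or beyond the fixed build."""
    m = NEVRA_RE.match(nevra)
    if not m or not m["name"].startswith("ncurses"):
        raise ValueError(f"not an ncurses package: {nevra}")
    c = rpmvercmp(m["version"], FIXED_VERSION)
    return c > 0 if c != 0 else rpmvercmp(m["release"], FIXED_RELEASE) >= 0
```

On a RHEL 8 host, feed each line of `rpm -q ncurses ncurses-libs ncurses-base` to `is_fixed`; a False result means the package predates this erratum. Signature verification of the packages themselves is still done with rpm and the Red Hat key referenced above, not by this check.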

7. References:

https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----