-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3817
                        file-roller security update
                              10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           file-roller
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-36314 CVE-2020-11736
Reference:         ESB-2021.1412
                   ESB-2020.3846
                   ESB-2020.2112
                   ESB-2020.1375.2
                   ESB-2020.1369

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4179

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: file-roller security update
Advisory ID:       RHSA-2021:4179-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4179
Issue date:        2021-11-09
CVE Names:         CVE-2020-36314
=====================================================================

1. Summary:

An update for file-roller is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

File Roller is an application for creating and viewing archive files, such
as tar or zip files.
Security Fix(es):

* file-roller: directory traversal via directory symlink pointing outside of
the target directory (incomplete fix for CVE-2020-11736) (CVE-2020-36314)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1947534 - CVE-2020-36314 file-roller: directory traversal via directory symlink pointing outside of the target directory (incomplete fix for CVE-2020-11736)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
file-roller-3.28.1-4.el8.src.rpm

aarch64:
file-roller-3.28.1-4.el8.aarch64.rpm
file-roller-debuginfo-3.28.1-4.el8.aarch64.rpm
file-roller-debugsource-3.28.1-4.el8.aarch64.rpm

ppc64le:
file-roller-3.28.1-4.el8.ppc64le.rpm
file-roller-debuginfo-3.28.1-4.el8.ppc64le.rpm
file-roller-debugsource-3.28.1-4.el8.ppc64le.rpm

s390x:
file-roller-3.28.1-4.el8.s390x.rpm
file-roller-debuginfo-3.28.1-4.el8.s390x.rpm
file-roller-debugsource-3.28.1-4.el8.s390x.rpm

x86_64:
file-roller-3.28.1-4.el8.x86_64.rpm
file-roller-debuginfo-3.28.1-4.el8.x86_64.rpm
file-roller-debugsource-3.28.1-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-36314
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYrcgtzjgjWX9erEAQgd4w/+PXjbDXML/3GdTrc6vx+mBL8ahxMqCFcw
fkToNdKC5KmoWD2CybGh3Wz948tiAAhFyRRIteR6pxb1vCeYt1u13DCLXRTeKAjU
jfRA/4xl0AeFHvSbDOIfiEXa2WnMewP2muNGAFcz62PJBIP7z43wtFSGruoYwOxY
7q8bwA1MkHAWsSpYmzIumnxK61SqkvwZlE7moKPbVM3+DDQ/v26wAVV2JNFuwuXj
2IkKur1UVuRuZMQGUPI76Um85KnW0JH+h1Be0EOyLfCl3pwz2v5sGaglKjdsDwC2
aVCzhLXmY0x+pr7p85YfE2pSN8l5dBviMiGLc71UdYcWrIL8Z9ZgI7p75TqoIplH
xQl6B9kQKUVcU5VWaFXdkspgsipuGzVi+SLPAMcIu1bDRxd52KlRID8edMhuNoxU
G2ofy0T1lfbRCO09ZhZoO6kVnnEFsJBfjibngvgGQbNjSlRgmLMy0pzPwOo8GxS6
yaN6uDAtBvQISQITREWio8cLzggSpHunKmwitG4i43UzKqdYeigRUguCcvp2QzvY
7ElJKjNIwvrh4BVkMVoozPpG+mHl0lPw4CIJ+a4hKL/2uCxVAcDqpFP0GcDi3Ars
car3AmvtHoDk7Nes5tDtU7EAG1MSFly+E7/7XFw1iGPHD+g/PgwueA4KGfgW+4fe
2wHka5A4HmA=
=8l/o
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYthyeNLKJtyKPYoAQiXIQ//eFSZz1wn4SUSXQc3eARImi+STYqEiTG5
22gzBvNNo2VE3VSkhPvBI03iLSkMgnSQuEW8HvgLuogJIe8SJW75B1U4aUJhwWSB
RKM43NYyrHvsvEiwXFt82joBLW1WbQGG8uUEcOXOhjkxEUd5B6N0LiCxXjlmp+K1
Smn8VLCusXtj/n7sv8uKYribC9YWuMQ6g/vQyKDpCJQM1tRTsFWk+2nqT1peSJUc
z1+TTvlEY6twqB0vFs030DtDEA3J8BCLJT+U2jvraJAVP49+F/PaQZ0Ek9lsYB4y
9sUrXOPsCOriacKPRffgyUVSMM7GLUKrGtHC8lZUZw0Ca4i87uIKFaKvHyB8e5+0
R0lp3SuQQihMtQ5hGpBNyBXiyN7LGyZXw3Qav/FcruEIde8xfZmbNhRkiHwIKskQ
ZnorX1cVNbt9t0mGSh+6vBxR+SQvjJ4qC0cJ+Uwo09xSSpp2V+9kOJyKG0Y22oGC
iEvn/HzKFnDVrcn9Muuxal6fyXFslaFIsV2iUgePtjzy0JLcNRkRF9dtq2W+58K6
e2WJkkLdXlqIo6c2HZOg0Sollp3KodF5s+oSz85KfeeVmAQ4aGwQ/fMn/RJd6VlT
c+79xSLmvlqB15U/8j5cT0EoLnejMmxrFBC+KDWYH8SiRjJ6ZGW4ssq4uQOYnUIs
tdiF7O4IazI=
=+RxS
-----END PGP SIGNATURE-----
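Added illustration, not part of the AusCERT bulletin and not file-roller's own code: the bug class named in the Security Fix(es) entry above (a directory symlink inside an archive pointing outside the target directory, which an earlier, name-only fix for CVE-2020-11736 did not catch) reproduced in Python rather than file-roller's C. The sample archive, the temporary directories and both check functions are constructed for this example; `lexical_check` stands in for the kind of path normalisation that CVE-2020-36314 shows to be incomplete, and `realpath_check` for a check that resolves the already-extracted parent directory on disk before each write. Neither is the real file-roller logic.

```python
"""Added illustration, not file-roller code: a directory symlink inside an
archive defeats a path check that only normalises the member name, while a
check that resolves the destination's parent on disk rejects it."""
import io
import os
import tarfile
import tempfile


def build_archive(outside_dir: str) -> bytes:
    """Constructed sample archive (not real malware) with two members, in this
    order: a symlink 'link' -> outside_dir, then a file 'link/owned.txt'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        sym = tarfile.TarInfo("link")
        sym.type = tarfile.SYMTYPE
        sym.linkname = outside_dir
        tar.addfile(sym)
        payload = b"written outside the target directory\n"
        member = tarfile.TarInfo("link/owned.txt")
        member.size = len(payload)
        tar.addfile(member, io.BytesIO(payload))
    return buf.getvalue()


def lexical_check(target: str, name: str) -> bool:
    """Incomplete check (the class CVE-2020-36314 describes): normalises the
    joined path and rejects '..' escapes, but never consults the filesystem,
    so a component that is already a symlink to elsewhere passes."""
    dest = os.path.normpath(os.path.join(target, name))
    return dest == target or dest.startswith(target + os.sep)


def realpath_check(target: str, name: str) -> bool:
    """Filesystem-aware check: resolve the parent directory the member will be
    written into (it may have been created by an earlier member) and require
    it to be inside the resolved target."""
    real_target = os.path.realpath(target)
    parent = os.path.realpath(os.path.dirname(os.path.join(real_target, name)))
    return parent == real_target or parent.startswith(real_target + os.sep)


def extract(archive: bytes, target: str, check) -> list:
    """Write members in archive order, skipping any that fail `check`.
    Symlinks and regular files are handled by hand so the behaviour does not
    depend on tarfile's own extraction filters. Returns the names written."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            if not check(target, m.name):
                continue
            dest = os.path.join(target, m.name)
            if m.issym():
                os.symlink(m.linkname, dest)
            elif m.isfile():
                # If dest's parent is the symlink created a moment ago, this
                # write follows it out of the target directory.
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(tar.extractfile(m).read())
            written.append(m.name)
    return written


def run(check) -> tuple:
    """Extract the sample archive into fresh temporary directories and report
    (members written, whether owned.txt ended up outside the target)."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as target:
        written = extract(build_archive(outside), target, check)
        escaped = os.path.exists(os.path.join(outside, "owned.txt"))
    return written, escaped


if __name__ == "__main__":
    print("lexical :", run(lexical_check))   # (['link', 'link/owned.txt'], True)
    print("realpath:", run(realpath_check))  # (['link'], False)
```

With the lexical check the symlink is created and `link/owned.txt` is then written through it into the outside directory; with the realpath check the symlink itself is still created (it is a legitimate archive member) but the file beneath it is refused. The point generalises to any extractor (zip, cpio, 7z front-ends) that creates members in archive order: after a symlink has been created, every later member's destination must be resolved through the filesystem, not just normalised as a string. The check still has to run immediately before each write, since a symlink planted between the check and the write would be the same problem again.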