-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2560
                           dpkg security update
                                26 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           dpkg
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1664  

Original Bulletin: 
   http://www.debian.org/lts/security/2022/dla-3022

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3022-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                 Salvatore Bonaccorso
May 25, 2022                                  https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : dpkg
Version        : 1.18.26
CVE ID         : CVE-2022-1664

Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.

For Debian 9 stretch, this problem has been fixed in version
1.18.26.

We recommend that you upgrade your dpkg packages.

For the detailed security status of dpkg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dpkg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----