1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3021-1] file security update

    From Luciano Bello@1:229/2 to All on Tue Sep 9 15:20:03 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3021-1 [email protected] http://www.debian.org/security/ Luciano Bello September 09, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : file
    CVE ID : CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478
    CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538
    CVE-2014-3587

    Multiple security issues have been found in file, a tool to determine
    a file type. These vulnerabilities allow remote attackers to cause a
    denial of service, via resource consumption or application crash.

    For the stable distribution (wheezy), these problems have been fixed in
    version 5.11-2+deb7u4.

    For the testing distribution (jessie), these problems have been fixed in version file 1:5.19-2.

    For the unstable distribution (sid), these problems have been fixed in
    version file 1:5.19-2.

    We recommend that you upgrade your file packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)

    iQIcBAEBCAAGBQJUDvwUAAoJEG7C3vaP/jd0SDYP/AkzZ+8iuo3Vny9C57fW1nSD 62oc2VbWRmYGQj2fbpbrvfiYe4a00pRRHemEd1V4o5uP7NPX+HfiwhVrm38Pjs1f A4A6yAOQaBtwjpSRcN9j9KsHNcx7wYYW+jFmOHF3VjkyejWUYnMy0sDvFP770ZrO xHAbMnLr8RbS6MD9/ZRYkbZ9pfoDvwkeFLkODDTVOM7Ooy3ks3vAKFZdi/HM8aGO nUH568f96j3EPxEEeu3VRe/3v8iqBuNnckDAkXNhbsFvN0ORbDCidiMDMv4VoaBS x7O6RPxXy0NuvwVbaPzoXCIJnsOvS7F30e/4gULOYx+tjB9zq+ZY3tzEaCSzadOs //cvvrL6E+SlNBHJK6OH6PdHCEWuqbMI1jtEFQrmfwTl7Qiv47lz8YGA0GIvOQCT MMMb5aokOdc7aTkUn81aUwLNdea5Sh2OTyNaC4Tul4D3B0COF1I89ji79BAhWIyU q5RmJq02piIn5SM8DCBDgftfgTZoz3YoEnGSQwyw29IU5/gpPfCXosbo7fxppDw0 e+wu9GSWes2ncCpLCQC8mB4q77WxMEpFLx7TVRqdwKgQb/yjZb5IN/OZhUWTMY5H fqThWmJkyZBkPFspOalaid7/hSCrgxISjqxHJqDdChRDqYhV0KJG+eb+YFgDRIWw fWpibn9fZ7yydgEb1Lmg
    =fJPN
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/6881440.HBSsWZmaxa@mybox

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Adam Walter@1:229/2 to Luciano Bello on Tue Sep 9 22:30:02 2014
    XPost: linux.debian.security
    From: [email protected]

    --089e01176c7f5f710e0502a78207
    Content-Type: text/plain; charset=UTF-8

    Our system is not exposed via ssh and there is no way to pass an OS call through the PHP vulnerability side as we do not run PHP. The threat here is minimal. However, we do need to update a few of these, I would like to do
    an apt-get upgrade this Thursday to true up. I will create a mops ticket
    to contain the pertinent info. Our regular upgrade cycle will begin
    October 6th.

    Inst file [5.11-2] (5.11-2+deb7u3 Debian:7.6/stable,
    Debian-Security:7.0/stable [amd64]) []


    On Tue, Sep 9, 2014 at 8:10 AM, Luciano Bello <[email protected]> wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3021-1 [email protected] http://www.debian.org/security/ Luciano Bello September 09, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : file
    CVE ID : CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3478
    CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3538
    CVE-2014-3587

    Multiple security issues have been found in file, a tool to determine
    a file type. These vulnerabilities allow remote attackers to cause a
    denial of service, via resource consumption or application crash.

    For the stable distribution (wheezy), these problems have been fixed in version 5.11-2+deb7u4.

    For the testing distribution (jessie), these problems have been fixed in version file 1:5.19-2.

    For the unstable distribution (sid), these problems have been fixed in version file 1:5.19-2.

    We recommend that you upgrade your file packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.12 (GNU/Linux)

    iQIcBAEBCAAGBQJUDvwUAAoJEG7C3vaP/jd0SDYP/AkzZ+8iuo3Vny9C57fW1nSD 62oc2VbWRmYGQj2fbpbrvfiYe4a00pRRHemEd1V4o5uP7NPX+HfiwhVrm38Pjs1f A4A6yAOQaBtwjpSRcN9j9KsHNcx7wYYW+jFmOHF3VjkyejWUYnMy0sDvFP770ZrO xHAbMnLr8RbS6MD9/ZRYkbZ9pfoDvwkeFLkODDTVOM7Ooy3ks3vAKFZdi/HM8aGO nUH568f96j3EPxEEeu3VRe/3v8iqBuNnckDAkXNhbsFvN0ORbDCidiMDMv4VoaBS x7O6RPxXy0NuvwVbaPzoXCIJnsOvS7F30e/4gULOYx+tjB9zq+ZY3tzEaCSzadOs //cvvrL6E+SlNBHJK6OH6PdHCEWuqbMI1jtEFQrmfwTl7Qiv47lz8YGA0GIvOQCT MMMb5aokOdc7aTkUn81aUwLNdea5Sh2OTyNaC4Tul4D3B0COF1I89ji79BAhWIyU q5RmJq02piIn5SM8DCBDgftfgTZoz3YoEnGSQwyw29IU5/gpPfCXosbo7fxppDw0 e+wu9GSWes2ncCpLCQC8mB4q77WxMEpFLx7TVRqdwKgQb/yjZb5IN/OZhUWTMY5H fqThWmJkyZBkPFspOalaid7/hSCrgxISjqxHJqDdChRDqYhV0KJG+eb+YFgDRIWw fWpibn9fZ7yydgEb1Lmg
    =fJPN
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact
    [email protected]
    Archive: https://lists.debian.org/6881440.HBSsWZmaxa@mybox




    --

    *Adam Walter*

    Systems Administrator
    *P* (402) 416.5790

    *Quickly connect to your potential borrowers with Mortech's Dialer <http://www.mortech.com/lead-management>.*

    --089e01176c7f5f710e0502a78207
    Content-Type: text/html; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable

    <div dir="ltr"><div>Our system is not exposed via ssh and there is no way to pass an OS call through the PHP vulnerability side as we do not run PHP. The threat here is minimal. However, we do need to update a few of these, I would like to do an apt-get
    upgrade this Thursday to true up.  I will create a mops ticket to contain the pertinent info.  Our regular upgrade cycle will begin October 6th.</div><div><br></div><div>Inst file [5.11-2] (5.11-2+deb7u3 Debian:7.6/stable, Debian-Security:7.0/stable [
    amd64]) []</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 9, 2014 at 8:10 AM, Luciano Bello <span dir="ltr">&lt;<a href="mailto:[email protected]" target="_blank">[email protected]</a>&gt;</span> wrote:<br><
    blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
    Hash: SHA256<br>

    - -------------------------------------------------------------------------<br> Debian Security Advisory DSA-3021-1                   <a href="mailto:[email protected]">[email protected]</a><br>
    <a href="http://www.debian.org/security/" target="_blank">http://www.debian.org/security/</a>                             Luciano Bello<br>
    September 09, 2014                     <a href="http://www.debian.org/security/faq" target="_blank">http://www.debian.org/security/faq</a><br>
    - -------------------------------------------------------------------------<br>

    Package        : file<br>

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)