Mageia alert MGASA-2016-0386 (tar)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> |
| To: | updates-announce@ml.mageia.org |
| Subject: | [updates-announce] MGASA-2016-0386: Updated tar packages fix security vulnerability |
| Date: | Fri, 18 Nov 2016 00:41:23 +0100 |
| Message-ID: | <20161117234123.598079F7A2@duvel.mageia.org> |

MGASA-2016-0386 - Updated tar packages fix security vulnerability

Publication date: 17 Nov 2016
URL: http://advisories.mageia.org/MGASA-2016-0386.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6321

Description:
Harry Sintonen discovered that GNU tar does not properly handle member
names containing '..', thus allowing an attacker to bypass the path names
specified on the command line and replace files and directories in the
target directory (CVE-2016-6321).

References:
- https://bugs.mageia.org/show_bug.cgi?id=19696
- https://www.debian.org/security/2016/dsa-3702
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321

SRPMS:
- 5/core/tar-1.28-3.1.mga5
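
A pre-extraction check for the condition described above, as an added example that is not part of the advisory or of GNU tar: it lists an archive's member names without extracting anything and rejects every name that has a '..' component, noting when such a name is selected by a path name the operator asked for. The function names, the `requested` list and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def build_sample_archive(names):
    """Constructed test data: an in-memory tar of empty regular files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            tf.addfile(tarfile.TarInfo(name), io.BytesIO(b""))
    buf.seek(0)
    return buf


def under(path, prefix):
    """True if path equals prefix or lies below it, compared by component."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit(fileobj, requested):
    """Return [(member_name, reason)] for every member with a '..' component.

    posixpath.normpath is purely lexical; it is used here as a policy check
    and is not a model of how GNU tar itself rewrites member names.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for member in tf:
            name = member.name
            if ".." not in name.split("/"):
                continue
            lexical = posixpath.normpath(name)
            reason = "contains '..'"
            if lexical == ".." or lexical.startswith(("../", "/")):
                reason = "normalizes outside the extraction root"
            else:
                for prefix in requested:
                    if under(name, prefix) and not under(lexical, prefix):
                        reason = f"selected by '{prefix}' but normalizes to '{lexical}'"
                        break
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    sample = ["pkg/docs/readme", "pkg/docs/../conf/settings", "../outside"]
    for name, reason in audit(build_sample_archive(sample), ["pkg/docs"]):
        print(f"REJECT {name}: {reason}")
```

Running the audit on archives from untrusted sources before extraction complements installing the updated package; it does not replace it.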
