Debian alert DLA-846-1 (libzip-ruby)
From: Markus Koschany <apo@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 846-1] libzip-ruby security update
Date: Mon, 6 Mar 2017 23:03:29 +0100
Message-ID: <6816ffc8-4b1d-9598-1bdf-21ef493bf857@debian.org>

Package        : libzip-ruby
Version        : 0.9.4-1+deb7u1
CVE ID         : CVE-2017-5946
Debian Bug     : 856269

It was discovered that libzip-ruby, a Ruby module for reading and
writing zip files, is prone to a directory traversal vulnerability. An
attacker can take advantage of this flaw to overwrite arbitrary files
during archive extraction via a .. (dot dot) in an extracted filename.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9.4-1+deb7u1.

We recommend that you upgrade your libzip-ruby packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
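
For code that extracts untrusted archives, the flaw described above comes down to whether each entry name still resolves inside the extraction directory. The following is an added example, not the libzip-ruby patch or any code from the advisory: the method names `safe_extract_path` and `partition_entries`, the destination `/srv/extract` and the sample entry names are assumptions made for illustration, and only the Ruby standard library is used.

```ruby
# Added example: containment check for zip entry names (Ruby stdlib only).
# Method names and sample data are hypothetical / constructed.

# Return the absolute path an entry would be written to, or nil when the
# entry name would place it outside dest_dir.
def safe_extract_path(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  prefix = root.end_with?("/") ? root : root + "/"
  # Some tools write backslashes; treat them as separators as well.
  name = entry_name.tr("\\", "/")
  return nil if name.empty? || name.include?("\0")
  # Absolute paths and drive-letter paths never belong in an archive entry.
  return nil if name.start_with?("/") || name.match?(/\A[A-Za-z]:/)
  # Join first, then normalise: this collapses every ".." component and
  # avoids "~" expansion, which File.expand_path applies to a leading "~".
  target = File.expand_path(File.join(root, name))
  # Compare against "root/" so a sibling such as "/srv/extract-evil" fails.
  target.start_with?(prefix) ? target : nil
end

# Split entry names into [accepted, rejected] for a given destination.
def partition_entries(dest_dir, entry_names)
  entry_names.partition { |n| safe_extract_path(dest_dir, n) }
end

# Constructed entry names, as they might be listed from an untrusted archive.
SAMPLE_ENTRIES = [
  "README.txt",
  "lib/zip/zip.rb",
  "docs/../NOTES",               # ".." that stays inside the destination
  "../outside.txt",
  "lib/../../../etc/cron.d/job",
  "../extract-evil/x",           # sibling directory sharing the prefix
  "/etc/passwd",
  "..\\..\\boot.ini",
  "C:/temp/x"
].freeze

if __FILE__ == $PROGRAM_NAME
  ok, bad = partition_entries("/srv/extract", SAMPLE_ENTRIES)
  puts "extract: #{ok.inspect}"
  puts "reject:  #{bad.inspect}"
end
```

The check is purely lexical: it does not resolve symbolic links that already exist under the destination directory, so it complements rather than replaces upgrading to the fixed package.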