
Debian alert DLA-1107-1 (bzr)

From:  Emilio Pozuelo Monfort <pochu@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 1107-1] bzr security update
Date:  Sat, 23 Sep 2017 15:39:43 +0200
Message-ID:  <2b16a782-7552-e8e1-90bb-0ca22d255dd1@debian.org>

Package        : bzr
Version        : 2.6.0~bzr6526-1+deb7u1
CVE ID         : CVE-2013-2099 CVE-2017-14176
Debian Bug     : 709068 874429

CVE-2013-2099

    Bazaar bundles SSL certificate checking code from Python, which had
    a bug that could cause a denial of service via resource consumption
    through multiple wildcards in certificate hostnames.

CVE-2017-14176

    Adam Collard found that host names in 'bzr+ssh' URLs were not parsed
    correctly by Bazaar, allowing remote attackers to run arbitrary code
    by tricking a user into a maliciously crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
2.6.0~bzr6526-1+deb7u1.

We recommend that you upgrade your bzr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
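One way to match certificate host names so that the number of wildcards cannot drive up the cost of the check, as in the CVE-2013-2099 class of bug. This is an added example, not part of the advisory and not Bazaar's or Python's code; the names `dnsname_match`, `CertificateNameError` and the limit of one wildcard per name are assumptions of the example.

```python
class CertificateNameError(ValueError):
    """Raised when a certificate name pattern is refused outright."""


MAX_WILDCARDS = 1    # assumption of this example: at most one '*' per name
MAX_NAME_LEN = 253   # longest valid DNS name


def dnsname_match(pattern, hostname):
    """Return True if hostname matches the certificate name pattern.

    The pattern is never turned into a regular expression, and a name
    with too many wildcards is rejected before any matching starts, so
    the work done is linear in the length of the two strings.
    """
    if not pattern or not hostname:
        return False
    if len(pattern) > MAX_NAME_LEN or len(hostname) > MAX_NAME_LEN:
        return False
    if pattern.count("*") > MAX_WILDCARDS:
        raise CertificateNameError(
            "too many wildcards in certificate name: %r" % pattern)

    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # A wildcard is honoured only in the left-most label.
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' never spans a dot, so label counts and the remaining labels
    # must agree exactly.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False

    first_p, first_h = p_labels[0], h_labels[0]
    if "*" not in first_p:
        return first_p == first_h

    # Exactly one '*' left: compare the literal text on either side of it.
    prefix, suffix = first_p.split("*", 1)
    return (first_h != ""
            and len(first_h) >= len(prefix) + len(suffix)
            and first_h.startswith(prefix)
            and first_h.endswith(suffix))
```
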

