Debian alert DLA-2095-1 (storebackup)

From:
             
 
Utkarsh Gupta <utkarsh@debian.org> 
To:
             
 
debian-lts-announce@lists.debian.org 
Subject:
             
 
[SECURITY] [DLA 2095-1] storebackup security update 
Date:
             
 
Wed, 5 Feb 2020 11:38:24 +0100
Message-ID:
             
 
<9d98a42c-3364-21f8-9cfe-b72bdb20b139@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : storebackup
Version        : 3.2.1-1+deb8u1
CVE ID         : CVE-2020-7040
Debian Bug     : 949393


storeBackup.pl in storeBackup through 3.5 relies on the
/tmp/storeBackup.lock pathname, which allows symlink attacks
that possibly lead to privilege escalation.

Local users can also create a plain file named /tmp/storeBackup.lock
to block use of storeBackup until an admin manually deletes that file.

For Debian 8 "Jessie", this problem has been fixed in version
3.2.1-1+deb8u1.

We recommend that you upgrade your storebackup packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl46mxUACgkQgj6WdgbD
S5ZfDBAAqcrXQmC1ELUCdHSqEL+1TMnd/zbtYAT3+VmM3mWcwZlUus61e9EM78d+
hQoaG3Qnrm0uecnLz2uPfNMWw5AMp/bjsN9FnDgSexgO27v4czkr6yn/Imx4QsLi
qaW4LEpiWFE5xg6jBA7Jf2bqKU/TkTlupNOUz5w2qyPfHUdIMTjGWSDU2iqfSNkf
W3F0oTTQVtNJPYThwoCOo8MYtPkDfq2B8VZ6CbxNIBiXZHLyVXVVRdWSAoV64bK9
QceP3oAfJbL+YuUlW1Mil6v8jxHOVQ/TmC3jfbRP9TndzcrBWAVibMfWEuC24JQ3
tXsIPFCW0Egyb1UkT12xCmEfbfAEOl/se6ke0NacaqU+DaBGVCtE+ytDb7dXkdvm
toemeohpOpA/qeUXe0uNKCSC2Qx20/YSWo/R5KcIz6Iz/ZtV3OoLo+i/w6wyG2F4
6JAzqEVeEd1dNVg3bztuKbOnRO8cxoClKMql28j6NLzuW9vhqL+oVukgIFiTd/h9
Wjs0mtNnPPvS3AC762YC6txW3q0PvOloOOgKPbeRtmyyMgcBWZxx1pFacCwHyuUJ
7cEWiE89cZKFTlUjsAk5JFUJGucmLNAVxFFcxGy3Q7PU0DgkkpX6BjRawic3YJv2
nFv1VAp7hoQn3qJ0Cb5ROD9BprjeTZvIHTyxERSQ6JHXYgjDMoQ=
=BMrt
-----END PGP SIGNATURE-----