In-Reply-To: <001901d02368$41778ff0$c466afd0$@acm.org>
References: <001901d02368$41778ff0$c466afd0$@acm.org>
Date: Mon, 29 Dec 2014 14:17:07 +0100
Subject: Re: FW: [SECURITY] [DSA 3113-1] unzip security update
From: jan i
To: "dev@corinthia.incubator.apache.org", "dennis.hamilton@acm.org"

On Monday, December 29, 2014, Dennis E. Hamilton wrote:

> FYI and consideration,
>
> I have no clue to the extent to which any of this applies in the external
> sources that Corinthia relies on.

Thanks for the info; since I am on that part now, I will have a look.

Please send such alerts to private@ so we can discuss them before telling the
world how we solve it.

rgds
jan i

>
> - Dennis
>
> -----Original Message-----
> From: Salvatore Bonaccorso [mailto:carnil@debian.org]
> Sent: Sunday, December 28, 2014 00:06
> To: bugtraq@securityfocus.com
> Subject: [SECURITY] [DSA 3113-1] unzip security update
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3113-1                   security@debian.org
> http://www.debian.org/security/                       Salvatore Bonaccorso
> December 28, 2014                          http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : unzip
> CVE ID         : CVE-2014-8139 CVE-2014-8140 CVE-2014-8141
> Debian Bug     : 773722
>
> Michele Spagnuolo of the Google Security Team discovered that unzip, an
> extraction utility for archives compressed in .zip format, is affected
> by heap-based buffer overflows within the CRC32 verification function
> (CVE-2014-8139), the test_compr_eb() function (CVE-2014-8140) and the
> getZip64Data() function (CVE-2014-8141), which may lead to the execution
> of arbitrary code.
>
> For the stable distribution (wheezy), these problems have been fixed in
> version 6.0-8+deb7u1.
>
> For the upcoming stable distribution (jessie), these problems will be
> fixed soon.
>
> For the unstable distribution (sid), these problems have been fixed in
> version 6.0-13.
>
> We recommend that you upgrade your unzip packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCgAGBQJUn7mQAAoJEAVMuPMTQ89EeowQAKE25ywJuv85W18UDxCVJ4M5
> jECsUBPPrv5gf2leoJDr4UYhIdBQ5StZA6Cro8qsehcCayZuUayE2tfZjhtR9I9X
> pif1tPalH5Cdtzph4XZxmah99MFW8J5z2zuhAa6UcVYDXuup8+o0yz9kJuVJ0e5H
> pfT4+FwVdNXiGq+5NgXru4egXCSXs62FRTIp5ezx1uz0PBl2FFnu2ZBND5IgNWf/
> cQubdcx02uYkl0fYBQAkClbRK4JZZE/TipdjYkNBpnaHj4EkFKesuSfLcSTmtIK4
> R2r34Kzavn9QStJny+Uvzdqqw8e/q5WSmjR2MtDd4l4f3VxMFaoYaRQgon+K4T4L
> rs6C7+VeI5gsYrnTyQRPix+v+esGNMke3l1WzHV5fbSXeUic+vooJZoMBmR2ep4j
> Vp8kGkoVG8FQ4GgVGDCyV4XiYl9VaGxk1H8/rCSfn1Ag9ImqiiBNuGnBzx+6kGDk
> cdb8ZFZpcF5/ueAC7IZ7Cotzncy2c5d7nDTActjSnmK53gnPgRiQwtyu8doM1heF
> pWlXLXKxnspIyNugEI2xRYY2I7GN04AhElN+c9DDNBoBiKUVjjBgR8lT9OnDCgBN
> UPx9mxeehoibtE67bONhQoxgbyBT3ukRCNFybkNT3K6bGLclFBUNKMpOjJzIvEJs
> XU5IchBNf8BhT7Ekd2Lo
> =D8OH
> -----END PGP SIGNATURE-----
>
>

-- 
Sent from My iPad, sorry for any misspellings.
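The advisory quoted above names heap-based buffer overflows in three unzip functions, among them getZip64Data(), which reads the Zip64 extended information extra field. As an added illustration (this is not unzip's code and does not reproduce the reported defects), the C program below walks a zip extra-field block the way a hardened parser should: every record's declared size is checked against the bytes actually present before any data is read, so a header that claims more data than the buffer holds is rejected instead of being read past the end of the allocation. The record layout (2-byte id, 2-byte size, data) follows the ZIP APPNOTE; the function and type names and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header id of the Zip64 extended information extra field (ZIP APPNOTE 4.5.3).
 * Record layout assumed from the APPNOTE: 2-byte id, 2-byte data size, data. */
#define ZIP64_EXTRA_ID 0x0001u

typedef struct {
    int found;                  /* 1 once a Zip64 record has been parsed */
    uint64_t uncompressed_size; /* first 8-byte field of the record, if present */
    uint64_t compressed_size;   /* second 8-byte field, if present */
} zip64_info_t;

/* Little-endian readers; the caller guarantees the bytes are in bounds. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Walk an extra-field block of `len` bytes. Each record's declared size is
 * validated against the bytes that remain before anything is read from it.
 * Returns 0 on success, -1 on a truncated header or an over-long record. */
int parse_extra_field(const uint8_t *buf, size_t len, zip64_info_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);

    while (off < len) {
        if (len - off < 4)
            return -1;                     /* not even a full record header */
        uint16_t id   = rd16(buf + off);
        uint16_t size = rd16(buf + off + 2);
        off += 4;
        if (size > len - off)
            return -1;                     /* declared size overruns the buffer */

        if (id == ZIP64_EXTRA_ID) {
            /* The Zip64 record holds zero or more 8-byte fields; read only the
             * fields its own (now validated) size says are present. */
            if (size >= 8)  out->uncompressed_size = rd64(buf + off);
            if (size >= 16) out->compressed_size   = rd64(buf + off + 8);
            out->found = 1;
        }
        off += size;                       /* unknown ids are skipped, not parsed */
    }
    return 0;
}

/* Constructed sample: an unknown 3-byte record (id 0x7075) followed by a
 * Zip64 record (id 0x0001, size 16) carrying both sizes. */
static const uint8_t good_extra[] = {
    0x75, 0x70, 0x03, 0x00, 'a', 'b', 'c',
    0x01, 0x00, 0x10, 0x00,
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* uncompressed = 0x1000 */
    0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00    /* compressed   = 0x0800 */
};

/* Constructed sample: a Zip64 header claiming 0xFFFF data bytes although
 * only 4 follow; a parser trusting `size` would read far past the buffer. */
static const uint8_t overlong_extra[] = { 0x01, 0x00, 0xFF, 0xFF, 0xAA, 0xBB, 0xCC, 0xDD };

/* Constructed sample: the block ends in the middle of a record header. */
static const uint8_t truncated_extra[] = { 0x01, 0x00, 0x10 };

int check_good(void)
{
    zip64_info_t z;
    return parse_extra_field(good_extra, sizeof good_extra, &z) == 0
        && z.found && z.uncompressed_size == 0x1000 && z.compressed_size == 0x800;
}

int check_overlong(void)
{
    zip64_info_t z;
    return parse_extra_field(overlong_extra, sizeof overlong_extra, &z) == -1;
}

int check_truncated(void)
{
    zip64_info_t z;
    return parse_extra_field(truncated_extra, sizeof truncated_extra, &z) == -1;
}

int main(void)
{
    printf("well-formed block accepted: %s\n", check_good() ? "yes" : "no");
    printf("over-long record rejected:  %s\n", check_overlong() ? "yes" : "no");
    printf("truncated header rejected:  %s\n", check_truncated() ? "yes" : "no");
    return 0;
}
```

Build with any C compiler and run: the well-formed block yields the two parsed sizes, and both malformed samples are rejected with -1 before a single data byte is touched. When auditing bundled zip-handling code for this class of bug, this is the pattern to look for in every extra-field, CRC and Zip64 path: the declared length validated against the remaining input before the record is read.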