
Debian-LTS alert DLA-666-1 (guile-2.0)

From:  Markus Koschany <apo@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 666-1] guile-2.0 security update
Date:  Wed, 19 Oct 2016 00:18:18 +0200
Message-ID:  <cef5af42-2a88-cb2a-8803-73833061c649@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : guile-2.0
Version        : 2.0.5+1-3+deb7u1
CVE ID         : CVE-2016-8605 CVE-2016-8606
Debian Bug     : 840555 840556

Several vulnerabilities were discovered in GNU Guile, an implementation of
the Scheme programming language. The Common Vulnerabilities and Exposures
project identifies the following issues.

CVE-2016-8605:

    The mkdir procedure of GNU Guile temporarily changed the process' umask
    to zero. During that time window, in a multithreaded application, other
    threads could end up creating files with insecure permissions.

CVE-2016-8606:

    GNU Guile provides a "REPL server" which is a command prompt that
    developers can connect to for live coding and debugging purposes. The
    REPL server is started by the '--listen' command-line option or
    equivalent API.

    It was reported that the REPL server is vulnerable to the HTTP
    inter-protocol attack. This constitutes a remote code execution
    vulnerability for developers running a REPL server that listens on a
    loopback device or private network. Applications that do not run a REPL
    server, as is usually the case, are unaffected.

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.5+1-3+deb7u1.

We recommend that you upgrade your guile-2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJYBp+qXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1Hk5N4QAJT7u7EsoO2KinnaJTnzCcZl
P7NG4dNsi/4QUy91sQa2lpY7+u8nxoNyetMdPzT73msdqBtXrSF0QlwL3w9C5Z//
VjkexG9bwPMiBLSt03odLYsupWRhFBweMHrBoxgDPGVosxCu/pDXDTICnvrUyIy9
bDJXlRaWbqe2LndfudIwodzEMcaBtfCuUH4ymPmebOHWJ8uYNYOrCMkOfPAQoBPO
d/WIH+tvbjRleKwXKmx4nvf6dUrXbMdpk/gx9wrmIfc91K9UMCMG1uNbEC17mwE/
UFsAEYEVE++lgYn/yqu67IY8hwtxDL7fuPumdC1Clm93WcTVulTtat4Pcf2rodTM
pL/m9M9IrObXHllCITBKFHwnbRKsWPlAPnNhLam2wLK1azZqYeLwYhLKarTIg7U9
kLIRmylsf6OIqe9EXbuAZpkE0yNPjVWMQQ9RCWtw3dzQP9RCxn98f28/SgpYHIWb
7Lzb+3P+RPC/QRke85M0SV4Er3bznXzqR8h/PiI7jYOBlEwowCGwyGykPOaS8oRT
kQ+xZmCJ9RIEtRscoCsFCLNqdO6U+I4WQw+kztl3yCRQjoHo5A9MFDA0JMbx7vwP
NkCYLyLF34Z1Rp8kvh4YQ9VwpnAistBtIDm+Eu3Oq6nSG8eywayPhh7IQu5QotGI
TUQC19dtlnJmgi7Fulxc
=9e39
-----END PGP SIGNATURE-----
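The CVE-2016-8605 description above is a general lesson about umask(2): it is process-wide state, so clearing it around a single mkdir(2) call opens a window in which every other thread inherits a zero umask. The following C program is an added illustration written for this page; it is not Guile's code and not Debian's patch. It places the race-prone pattern the advisory describes next to a thread-safe alternative (create the directory with the umask in force, then set the exact mode with chmod(2) on that directory only), and it makes the window observable by creating a file at the point where a second thread could run, using a constructed scratch directory under /tmp and an explicit umask of 022 so the result is deterministic.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes (race-prone): clear the process-wide umask
 * so mkdir(2) applies MODE verbatim, then restore it. Any other thread that
 * creates a file while the umask is 0 gets unmasked permissions. */
int mkdir_clearing_umask(const char *path, mode_t mode)
{
    mode_t saved = umask(0);   /* window opens, for every thread at once */
    int rc = mkdir(path, mode);
    umask(saved);              /* window closes */
    return rc;
}

/* Thread-safe alternative: leave the process umask alone. mkdir(2) receives
 * the masked mode; chmod(2) then sets the exact bits on the new directory
 * and affects nothing else in the process. */
int mkdir_exact_mode(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0)
        return -1;
    return chmod(path, mode);
}

/* Permission bits of PATH, or -1 on error. */
int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Audit helper: 1 if BITS allow group or world write, 0 otherwise. */
int insecure_perm(int bits)
{
    return bits >= 0 && (bits & 022) != 0;
}

/* Stand-in for what a concurrent thread usually does: request 0666 and rely
 * on the umask to strip the group/other write bits. */
static int create_file_default(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Run one scenario in a fresh scratch directory with umask 022 and return
 * the permission bits of the file the "other thread" created, or -1.
 * INSIDE_WINDOW != 0: the file is created between umask(0) and its
 * restoration, i.e. the body of mkdir_clearing_umask with the other
 * thread's work interleaved. Otherwise mkdir_exact_mode is used and the
 * file is created afterwards with the umask never having changed. */
int file_bits_after_mkdir(int inside_window)
{
    char base[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch path */
    char dir[64], file[64];
    int bits = -1;
    mode_t old = umask(022);

    if (mkdtemp(base) == NULL) {
        umask(old);
        return -1;
    }
    snprintf(dir, sizeof dir, "%s/sub", base);
    snprintf(file, sizeof file, "%s/other-thread.txt", base);

    if (inside_window) {
        mode_t saved = umask(0);
        if (mkdir(dir, 0750) == 0 && create_file_default(file) == 0)
            bits = perm_bits(file);        /* 0666: umask was 0 */
        umask(saved);
    } else {
        if (mkdir_exact_mode(dir, 0750) == 0 && create_file_default(file) == 0)
            bits = perm_bits(file);        /* 0644: umask 022 applied */
    }

    unlink(file);
    rmdir(dir);
    rmdir(base);
    umask(old);
    return bits;
}

int main(void)
{
    printf("file created inside umask(0) window : %04o\n", file_bits_after_mkdir(1));
    printf("file created with umask untouched   : %04o\n", file_bits_after_mkdir(0));
    return 0;
}
```

The directory itself ends up 0750 either way; the difference is only visible on what other threads create during the window, which is why this class of bug is easy to miss in single-threaded testing. insecure_perm() is the check a file-permission audit would apply to anything written while such a window was open.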

