[SECURITY] [DLA 1107-1] bzr security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : bzr
Version        : 2.6.0~bzr6526-1+deb7u1
CVE ID         : CVE-2013-2099 CVE-2017-14176
Debian Bug     : 709068 874429

CVE-2013-2099

    Bazaar bundles SSL certificate checking code from Python, which
    had a bug that could cause a denial of service via resource
    consumption through multiple wildcards in certificate hostnames.

CVE-2017-14176

    Adam Collard found that host names in 'bzr+ssh' URLs were not
    parsed correctly by Bazaar, allowing remote attackers to run
    arbitrary code by tricking a user into using a maliciously
    crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version
2.6.0~bzr6526-1+deb7u1.

We recommend that you upgrade your bzr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
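
For the CVE-2013-2099 class of problem described above, the following is an added example, not code from Bazaar, Python or the Debian patch: a certificate hostname matcher that refuses names with multiple wildcards before doing any matching work and compares labels with plain string operations, so its cost stays linear in the name length. The function names, the one-wildcard limit and the sample names are assumptions made for this example.

```python
MAX_WILDCARDS = 1  # assumption for this example: at most one "*" per name


class CertificateNameError(ValueError):
    """A certificate name that is refused before any matching is attempted."""


def dnsname_match(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`."""
    if not pattern or not hostname:
        return False
    pattern, hostname = pattern.lower(), hostname.lower()
    # Reject names with several wildcards up front instead of matching them.
    if pattern.count("*") > MAX_WILDCARDS:
        raise CertificateNameError("too many wildcards in %r" % pattern)
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard may stand in for part of the leftmost label only, so
    # every other label must be equal and the label counts must agree.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    left, host_left = p_labels[0], h_labels[0]
    if "*" not in left:
        return left == host_left
    prefix, _, suffix = left.partition("*")
    return (bool(host_left)
            and len(host_left) >= len(prefix) + len(suffix)
            and host_left.startswith(prefix)
            and host_left.endswith(suffix))


def certificate_covers(names, hostname):
    """Check every name; one refused name rejects the whole certificate."""
    return any([dnsname_match(name, hostname) for name in names])


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    good = ["*.example.org", "example.org"]
    hostile = ["*.example.org", "*" * 40 + ".example.org"]
    print(certificate_covers(good, "www.example.org"))
    try:
        certificate_covers(hostile, "www.example.org")
    except CertificateNameError as exc:
        print("refused:", exc)
```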

