[SECURITY] [DLA 2284-1] ksh security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2284-1] ksh security update
From: Brian May <bam@debian.org>
Date: Tue, 21 Jul 2020 07:44:39 +1000
Message-id: <[🔎] 20200720214439.GA27816@silverfish.pri>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2284-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                            Brian May
July 21, 2020                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ksh
Version        : 93u+20120801-3.1+deb9u1
CVE ID         : CVE-2019-14868

A flaw was found in the way it evaluates certain
environment variables. An attacker could use this
flaw to override or bypass environment restrictions
to execute shell commands. Services and
applications that allow remote unauthenticated
attackers to provide one of those environment
variables could allow them to exploit this issue
remotely.

For Debian 9 stretch, this problem has been fixed in version
93u+20120801-3.1+deb9u1.

We recommend that you upgrade your ksh packages.

For the detailed security status of ksh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ksh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAl8WDUAACgkQKpJZkldk
SvrGmQ//eQV7NZ5AnTL20mZkw1A7ow/kLpnZL4zMycYs40WdpC97r7eOYXGaUhhv
DMl/oQryJ5YLA2DgvrfupsIacvIhXKYoy82uMQS+C+GefIqNE4JmqMDkvuFy+9EG
/8yVaHVz0VkNrDZPTWvvPb16hhmlI2Ugnpn8sfbNb7T3cRS8X2K+cosQhiOtpz70
LikFfRw6HoFzYXmPD2iNdb/iWVA+Ph6t7ijyDfoiGtZXdSCyi9nbd+noPa0uicoZ
964kh2up5sAtH0Aq9ZIwUK2NuTCyf97Q879UyrB08b2vheO/r1v0IDeAU9nNfOWl
+wFoF8j5cLWaRwpIazi1LJi+rtfhmYlw2hVuKIATlQSGqHFVq4jbpcrrNjlxjeQT
cxLtpqcwTiHm4BrO4tKiUiEUixHYV1OH9TO+G99zXOK5poQgyN6w7z9V1/qxhNoZ
Q+tM+MtiEO4REYJRtbat5VKMY5gDUMK6bblwlzuGUAnr6irt6O+u9IHeCoae309I
np5Mnm++jlKgkt0oG2Rf/9MGqeA6v996UF65TRmpCzaTbuVw2IvSSkTTIionzVfd
on0FOSBu30pEEKDza06u3nX+jFy4rxx03NFKWrUNEvkmql4OMnbiCDisn3kq51r4
kqhEEsYlJvlMi18AL72IowWHTd6fud21R76kjFHLY0g82UKJnMY=
=9+xc
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2283-1] nginx security update
Next by Date: [SECURITY] [DLA 2285-1] librsvg security update
Previous by thread: [SECURITY] [DLA 2283-1] nginx security update
Next by thread: [SECURITY] [DLA 2285-1] librsvg security update
Index(es):
- Date
- Thread