[SECURITY] [DLA 3013-1] needrestart security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3013-1] needrestart security update
From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Date: Wed, 18 May 2022 06:17:12 +0530
Message-id: <[🔎] CAPP0f97oQ0Mw4+hc2SfEa===SG7SEu5aL2RA5qv_Tcnjh_f=UA@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3013-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
May 18, 2022                                https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : needrestart
Version        : 2.11-3+deb9u2
CVE ID         : CVE-2022-30688
Debian Bug     : 1011154

Jakub Wilk discovered a local privilege escalation in needrestart, a
utility to check which daemons need to be restarted after library
upgrades. Regular expressions to detect the Perl, Python, and Ruby
interpreters are not anchored, allowing a local user to escalate
privileges when needrestart tries to detect if interpreters are using
old source files.

For Debian 9 stretch, this problem has been fixed in version
2.11-3+deb9u2.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmKEQesACgkQgj6WdgbD
S5b75BAAtO9RIWctdSGd/lRNDUwja8pcHQQypMPATn5jTYnAfXCHXH4CUu/gEvRB
vylYc2y0OhREi6LVn1nA2etA/MmD7puH1gmU2A/lx8cYMgKg+uE8AS3EW/e1VqMs
Uaeyz07jvmXt+BlC7oCQWvRNvLfMYozuKyJPWgHk6oCrHRgkxJ1FCijpB7MBuXHE
w++KyeqT96oOe5mvBZ0ONh3XPC140+pUdld2thlvbdWVHni7/nQ/CPL9dYiBhgwG
Mr/5LwF06Cz+0bkBmsKajWkNKu+kuiIrkVWf5yPY8L8Tfhj5d9Fi93wUbC/CqjPv
6PllyKXfcthjcNr/H3sMVK65q6WlDHSVQEp3f1XnYLenlU5XSb20517VtcO9zqyP
gnA55uGpa0fdjxo6W9Kx6C7LXyTK6fGyA7IEooehrdIT+cbowjlbZJXJ6dNECmFM
6RIQT7+cYtF0H/3xhlEEE7kQXIL535Cf2bQwTZDrnUtfrHa2EF7Ozsy/vG5e4GWM
MQAGcakZYQTkneEZ5r3faOncjAbJ5eIU83PHCvSIKmbI6uoNZ6orwibIvCY7kp9R
bVcZYEAg/3GpuMYb1XYmmK2FwUBX4nQ693RLozBBcbec9TjjpCzqEAT1vViUUr1s
3cGNrgUH7Stu2EmRy1e4Ty2Wr/kZOBhIacb7ff0WOlYcVNtdBEY=
=/crS
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3012-1] libxml2 security update
Next by Date: [SECURITY] [DLA 3014-1] elog security update
Previous by thread: [SECURITY] [DLA 3012-1] libxml2 security update
Next by thread: [SECURITY] [DLA 3014-1] elog security update
Index(es):
- Date
- Thread