author: Guilhem Moulin <guilhem@debian.org> 2023-12-03 19:48:42 +0100
committer: Guilhem Moulin <guilhem@debian.org> 2023-12-03 19:48:42 +0100
commit: c6ee0814828dde16e82a9618e06266e833c804a8
tree: ac658ac07c16728447c1b4585b2db97a90669420 /english/lts
parent: ba1f87909e84d67a414760e88fc18daa96fb1c2d
DLA-3682-1 for ncurses.
Diffstat (limited to 'english/lts')
 english/lts/security/2023/dla-3682.data | 10
 english/lts/security/2023/dla-3682.wml  | 47
2 files changed, 57 insertions, 0 deletions
diff --git a/english/lts/security/2023/dla-3682.data b/english/lts/security/2023/dla-3682.data
new file mode 100644
index 00000000000..3e8b29aa298
--- /dev/null
+++ b/english/lts/security/2023/dla-3682.data
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-3682-1 ncurses</define-tag>
+<define-tag report_date>2023-12-03</define-tag>
+<define-tag secrefs>CVE-2021-39537 CVE-2023-29491 Bug#1034372</define-tag>
+<define-tag packages>ncurses</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
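Review bot: the new .data file ends with an extra empty line after `#use wml::debian::security` (the final `+` line of the hunk); dropping it avoids a trailing blank line at end of file and matches the rest of the file, which otherwise reads cleanly: `report_date` agrees with the commit date and `secrefs` lists exactly the two CVEs (CVE-2021-39537, CVE-2023-29491) that the accompanying .wml describes.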
diff --git a/english/lts/security/2023/dla-3682.wml b/english/lts/security/2023/dla-3682.wml
new file mode 100644
index 00000000000..32977a94276
--- /dev/null
+++ b/english/lts/security/2023/dla-3682.wml
@@ -0,0 +1,47 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+<p>Issues were found in ncurses, a collection of shared libraries for
+terminal handling, which could lead to denial of service.</p>
+
+<ul>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2021-39537">CVE-2021-39537</a>
+
+ <p>It has been discovered that the <code>tic(1)</code> utility is susceptible to a
+ heap overflow on crafted input due to improper bounds checking.</p></li>
+
+<li><a href="https://security-tracker.debian.org/tracker/CVE-2023-29491">CVE-2023-29491</a>
+
+ <p>Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered
+ that when ncurses is used by a setuid application, a local user can
+ trigger security-relevant memory corruption via malformed data in a
+ terminfo database file found in <code>$HOME/.terminfo</code> or reached via the
+ <code>TERMINFO</code> or <code>TERM</code> environment variables.</p>
+
+ <p>In order to mitigate this issue, ncurses now further restricts
+ programs running with elevated privileges (setuid/setgid programs).
+ Programs run by the superuser remain able to load custom terminfo
+ entries.</p>
+
+ <p>This change aligns ncurses' behavior in buster-security with that of
+ Debian Bullseye's latest point release (6.2+20201114-2+deb11u2).</p></li>
+
+</ul>
+
+<p>For Debian 10 buster, these problems have been fixed in version
+6.1+20181013-2+deb10u5.</p>
+
+<p>We recommend that you upgrade your ncurses packages.</p>
+
+<p>For the detailed security status of ncurses please refer to
+its security tracker page at:
+<a href="https://security-tracker.debian.org/tracker/ncurses">https://security-tracker.debian.org/tracker/ncurses</a></p>
+
+<p>Further information about Debian LTS security advisories, how to apply
+these updates to your system and frequently asked questions can be
+found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/lts/security/2023/dla-3682.data"
+# $Id: $
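Review bot: the CVE-2023-29491 entry says ncurses "now further restricts programs running with elevated privileges" but does not state what is restricted, which is the one fact an administrator needs to judge whether a setuid/setgid program that depends on a custom terminfo entry will change behaviour after the upgrade; since the preceding paragraph already names the sources involved (`$HOME/.terminfo` and the `TERMINFO`/`TERM` environment variables), consider adding a sentence spelling out which of those sources setuid/setgid programs no longer consult. Minor style point in the same hunk: the `<p>` blocks inside each `<li>` are indented by a single space while the `<li>`/`<a>` lines are not, so the list would read more consistently with uniform indentation.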
