[Secure-testing-commits] r55208 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Tue Aug 29 19:06:59 UTC 2017


Author: carnil
Date: 2017-08-29 19:06:59 +0000 (Tue, 29 Aug 2017)
New Revision: 55208

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2014-9983/rar

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-08-29 18:30:12 UTC (rev 55207)
+++ data/CVE/list	2017-08-29 19:06:59 UTC (rev 55208)
@@ -90740,11 +90740,12 @@
 	[wheezy] - unrar-nonfree 1:4.1.4-1+deb7u1
 	[squeeze] - unrar-nonfree <no-dsa> (Non-free not supported)
 CVE-2014-9983 (Directory Traversal exists in RAR 4.x and 5.x because an unpack ...)
-	- rar <unfixed> (bug #774172)
-	[stretch] - rar <no-dsa> (Non-free not supported)
+	- rar 2:5.3.b2-1 (bug #774172)
 	[jessie] - rar <no-dsa> (Non-free not supported)
 	[wheezy] - rar <no-dsa> (Non-free not supported)
 	[squeeze] - rar <no-dsa> (Not fixed upstream and license does not allow modification)
+	NOTE: Version 5.21 upstream changes behaviour: by default rar skips symbolic links
+	NOTE: symbolic links with absolute paths in link target when extracting.
 CVE-2015-1589 (Directory traversal vulnerability in arCHMage 0.2.4 allows remote ...)
 	- archmage 1:0.2.4-4 (bug #776164)
 	[squeeze] - archmage <no-dsa> (Minor issue)




More information about the Secure-testing-commits mailing list