[SECURITY] [DLA 3950-1] libarchive security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3950-1] libarchive security update
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 11 Nov 2024 23:52:35 +0200
Message-id: <[🔎] ZzJ8o5WbAk4Kq3Nf@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3950-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
November 11, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libarchive
Version        : 3.4.3-2+deb11u2
CVE ID         : CVE-2021-36976 CVE-2022-26280 CVE-2022-36227 CVE-2024-20696
Debian Bug     : 991442 1008953 1024669 1086155

Multiple vulnerabilities have been fixed in libarchive,
a multi-format archive and compression library.

CVE-2021-36976

    RAR reader use-after-free

CVE-2022-26280

    ZIP reader out-of-bounds-read

CVE-2022-36227

    archive_write NULL dereference

CVE-2024-20696

    RAR reader out-of-bounds write

For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u2.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmcyfKMACgkQiNJCh6LY
mLE9CA/7BO/VrmB0zCgD6PJ6fIgtoMPq8iytU3VHWN0BPQIzKGLxP75VH+6vgEEy
8xzlN4DTlmT5HO/O/Xq7IIGq1qH7Hf+y8bizBho++uqFU9SYTA/pXvMeuKgty6zP
dLWXtzYLDNIyvdNkp+5B4ks8Hn4JTmOI5SCdSWZHzxBOD+aL+X/PjOBWRS7nwhoz
R8WrFeL9VGMeOS2R0SVhHqgV1rb3VXwuLPica8qnphe5IJm/3SGuRxzd9JWEZXGr
fvkIvca4zS35sI20S0ft4LbfwBg0O7sAor2JmW0jbsSWkuA1LpZpORZvcp3wYNrG
r1DDQ9f0eFehZNR3UpFvn1w7VlAZYEGB4V+NMyv1Q2dsOHckrQoyxhhfXpAfvjIs
GwdCUXQPiRtunxQKme1jznDfa/oJTQzvcQTLfUpIiaovMHfnMgna2d/JdZgXzXK/
oekzgyVeeE1XMT5aYgu9yo4ihBJq4BvGkVBeXM9I+B+vtTNc2RBvr6MRwYF1L0EM
qgtps65zlUjhrkPEHT3l2gKuL4wU4SzSEb4Jk4H84AeGMj/eEUzSeHVLJ4qOGeuG
KJ3S7TOt45ZXOZPMmuzoU00nmfZVWmefAvtOxujWYJ/9foMPEM6xL4Z6dcP3zsi9
30KrHLkfnvmIFj1PyrW0lqs6KIZ7u5WoXSJz8Dw23xqnIzqORjs=
=JGdi
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3949-1] ruby-saml security update
Next by Date: [SECURITY] [DLA 3951-1] curl security update
Previous by thread: [SECURITY] [DLA 3949-1] ruby-saml security update
Next by thread: [SECURITY] [DLA 3951-1] curl security update
Index(es):
- Date
- Thread