Re: [SECURITY] [DLA 131-1] file security update
On 12/01/2015, Bret Busby <email@example.com> wrote:
> On 09/01/2015, Christoph Biedl <firstname.lastname@example.org> wrote:
>> Package : file
>> Version : 5.04-5+squeeze9
>> CVE ID : CVE-2014-8116 CVE-2014-8117
>> Debian Bug : 773148
>> Multiple security issues have been found in file, a tool/library to
>> determine a file type. Processing a malformed file could result in
>> denial of service. Most of the changes are related to parsing ELF
>> As part of the fixes, several limits on aspects of the detection were
>> added or tightened, sometimes resulting in messages like "recursion
>> limit exceeded" or "too many program header sections".
>> To mitigate such shortcomings, these limits are controllable by a new
>> "-R"/"--recursion" parameter in the file program. Note: A future
>> upgrade for file in squeeze-lts might replace this with the "-P"
>> parameter to keep usage consistent across all distributions.
>> The ELF parser (readelf.c) allows remote attackers to cause a
>> denial of service (CPU consumption or crash).
>> softmagic.c does not properly limit recursion, which allows remote
>> attackers to cause a denial of service (CPU consumption or crash).
>> (no identifier has been assigned so far)
>> out-of-bounds memory access
> I get the following error message;
> An error has occurred and downloading has been aborted.
> Error message:
> Failed to fetch
> 404 Not Found [IP: 22.214.171.124 80]
> Failed to fetch
> 404 Not Found [IP: 126.96.36.199 80]
Tried again using apt-get update then upgrade, and it worked.
Synaptic is apparently broken, for updating packages.
"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992
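The advisory quoted above explains that the fix adds a recursion limit to the magic matcher (softmagic.c) and a bounds check on the parsed input, with the limit exposed through a "-R"/"--recursion" option. The following Python is an added illustration of that mitigation pattern, not file(1)'s or Debian's code: it models "indirect" magic rules (one rule handing off to another), refuses to follow a chain deeper than a configurable limit, and treats an offset past the end of the input as "no match" instead of reading out of bounds. The rule names, the `MagicRule` structure and the sample bytes are constructed for the example.

```python
"""Bounded-depth indirect-magic resolver (illustrative, not libmagic)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class RecursionLimitExceeded(Exception):
    """Raised when indirection depth exceeds the configured limit."""


@dataclass
class MagicRule:
    name: str               # label reported when the rule matches
    offset: int             # where in the input to look
    magic: bytes            # bytes expected at that offset
    indirect: Optional[str] = None  # hypothetical: next rule to apply on a match


def describe(data: bytes, rules: Dict[str, MagicRule], start: str,
             recursion_limit: int = 10) -> List[str]:
    """Follow indirect rules from `start`, bounding depth like a "-R" limit.

    Without the depth check, a cyclic or very long chain of indirections
    (the class of problem fixed for softmagic.c) would recurse until the
    interpreter's stack or the CPU budget is exhausted.
    """
    found: List[str] = []

    def walk(name: str, depth: int) -> None:
        if depth > recursion_limit:
            raise RecursionLimitExceeded(
                f"recursion limit exceeded ({recursion_limit})")
        rule = rules[name]
        end = rule.offset + len(rule.magic)
        # Bounds check: an offset past the input is a non-match, never a read.
        if rule.offset < 0 or end > len(data):
            return
        if data[rule.offset:end] != rule.magic:
            return
        found.append(rule.name)
        if rule.indirect is not None:
            walk(rule.indirect, depth + 1)

    walk(start, 0)
    return found


def describe_or_error(data: bytes, rules: Dict[str, MagicRule], start: str,
                      recursion_limit: int = 10) -> str:
    """Return a one-line description, or the limit message on abort."""
    try:
        names = describe(data, rules, start, recursion_limit)
    except RecursionLimitExceeded as exc:
        return str(exc)
    return ", ".join(names) if names else "data"


# Constructed sample input: an ELF-like header followed by padding.
SAMPLE = b"\x7fELF\x02" + b"\x00" * 11

# Well-formed chain: "outer" hands off to "inner", which terminates.
CHAIN_RULES = {
    "outer": MagicRule("outer", 0, b"\x7fELF", indirect="inner"),
    "inner": MagicRule("inner", 4, b"\x02"),
}

# Malicious-style chain: the two rules point at each other forever.
LOOP_RULES = {
    "a": MagicRule("a", 0, b"\x7fELF", indirect="b"),
    "b": MagicRule("b", 4, b"\x02", indirect="a"),
}

# Rule whose offset lies beyond the 16-byte sample.
FAR_RULES = {"far": MagicRule("far", 100, b"X")}


if __name__ == "__main__":
    print(describe_or_error(SAMPLE, CHAIN_RULES, "outer"))
    print(describe_or_error(SAMPLE, LOOP_RULES, "a", recursion_limit=5))
    print(describe_or_error(SAMPLE, FAR_RULES, "far"))
```

Lowering `recursion_limit` trades detection depth for a guaranteed bound on work per input, which is the same trade the advisory describes when legitimate files start reporting "recursion limit exceeded"; the out-of-range rule shows why the bounds check belongs before the byte comparison rather than after it.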