Debian Security Advisory

DLA-1600-1 libarchive -- LTS security update

Date Reported: 29 Nov 2018
Affected Packages: libarchive
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 853278, Bug 875960, Bug 875974, Bug 875966, Bug 874539, Bug 840934.
In Mitre's CVE dictionary: CVE-2015-8915, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-5601, CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503.
More information:

Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences and out-of-bounds reads allow remote attackers to cause a denial-of-service (application crash) via specially crafted archive files.

For Debian 8 Jessie, these problems have been fixed in version 3.1.2-11+deb8u4.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS