Debian Security Advisory

DLA-1600-1 libarchive -- LTS security update

Date Reported:
29 Nov 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 853278, Bug 875960, Bug 875974, Bug 875966, Bug 874539, Bug 840934.
In Mitre's CVE dictionary: CVE-2015-8915, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2016-10209, CVE-2016-10349, CVE-2016-10350, CVE-2017-5601, CVE-2017-14166, CVE-2017-14501, CVE-2017-14502, CVE-2017-14503.
More information:

Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences and out-of-bounds reads allow remote attackers to cause a denial-of-service (application crash) via specially crafted archive files.

For Debian 8 Jessie, these problems have been fixed in version 3.1.2-11+deb8u4.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: