[SECURITY] [DSA 4253-1] network-manager-vpnc security update

Salvatore Bonaccorso <carnil@xxxxxxxxxx> · Mon, 23 Jul 2018 21:05:20 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4253-1                   security@xxxxxxxxxx
https://www.debian.org/security/                     Salvatore Bonaccorso
July 23, 2018                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : network-manager-vpnc
CVE ID         : CVE-2018-10900
Debian Bug     : 904255

Denis Andzakovic discovered that network-manager-vpnc, a plugin to
provide VPNC support for NetworkManager, is prone to a privilege
escalation vulnerability. A newline character can be used to inject a
Password helper parameter into the configuration data passed to vpnc,
allowing a local user with privileges to modify a system connection to
execute arbitrary commands as root.

For the stable distribution (stretch), this problem has been fixed in
version 1.2.4-4+deb9u1.

We recommend that you upgrade your network-manager-vpnc packages.

For the detailed security status of network-manager-vpnc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/network-manager-vpnc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAltWQhJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SKCw//VcNh7gs/gMCYvTOr3+nN0GCSpvDEif63vC9quWGN2KvBclc927tpajgV
eAbYAW+Wr7mm/IV7g0nLR5WK51qnJ6QAevJmkYKWzAQpDnDM85UkNvcYkgbZ7Btp
BMw+1e7EQv/C94nKw9KARZjco8/bo6L5A2AF59HLYAK5BjRblCWyc5dqDSj4gylE
EQUdkODJPuH7s35LUqRhsTvUiQRPaOjZ0oDIkhC44GkWPnwy5yljmRPq54mqhMYU
+NrDQjKwW1eMBNrF8/BrQq0CHP8sxftlvcgMoJzwK0YX8mS3nfhtnQRbMeBWSkId
FYkHFOCdExyZDJ145NQPeVFmHj1qHElcr2swqQg1QmH4twkDhGU90zJBNwOzPTn4
7XQYeH4o29TSNMYC5b/3OpVdrq6BlVMJjTVz92yfaMO2h0ypTqyoBYQ72kZLS9kG
PkKCL1WQWSdVJ4VNqufUiBrJNVREiSeOs00f3uBYgWYocX40b679pm8YbaQj/mUZ
NIVlPJvlrhA7UkJv5VDOZyc6DPbVnLZGB8X14+L86D98JKtfbE/RnW+m2FUkwKEW
462OYIdudV0fDDneDD2e87p8DDdTIMwgO1Smgj8062RMhiv/L6FL/5XUxr1DMS6U
AQLfdnpEf3Am6cL6FTIsj53SAmh1L9B3EHEkAPH7AxX/pogBlGU=
=VkVy
-----END PGP SIGNATURE-----