Debian DLA-1304-1 : zsh security update

high Nessus Plugin ID 107276

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that there were multiple vulnerabilities in the 'zsh' shell :

- CVE-2014-10070: Fix a privilege-elevation issue if the environment has not been properly sanitized.

- CVE-2014-10071: Prevent a buffer overflow for very long file

- descriptors in the '>& fd' syntax.

- CVE-2014-10072: Correct a buffer overflow when scanning very long directory paths for symbolic links.

- CVE-2016-10714: Fix an off-by-one error that was resulting in undersized buffers that were intended to support PATH_MAX.

- CVE-2017-18206: Fix a buffer overflow in symlink expansion.

For Debian 7 'Wheezy', this issue has been fixed in zsh version 4.3.17-1+deb7u1.

We recommend that you upgrade your zsh packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2018/03/msg00007.html

https://packages.debian.org/source/wheezy/zsh

Plugin Details

Severity: High

ID: 107276

File Name: debian_DLA-1304.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/12/2018

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:zsh-static, cpe:/o:debian:debian_linux:7.0, p-cpe:/a:debian:debian_linux:zsh-dbg, p-cpe:/a:debian:debian_linux:zsh, p-cpe:/a:debian:debian_linux:zsh-doc, p-cpe:/a:debian:debian_linux:zsh-dev

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/9/2018