August 2017 - SourceTree - Critical Security Advisory

[David Black]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/c-mdNw .


CVE ID:

* CVE-2017-1000117 - Git.
* CVE-2017-1000115 - Mercurial.
* CVE-2017-1000116 - Mercurial.
* CVE-2017-9800 - Subversion.


Product: SourceTree.

Affected SourceTree product versions:

* SourceTree for macOS 1.0b2 <= version < 2.6.1
* SourceTree for Windows 0.5.1.0 <= version < 2.1.10


Fixed SourceTree product versions:

* Versions of SourceTree for macOS, equal to and above 2.6.1 contain a
fix for this issue.
* Versions of SourceTree for Windows, equal to and above 2.1.10
contain a fix for this issue.


Summary:
This advisory discloses critical severity security vulnerabilities
which affect SourceTree for macOS and SourceTree for Windows. Versions
of SourceTree for macOS starting with 1.0b2 before version 2.6.1 and
versions of SourceTree for Windows starting with 0.5.1.0 before
version 2.1.10 are affected by this vulnerability.


Customers who have upgraded SourceTree for macOS to version 2.6.1 are
not affected.
Customers who have upgraded SourceTree for Windows to version 2.1.10
are not affected.

Customers who have downloaded and installed SourceTree for macOS
starting with 1.0b2 before version 2.6.1 or who have downloaded and
installed SourceTree for Windows starting with 0.5.1.0 before version
2.1.10 please upgrade your SourceTree for macOS or SourceTree for
Windows installations immediately to fix the vulnerabilities mentioned
in this advisory.

SourceTree for macOS and Windows - Remote Code Execution via Git and
Mercurial - Multiple CVEs

Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The
scale allows us to rank the severity as critical, high, moderate or
low.
This is our assessment and you should evaluate its applicability to
your own IT environment.


Description:

SourceTree for macOS and Windows are affected by vulnerabilities found
in the Git and Mercurial software. This vulnerability can be triggered
through a malicious repository when it is checked out using
SourceTree. From version 1.4.0 of SourceTree for macOS and 0.8.4b of
SourceTree for Windows, this vulnerability can be triggered from a
webpage through the use of the SourceTree URI handler.
Versions of SourceTree for macOS starting with 1.0b2 before version
2.6.1 and versions of SourceTree for Windows starting with 0.5.1.0
before version 2.1.10 are affected by this vulnerability. This issue
can be tracked at: https://jira.atlassian.com/browse/SRCTREE-4904 and
for Windows at https://jira.atlassian.com/browse/SRCTREEWIN-7663.


Remediation:

Upgrade SourceTree for macOS to version 2.6.1 or higher.  Please note
that since SourceTree for Mac 2.5.0 OSX 10.11 or later is required.
Upgrade SourceTree for Windows to version 2.1.10 or higher.

You can download the latest version of SourceTree from
https://www.sourcetreeapp.com/ .


Support:
Atlassian supports SourceTree through the Atlassian Community. If you
have questions or concerns regarding this advisory, go to
https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree .
-BEGIN PGP SIGNATURE-

iQI0BAEBCgAeBQJZr1kdFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
Unag+WgP/3IIGyB+oShEgGGmRaSUsT9bA2Vqis/0i9nr/I//f5XACt897M+THELj
2S+ZD9RiALjkCD5Hq2wvTvs42KWt34+ImKQutI8FqnMf96cIszPhuhwurd7NdcX8
hhfZbVx1RZra7wKK2FbyC64VlxlYKHcNOvpTyDHAuki5bhBFkwLI0hf8vXWNPYZg
w6i6EzLC+QQNoEO5qb+NURuAImWt2tGQWsskLMbwlJIdrqsqQ3TrjUvKAgvRfkUn
1H8cCDArA1HpQKz6peI32NeuvC2WcI3Zc7sKP7qDW/pNRk0iIDkRlJ8AlRMEu/LD
DgpJVhpVmDkdWHCy4SRN9Was3mRnaL9uZxsY6GUH2wi8Nt4/3JKJKsbG+MhmY762
B/NLuUA78mqDos6I0KxCjluhPOeFKv8W/BGkexLEjAoV2c348Fy5+X1S4vdoGlq+
+z7zyCUf3fsi6iz/Nt1C3vY/q76m1hL1VI5HX3btizwLOenUof6RDt6jTBzaA+zS
xt6YpwB1K+P2Lv32ChGFjAtAUljqoIqWK6brJljxHM5ey24hnovYYBJq8DI/xKPr
6EDGLAseEHldKy+8nAJ4BHgDWYco5jx0++GaHzLQTW/1VLn3uAXDK4MGJPcsLYQ6
WIlV192qlMUMPk53X3kAYNQG7t2EevWKn960hR8s/bwCm3Pvuvbi
=l639
-END PGP SIGNATURE-

[SECURITY] [DSA 3965-1] file security update

[Salvatore Bonaccorso]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3965-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 05, 2017https://www.debian.org/security/faq
- -

Package: file
CVE ID : CVE-2017-1000249

Thomas Jarosch discovered a stack-based buffer overflow flaw in file, a
file type classification tool, which may result in denial of service if
an ELF binary with a specially crafted .notes section is processed.

For the stable distribution (stretch), this problem has been fixed in
version 1:5.30-1+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:5.32-1.

We recommend that you upgrade your file packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmvBG1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0S3tA//S/EZiFJ2DfFBkKYFKthu+AOPjMjZS3Seoo5uNBwcqfC3zcpKc5BnjJSs
do0J2eKHYxkmVtW5Ox2AhnRlOBTGky3wiS5wFS3LCaeYgjhFt7L6I0VHY09wF9B4
QnkQ6f4r7PJ8/iwKow0XaOrjoE4ClACckaWTpVfFg2oOOZWODSWEoGxQxDEXdsVP
DnyY/9TmdRbIhx8OrKJs0oUVQdt6gFguoENvV8zEsTdcJ4trDlFb8t8RcqRWOuWW
8WZ1jeIqDJ31Sl37tItM/AN8MD1STi4Ic9NaDFjAk80iiFBoMxKyfiwWjuZ/d3DX
/acoG3XcHLw6V0zB5LBc8HLCqhKrlAqoQ0rFB07+SRr8XGftnRXRT9CuterJcPzp
wqgHzvnVL9XsfwZSEAR0yqQAE7Yj6yhEHy4QlPkM6aedO7IIffOE3NvdOBCd46Jg
KUKeJZZ4AYH2FcHAzucE9aqdujwfMu/STiPosveA/Z4Kqc3o7ds9nY5N77yynzdH
MHzU01lbJBes3+MkfSn9mbGrU6OiB8qUQL0MuOdbB0qAbzYuhJvtzoJ2Pk6PApIX
bxDUhQhP5WW1MJ6adOBk0aV6qGLqBaAwbjbMQva0MNmQC01M3IJtR1Su7GCNadU9
+19j1pIJBURMbaHaegidNwLVZudfl+V+uvK8ERgk6RII7MasSJk=
=suKv
-END PGP SIGNATURE-

[security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities

[security-alert]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbux03772en_us

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbux03772en_us
Version: 1

HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple
Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-09-05
Last Updated: 2017-09-05

Potential Security Impact: Remote: Denial of Service (DoS), Unauthorized Read
Access to Data

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the HP-UX BIND
service running named. These vulnerabilities could be exploited remotely to
allow Denial of Service (DoS), and unauthorized read access to data.

References:

  - CVE-2017-3140 - BIND 9.11.1
  - CVE-2017-3142 - BIND 9.11.1, 9.9.4
  - CVE-2017-3143 - BIND 9.11.1, 9.9.4

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP-UX DNS and BIND Software B.11.31 - BIND 9.9.4 prior to C.9.9.4.11.0
and BIND 9.11.1 prior to C.9.11.1.2.0

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2017-3140
  3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)

CVE-2017-3142
  5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-2017-3143
  7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has provided the following software updates to resolve the
vulnerabilities in the HP-UX BIND service running named.

* For BIND 9.9.4:

  - BIND 9.9.4 for HP-UX Release B.11.31 (PA and IA)
  - Depot: HP_UX_11.31_HPUX-NameServer_C.9.9.4.11.0_HP-UX_B.11.31_IA_PA.depot

* For BIND 9.11.1:
  - BIND 9.11.1 for HP-UX Release B.11.31 (PA and IA)
  - Depot: HP_UX_11.31_HPUX-NameServer_C.9.11.1.2.0_HP-UX_B.11.31_IA_PA.depot

**Note:** The depot files can be found here: 

 *


MANUAL ACTIONS: Yes - Update 
Download and install the software update 

PRODUCT SPECIFIC INFORMATION 
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application

that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins 
issued by HPE and lists recommended actions that may apply to a specific
HP-UX 
system. It can also download patches and create a depot automatically. For
more information see: 
 
 *


The following text is for use by the HP-UX Software Assistant. 

AFFECTED VERSIONS
HP-UX B.11.31 IA/PA 
=== 
NameService.BIND-AUX 
NameService.BIND-RUN 
Action 
For 9.9.4 : install C.9.9.4.11.0 or subsequent
For 9.11.1 : install C.9.11.1.2.0 or subsequent

Note: HPE recommends to migrate to 9.11.1

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 5 September 2017 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for