[SECURITY] [DLA 1602-1] nsis security update

2018-11-30T22:35:37
ID DEBIAN:DLA-1602-1:BD742
Type debian
Reporter Debian
Modified 2018-11-30T22:35:37

Description

Package : nsis Version : 2.46-10+deb8u1 CVE ID : CVE-2015-9267 CVE-2015-9268

Among others, Andre Heinicke from gpg4win.org found several issues of nsis, a tool for creating quick and user friendly installers for

Microsoft Windows operating systems.

The issues are fixed by ... ... using SetDefaultDllDirectories() to restrict implicitly loaded and dynamically loaded modules to trusted directories ... creating temporary directories in a way that only elevated users can write into it ... not implicitly linking against Version.dll but using wrapper functions

For Debian 8 "Jessie", these problems have been fixed in version 2.46-10+deb8u1.

We recommend that you upgrade your nsis packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS