[SECURITY] [DLA 2926-1] zsh security update

2022-02-1808:34:48

lists.debian.org

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

37.5%

JSON

Debian LTS Advisory DLA-2926-1 [email protected]
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
February 18, 2022 https://wiki.debian.org/LTS

Package : zsh
Version : 5.3.1-4+deb9u5
CVE ID : CVE-2021-45444

It was discovered that zsh, a powerful shell and scripting language,
did not prevent recursive prompt expansion. This would allow an
attacker to execute arbitrary commands into a user's shell, for
instance by tricking a vcs_info user into checking out a git branch
with a specially crafted name.

For Debian 9 stretch, this problem has been fixed in version
5.3.1-4+deb9u5.

We recommend that you upgrade your zsh packages.

For the detailed security status of zsh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zsh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10armelzsh-static< 5.7.1-1+deb10u1zsh-static_5.7.1-1+deb10u1_armel.deb
Debian11amd64zsh-dev< 5.8-6+deb11u1zsh-dev_5.8-6+deb11u1_amd64.deb
Debian10i386zsh-dbgsym< 5.7.1-1+deb10u1zsh-dbgsym_5.7.1-1+deb10u1_i386.deb
Debian9armelzsh-static< 5.3.1-4+deb9u5zsh-static_5.3.1-4+deb9u5_armel.deb
Debian11amd64zsh-static< 5.8-6+deb11u1zsh-static_5.8-6+deb11u1_amd64.deb
Debian10mips64elzsh-dev< 5.7.1-1+deb10u1zsh-dev_5.7.1-1+deb10u1_mips64el.deb
Debian10armhfzsh-dev< 5.7.1-1+deb10u1zsh-dev_5.7.1-1+deb10u1_armhf.deb
Debian11armelzsh< 5.8-6+deb11u1zsh_5.8-6+deb11u1_armel.deb
Debian11allzsh-doc< 5.8-6+deb11u1zsh-doc_5.8-6+deb11u1_all.deb
Debian11ppc64elzsh-dev< 5.8-6+deb11u1zsh-dev_5.8-6+deb11u1_ppc64el.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	armel	zsh-static	< 5.7.1-1+deb10u1	zsh-static_5.7.1-1+deb10u1_armel.deb
Debian	11	amd64	zsh-dev	< 5.8-6+deb11u1	zsh-dev_5.8-6+deb11u1_amd64.deb
Debian	10	i386	zsh-dbgsym	< 5.7.1-1+deb10u1	zsh-dbgsym_5.7.1-1+deb10u1_i386.deb
Debian	9	armel	zsh-static	< 5.3.1-4+deb9u5	zsh-static_5.3.1-4+deb9u5_armel.deb
Debian	11	amd64	zsh-static	< 5.8-6+deb11u1	zsh-static_5.8-6+deb11u1_amd64.deb
Debian	10	mips64el	zsh-dev	< 5.7.1-1+deb10u1	zsh-dev_5.7.1-1+deb10u1_mips64el.deb
Debian	10	armhf	zsh-dev	< 5.7.1-1+deb10u1	zsh-dev_5.7.1-1+deb10u1_armhf.deb
Debian	11	armel	zsh	< 5.8-6+deb11u1	zsh_5.8-6+deb11u1_armel.deb
Debian	11	all	zsh-doc	< 5.8-6+deb11u1	zsh-doc_5.8-6+deb11u1_all.deb
Debian	11	ppc64el	zsh-dev	< 5.8-6+deb11u1	zsh-dev_5.8-6+deb11u1_ppc64el.deb