DebianDEBIAN:DLA-564-1:783EB[SECURITY] [DLA 564-1] tardiff security update
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
Low
0.005 Low
EPSS
Percentile
76.3%
Package : tardiff
Version : 0.1-1+deb7u1
CVE ID : CVE-2015-0857 CVE-2015-0858
Two vulnerabilities were found in tardiff:
CVE-2015-0857
Arbitrary command execution was possible via shell metacharacters
in the name of a (1) tar file or (2) file within a tar file.
CVE-2015-0858
Local users could write to arbitrary files via a symlink attack on
a pathname in a /tmp/tardiff-$$ temporary directory.
For Debian 7 "Wheezy", these problems have been fixed in version
0.1-1+deb7u1.
We recommend that you upgrade your tardiff packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 8 | all | tardiff | < 0.1-2+deb8u2 | tardiff_0.1-2+deb8u2_all.deb |
| Debian | 7 | all | tardiff | < 0.1-1+deb7u1 | tardiff_0.1-1+deb7u1_all.deb |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.3 High
AI Score
Confidence
Low
0.005 Low
EPSS
Percentile
76.3%