Advisories » MGASA-2016-0386

Updated tar packages fix security vulnerability

Publication date: 17 Nov 2016
Modification date: 17 Nov 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6321

Description

Harry Sintonen discovered that GNU tar does not properly handle member
names containing '..', thus allowing an attacker to bypass the path names
specified on the command line and replace files and directories in the
target directory (CVE-2016-6321).
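
An added example, not part of the advisory or of GNU tar: a Python check that reads an archive's member names before extraction and flags any that are absolute, contain a '..' component, or fall outside the path names the caller intends to extract. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_members(archive_bytes, requested):
    """Return (name, reason) for each member that should not be extracted
    when the caller asked only for the path names in `requested`."""
    findings = []
    wanted = [posixpath.normpath(r) for r in requested]
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tf:
        for member in tf.getmembers():
            name = member.name
            if name.startswith("/"):
                findings.append((name, "absolute path"))
                continue
            # Check the raw name: normalising first would hide the '..'.
            if ".." in name.split("/"):
                findings.append((name, "contains '..' component"))
                continue
            norm = posixpath.normpath(name)
            if not any(norm == w or norm.startswith(w + "/") for w in wanted):
                findings.append((name, "outside requested path names"))
    return findings


def build_sample():
    """Constructed sample archive; member names are illustrative only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt",
                     "docs/../config/settings.ini",
                     "other/file.txt"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Caller intends to extract only "docs" from the archive.
    for name, reason in audit_members(build_sample(), ["docs"]):
        print(f"{name}: {reason}")
```

Running the audit on archives from untrusted sources before extraction gives a list of members to reject regardless of which tar version performs the extraction.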

References

SRPMS

5/core