Debian DLA-1107-1 : bzr security update
High Nessus Plugin ID 103429
Synopsis
The remote Debian host is missing a security update.
Bazaar bundles SSL certificate checking code from Python, which had a bug that could cause a denial of service via resource consumption through multiple wildcards in certificate hostnames.
Adam Collard found that host names in 'bzr+ssh' URLs were not parsed correctly by Bazaar, allowing remote attackers to run arbitrary code by tricking a user into using a maliciously crafted URL.
For Debian 7 'Wheezy', these problems have been fixed in version 2.6.0~bzr6526-1+deb7u1.
We recommend that you upgrade your bzr packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Upgrade the affected packages.