CVE-2014-3865

Description

Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pseudo-header in conjunction with (1) missing --- and +++ header lines or (2) a +++ header line with a blank pathname.

How to fix CVE-2014-3865

To remediate CVE-2014-3865, upgrade the affected package to a fixed version below.

• Debian/dpkg—upgrade to 1.17.10 or later

Is CVE-2014-3865 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 1.17.10

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3865