ASA-202002-4 log original external raw

[ASA-202002-4] ksh: arbitrary command execution
Arch Linux Security Advisory ASA-202002-4 ========================================= Severity: High Date : 2020-02-08 CVE-ID : CVE-2019-14868 Package : ksh Type : arbitrary command execution Remote : No Link : https://security.archlinux.org/AVG-1095 Summary ======= The package ksh before version 2020.0.0-2 is vulnerable to arbitrary command execution. Resolution ========== Upgrade to 2020.0.0-2. # pacman -Syu "ksh>=2020.0.0-2" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A flaw was found in ksh version 2020.0.0 in the evaluation of certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. Impact ====== An attacker is able to execute arbitrary commands that are blacklisted on the affected host. References ========== https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2 https://security.archlinux.org/CVE-2019-14868