ELA-731-1 sysstat security update

Remote Code Execution (RCE)

Version: 11.0.1-1+deb8u1 (jessie), 11.4.3-2+deb9u1 (stretch)
Related CVEs: CVE-2022-39377

On 32-bit systems, the allocate_structures function in sa_common.c contains a size_t overflow. The function insufficiently checks bounds before an arithmetic multiplication, so the size computed for the buffer representing system activities can overflow. This issue may lead to Remote Code Execution (RCE).
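The class of bug described above, shown as an added example that is not sysstat's code: an unchecked size multiplication that wraps on a 32-bit size_t, next to a checked form that rejects the count before allocating. The names `size32_t`, `RECORD_SIZE`, `unchecked_size`, `checked_size` and `alloc_records` and all values are hypothetical; `uint32_t` stands in for a 32-bit size_t so the wrap is visible on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* size_t as it behaves on a 32-bit system, so the wrap shows on any host. */
typedef uint32_t size32_t;

#define RECORD_SIZE 24u /* constructed per-record size, not sysstat's */

/* Unchecked form: the product silently wraps modulo 2^32. */
size32_t unchecked_size(size32_t rec, size32_t nr, size32_t nr2)
{
    return rec * nr * nr2;
}

/* Checked form: 0 and *out set on success, -1 if the product overflows. */
int checked_size(size32_t rec, size32_t nr, size32_t nr2, size32_t *out)
{
    *out = 0;
    if (rec == 0 || nr == 0 || nr2 == 0)
        return 0;
    if (nr > UINT32_MAX / rec)
        return -1;
    if (nr2 > UINT32_MAX / (rec * nr))
        return -1;
    *out = rec * nr * nr2;
    return 0;
}

/* Allocate only when the byte count is representable and non-zero. */
void *alloc_records(size32_t nr, size32_t nr2)
{
    size32_t bytes;
    if (checked_size(RECORD_SIZE, nr, nr2, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size32_t nr = 178956971u; /* constructed count: 24 * nr = 2^32 + 8 */
    size32_t bytes;
    printf("unchecked: %u bytes for %u records\n",
           (unsigned)unchecked_size(RECORD_SIZE, nr, 1u), (unsigned)nr);
    printf("checked:   %s\n",
           checked_size(RECORD_SIZE, nr, 1u, &bytes) ? "rejected" : "accepted");
    return 0;
}
```

With the unchecked form, a buffer of 8 bytes would be allocated for a record count that later code treats as valid, which is how an undersized allocation turns into an out-of-bounds write.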

For Debian 8 jessie, these problems have been fixed in version 11.0.1-1+deb8u1.

For Debian 9 stretch, these problems have been fixed in version 11.4.3-2+deb9u1.

We recommend that you upgrade your sysstat packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.