ELA-565-1 zsh security update
Package: zsh
Version: 5.0.7-5+deb8u4
Related CVEs: CVE-2021-45444
It was discovered that zsh, a powerful shell and scripting language, did not prevent recursive prompt expansion. This would allow an attacker to execute arbitrary commands in a user's shell, for instance by tricking a vcs_info user into checking out a git branch with a specially crafted name.
For Debian 8 jessie, this problem has been fixed in version 5.0.7-5+deb8u4.
We recommend that you upgrade your zsh packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A zsh security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker can execute arbitrary commands in a user's shell.