A flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

For Debian 9 stretch, this problem has been fixed in version 93u+20120801-3.1+deb9u1.

We recommend that you upgrade your ksh packages.

For the detailed security status of ksh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ksh

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS