|
 |
Gentoo LinuxGentoo Linux Security Advisory GLSA 200601-01
Severity: Normal Synopsispinentry is vulnerable to privilege escalation. Backgroundpinentry is a collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol. Affected packages
DescriptionTavis Ormandy of the Gentoo Linux Security Audit Team has discovered that the pinentry ebuild incorrectly sets the permissions of the pinentry binaries upon installation, so that the sgid bit is set making them execute with the privileges of group ID 0. ImpactA user of pinentry could potentially read and overwrite files with a group ID of 0. WorkaroundThere is no known workaround at this time. ResolutionAll pinentry users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/pinentry-0.7.2-r2"
AvailabilityThis GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200601-01.xml Concerns?Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. LicenseCopyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 Ubuntu LinuxUbuntu Security Notice USN-233-1 January 02, 2006 fetchmail vulnerability CVE-2005-4348 A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog) The following packages are affected: fetchmail The problem can be corrected by upgrading the affected package to version 6.2.5-8ubuntu2.3 (for Ubuntu 4.10), 6.2.5-12ubuntu1.3 (for Ubuntu 5.04), or 6.2.5-13ubuntu3.2 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in 'multidrop' mode, a malicious email server could cause a crash by sending an email without any headers. Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed. Updated packages for Ubuntu 4.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-12ubuntu1.3_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_powerpc.deb Updated packages for Ubuntu 5.04: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-8ubuntu2.3_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_powerpc.deb Updated packages for Ubuntu 5.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2.diff.gz Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-13ubuntu3.2_all.deb amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_powerpc.deb Ubuntu Security Notice USN-234-1 January 02, 2006 cpio vulnerability CVE-2005-4268 A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog) The following packages are affected: cpio The problem can be corrected by upgrading the affected package to version 2.5-1.1ubuntu0.3 (for Ubuntu 4.10), 2.5-1.1ubuntu1.2 (for Ubuntu 5.04), or 2.5-1.2ubuntu1.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). Updated packages for Ubuntu 4.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0.3.diff.gz amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0.3_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0.3_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu0.3_powerpc.deb Updated packages for Ubuntu 5.04: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1.2.diff.gz amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1.2_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1.2_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.1ubuntu1.2_powerpc.deb Updated packages for Ubuntu 5.10: Source archives:
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.2ubuntu1.1.diff.gz amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.2ubuntu1.1_amd64.deb i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.2ubuntu1.1_i386.deb powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/c/cpio/cpio_2.5-1.2ubuntu1.1_powerpc.deb  
|
 |
|
|
|
|
| All times are recorded in UTC. Linux is a trademark of Linus Torvalds. Powered by Linux, Apache and PHP |
