Full Disclosure mailing list archives

MDKSA-2005:184 - Updated cfengine packages fix temporary file vulnerabilities
From: Mandriva Security Team <security () mandriva com>
Date: Thu, 13 Oct 2005 21:32:51 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cfengine
 Advisory ID:            MDKSA-2005:184
 Date:                   October 13th, 2005

 Affected versions:      10.1, 10.2, 2006.0, Corporate 3.0,
                         Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Javier Fernández-Sanguino Peña discovered several insecure temporary
 file uses in cfengine <= 1.6.5 and <= 2.1.16 which allow local users
 to overwrite arbitrary files via a symlink attack on temporary files
 used by vicf.in. (CAN-2005-2960)
 
 In addition, Javier discovered the cfmailfilter and cfcron.in files
 for cfengine <= 1.6.5 allow local users to overwrite arbitrary files
 via a symlink attack on temporary files. (CAN-2005-3137)
 
 The updated packages have been patched to address this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2960
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3137
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 acf648169c296d474886d1d98752a763  10.1/RPMS/cfengine-1.6.5-4.3.101mdk.i586.rpm
 176cbf5b72aba7c6a2b40daf4ee09c94  10.1/SRPMS/cfengine-1.6.5-4.3.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 a9bed51735d6762fe3e1d66c8657f65a  x86_64/10.1/RPMS/cfengine-1.6.5-4.3.101mdk.x86_64.rpm
 176cbf5b72aba7c6a2b40daf4ee09c94  x86_64/10.1/SRPMS/cfengine-1.6.5-4.3.101mdk.src.rpm

 Mandrivalinux 10.2:
 426fd00421697c85c0e63f527faac7e8  10.2/RPMS/cfengine-2.1.12-7.2.102mdk.i586.rpm
 edd39a03e85f5176a0c28667cc91c388  10.2/RPMS/cfengine-cfservd-2.1.12-7.2.102mdk.i586.rpm
 5c9a0c525c45a802f5d89686123e751c  10.2/SRPMS/cfengine-2.1.12-7.2.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 e75f232aa540e80fb9a12558d0c1f105  x86_64/10.2/RPMS/cfengine-2.1.12-7.2.102mdk.x86_64.rpm
 3680ec121accdf0cdf1830b374d804ee  x86_64/10.2/RPMS/cfengine-cfservd-2.1.12-7.2.102mdk.x86_64.rpm
 5c9a0c525c45a802f5d89686123e751c  x86_64/10.2/SRPMS/cfengine-2.1.12-7.2.102mdk.src.rpm

 Mandrivalinux 2006.0:
 61f3c7fe9cf1a69e889cfa4d476473af  2006.0/RPMS/cfengine-base-2.1.15-2.2.20060mdk.i586.rpm
 5a7d6087787de6a9f98288c415562ced  2006.0/RPMS/cfengine-cfagent-2.1.15-2.2.20060mdk.i586.rpm
 0cd9ecbccf2a0b4e775d6629b1b7416f  2006.0/RPMS/cfengine-cfenvd-2.1.15-2.2.20060mdk.i586.rpm
 5c10e7371d807d4f42f2524f24809a92  2006.0/RPMS/cfengine-cfexecd-2.1.15-2.2.20060mdk.i586.rpm
 0bd54480c32575625f3d42badf59d690  2006.0/RPMS/cfengine-cfservd-2.1.15-2.2.20060mdk.i586.rpm
 1b3213afe77bd75af306a63f746994cd  2006.0/SRPMS/cfengine-2.1.15-2.2.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 e81ea72b0431a8cc40753a6dee7037d2  x86_64/2006.0/RPMS/cfengine-base-2.1.15-2.2.20060mdk.x86_64.rpm
 f997658d8fa1dea25353906141443ba9  x86_64/2006.0/RPMS/cfengine-cfagent-2.1.15-2.2.20060mdk.x86_64.rpm
 bc560e64dc5de8046b9d14be43621a10  x86_64/2006.0/RPMS/cfengine-cfenvd-2.1.15-2.2.20060mdk.x86_64.rpm
 1d3cb518f0266f57c182712350935fb8  x86_64/2006.0/RPMS/cfengine-cfexecd-2.1.15-2.2.20060mdk.x86_64.rpm
 db890abf046c63d91fc5fb60c6b796a8  x86_64/2006.0/RPMS/cfengine-cfservd-2.1.15-2.2.20060mdk.x86_64.rpm
 1b3213afe77bd75af306a63f746994cd  x86_64/2006.0/SRPMS/cfengine-2.1.15-2.2.20060mdk.src.rpm

 Corporate Server 2.1:
 12057e0591bdb14e49b74d5c1c268196  corporate/2.1/RPMS/cfengine-1.6.3-8.3.C21mdk.i586.rpm
 4026484a33d7d324da1dce56fd697842  corporate/2.1/SRPMS/cfengine-1.6.3-8.3.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 4dc4d9a367d056f053af80118cee8886  x86_64/corporate/2.1/RPMS/cfengine-1.6.3-8.3.C21mdk.x86_64.rpm
 4026484a33d7d324da1dce56fd697842  x86_64/corporate/2.1/SRPMS/cfengine-1.6.3-8.3.C21mdk.src.rpm

 Corporate 3.0:
 0c82f22f7ef0f6db35eb5f19caba9d2d  corporate/3.0/RPMS/cfengine-1.6.5-3.3.C30mdk.i586.rpm
 ac84162471431da5f5afae45d48ca5c8  corporate/3.0/SRPMS/cfengine-1.6.5-3.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bb704e30c6f6c0edb0b03d6a6d6c62d3  x86_64/corporate/3.0/RPMS/cfengine-1.6.5-3.3.C30mdk.x86_64.rpm
 ac84162471431da5f5afae45d48ca5c8  x86_64/corporate/3.0/SRPMS/cfengine-1.6.5-3.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTybimqjQ0CJFipgRAnAGAKCwLA12aj2WBEZPLtGTHajy6/2QggCcCkA5
FWV/Ex2QdPdLfLAJjl/YiME=
=RgFb
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
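
The bug class named in the advisory, a temporary file at a predictable path that follows a symlink already planted there, shown next to two hardened shell patterns. This is an added example, not cfengine's code or the Mandriva patch; the function names, the `edit.$$` naming scheme and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the bug class; not code from cfengine or the patch.
# Everything runs inside a private sandbox directory made with mktemp -d.

# Weak pattern: predictable name; '>' follows a symlink already at that path.
write_predictable() {            # $1 = directory, $2 = data
    tmp="$1/edit.$$"             # name is guessable from the PID
    printf '%s\n' "$2" > "$tmp"
}

# Fixed name kept, but noclobber (set -C) makes '>' refuse an existing path.
# The subshell keeps the option from leaking into the caller.
write_noclobber() {              # $1 = directory, $2 = data
    tmp="$1/edit.$$"
    ( set -C; printf '%s\n' "$2" > "$tmp" ) 2>/dev/null
}

# Preferred: mktemp creates the file exclusively, mode 0600, under an
# unpredictable name, and fails instead of reusing an existing path.
write_safe() {                   # $1 = directory, $2 = data
    tmp=$(mktemp "$1/edit.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
}

# Build a sandbox in which the predictable name is already a symlink to a
# stand-in "victim" file (constructed), run one writer, print the victim.
run_case() {                     # $1 = name of one of the writers above
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/edit.$$"
    "$1" "$box" "scratch data" || :   # a refused write is the desired outcome
    cat "$box/victim"
    rm -rf "$box"
}

for w in write_predictable write_noclobber write_safe; do
    printf '%-18s victim now holds: %s\n' "$w" "$(run_case "$w")"
done
```

Only the predictable writer changes the victim file; in a root-run script the same write would land on whatever file the link pointed at.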

