oss-sec: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly

oss-sec mailing list archives

[Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 23 Jan 2013 11:25:56 -0500 (EST)

Hello vendors,

  just FYI notification that haproxy upstream has recently corrected [2]
improper dropping of supplementary groups [1] after setuid / setgid
calls.

We have further investigated this issue and have reasons to believe that 
by itself this is NOT a security issue (another flaw would need to be
found in haproxy this to be actually possible to use for something interesting).

For now we are considering this fix to be a preventive measure / security
hardening (but took the time to notify you explicitly about this as you might
still want to backport it into affected versions).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: [1] https://bugzilla.redhat.com/show_bug.cgi?id=894626
      [2] http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

By Date By Thread

Current thread:

[Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Jan Lieskovsky (Jan 23)
- Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Kurt Seifried (Jan 25)
  - Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Steve Grubb (Jan 25)
    - Re: [Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly Willy Tarreau (Jan 29)