Home page logo

oss-sec logo oss-sec mailing list archives

[Security hardening] [Notification] haproxy (previously) failed to drop supplementary groups after setuid / setgid calls properly
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 23 Jan 2013 11:25:56 -0500 (EST)

Hello vendors,

  just FYI notification that haproxy upstream has recently corrected [2]
improper dropping of supplementary groups [1] after setuid / setgid

We have further investigated this issue and have reasons to believe that 
by itself this is NOT a security issue (another flaw would need to be
found in haproxy this to be actually possible to use for something interesting).

For now we are considering this fix to be a preventive measure / security
hardening (but took the time to notify you explicitly about this as you might
still want to backport it into affected versions).

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: [1] https://bugzilla.redhat.com/show_bug.cgi?id=894626
      [2] http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=ab012dd3

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]