Fedora 21: abrt Security Update 2015-10193
Summary
abrt is a tool to help users to detect defects in applications and
to create a bug report with all information needed by maintainer to fix it.
It uses plugin system to extend its functionality.
Update Information:
Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
====* Move the default dump location from /var/tmp/abrt to /var/spool/abrt
* Use root for owner of all dump directories
* Stop reading hs_error.log from /tmp
* Don not save the system logs by default
* Don not save dmesg if kernel.dmesg_restrict=1
libreport:
=========* Harden the code against directory traversal, symbolic and hard link attacks
* Fix a bug causing that the first value of AlwaysExcludedElements was ignored
* Fix missing icon for the "Stop" button icon name
* Improve development documentation
* Translations updates
gnome-abrt: ==========* Use DBus to get problem data for detail dialog * Fix an error introduced with the details on System page * Enabled the Details also for the System problems
Change Log
* Mon Jun 22 2015 Matej Habrnal
References
[ 1 ] Bug #1214609 - CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1214609 [ 2 ] Bug #1216975 - CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-install-debuginfo-to-abrt-cache [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1216975 [ 3 ] Bug #1214452 - CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1214452 [ 4 ] Bug #1212871 - CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1212871 [ 5 ] Bug #1212821 - CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1212821 [ 6 ] Bug #1213485 - Can't extract files from downloaded debuginfo package https://bugzilla.redhat.com/show_bug.cgi?id=1213485 [ 7 ] Bug #1169774 - failure to extract debuginfo https://bugzilla.redhat.com/show_bug.cgi?id=1169774 [ 8 ] Bug #1193656 - abrt-gui renders crash list white-on-white when using dark theme https://bugzilla.redhat.com/show_bug.cgi?id=1193656 [ 9 ] Bug #986876 - RFE: Disallow core dump upload entirely https://bugzilla.redhat.com/show_bug.cgi?id=986876 [ 10 ] Bug #1212865 - CVE-2015-1869 abrt: default event scripts follow symbolic links [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1212865 [ 11 ] Bug #1218239 - CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1218239 [ 12 ] Bug #1179752 - undocumented options in abrt-cli https://bugzilla.redhat.com/show_bug.cgi?id=1179752
Update Instructions
This update can be installed with the "yum" update program. Use su -c 'yum update abrt' at the command line. For more information, refer to "Managing Software with yum", available at .