Date:         Tue, 25 Nov 2008 13:41:49 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for tog-pegasus on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Important: tog-pegasus security update
Issue date:	2008-11-25
CVE Names:	CVE-2008-4313 CVE-2008-4315

Scientific Linux defines additional security enhancements for OpenGroup Pegasus 
WBEM services in addition to those defined by the upstream OpenGroup Pegasus
release.

After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these
additional security enhancements were no longer being applied. As a
consequence, access to OpenPegasus WBEM services was not restricted to the
dedicated users. An attacker able to authenticate using a valid user account 
could use this flaw to send requests to WBEM services. (CVE-2008-4313)

Note: default SELinux policy prevents tog-pegasus from modifying system
files. This flaw's impact depends on whether or not tog-pegasus is confined
by SELinux, and on any additional CMPI providers installed and enabled on a
particular system.

Failed authentication attempts against the OpenPegasus CIM server were not
logged to the system log. An attacker could use this flaw to perform password 
guessing attacks against a user account without leaving traces in the system 
log. (CVE-2008-4315)

SL 5.x

    SRPMS:
tog-pegasus-2.7.0-2.el5_2.1.src.rpm
    i386:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
    x86_64:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm

-Connie Sieh
-Troy Dawson
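
An added example, not part of the original errata mail: a check of whether installed tog-pegasus packages are older than the fixed build listed above (2.7.0-2.el5_2.1). The hostnames and inventory are constructed, the comparison is a simplified form of RPM's version ordering, and the epoch is assumed equal because default `rpm -q` output does not show it.

```python
import re

# Fixed build from the advisory's package list: tog-pegasus-2.7.0-2.el5_2.1
# Assumption: epoch is equal on both sides (default `rpm -q` output omits it).
FIXED_VERSION, FIXED_RELEASE = "2.7.0", "2.el5_2.1"
PACKAGES = {"tog-pegasus", "tog-pegasus-devel"}

def rpmvercmp(a, b):
    """Segment-wise RPM string comparison, simplified (no '~' or '^'). Returns -1, 0, 1."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def split_nvra(nvra):
    """'tog-pegasus-2.7.0-2.el5_2.1.i386' -> (name, version, release, arch)."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def older_than_fixed(nvra):
    """True if nvra is a tog-pegasus package built before the errata's build."""
    name, version, release, _ = split_nvra(nvra)
    if name not in PACKAGES:
        return False
    c = rpmvercmp(version, FIXED_VERSION)
    return c < 0 or (c == 0 and rpmvercmp(release, FIXED_RELEASE) < 0)

# Constructed inventory (hostnames and the non-errata builds are made up),
# in the form printed by `rpm -q tog-pegasus tog-pegasus-devel` on each host.
INVENTORY = {
    "node01": ["tog-pegasus-2.7.0-2.el5_2.1.x86_64", "tog-pegasus-2.7.0-2.el5_2.1.i386"],
    "node02": ["tog-pegasus-2.7.0-2.el5.i386", "tog-pegasus-devel-2.7.0-2.el5.i386"],
    "node03": ["openssh-4.3p2-26.el5.i386"],
}

def hosts_needing_update(inventory):
    """Hosts with at least one tog-pegasus package older than the fixed build."""
    return sorted(h for h, pkgs in inventory.items() if any(older_than_fixed(p) for p in pkgs))

if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(host, "needs the tog-pegasus errata")
```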

SciLinux: CVE-2008-4313 tog-pegasus SL5.x i386/x86_64
