Important: rpm security update
Date: Tue, 9 Dec 2014 09:04:23 -0600
Reply-To: Pat Riehecky
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Subject: FASTBUGS for SL 7x x86_64 now available
The following FASTBUGS have been uploaded to
x86_64:
kmod-bnx2x-1.710.51-3.el7_0.x86_64.rpm
kmod-bnx2x-firmware-1.710.51-3.el7_0.x86_64.rpm
resource-agents-3.9.5-26.el7_0.6.x86_64.rpm
Date: Wed, 10 Dec 2014 15:59:56 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
From: Pat Riehecky
Subject: Security ERRATA Important: rpm on SL7.x x86_64
Synopsis: Important: rpm security update
Advisory ID: SLSA-2014:1976-1
Issue Date: 2014-12-09
CVE Numbers: CVE-2013-6435, CVE-2014-8118
--
It was found that RPM wrote file contents to the target installation
directory under a temporary name, and verified its cryptographic signature
only after the temporary file had been written completely. Under certain
conditions, the system interprets the unverified temporary file contents
and extracts commands from it. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation. (CVE-2013-6435)

It was found that RPM could encounter an integer overflow, leading to a
stack-based buffer overflow, while parsing a crafted CPIO header in the
payload section of an RPM file. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation. (CVE-2014-8118)

All running applications linked against the RPM library must be restarted
for this update to take effect.
--
SL7
x86_64
rpm-4.11.1-18.el7_0.x86_64.rpm
rpm-build-4.11.1-18.el7_0.x86_64.rpm
rpm-build-libs-4.11.1-18.el7_0.i686.rpm
rpm-build-libs-4.11.1-18.el7_0.x86_64.rpm
rpm-debuginfo-4.11.1-18.el7_0.i686.rpm
rpm-debuginfo-4.11.1-18.el7_0.x86_64.rpm
rpm-libs-4.11.1-18.el7_0.i686.rpm
rpm-libs-4.11.1-18.el7_0.x86_64.rpm
rpm-python-4.11.1-18.el7_0.x86_64.rpm
rpm-devel-4.11.1-18.el7_0.i686.rpm
rpm-devel-4.11.1-18.el7_0.x86_64.rpm
rpm-sign-4.11.1-18.el7_0.x86_64.rpm
noarch
rpm-apidocs-4.11.1-18.el7_0.noarch.rpm
rpm-cron-4.11.1-18.el7_0.noarch.rpm
- Scientific Linux Development Team
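
A check for the restart requirement stated in the advisory, as an added example that is not part of the original announcement or of Scientific Linux tooling: it lists processes that still map a replaced librpm* shared object, which the kernel marks "(deleted)" in /proc/PID/maps. The function names, the alternate proc root argument and the sample tree (PIDs, process names, addresses) are constructed for illustration.

```shell
#!/bin/sh
# List processes still mapping a replaced (unlinked) librpm* shared object.
# After the update replaces the file on disk, the old mapping appears in
# /proc/PID/maps with a trailing "(deleted)"; those processes still run old code.

stale_rpm_pids() {
    proc_root="${1:-/proc}"   # alternate root is an assumption, used by the demo
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Matches librpm, librpmio, librpmbuild, ... only when marked deleted.
        if grep -Eq '/librpm[a-z]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}; pid=${pid##*/}
            name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample tree (not real process data) covering three cases:
# stale librpm mapping, current librpm mapping, unrelated deleted library.
demo_stale_rpm_pids() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/202" "$d/303"
    echo pkg-agent > "$d/101/comm"
    echo '7f10a000-7f10b000 r-xp 00000000 fd:00 1311 /usr/lib64/librpm.so.3 (deleted)' > "$d/101/maps"
    echo yum > "$d/202/comm"
    echo '7f20a000-7f20b000 r-xp 00000000 fd:00 1422 /usr/lib64/librpmio.so.3' > "$d/202/maps"
    echo sshd > "$d/303/comm"
    echo '7f30a000-7f30b000 r-xp 00000000 fd:00 1533 /usr/lib64/libz.so.1 (deleted)' > "$d/303/maps"
    stale_rpm_pids "$d"
    rm -rf "$d"
}

demo_stale_rpm_pids      # prints: 101 pkg-agent
stale_rpm_pids /proc     # real scan; run as root to see every process
```

Any PID the real scan prints belongs to a process that loaded the RPM library before the update and needs a restart.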