Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -6 articles for you...
89
security advisorymoderateFedoraFedora 34: FEDORA-2021-cdbd827c1e Moderate: Squashfs-tools Path Issue
4.5 release (includes security fix for CVE-2021-40153). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2021-cdbd827c1e 2021-08-30 20:41:05.623010 --------------------------------------------------------------------------------Name : squashfs-tools Product : Fedora 34 Version : 4.5 Release : 2.fc34 URL : https://codeload.github.com/plougher/squashfs-tools/tar.gz/refs/tags/4.5 Summary : Utility for the creation of squashfs filesystems Description : Squashfs is a highly compressed read-only filesystem for Linux. This package contains the utilities for manipulating squashfs filesystems. --------------------------------------------------------------------------------Update Information: 4.5 release (includes security fix for CVE-2021-40153) --------------------------------------------------------------------------------ChangeLog: * Mon Jul 26 2021 Bruno Wolff III - 4.5-2 - Fix for sparse fragment bug 1985561 * Fri Jul 23 2021 Bruno Wolff III - 4.5-1 - First crack at 4.5 release - Man pages still need significant work --------------------------------------------------------------------------------References: [ 1 ] Bug #1998621 - CVE-2021-40153 squashfs-tools: unvalidated filepaths allow writing outside of destination https://bugzilla.redhat.com/show_bug.cgi?id=1998621 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-cdbd827c1e' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Aug 30, 2021
Fedora
91
security advisorygentoorace conditionGentoo: GLSA-201709-12 Normal: Perl Race Condition Threat
A vulnerability in module File::Path for Perl allows local attackers to set arbitrary mode values on arbitrary files bypassing security restrictions. [More...]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201709-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Perl: Race condition vulnerability Date: September 17, 2017 Bugs: #620304 ID: 201709-12 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A vulnerability in module File::Path for Perl allows local attackers to set arbitrary mode values on arbitrary files bypassing security restrictions. Background ========= File::Path module provides a convenient way to create directories of arbitrary depth and to delete an entire directory subtree from the filesystem. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/perl < 5.24.1-r2 > = 5.24.1-r2 2 perl-core/File-Path < 2.130.0 > = 2.130.0 3 virtual/perl-File-Path < 2.130.0 > = 2.130.0 ------------------------------------------------------------------- 3 affected packages Description ========== A race condition occurs within concurrent environments. This condition was discovered by The cPanel Security Team in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl. This is due to the time-of-check-to-time-of-use (TOCTOU) race condition between the stat() that decides the inode is a directory and the chmod() that tries to make ituser-rwx. Impact ===== A local attacker could exploit this condition to set arbitrary mode values on arbitrary files and hence bypass security restrictions. Workaround ========= There is no known workaround at this time. Resolution ========= All Perl users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-lang/perl-5.24.1-r2" All File-Path users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =perl-core/File-Path-2.130.0" All Perl-File-Path users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =virtual/perl-File-Path-2.130.0" References ========= [ 1 ] CVE-2017-6512 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201709-12 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Sep 17, 2017
Gentoo
98
security advisorymoderatesecurity issueRed Hat Enterprise Linux 5: RHSA-2010:0458-02 Moderate Perl Security Update
Updated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Moderate: perl security update Advisory ID: RHSA-2010:0458-02 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2010:0458.html Issue date: 2010-06-07 CVE Names: CVE-2008-5302 CVE-2008-5303 CVE-2010-1168 CVE-2010-1447 ==================================================================== 1. Summary: Updated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: Perl is a high-level programming language commonly used for system administration utilities and web programming. The Safe extension module allows users to compile and execute Perl code in restricted compartments. The File::Path module allows users to create and remove directory trees. The Safe module did not properly restrict the code of implicitly called methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe when such objects were accessed or destroyed. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions. (CVE-2010-1168) The Safe module did notproperly restrict code compiled in a Safe compartment and executed out of the compartment via a subroutine reference returned as a result of unsafe code evaluation. A specially-crafted Perl script executed inside of a Safe compartment could use this flaw to bypass intended Safe module restrictions, if the returned subroutine reference was called from outside of the compartment. (CVE-2010-1447) Multiple race conditions were found in the way the File::Path module's rmtree function removed directory trees. A malicious, local user with write access to a directory being removed by a victim, running a Perl script using rmtree, could cause the permissions of arbitrary files to be changed to world-writable and setuid, or delete arbitrary files via a symbolic link attack, if the victim had the privileges to change the permissions of the target files or to remove them. (CVE-2008-5302, CVE-2008-5303) Red Hat would like to thank Tim Bunce for responsibly reporting the CVE-2010-1168 and CVE-2010-1447 issues. Upstream acknowledges Nick Cleaton as the original reporter of CVE-2010-1168, and Tim Bunce and Rafa . The latest security patch for Perl on Red Hat Enterprise Linux addresses multiple vulnerabilities that pose risks to system integrity.. perl security update, Red Hat Enterprise Linux, moderate advisory. . LinuxSecurity.com Team
Jun 07, 2010
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!