Explore top 10 tips to secure your open-source projects now. Read More
×
Update to bugfix release 2015.5.8. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2016-105b3b8804 2016-01-15 20:06:26.124999 -------------------------------------------------------------------------------- Name : salt Product : Fedora 23 Version : 2015.5.8 Release : 1.fc23 URL : https://saltproject.io Summary : A parallel remote execution system Description : Salt is a distributed remote execution system used to execute commands and query data. It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster and more malleable. Salt accomplishes this via its ability to handle larger loads of information, and not just dozens, but hundreds or even thousands of individual servers, handle them quickly and through a simple and manageable interface. -------------------------------------------------------------------------------- Update Information: Update to bugfix release 2015.5.8 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1212784 - CVE-2015-1838 salt: insecure /tmp file handling in salt/modules/serverdensity_device.py https://bugzilla.redhat.com/show_bug.cgi?id=1212784 [ 2 ] Bug #1212788 - CVE-2015-1839 salt: insecure /tmp file handling in salt/modules/chef.py https://bugzilla.redhat.com/show_bug.cgi?id=1212788 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update salt' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-10520 2015-06-23 03:02:16 -------------------------------------------------------------------------------- Name : trafficserver Product : Fedora 21 Version : 5.3.0 Release : 1.fc21 URL : https://trafficserver.apache.org/index.html Summary : Fast, scalable and extensible HTTP/1.1 compliant caching proxy server Description : Apache Traffic Server is a fast, scalable and extensible HTTP/1.1 compliant caching proxy server. -------------------------------------------------------------------------------- Update Information: https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x -------------------------------------------------------------------------------- ChangeLog: * Sun Jun 21 2015 Peter Robinson 5.3.0-1 - Update to 5.3.0 LTS release - Build on aarch64 and power64 - Split perl bindings to sub package - Cleanup and modernise spec * Fri Jun 19 2015 Fedora Release Engineering - 5.0.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Sat May 2 2015 Kalev Lember - 5.0.1-3 - Rebuilt for GCC 5 C++11 ABI change * Mon Jan 26 2015 Petr Machata - 5.0.1-2 - Rebuild for boost 1.57.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1102559 - Add AArch64 support to trafficserver https://bugzilla.redhat.com/show_bug.cgi?id=1102559 [ 2 ] Bug #1103173 - trafficserver: insecure temporary file usage [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1103173 [ 3 ] Bug #1179204 - trafficserver: incorrect handling of "Max-Forwards" header [fedora-21] https://bugzilla.redhat.com/show_bug.cgi?id=1179204 [ 4 ] Bug #1103174 - trafficserver: insecure temporary file usage [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1103174 [ 5 ] Bug #1133387 - CVE-2014-3525trafficserver: unspecified flaw related to health checks fixed in versions 4.2.1.1 and 5.0.1 [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1133387 [ 6 ] Bug #1179205 - trafficserver: incorrect handling of "Max-Forwards" header [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1179205 [ 7 ] Bug #994224 - trafficserver must be compiled with -fno-strict-aliasing, but it is not https://bugzilla.redhat.com/show_bug.cgi?id=994224 [ 8 ] Bug #955127 - trafficserver package should be built with PIE flags https://bugzilla.redhat.com/show_bug.cgi?id=955127 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update trafficserver' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Updated nagios packages that fix two security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: nagios security update Advisory ID: RHSA-2013:1526-01 Product: Red Hat OpenStack Advisory URL: https://access.redhat.com/errata/RHSA-2013:1526.html Issue date: 2013-11-18 CVE Names: CVE-2013-2029 CVE-2013-4214 ==================================================================== 1. Summary: Updated nagios packages that fix two security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: OpenStack 3 - x86_64 3. Description: Nagios is a program that can monitor hosts and services on your network. It can send email or page alerts when problems arise and when problems are resolved. Multiple insecure temporary file creation flaws were found in Nagios. A local attacker could use these flaws to cause arbitrary files to be overwritten as the root user via a symbolic link attack. (CVE-2013-2029, CVE-2013-4214) These issues were discovered by Grant Murphy of the Red Hat Product Security Team. All users of Nagios are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to applythis update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 958002 - CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage 958015 - CVE-2013-2029 Nagios core: Insecure temporary file usage in nagios.upgrade_to_v3.sh 6. Package List: OpenStack 3: Source: x86_64: nagios-3.5.1-2.el6ost.x86_64.rpm nagios-common-3.5.1-2.el6ost.x86_64.rpm nagios-debuginfo-3.5.1-2.el6ost.x86_64.rpm nagios-devel-3.5.1-2.el6ost.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2013-2029 https://access.redhat.com/security/cve/CVE-2013-4214 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSimqoXlSAg2UNWIIRAhCNAJ0QdH76LO0n6AYxlgcviwSfjpHNlACbBnMi mpULJVQPP3dZZcXvhYu2DnE=SViK -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Multiple insecure temporary file usage flaws were identified in the get-maptools.sh and get_shapelib.sh scripts shipped in xastir packages. As those scripts are not needed with Fedora-distributed xastir packages (they automate installation of libraries used by xastir, which are provided in the Fedora archive in the pre-packaged RPM format), they were removed.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2008-7541 2008-09-05 10:50:44 --------------------------------------------------------------------------------Name : xastir Product : Fedora 9 Version : 1.9.2 Release : 9.fc9 URL : Summary : Amateur Station Tracking and Reporting system for amateur radio Description : Xastir is a graphical application that interfaces HAM radio and internet access to realtime mapping software. Install XASTIR if you are interested in APRS(tm) and HAM radio software. --------------------------------------------------------------------------------Update Information: Multiple insecure temporary file usage flaws were identified in the get-maptools.sh and get_shapelib.sh scripts shipped in xastir packages. As those scripts are not needed with Fedora-distributed xastir packages (they automate installation of libraries used by xastir, which are provided in the Fedora archive in the pre-packaged RPM format), they were removed. --------------------------------------------------------------------------------ChangeLog: * Thu Aug 28 2008 Lucian Langa - 1.9.2-9 - drop uneeded and potential risky files (bug #460429) * Thu Aug 28 2008 Lucian Langa - 1.9.2-8 - fix insecure auxiliary /tmp file usage bug #460429 * Tue Jul 8 2008 Lucian Langa - 1.9.2-7 - Rebuild against newer db4 headers/libs * Fri Jun 6 2008 Lucian Langa - 1.9.2-6 - Rebuild against gpsman, festival, Berkley DB, gdal * Sun May 18 2008 Lucian Langa - 1.9.2-5 - Patch for newer wgetsupport --------------------------------------------------------------------------------References: [ 1 ] Bug #460429 - xastir: Insecure auxiliary /tmp file usage (symlink attack possible) https://bugzilla.redhat.com/show_bug.cgi?id=460429 --------------------------------------------------------------------------------This update can be installed with the "yum" update program. Use su -c ''yum update xastir'' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ Fedora-package-announce mailing list
Stephen Gran and Mark Hymers discovered that some scripts run by GForge, a collaborative development tool, open files in write mode in a potentially insecure manner. This may be exploited to overwrite arbitary files on the local system. . - ------------------------------------------------------------------------Debian Security Advisory DSA-1577-1
The previous update for policyd-weight was unfortunately not complete. Updated packages have been released that fully address the vulnerability. For reference the original advisory follows.. - ------------------------------------------------------------------------Debian Security Advisory DSA-1531-2
Vobcopy uses temporary files in an insecure manner, allowing for a symlink attack.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200803-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Vobcopy: Insecure temporary file creation Date: March 05, 2008 Bugs: #197578 ID: 200803-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Vobcopy uses temporary files in an insecure manner, allowing for a symlink attack. Background ========= Vobcopy is a tool for decrypting and copying DVD .vob files to a hard disk. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-video/vobcopy < 1.1.0 > = 1.1.0 Description ========== Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. Impact ===== A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy. Workaround ========= There is no known workaround at this time. Resolution ========= All Vobcopy users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =media-video/vobcopy-1.1.0" References ========= [ 1 ] CVE-2007-5718 https://www.cve.org/CVERecord?id=CVE-2007-5718 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/200803-11 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to
Steve Kemp from the Debian Security Audit project discovered that gfax, a GHOME frontend for fax programs, uses temporary files in an unsafe manner which may be exploited to execute arbitary commands with the privileges of the root user.. - ------------------------------------------------------------------------Debian Security Advisory DSA-1329-1
Get the latest Linux and open source security news straight to your inbox.