Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -7 articles for you...
89
security advisoryFedorasecurity issuesFedora 20: Security Advisory - perl-Test-Signature Critical Issues
This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update. Security issues: * Module::Signature before version 0.75 could be tricked [More...]. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-5840 2015-04-09 04:58:27 -------------------------------------------------------------------------------- Name : perl-Test-Signature Product : Fedora 20 Version : 1.11 Release : 1.fc20 URL : https://metacpan.org/dist/Test-Signature Summary : Automated SIGNATURE testing Description : Module::Signature allows you to verify that a distribution has not been tampered with. Test::Signature lets that be tested as part of the distribution's test suite. -------------------------------------------------------------------------------- Update Information: This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update. Security issues: * Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries. * When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test". * Module::Signature before version 0.75 used two argument open() calls to read the files when generatingchecksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process. * Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC. -------------------------------------------------------------------------------- ChangeLog: * Wed Apr 8 2015 Paul Howarth - 1.11-1 - Update to 1.11 - Compatibility with Module::Signature 0.75+ - Classify buildreqs by usage - Don't use macros for commands - Avoid clobbering ~/.gnupg for local builds - Make %files list more explicit - Drop %defattr, redundant since rpm 4.4 - Import upstream's GPG key in %prep so we don't need to fetch it from a keyserver when running the signature test * Tue Aug 26 2014 Jitka Plesnikova - 1.10-18 - Perl 5.20 rebuild * Sat Jun 7 2014 Fedora Release Engineering - 1.10-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as signed in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209911 [ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during test phase https://bugzilla.redhat.com/show_bug.cgi?id=1209915 [ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when verifying module signatures https://bugzilla.redhat.com/show_bug.cgi?id=1209917 [ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some circumstances https://bugzilla.redhat.com/show_bug.cgi?id=1209918 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum updateperl-Test-Signature' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Apr 18, 2015
•Critical
Fedora
98
security advisorybug fiximportant advisoryRed Hat OpenStack 3: RHSA-2013:0992-01 Critical: Python-Keystoneclient Flaw
Updated python-keystoneclient packages that fix two security issues, one bug, and add one enhancement are now available for Red Hat OpenStack 3.0 (Grizzly) Preview. [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Important: python-keystoneclient security, bug fix, and enhancement update Advisory ID: RHSA-2013:0992-01 Product: Red Hat OpenStack Advisory URL: https://access.redhat.com/errata/RHSA-2013:0992.html Issue date: 2013-06-27 CVE Names: CVE-2013-2166 CVE-2013-2167 ==================================================================== 1. Summary: Updated python-keystoneclient packages that fix two security issues, one bug, and add one enhancement are now available for Red Hat OpenStack 3.0 (Grizzly) Preview. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: OpenStack 3 - noarch 3. Description: Python-keystoneclient is the client library and command line utility for interacting with the OpenStack identity API. A flaw was found in the way python-keystoneclient handled encrypted data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to ENCRYPT to help prevent tampering, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to bypass intended restrictions and modify data in memcached that will later be used by services utilizing python-keystoneclient (such as Nova, Cinder, Swift, Glance, and so on). (CVE-2013-2166) A flaw was found in the way python-keystoneclient verified data from memcached. Even when the memcache_security_strategy setting in "/etc/swift/proxy-server.conf" was set to MAC to performsignature checking, an attacker on the local network, or possibly an unprivileged user in a virtual machine hosted on OpenStack, could use this flaw to modify data in memcached that will later pass signature checking in python-keystoneclient. (CVE-2013-2167) Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Paul McMillan of Nebula as the original reporter. This update also fixes the following bug: * python-webob1.2 (which can be installed in parallel with python-webob1.0) was not found by python-keystoneclient. Attempting to import python-webob from python-keystoneclient failed with a stack trace. This could also be observed with other applications using python-keystoneclient, such as OpenStack Swift. With this update, python-keystoneclient can import python-webob1.2 independently from other installed versions. (BZ#971026) Additionally, this update adds the following enhancement: * This update adds support for Amazon Web Services (AWS) Signature Version 4 to python-keystoneclient. This makes python-keystoneclient compatible with future versions of python-boto, which will use Signature Version 4 by default. (BZ#970134) All users of Red Hat OpenStack 3.0 (Grizzly) Preview are advised to install these updated packages, which correct these issues and add this enhancement. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 971026 - Dependancy issue prevents swift proxy from starting 974271 - CVE-2013-2166 CVE-2013-2167 python-keystoneclient: middleware memcache encryption and signing bypass 6. Package List: OpenStack 3: Source: noarch: python-keystoneclient-0.2.3-5.el6ost.noarch.rpm python-keystoneclient-doc-0.2.3-5.el6ost.noarch.rpm These packages are GPG signed byRed Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2013-2166 https://access.redhat.com/security/cve/CVE-2013-2167 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2013 Red Hat, Inc. . Critical notice regarding python-keystoneclient addressing vulnerabilities and improvements in Red Hat OpenStack 3.0.. python-keystoneclient Update, OpenStack Security, Red Hat Advisory. . Severity: Important. LinuxSecurity.com Team
Jun 27, 2013
•Important
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!