Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 516
Alerts This Week
Warning Icon 1 516

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found -3 articles for you...
91

Gentoo: GLSA-200611-23 Normal: Mono Security Flaw in Temp File Management

Mono is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200611-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mono: Insecure temporary file creation Date: November 28, 2006 Bugs: #150264 ID: 200611-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Mono is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files. Background ========= Mono provides the necessary software to develop and run .NET client and server applications. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/mono < 1.1.13.8.1 > = 1.1.13.8.1 Description ========== Sebastian Krahmer of the SuSE Security Team discovered that the System.CodeDom.Compiler classes of Mono create temporary files with insecure permissions. Impact ===== A local attacker could create links in the temporary file directory, pointing to a valid file somewhere on the filesystem. When an affected class is called, this could result in the file being overwritten with the rights of the user running the script. Workaround ========= There is no known workaround at this time. Resolution ========= All Mono users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-lang/mono-1.1.13.8.1" References ========= [ 1 ] CVE-2006-5072 https://www.cve.org/CVERecord?id=CVE-2006-5072 Availability =========== ThisGLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/200611-23 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org/. License ====== Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . A nearby user may take advantage of Mono's vulnerable file generation, endangering existing files. Update suggested for enhanced security.. Gentoo Mono Security, Temporary File Risks, Local File Overwrite. . LinuxSecurity.com Team

Calendar%202 Nov 28, 2006 Gentoo
89

Fedora Core 2 FEDORA-2004-547 Moderate: Flim Cache Temp File Issue

Update to 1.14.7 release, which also fixes CAN-2004-0422.. ---------------------------------------------------------------------Fedora Update Notification FEDORA-2004-546 2004-12-15 ---------------------------------------------------------------------Product : Fedora Core 2 Name : flim Version : 1.14.7 Release : 0.FC2 Summary : Basic library for handling email messages for Emacs Description : FLIM is a library to provide basic features about message representation and encoding for Emacs. ---------------------------------------------------------------------Update Information: Update to 1.14.7 release, which also fixes CAN-2004-0422. ---------------------------------------------------------------------* Fri Dec 10 2004 Jens Petersen - 1.14.7-0.FC2 - backport FC3 package: - update to 1.14.7 release - includes fix for CAN-2004-0422 temp file vulnerability (124395) - drop requirements on emacs/xemacs for -nox users (Lars Hupfeldt Nielsen, 134479) - better url and summary - remove redundant docs, large changelog and tests (Warren Togami) ---------------------------------------------------------------------This update can be downloaded from: 07853817dad670bc579823fcd6da5b2e SRPMS/flim-1.14.7-0.FC2.src.rpm 12d318c9aa08ff9cacb9adb18ac7004f x86_64/flim-1.14.7-0.FC2.noarch.rpm 09f68ea43c5ada22faf6335b4cf580cc x86_64/flim-xemacs-1.14.7-0.FC2.noarch.rpm 12d318c9aa08ff9cacb9adb18ac7004f i386/flim-1.14.7-0.FC2.noarch.rpm 09f68ea43c5ada22faf6335b4cf580cc i386/flim-xemacs-1.14.7-0.FC2.noarch.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. -----------------------------------------------------------------------fedora-announce-list mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Fedora Core 2 has upgraded flim to version 1.14.7, addressing CAN-2004-0422 related to temporary file security issues. For more details about this update, click here. FedoraCore 2, Flim Update, CAN-2004-0422 Fix. . LinuxSecurity.com Team

Calendar%202 Dec 15, 2004 Fedora
98

Red Hat Linux 7.0 RHSA-2002:202-25 Critical: Python Temp File Risk

Zack Weinberg discovered that os._execvpe from os.py in Python

Calendar%202 Jan 21, 2003 Red Hat
87

Debian: DSA-016-2 Moderate: Wu-FTPD Temp File and Exploit Risk

This additional advisory only announces a recompile of the package forthe Intel ia32 architecture.. - ---------------------------------------------------------------------------- Debian Security Advisory DSA-016-2 This email address is being protected from spambots. You need JavaScript enabled to view it. Debian -- Security Information Martin Schulze January 24, 2001 - ---------------------------------------------------------------------------- Package : wu-ftpd Vulnerability : temp file creation and format string Debian-specific: no Security people at WireX have noticed a temp file creation bug and the WU-FTPD development team has found a possible format string bug in wu-ftpd. Both could be remotely exploited, though no such exploit exists currently. This additional advisory only announces a recompile of the package for the Intel ia32 architecture. The upload from yesterday was lacking PAM support. This only required a recompile and contains no other fixes. For upgrading please use wget url will fetch the file for you dpkg -i file.deb will install the referenced file. Or use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 2.2 alias potato - ------------------------------------ Intel ia32 architecture: MD5 checksum: e0521153d6c9c23082edb29cc8d03fd3 These files will be moved into soon. - ---------------------------------------------------------------------------- For apt-get: deb Debian -- Security Information stable/updates main For dpkg-ftp: dists/stable/updates/main Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. Package info: `apt-cache show ' and https://www.debian.org/distrib/packages . Debian announces a recompile of Wu-FTPD to mitigate temp file and format string exploit risks. Upgrade recommended.. Debian Security Advisory, wu-ftpd update, remote exploit, file creation issue, ia32 architecture. . LinuxSecurity.com Team

Calendar%202 Jan 23, 2001 Debian
87

Debian: 1.4-10 Critical Advisory For Elvis-Tiny Temp File Race Condition

Topi Miettinen audited elvis-tiny and raised an issue covering the useand creation of temporary files.. - ------------------------------------------------------------------------ Debian Security Advisory This email address is being protected from spambots. You need JavaScript enabled to view it. Debian -- Security Information Martin Schulze November 22, 2000 - ------------------------------------------------------------------------ Package : elvis-tiny Problem type : /tmp-file vulnerability Debian-specific: no Topi Miettinen audited elvis-tiny and raised an issue covering the use and creation of temporary files. Those files are created with a predictable pattern and O_EXCL flag is not used when opening. This makes users of elvis-tiny vulnerable to race conditions and/or data lossage. This problem has been fixed in version 1.4-10 and we recommend that you upgrade your elvis-tiny packages immediately. This problem does not exist in the big elvis package. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. Debian GNU/Linux 2.1 alias slink - -------------------------------- Slink is no longer being supported by the Debian Security Team. We highly recommend an upgrade to the current stable release. Debian GNU/Linux 2.2 alias potato - --------------------------------- Potato was released for the Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and Sun SPARC architectures. Fixes are available for all of them and will be included in 2.2r2. Source archives: MD5 checksum: d9c3bac777d0981f7ff5e9348dc93a4d MD5 checksum: eaec6ff7d7796260ef1a956ce1089bdd MD5 checksum: 884cc10828f6a134dfdc218a6cb0cb0e Alpha architecture: MD5 checksum: 2590ee56961063492e4ea9042405cff0 ARM architecture: MD5 checksum: 7e7d705d069d12f9a6f2aafd887f16d5 Intel ia32 architecture: MD5 checksum: 5c53b7b9b8f9f61e64d39f51a57a684c Motorola 680x0 architecture: MD5 checksum:c4198630e2860fb4ed0acc3f2d28f3fa PowerPC architecture: MD5 checksum: e2578f19a8d8ebac6b68e7bccb4a263d Sun Sparc architecture: MD5 checksum: 15c862e3debe027092edba3ab4ae62b3 These files will be moved into soon. Debian GNU/Linux Unstable alias woody - ------------------------------------- This version of Debian is not yet released. Fixes are already installed in the archive for Alpha, ARM and Intel ia32. Fixes for Motorola 680x0, PowerPC, and SPARC will be made available in the Debian archive over the next several days. For not yet released architectures please refer to the appropriate directory . - ---------------------------------------------------------------------------- apt-get: deb Debian -- Security Information stable/updates main dpkg-ftp: dists/stable/updates/main Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. Package info: `apt-cache show ' and https://www.debian.org/distrib/packages . The Debian Security Advisory warns users of elvis-tiny about a critical temp file risk, urging immediate updates to prevent data loss.. Debian Security Advisory, elvis-tiny, temp files. . LinuxSecurity.com Team

Calendar%202 Nov 22, 2000 Debian
98

Red Hat 5.0-7.0: RHSA-2000:114-03 Critical Ghostscript Issue

ghostscript makes use of mktemp instead of mkstemp to create temp files.. ` --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: ghostscript uses mktemp instead of mkstemp, and uses an improper LD_RUN_PATH Advisory ID: RHSA-2000:114-03 Issue date: 2000-11-22 Updated on: 2000-11-22 Product: Red Hat Linux Keywords: ghostscript mktemp LD_RUN_PATH Cross references: N/A --------------------------------------------------------------------- 1. Topic: ghostscript makes use of mktemp instead of mkstemp to create temp files; and also uses improper LD_RUN_PATH values, causing it to search for libraries in the current directory. 2. Relevant releases/architectures: Red Hat Linux 5.0 - i386, alpha, sparc Red Hat Linux 5.1 - i386, alpha, sparc Red Hat Linux 5.2 - i386, alpha, sparc Red Hat Linux 6.0 - i386, alpha, sparc Red Hat Linux 6.1 - i386, alpha, sparc Red Hat Linux 6.2 - i386, alpha, sparc Red Hat Linux 7.0 - i386 3. Problem description: ghostscript makes use of mktemp to create temp files, which is an insecure and predictable apporoach, it is now patched to use mkstemp, which avoid the race condition on the name. It also uses improper LD_RUN_PATH values, causing ghostscript to search for libraries to load in current directorys. 4. Solution: For each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. 5. Bug IDs fixed ( for more info): 20924 - gs reads libraries from current directory 6. RPMs required: Red Hat Linux 5.2: alpha: sparc: i386: sources: Red Hat Linux 6.2: alpha: sparc: i386: sources: Red Hat Linux 7.0: i386: sources: 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- d44d8436655d25ca53d0c4a87c5c7c77 5.2/SRPMS/ghostscript-4.03-2.src.rpm 1c8363a912a6f538312b3e457664d0eb 5.2/alpha/ghostscript-4.03-2.alpha.rpm e11e7ec51f8e6051e50c5a93738f49ed 5.2/i386/ghostscript-4.03-2.i386.rpm d3550b9fa695207b1405ce12a848eae2 5.2/sparc/ghostscript-4.03-2.sparc.rpm e8c166031f02c9659f41a7e83ff4c97e 6.2/SRPMS/ghostscript-5.50-8_6.x.src.rpm 2e2944851c391f4ef50394d6b0c4a76a 6.2/alpha/ghostscript-5.50-8_6.x.alpha.rpm 9a4b61ddea7d18722198b772d6164619 6.2/i386/ghostscript-5.50-8_6.x.i386.rpm fba7b417faaf19629642325ec6f34b84 6.2/sparc/ghostscript-5.50-8_6.x.sparc.rpm 6ad7beeb79d23f32ad320a659f5591d6 7.0/SRPMS/ghostscript-5.50-8.src.rpm 0d5f4448d5245721b1e2762f360791f2 7.0/i386/ghostscript-5.50-8.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: N/A Copyright(c) 2000 Red Hat, Inc. `. Analyzing the Ghostscript security alert for Red Hat distributions, we must assess mktemp vulnerabilities that may result in file race conditions and the risk of exposing confidential data. ghostscript security, Red Hat advisory, temp file issues, software patching. . LinuxSecurity.com Team

Calendar%202 Nov 22, 2000 Red Hat
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200