Explore top 10 tips to secure your open-source projects now. Read More
×
This update fixes CVE-2013-4184 (possible symlink attack due to use of predictable temporary file names). The module no longer saves state in temporary files at all.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-a58a7e2388 2024-03-28 01:25:38.092437 -------------------------------------------------------------------------------- Name : perl-Data-UUID Product : Fedora 39 Version : 1.227 Release : 1.fc39 URL : https://metacpan.org/dist/Data-UUID Summary : Globally/Universally Unique Identifiers (GUIDs/UUIDs) Description : This module provides a framework for generating v3 UUIDs (Universally Unique Identifiers, also known as GUIDs (Globally Unique Identifiers). A UUID is 128 bits long, and is guaranteed to be different from all other UUIDs/GUIDs generated until 3400 CE. UUIDs were originally used in the Network Computing System (NCS) and later in the Open Software Foundation's (OSF) Distributed Computing Environment. Currently many different technologies rely on UUIDs to provide unique identity for various software components. Microsoft COM/DCOM for instance, uses GUIDs very extensively to uniquely identify classes, applications and components across network-connected systems. The algorithm for UUID generation, used by this extension, is described in the Internet Draft "UUIDs and GUIDs" by Paul J. Leach and Rich Salz (see RFC 4122). It provides a reasonably efficient and reliable framework for generating UUIDs and supports fairly high allocation rates - 10 million per second per machine - and therefore is suitable for identifying both extremely short-lived and very persistent objects on a given system as well as across the network. This module provides several methods to create a UUID. In all methods, is a UUID and is a free form string. -------------------------------------------------------------------------------- Update Information: This update fixesCVE-2013-4184 (possible symlink attack due to use of predictable temporary file names). The module no longer saves state in temporary files at all. -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 19 2024 Paul Howarth - 1.227-1 - Update to 1.227 - New maintainer, GTERMARS - Add basic GitHub Actions setup for testing - Typo corrections in POD - Eliminated use of state/node files in temp directory (CVE-2013-4184) * Thu Jan 25 2024 Fedora Release Engineering - 1.226-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Sun Jan 21 2024 Fedora Release Engineering - 1.226-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Tue Aug 29 2023 Jitka Plesnikova - 1.226-14 - Update license to SPDX format -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-a58a7e2388' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
An update that contains security fixes can now be installed. . openSUSE Security Update: Security update for Cadence ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0270-1 Rating: moderate References: #1213330 #1213983 #1213985 Affected Products: openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for Cadence fixes the following issues: - Fix security bugs related to use of Fixed Temporary Files. (boo#1213330, boo#1213983, boo#1213985) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-270=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): Cadence-0.9.1-bp154.2.3.1 References: https://bugzilla.suse.com/1213330 https://bugzilla.suse.com/1213983 https://bugzilla.suse.com/1213985 . Apply security fixes for Cadence using the most recent openSUSE update to mitigate medium-risk vulnerabilities.. openSUSE Security Update,Cadence Fixes,SLE-15 Security Patch. . LinuxSecurity.com Team
An update that fixes three vulnerabilities is now available. Description: Description: This update for keepalived to version 2.0.10 fixes the following issues: Security issues fixed (bsc#1015141): - CVE-2018-19044: Fixed a check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats - CVE-2018-19045: Fixed mode when creating new temporary files upo [More...]. openSUSE Security Update: Security update for keepalived ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:4213-1 Rating: moderate References: #1015141 #1069468 #949238 Cross-References: CVE-2018-19044 CVE-2018-19045 CVE-2018-19046 Affected Products: SUSE Package Hub for SUSE Linux Enterprise 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for keepalived to version 2.0.10 fixes the following issues: Security issues fixed (bsc#1015141): - CVE-2018-19044: Fixed a check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats - CVE-2018-19045: Fixed mode when creating new temporary files upon a call to PrintData or PrintStats - CVE-2018-19046: Fixed a check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats Non-security issues fixed: - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Use getaddrinfo instead of gethostbyname to workaround glibc gethostbyname function buffer overflow (bsc#949238) For the full list of changes refer to: https://www.keepalived.org/changelog.html Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you canrun the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2018-1575=1 Package List: - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64): keepalived-2.0.10-6.1 References: https://www.suse.com/security/cve/CVE-2018-19044.html https://www.suse.com/security/cve/CVE-2018-19045.html https://www.suse.com/security/cve/CVE-2018-19046.html https://bugzilla.suse.com/1015141 https://bugzilla.suse.com/1069468 https://bugzilla.suse.com/949238 -- . openSUSE Security Patch for keepalived addresses several vulnerabilities, enhancing the reliability and safety of your environments.. openSUSE Security, keepalived Update, Linux Patch Management, moderate Security Advisory. . LinuxSecurity.com Team
Fix security issue with tmp file naming.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-020f4b9400 2015-12-20 00:06:39.526376 -------------------------------------------------------------------------------- Name : xsupplicant Product : Fedora 22 Version : 2.2.0 Release : 13.fc22 URL : http://www.open1x.org/ Summary : Open Source Implementation of IEEE 802.1x Description : This software allows a GNU/Linux or BSD workstation to authenticate with a RADIUS server using 802.1x and various EAP protocols. The intended use is for computers with wireless LAN connections to complete a strong authentication before joining the network. -------------------------------------------------------------------------------- Update Information: Fix security issue with tmp file naming. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1276614 - xsupplicant: Usage of fixed temtporary file https://bugzilla.redhat.com/show_bug.cgi?id=1276614 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update xsupplicant' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-10520 2015-06-23 03:02:16 -------------------------------------------------------------------------------- Name : trafficserver Product : Fedora 21 Version : 5.3.0 Release : 1.fc21 URL : https://trafficserver.apache.org/index.html Summary : Fast, scalable and extensible HTTP/1.1 compliant caching proxy server Description : Apache Traffic Server is a fast, scalable and extensible HTTP/1.1 compliant caching proxy server. -------------------------------------------------------------------------------- Update Information: https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x -------------------------------------------------------------------------------- ChangeLog: * Sun Jun 21 2015 Peter Robinson 5.3.0-1 - Update to 5.3.0 LTS release - Build on aarch64 and power64 - Split perl bindings to sub package - Cleanup and modernise spec * Fri Jun 19 2015 Fedora Release Engineering - 5.0.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Sat May 2 2015 Kalev Lember - 5.0.1-3 - Rebuilt for GCC 5 C++11 ABI change * Mon Jan 26 2015 Petr Machata - 5.0.1-2 - Rebuild for boost 1.57.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1102559 - Add AArch64 support to trafficserver https://bugzilla.redhat.com/show_bug.cgi?id=1102559 [ 2 ] Bug #1103173 - trafficserver: insecure temporary file usage [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1103173 [ 3 ] Bug #1179204 - trafficserver: incorrect handling of "Max-Forwards" header [fedora-21] https://bugzilla.redhat.com/show_bug.cgi?id=1179204 [ 4 ] Bug #1103174 - trafficserver: insecure temporary file usage [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1103174 [ 5 ] Bug #1133387 - CVE-2014-3525trafficserver: unspecified flaw related to health checks fixed in versions 4.2.1.1 and 5.0.1 [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1133387 [ 6 ] Bug #1179205 - trafficserver: incorrect handling of "Max-Forwards" header [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1179205 [ 7 ] Bug #994224 - trafficserver must be compiled with -fno-strict-aliasing, but it is not https://bugzilla.redhat.com/show_bug.cgi?id=994224 [ 8 ] Bug #955127 - trafficserver package should be built with PIE flags https://bugzilla.redhat.com/show_bug.cgi?id=955127 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update trafficserver' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
pmake uses temporary files in an insecure manner, allowing for symlink attacks.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201310-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: pmake: Insecure temporary file usage Date: October 28, 2013 Bugs: #367891 ID: 201310-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= pmake uses temporary files in an insecure manner, allowing for symlink attacks. Background ========= pmake is Debian's version of NetBSD's make, a tool to build programs in parallel. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/pmake < 1.111.3.1 > = 1.111.3.1 Description ========== /usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend[PID]), and without using $TMPDIR. Impact ===== The make include files allow local users to overwrite arbitrary files via a symlink attack. Workaround ========= There is no known workaround at this time. Resolution ========= All pmake users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =sys-devel/pmake-1.111.3.1" References ========= [ 1 ] CVE-2011-1920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1920 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201310-17 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentialityand security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
An insecure temporary file usage has been reported in virtualenv, possibly allowing symlink attacks.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: virtualenv: Insecure temporary file usage Date: June 22, 2012 Bugs: #395285 ID: 201206-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= An insecure temporary file usage has been reported in virtualenv, possibly allowing symlink attacks. Background ========= virtualenv is a virtual Python environment builder. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-python/virtualenv < 1.5.1 > = 1.5.1 Description ========== The virtualenv.py script in virtualenv does not handle temporary files securely. Impact ===== A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application. Workaround ========= There is no known workaround at this time. Resolution ========= All virtualenv users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-python/virtualenv-1.5.1" References ========= [ 1 ] CVE-2011-4617 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4617 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201206-17 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and securityof our users' machines is of utmost importance to us. Any security concerns should be addressed to
Executables compressed by bzexe could be made to run programs as yourlogin.. =========================================================================Ubuntu Security Notice USN-1308-1 December 14, 2011 bzip2 vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Executables compressed by bzexe could be made to run programs as your login. Software Description: - bzip2: high-quality block-sorting file compressor - utilities Details: vladz discovered that executables compressed by bzexe insecurely create temporary files when they are ran. A local attacker could exploit this issue to execute arbitrary code as the user running a compressed executable. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: bzip2 1.0.5-6ubuntu1.11.10.1 Ubuntu 11.04: bzip2 1.0.5-6ubuntu1.11.04.1 Ubuntu 10.10: bzip2 1.0.5-4ubuntu1.1 Ubuntu 10.04 LTS: bzip2 1.0.5-4ubuntu0.2 Ubuntu 8.04 LTS: bzip2 1.0.4-2ubuntu4.2 In general, a standard system update will make all the necessary changes to the bzexe utility. If you have previously used bzexe to compress any executables, they need to be recompressed using the updated version. References: https://ubuntu.com/security/notices/USN-1308-1 CVE-2011-4089 Package Information: https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.10.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.04.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu1.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu0.2 https://launchpad.net/ubuntu/+source/bzip2/1.0.4-2ubuntu4.2 . The recent Ubuntu Security Advisory USN-1308-1 highlights a significant vulnerabilityin bzip2, which could enable local malicious actors to run arbitrary code.. bzip2 exploit, Ubuntu patch, local attack execution. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.