ELSA-2015-1083

Published: 09 Jun 2015
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2015-1083: abrt security update (IMPORTANT)

abrt [2.1.11-22.0.1]

  • Drop libreport-rhel and libreport-plugin-rhtsupport requires

[2.1.11-22]

  • do not open the build_ids file as the user abrt
  • do not unlink failed and big user core files
  • Related: #1212819, #1216973

[2.1.11-21]

  • validate all D-Bus method arguments
  • Related: #1214610

[2.1.11-20]

  • remove the old dump directories during upgrade
  • abrt-action-install-debuginfo-to-abrt-cache: sanitize arguments and umask
  • fix race conditions and directory traversal issues in abrt-dbus
  • use /var/spool/abrt instead of /var/tmp/abrt
  • make the problem directories owned by root and the group abrt
  • validate uploaded problem directories in abrt-handle-upload
  • don't override files with user core dump files
  • fix symbolic link and race condition flaws
  • Resolves: #1211969, #1212819, #1212863, #1212869
  • Resolves: #1214453, #1214610, #1216973, #1218583

libreport [2.1.11-23.0.1]

  • Update workflow xml for Oracle [18945470]
  • Add oracle-enterprise.patch and oracle-enterprise-po.patch
  • Remove libreport-plugin-rhtsupport and libreport-rhel
  • Added orabug20390725.patch to remove redhat reference [bug 20390725]
  • Added Bug20357383.patch to remove redhat reference [bug 20357383]

[2.1.11-23]

  • do not open files outside a dump directory
  • Related: #1217484

[2.1.11-22]

  • switch the default dump dir mode to 0750
  • harden against directory traversal, crafted symbolic links
  • avoid race-conditions in dump dir opening
  • Resolves: #1212096, #1217499, #1218610, #1217484

Updated packages

Oracle Linux 7

Oracle Linux x86_64

Package                            Version
abrt                               2.1.11-22.0.1.el7_1
abrt-addon-ccpp                    2.1.11-22.0.1.el7_1
abrt-addon-kerneloops              2.1.11-22.0.1.el7_1
abrt-addon-pstoreoops              2.1.11-22.0.1.el7_1
abrt-addon-python                  2.1.11-22.0.1.el7_1
abrt-addon-upload-watch            2.1.11-22.0.1.el7_1
abrt-addon-vmcore                  2.1.11-22.0.1.el7_1
abrt-addon-xorg                    2.1.11-22.0.1.el7_1
abrt-cli                           2.1.11-22.0.1.el7_1
abrt-console-notification          2.1.11-22.0.1.el7_1
abrt-dbus                          2.1.11-22.0.1.el7_1
abrt-desktop                       2.1.11-22.0.1.el7_1
abrt-devel                         2.1.11-22.0.1.el7_1
abrt-gui                           2.1.11-22.0.1.el7_1
abrt-gui-devel                     2.1.11-22.0.1.el7_1
abrt-gui-libs                      2.1.11-22.0.1.el7_1
abrt-libs                          2.1.11-22.0.1.el7_1
abrt-python                        2.1.11-22.0.1.el7_1
abrt-python-doc                    2.1.11-22.0.1.el7_1
abrt-retrace-client                2.1.11-22.0.1.el7_1
abrt-tui                           2.1.11-22.0.1.el7_1
libreport                          2.1.11-23.0.1.el7_1
libreport-anaconda                 2.1.11-23.0.1.el7_1
libreport-cli                      2.1.11-23.0.1.el7_1
libreport-compat                   2.1.11-23.0.1.el7_1
libreport-devel                    2.1.11-23.0.1.el7_1
libreport-filesystem               2.1.11-23.0.1.el7_1
libreport-gtk                      2.1.11-23.0.1.el7_1
libreport-gtk-devel                2.1.11-23.0.1.el7_1
libreport-newt                     2.1.11-23.0.1.el7_1
libreport-plugin-bugzilla          2.1.11-23.0.1.el7_1
libreport-plugin-kerneloops        2.1.11-23.0.1.el7_1
libreport-plugin-logger            2.1.11-23.0.1.el7_1
libreport-plugin-mailx             2.1.11-23.0.1.el7_1
libreport-plugin-reportuploader    2.1.11-23.0.1.el7_1
libreport-plugin-ureport           2.1.11-23.0.1.el7_1
libreport-python                   2.1.11-23.0.1.el7_1
libreport-rhel-anaconda-bugzilla   2.1.11-23.0.1.el7_1
libreport-rhel-bugzilla            2.1.11-23.0.1.el7_1
libreport-web                      2.1.11-23.0.1.el7_1
libreport-web-devel                2.1.11-23.0.1.el7_1

Related vulnerabilities

oracle-oval
about 10 years ago

ELSA-2015-1210: abrt security update (MODERATE)

redhat
more than 10 years ago

The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps to them, which allows local users to obtain sensitive information by leveraging write permissions to the working directory of a crashed application.

CVSS3: 4.7
nvd
about 8 years ago

The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps to them, which allows local users to obtain sensitive information by leveraging write permissions to the working directory of a crashed application.

CVSS3: 4.7
github
more than 3 years ago

The kernel-invoked coredump processor in Automatic Bug Reporting Tool (ABRT) does not properly check the ownership of files before writing core dumps to them, which allows local users to obtain sensitive information by leveraging write permissions to the working directory of a crashed application.

redhat
more than 10 years ago

Directory traversal vulnerability in abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to read, write to, or change ownership of arbitrary files via unspecified vectors to the (1) NewProblem, (2) GetInfo, (3) SetElement, or (4) DeleteElement method.