A security flaw has been found in the rdesktop package, distributed with the Fedora 13 and 14 operating systems, which an attacker can exploit to read and write arbitrary user files.
Package:
rdesktop 1.x
Operating systems:
Fedora 13, Fedora 14
Severity:
4.3
Problem:
error in a program function
Exploitation:
remote
Impact:
disclosure of sensitive information, injection of arbitrary data into a protected session
Solution:
vendor patch
CVE:
CVE-2011-1595
Original advisory ID:
FEDORA-2011-7694
Source:
Fedora
Problem:
The vulnerability occurs in the "disk_create" function in the file "disk.c".
Impact:
If a user connects to a malicious server, an attacker can exploit the flaw to read and overwrite arbitrary files.
Solution:
All users of the affected systems are advised to apply the available software updates.
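The directory traversal described above, as an added example in C (not code from rdesktop or from the Fedora patch): a lexical check that a server-supplied path stays inside the shared directory before it is joined to the local root. The names `path_escapes_share` and `share_join` and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Added example: hypothetical helpers, not rdesktop's code or its patch. */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if the server-supplied path `rel` would climb above the shared
 * directory, 0 if it stays inside. Lexical only: symlinks are not followed. */
int path_escapes_share(const char *rel)
{
    int depth = 0;                      /* levels below the share root */
    const char *p = rel;
    while (*p) {
        while (is_sep(*p)) p++;         /* skip runs of separators */
        const char *start = p;
        while (*p && !is_sep(*p)) p++;  /* advance to end of component */
        size_t len = (size_t)(p - start);
        if (len == 0) break;            /* only trailing separators left */
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0) return 1;  /* ".." went above the root */
            continue;
        }
        depth++;                        /* ordinary name: one level down */
    }
    return 0;
}

/* Builds root/rel into out, converting '\' to '/'. Returns 0 on success,
 * -1 if rel escapes the share or the result does not fit. */
int share_join(char *out, size_t outlen, const char *root, const char *rel)
{
    if (path_escapes_share(rel)) return -1;
    int n = snprintf(out, outlen, "%s/%s", root, rel);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (char *c = out + strlen(root); *c; c++)
        if (*c == '\\') *c = '/';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as a server might name a file. */
    const char *in[] = { "docs\\report.txt", "a/../b", "..\\..\\secret.txt" };
    char buf[128];
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-20s -> %s\n", in[i],
               share_join(buf, sizeof buf, "/home/u/share", in[i]) ? "rejected" : buf);
    return 0;
}
```

A lexical check does not cover symbolic links inside the share; resolving the final path (for example with `realpath`) and comparing its prefix against the root covers that case.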
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7694
2011-05-30 21:46:14
--------------------------------------------------------------------------------
Name : rdesktop
Product : Fedora 13
Version : 1.6.0
Release : 10.fc13
URL : http://www.rdesktop.org/
Summary : X client for remote desktop into Windows Terminal Server
Description :
rdesktop is an open source client for Windows NT Terminal Server and
Windows 2000 & 2003 Terminal Services, capable of natively speaking
Remote Desktop Protocol (RDP) in order to present the user's NT
desktop. Unlike Citrix ICA, no server extensions are required.
--------------------------------------------------------------------------------
Update Information:
This update fixes a security issue in rdesktop 1.6.0.
A directory traversal flaw was found in the way rdesktop shared a local path
with a remote server. If a user connects to a malicious server with rdesktop,
the server could use this flaw to cause rdesktop to read and write to arbitrary,
local files accessible to the user running rdesktop. (CVE-2011-1595)
Fedora would like to thank Cendio AB for reporting this issue. Cendio AB
acknowledges an anonymous contributor working with the SecuriTeam Secure
Disclosure program as the original reporter.
--------------------------------------------------------------------------------
ChangeLog:
* Mon May 30 2011 Kalev Lember - 1.6.0-10
- Prevent remote file access (CVE-2011-1595)
* Sat Nov 20 2010 Dominik Mierzejewski - 1.6.0-9
- add libao support (supports ALSA and PulseAudio, should fix bugs
* Fri Aug 20 2010 Dominik Mierzejewski - 1.6.0-8
- drop hard dependency on pcsc-lite (bug #527712)
- add a proper source URL
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #676252 - CVE-2011-1595 rdesktop remote file access
https://bugzilla.redhat.com/show_bug.cgi?id=676252
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update rdesktop' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7697
2011-05-30 21:46:22
--------------------------------------------------------------------------------
Name : rdesktop
Product : Fedora 14
Version : 1.6.0
Release : 11.fc14
URL : http://www.rdesktop.org/
Summary : X client for remote desktop into Windows Terminal Server
Description :
rdesktop is an open source client for Windows NT Terminal Server and
Windows 2000 & 2003 Terminal Services, capable of natively speaking
Remote Desktop Protocol (RDP) in order to present the user's NT
desktop. Unlike Citrix ICA, no server extensions are required.
--------------------------------------------------------------------------------
Update Information:
This update fixes a security issue in rdesktop 1.6.0.
A directory traversal flaw was found in the way rdesktop shared a local path
with a remote server. If a user connects to a malicious server with rdesktop,
the server could use this flaw to cause rdesktop to read and write to arbitrary,
local files accessible to the user running rdesktop. (CVE-2011-1595)
Fedora would like to thank Cendio AB for reporting this issue. Cendio AB
acknowledges an anonymous contributor working with the SecuriTeam Secure
Disclosure program as the original reporter.
--------------------------------------------------------------------------------
ChangeLog:
* Mon May 30 2011 Kalev Lember - 1.6.0-11
- Prevent remote file access (CVE-2011-1595)
* Thu Dec 2 2010 Dominik Mierzejewski - 1.6.0-10
- patch libao output driver to fix segfault (bugs #657172, #657813,
* Sat Nov 20 2010 Dominik Mierzejewski - 1.6.0-9
- add libao support (supports ALSA and PulseAudio, should fix bugs
* Fri Aug 20 2010 Dominik Mierzejewski - 1.6.0-8
- drop hard dependency on pcsc-lite (bug #527712)
- fix build against current pcsc-lite
- add a proper source URL
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #676252 - CVE-2011-1595 rdesktop remote file access
https://bugzilla.redhat.com/show_bug.cgi?id=676252
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update rdesktop' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------