A security vulnerability has been discovered in the rest library that a remote attacker could exploit to carry out a MITM attack, potentially compromising the integrity of the user account.
Package:
rest 0.x
Operating systems:
Fedora 16
Severity:
8.3
Problem:
error in a software component
Exploitation:
remote
Consequence:
arbitrary code execution
Solution:
vendor patch
CVE:
CVE-2011-4129
Original advisory ID:
FEDORA-2011-15833
Source:
Fedora
Problem:
The vulnerability is caused by an error in the "libsocialweb" component.
Consequence:
A remote attacker could exploit this vulnerability to carry out various MITM attacks and thereby compromise the integrity of the user account.
Solution:
The solution is to upgrade the package to a newer version.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15833
2011-11-13 04:38:34
--------------------------------------------------------------------------------
Name : rest
Product : Fedora 16
Version : 0.7.12
Release : 1.fc16
URL : http://www.gnome.org
Summary : A library for access to RESTful web services
Description :
This library was designed to make it easier to access web services that
claim to be "RESTful". A RESTful service should have urls that represent
remote objects, which methods can then be called on. The majority of services
don't actually adhere to this strict definition. Instead, their RESTful end
point usually has an API that is just simpler to use compared to other types
of APIs they may support (XML-RPC, for instance). It is this kind of API that
this library is attempting to support.
--------------------------------------------------------------------------------
Update Information:
CVE-2011-4129
A security flaw was found in the way the libsocialweb, a social network data
aggregator, performed its initialization when this service start was initiated
by the dbus daemon. Due to a deficiency in a way the libsocialweb service was
initialized, an untrusted (non-SSL) network connection has been opened to remote
Twitter service servers without explicit approval of the user, running the
libsocialweb service on the local host. A remote attacker could use this flaw to
conduct various MITM attacks and potentially alter integrity of the user account
in question.
* libsocialweb: The views will try and fetch content from the web service even
if they aren't configured.
* rest: enforce that the SSL certificate is valid
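The fix ships in rest 0.7.12-1.fc16, so the practical check on a Fedora 16 host is whether the installed package version is at or above 0.7.12. The following POSIX shell snippet is an added example and not part of the Fedora notification; it assumes the version string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' rest` and the fixed version is taken from the ChangeLog above.

```shell
# Added example: decide whether an installed "rest" package carries the
# CVE-2011-4129 fix (first fixed upstream release on Fedora 16: 0.7.12).
FIXED_REST_VERSION="0.7.12"

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
# Missing components are treated as 0, so "0.7" < "0.7.12" and "0.8" > "0.7.12".
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a=${v1%%.*}; b=${v2%%.*}
    # Consume the leading component (or empty the string if none remain).
    if [ "$v1" = "$a" ]; then v1=; else v1=${v1#*.}; fi
    if [ "$v2" = "$b" ]; then v2=; else v2=${v2#*.}; fi
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
  done
  return 0
}

# rest_is_fixed VERSION-RELEASE: strip the RPM release suffix (e.g. "-1.fc16")
# and compare the upstream version against the fixed one.
rest_is_fixed() {
  version_ge "${1%%-*}" "$FIXED_REST_VERSION"
}

# Constructed sample input standing in for the rpm -q output on a host.
installed="0.7.11-1.fc16"
if rest_is_fixed "$installed"; then
  echo "rest $installed: CVE-2011-4129 fix present"
else
  echo "rest $installed: VULNERABLE, update to $FIXED_REST_VERSION or later"
fi
```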
--------------------------------------------------------------------------------
ChangeLog:
* Thu Nov 10 2011 Peter Robinson <e-mail address hidden> 0.7.12-1
- Release 0.7.12. Fixes CVE-2011-4129 RHBZ 752022
* Fri Oct 28 2011 Peter Robinson <e-mail address hidden> 0.7.11-1
- Release 0.7.11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #752022 - CVE-2011-4129 libsocialweb: Untrusted connection to
Twitter without user's approval upon service start via dbus
https://bugzilla.redhat.com/show_bug.cgi?id=752022
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update rest' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
<e-mail address hidden>
https://admin.fedoraproject.org/mailman/listinfo/package-announce