A vulnerability discovered in the mumble package allows potential attackers to disclose sensitive information.
Package: | mumble 1.x |
Operating systems: | Fedora 15, Fedora 16, Fedora 17 |
Severity: | 2.1 |
Problem: | improper password handling |
Exploitation: | local/remote |
Impact: | disclosure of sensitive information |
Solution: | vendor patch |
CVE: | CVE-2012-0863 |
Original advisory ID: | FEDORA-2012-8960 |
Source: | Fedora |

Problem:
The flaw is caused by incorrect permissions set on the database file ~/.local/share/data/Mumble/.mumble.sqlit.

Impact:
A malicious user could exploit the flaw to retrieve the user's password or to view configuration settings.

Solution:
Upgrading the package to a newer version is advised.
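
A permission audit for the condition described above, as an added example that is not part of the advisory or of the Mumble or Fedora code. It assumes an administrator runs it over a base directory of home directories (for example /home); the function names are hypothetical, and REL_PATH is the path exactly as printed in this advisory.

```bash
#!/bin/sh
# Added example: find Mumble client databases that group/other can access
# (the CVE-2012-0863 condition) and optionally restrict them to the owner.
# REL_PATH is copied from the advisory as printed; adjust it to the actual
# file name on the system being checked.
REL_PATH='.local/share/data/Mumble/.mumble.sqlit'

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is private to its owner, 1 if group or other have
# any access, 2 if it is absent or not a regular file (symlinks are skipped
# so that chmod never follows a link planted in a home directory).
check_db() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 2
    mode=$(file_mode "$f") || return 2
    # Leading 0 makes the arithmetic constant octal; 077 = group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ] && return 0
    return 1
}

# Check every home directory under BASE. Exposed files are reported on
# stderr; with a second argument of "fix" they are set to 0600.
# Prints the number of exposed databases found on stdout.
audit_homes() {
    base=$1
    fix=${2:-report}
    exposed=0
    for home in "$base"/*/; do
        db="${home}${REL_PATH}"
        rc=0
        check_db "$db" || rc=$?
        if [ "$rc" -eq 1 ]; then
            exposed=$((exposed + 1))
            echo "EXPOSED mode=$(file_mode "$db") $db" >&2
            if [ "$fix" = fix ]; then chmod 600 "$db"; fi
        fi
    done
    echo "$exposed"
}

# Usage: audit_homes /home        (report only)
#        audit_homes /home fix    (report and restrict to 0600)
```

Tightening the mode only stops further reads; it does not show whether the file was read while it was world-readable.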
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8960
2012-06-07 01:39:03
--------------------------------------------------------------------------------
Name : mumble
Product : Fedora 15
Version : 1.2.3
Release : 4.fc15.1
URL : http://mumble.sourceforge.net/
Summary : Voice chat suite aimed at gamers
Description :
Mumble provides low-latency, high-quality voice communication for gamers.
It includes game linking, so voice from other players comes
from the direction of their characters, and has echo
cancellation so that the sound from your loudspeakers
won't be audible to other players.
--------------------------------------------------------------------------------
Update Information:
This update fixes a number of startup problems of the mumble server murmur.
Additionally it contains a fix for CVE-2012-0863 (insecure world-readable
permissions on database file) of the mumble client.
Rebuild for newer protobuf
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 31 2012 Christian Krause - 1.2.3-4.1
- Fix startup issues of murmurd (BZ 711711, BZ 771423)
- Fix directory ownership of %{_libdir}/mumble and %{_datadir}/mumble*
(BZ 744886)
- Add upstream patch for CVE-2012-0863 (BZ 791058)
- Fix broken logrotate config file (BZ 730129)
- Add dependency for qt4-sqlite (BZ 660221)
- Remove /sbin/ldconfig from %post(un) since mumble does not
contain any libraries in %{_libdir}
- Some minor cleanup
* Mon Sep 12 2011 Andreas Osowski - 1.2.3-4
- Rebuild for updated protobuf
* Mon Jun 20 2011 Andreas Osowski - 1.2.3-3
- Rebuild for updated protobuf
* Tue May 17 2011 Andreas Osowski - 1.2.3-2
- Added celt071 functionality
- Fixed the qmake args
* Wed Mar 30 2011 Andreas Osowski - 1.2.3-1
- Update to 1.2.3
- Fixes vulnerability #610845
- Added patch to make it compile with Ice 3.4.0
- Added tmpfile.d config file for murmur
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #791000 - CVE-2012-0863 mumble: insecure world-readable permissions
on database file
https://bugzilla.redhat.com/show_bug.cgi?id=791000
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update mumble' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8903
2012-06-07 01:34:58
--------------------------------------------------------------------------------
Name : mumble
Product : Fedora 17
Version : 1.2.3
Release : 7.fc17.1
URL : http://mumble.sourceforge.net/
Summary : Voice chat suite aimed at gamers
Description :
Mumble provides low-latency, high-quality voice communication for gamers.
It includes game linking, so voice from other players comes
from the direction of their characters, and has echo
cancellation so that the sound from your loudspeakers
won't be audible to other players.
--------------------------------------------------------------------------------
Update Information:
This update fixes a number of startup problems of the mumble server murmur.
Additionally it contains a fix for CVE-2012-0863 (insecure world-readable
permissions on database file) of the mumble client.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 31 2012 Christian Krause - 1.2.3-7.1
- Fix startup issues of murmurd (BZ 711711, BZ 771423)
- Fix directory ownership of %{_libdir}/mumble and %{_datadir}/mumble*
(BZ 744886)
- Add upstream patch for CVE-2012-0863 (BZ 791058)
- Fix broken logrotate config file (BZ 730129)
- Add dependency for qt4-sqlite (BZ 660221)
- Remove /sbin/ldconfig from %post(un) since mumble does not
contain any libraries in %{_libdir}
- Some minor cleanup
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #791000 - CVE-2012-0863 mumble: insecure world-readable permissions
on database file
https://bugzilla.redhat.com/show_bug.cgi?id=791000
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update mumble' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-8956
2012-06-07 01:38:47
--------------------------------------------------------------------------------
Name : mumble
Product : Fedora 16
Version : 1.2.3
Release : 5.fc16.1
URL : http://mumble.sourceforge.net/
Summary : Voice chat suite aimed at gamers
Description :
Mumble provides low-latency, high-quality voice communication for gamers.
It includes game linking, so voice from other players comes
from the direction of their characters, and has echo
cancellation so that the sound from your loudspeakers
won't be audible to other players.
--------------------------------------------------------------------------------
Update Information:
This update fixes a number of startup problems of the mumble server murmur.
Additionally it contains a fix for CVE-2012-0863 (insecure world-readable
permissions on database file) of the mumble client.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 31 2012 Christian Krause - 1.2.3-5.1
- Fix startup issues of murmurd (BZ 711711, BZ 771423)
- Fix directory ownership of %{_libdir}/mumble and %{_datadir}/mumble*
(BZ 744886)
- Add upstream patch for CVE-2012-0863 (BZ 791058)
- Fix broken logrotate config file (BZ 730129)
- Add dependency for qt4-sqlite (BZ 660221)
- Remove /sbin/ldconfig from %post(un) since mumble does not
contain any libraries in %{_libdir}
- Some minor cleanup
* Thu Nov 10 2011 Andreas Osowski - 1.2.3-5
- Updated Ice version in patch0
- Added new patch to build against celt071 includes thanks to Florent Le Coz
* Thu Nov 10 2011 Andreas Osowski - 1.2.3-4
- rebuilt for protobuf update
* Mon Sep 12 2011 Andreas Osowski - 1.2.3-3
- Rebuild for newer protobuf
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #791000 - CVE-2012-0863 mumble: insecure world-readable permissions
on database file
https://bugzilla.redhat.com/show_bug.cgi?id=791000
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update mumble' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys