Several security vulnerabilities have been found in the PCP (Performance Co-Pilot) software package for the Fedora 18 operating system. They allow remote attackers to carry out DoS attacks, execute arbitrary code and disclose sensitive information.
Package:
pcp 3.x
Operating systems:
Fedora 18
Severity:
4.4
Problem:
error in a program function, error in a program component
The vulnerabilities stem from an error in the /proc filesystem, multiple memory leaks, and flaws in numerous functions such as "pduread", "__pmDecodeCreds", "__pmDecodeNameList", etc. For more details, reading the original advisory is recommended.
Consequence:
Attackers can exploit them for DoS attacks, execution of arbitrary code and reading of sensitive data.
Solution:
Users are advised to install the security patches.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-11988
2012-08-16 16:49:50
--------------------------------------------------------------------------------
Name : pcp
Product : Fedora 18
Version : 3.6.5
Release : 1.fc18
URL : http://oss.sgi.com/projects/pcp
Summary : System-level performance monitoring and performance management
Description :
Performance Co-Pilot (PCP) provides a framework and services to support
system-level performance monitoring and performance management.
The PCP open source release provides a unifying abstraction for all of
the interesting performance data in a system, and allows client
applications to easily retrieve and process any subset of that data.
--------------------------------------------------------------------------------
Update Information:
Security and bugfix update. Security flaws fixed include CVE-2012-3418
CVE-2012-3419 CVE-2012-3420 and CVE-2012-3421
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #841698 - CVE-2012-3418 pcp: multiple integer and heap-based buffer
overflow flaws
https://bugzilla.redhat.com/show_bug.cgi?id=841698
[ 2 ] Bug #841702 - CVE-2012-3419 pcp: privileged information disclosure flaw
https://bugzilla.redhat.com/show_bug.cgi?id=841702
[ 3 ] Bug #841704 - CVE-2012-3420 pcp: two memory leaks can lead to pcmd crash
or trigger OOM killer
https://bugzilla.redhat.com/show_bug.cgi?id=841704
[ 4 ] Bug #841706 - CVE-2012-3421 pcp: event-driven programming flaw blocks
pmcd from responding to other legitimate requests
https://bugzilla.redhat.com/show_bug.cgi?id=841706
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update pcp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-12940
2012-08-29 18:36:21
--------------------------------------------------------------------------------
Name : pcp
Product : Fedora 18
Version : 3.6.6
Release : 1.fc18
URL : http://oss.sgi.com/projects/pcp
Summary : System-level performance monitoring and performance management
Description :
Performance Co-Pilot (PCP) provides a framework and services to support
system-level performance monitoring and performance management.
The PCP open source release provides a unifying abstraction for all of
the interesting performance data in a system, and allows client
applications to easily retrieve and process any subset of that data.
--------------------------------------------------------------------------------
Update Information:
- Added the python PMAPI bindings and an initial python client
in pmcollectl. Separate, new package exists for python libs
for those platforms that split out packages (rpm, deb).
- Added a pcp-testsuite package for those platforms that might
want this (rpm, deb again, mainly)
- Re-introduced the pcp/qa subdirectory in pcp and deprecated
the external pcpqa git tree.
- Fix potential buffer overflow in pmlogger host name handling.
- Reworked the configure --prefix handling to be more like the
rest of the open source world.
- Ensure the __pmDecodeText ident parameter is always set
Resolves Red Hat bugzilla bug #841306.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #841306 - libpcp additional decoder hardening
https://bugzilla.redhat.com/show_bug.cgi?id=841306
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update pcp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
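The two notices above name the fixed package builds (3.6.5-1.fc18 for the CVE fixes, 3.6.6-1.fc18 for the later pmlogger hardening). The script below is an added example, not part of the Fedora notices or the PCP project: it parses a package name in the form printed by "rpm -q pcp" and reports whether that build predates the 3.6.6-1.fc18 release, so an administrator can confirm on each host that the update actually landed. The sample package names are constructed; the FIXED_VERSION and FIXED_RELEASE values come from the second notice.

```shell
#!/bin/sh
# Added example (not from the Fedora notices or the PCP project).
# Decide whether an installed pcp build, given as "rpm -q pcp" prints it
# (e.g. "pcp-3.6.4-1.fc18.x86_64"), is older than the fixed build.
# Only numeric dotted versions are handled, which is what pcp uses here.

FIXED_VERSION="3.6.6"   # from FEDORA-2012-12940 (3.6.5 fixed the CVEs)
FIXED_RELEASE="1"       # the "1" in "1.fc18"

# vercmp A B: print -1, 0 or 1 depending on how dotted version A compares to B.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Peel the leading component off each version string.
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}   # missing trailing components count as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# pcp_status NEVRA: print "vulnerable" (status 1) if the build is older than
# FIXED_VERSION-FIXED_RELEASE, otherwise print "fixed" (status 0).
pcp_status() {
    nevra="${1#pcp-}"           # "3.6.4-1.fc18.x86_64"
    ver="${nevra%%-*}"          # "3.6.4"
    rel="${nevra#*-}"           # "1.fc18.x86_64"
    rel="${rel%%.*}"            # "1"
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        -1) echo vulnerable; return 1 ;;
        1)  echo fixed; return 0 ;;
    esac
    # Same upstream version: the release number decides.
    if [ "$rel" -lt "$FIXED_RELEASE" ]; then
        echo vulnerable; return 1
    fi
    echo fixed; return 0
}

# Constructed sample inputs; on a real host use: pcp_status "$(rpm -q pcp)"
for sample in "pcp-3.6.4-1.fc18.x86_64" "pcp-3.6.5-1.fc18.x86_64" \
              "pcp-3.6.6-1.fc18.x86_64" "pcp-3.7.0-1.fc18.x86_64"; do
    printf '%s: %s\n' "$sample" "$(pcp_status "$sample")"
done
```

The version check only tells you what is installed; pairing it with the signature step the notices mention (yum's gpgcheck setting, or "rpm -K" on a downloaded package) confirms that the build came from Fedora's signing key rather than just carrying the right version string.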