Detalji

Uočeni su višestruki sigurnosni propusti u radu programskog paketa Logrotate, distribuiranog s operacijskim sustavom Fedora 15. Logrotate je programski paket za rukovanje log datotekama. Sigurnosni propusti uočeni su zbog postavljanja neodgovarajućih ovlasti prilikom stvaranja novih datoteka, nepravilnog izvršavanja "write state" naredbe te kod rukovanja shred konfiguracijskom direktivom. Napadaču omogućuju DoS (eng. Denial of Service) napad, pokretanje proizvoljnih naredbi te otkrivanje potencijalno osjetljivih podataka. Svim korisnicima preporučuje se nadogradnja navedenog programskog paketa. 

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-3758
2011-03-22 03:25:14
--------------------------------------------------------------------------------

Name        : logrotate
Product     : Fedora 15
Version     : 3.7.9
Release     : 8.fc15
URL         : None
Summary     : Rotates, compresses, removes and mails system log files
Description :
The logrotate utility is designed to simplify the administration of
log files on a system which generates a lot of log files.  Logrotate
allows for the automatic rotation compression, removal and mailing of
log files.  Logrotate can be set to handle a log file daily, weekly,
monthly or when the log file gets to a certain size.  Normally,
logrotate runs as a daily cron job.

Install the logrotate package if you need a utility to deal with the
log files on your system.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2011-1154, CVE-2011-1155 and CVE-2011-1098.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #680798 - CVE-2011-1098 logrotate: TOCTOU race condition by
creation of new files (between opening the file and moment, final permissions
have been applied) [information disclosure]
        https://bugzilla.redhat.com/show_bug.cgi?id=680798
  [ 2 ] Bug #680796 - CVE-2011-1154 logrotate: Shell command injection by using
the shred configuration directive
        https://bugzilla.redhat.com/show_bug.cgi?id=680796
  [ 3 ] Bug #680797 - CVE-2011-1155 logrotate: DoS due improper escaping of
file names within 'write state' action
        https://bugzilla.redhat.com/show_bug.cgi?id=680797
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update logrotate' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Idi na vrh