LinuxDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


Sudo Contains Root Exploit
Pages: 1, 2

exuberant-ctags

The exuberant-ctags package insecurely creates symbolic-link files. An attacker may exploit this vulnerability to overwrite files with the permissions of the user running exuberant-ctags.



Users should upgrade to version 3.5 of exuberant-ctags as soon as possible.

DCForum

DCForum, a web-based message board system produced by DCScripts, has several bugs that a remote user can exploit to upload files and execute Perl code with the permissions of the user running the web server.

DCScripts has released a patch for this problem and recommends that users apply it as soon as possible.

Alerts this week

sudo

Samba

Red Hat FTP iptables

VMware

innfeed

exuberant-ctags

DCForum

nedit

Cyberscheduler

sendfiled

Red Hat mgetty

Bubblemon

nedit

The Nirvana Editor, nedit, is a text editor similar to editors used with Microsoft Windows. While printing, nedit creates a temporary file insecurely causing a race condition that can be used by an attacker to overwrite system files with the permissions of the user running nedit. No workaround is known, as nedit ignores the $TMPDIR environmental variable.

Users of nedit should upgrade to version 5.1.1.

Cyberscheduler

Cyberscheduler is a calendaring and scheduling package produced by Crosswind that is available for Linux, Solaris, and Windows. Cyberscheduler has a buffer overflow in the time zone variable that can be exploited to execute arbitrary code as the user running the web server.

Users of Cyberscheduler should upgrade to the most recent version as soon as possible.

sendfiled

sendfiled, a server daemon that implements the Simple Asynchronous File Transfer (SAFT) protocol, does not drop its privileges correctly. This can be easily exploited by a local user to execute code with the permissions of the root user.

Users should upgrade to version 2.1-20 as soon as possible.

Red Hat mgetty

The mgetty program distributed with Red Hat Linux 5.2, 6.2, 7.0, and 7.1 does not log error messages correctly.

Users should obtain the appropriate update from Red Hat.

Bubblemon

Bubblemon is a Gnome panel applet that displays the system load as bubbles rising through a liquid. Bubblemon does not properly drop its permissions and this allows a user to click the Bubblemon applet and execute a script or application that will run with its egid as kmem.

Users should upgrade to a version newer than 1.32.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.




Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!


Linux Resources
  • Linux Online
  • The Linux FAQ
  • linux.java.net
  • Linux Kernel Archives
  • Kernel Traffic
  • DistroWatch.com


  • Sponsored by: