Security: Connection established without the user's knowledge in rest
Name: Connection established without the user's knowledge in rest
ID: FEDORA-2011-15833
Distribution: Fedora
Platforms: Fedora 16
Date: Fri, 25 November 2011, 08:56
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4129
Applications: rest

Original message

Name        : rest
Product     : Fedora 16
Version     : 0.7.12
Release     : 1.fc16
URL         : http://www.gnome.org
Summary     : A library for access to RESTful web services
Description :
This library was designed to make it easier to access web services that claim to be "RESTful". A RESTful service should have urls that represent remote objects, which methods can then be called on. The majority of services don't actually adhere to this strict definition. Instead, their RESTful end point usually has an API that is just simpler to use compared to other types of APIs they may support (XML-RPC, for instance). It is this kind of API that this library is attempting to support.

--------------------------------------------------------------------------------
Update Information:

CVE-2011-4129

A security flaw was found in the way the libsocialweb, a social network data aggregator, performed its initialization when this service start was initiated by the dbus daemon. Due to a deficiency in a way the libsocialweb service was initialized, an untrusted (non-SSL) network connection has been opened to remote Twitter service servers without explicit approval of the user, running the libsocialweb service on the local host. A remote attacker could use this flaw to conduct various MITM attacks and potentially alter integrity of the user account in question.

* libsocialweb: The views will try and fetch content from the web service even if they aren't configured.
* rest: enforce that the SSL certificate is valid

--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 10 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.7.12-1
- Release 0.7.12. Fixes CVE-2011-4129 RHBZ 752022
* Fri Oct 28 2011 Peter Robinson <pbrobinson@fedoraproject.org> 0.7.11-1
- Release 0.7.11

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #752022 - CVE-2011-4129 libsocialweb: Untrusted connection to Twitter without user's approval upon service start via dbus
        https://bugzilla.redhat.com/show_bug.cgi?id=752022

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update rest' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce