Security: Insecure use of temporary files in SyncEvolution
Name: Insecure use of temporary files in SyncEvolution
ID: FEDORA-2014-5186
Distribution: Fedora
Platforms: Fedora 20
Date: Thu, 24 April 2014, 18:45
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1639
Applications: SyncEvolution
Original message
Name        : syncevolution
Product     : Fedora 20
Version     : 1.4.1
Release     : 1.fc20
URL         : http://syncevolution.org/
Summary     : SyncML client for evolution
Description : syncevolution is designed to provide a SyncML client that can connect to and sync with various SyncML-based servers

--------------------------------------------------------------------------------
Update Information:
Update to 1.4.1 stable release
CVE-2014-1639 syncevolution: insecure temporary file usage in installcheck-local.sh
It was found [1] that the installcheck-local.sh script of the syncevolution package creates temporary files in an insecure way. A local attacker could use these flaws to perform a symbolic link attack on the temporary files used by installcheck-local.sh.
NOTE: The vulnerable installcheck-local.sh script is not shipped in the syncevolution RPM package, but is included in the source and may be called at compile time. This flaw is therefore only a concern for those rebuilding the SRPM package. Regular users of the syncevolution package are not affected.
[1] http://seclists.org/oss-sec/2014/q1/138

--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 14 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.4.1-1
- Update to 1.4.1 stable release
* Tue Feb 18 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.4-1
- Update to 1.4 stable release
- Enable gnome-online-accounts support
* Tue Feb 4 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.99.7-1
- 1.3.99.7 devel release
* Mon Feb 3 2014 Milan Crha <mcrha@redhat.com> - 1.3.99.6-3
- Rebuild against newer evolution-data-server
* Tue Jan 14 2014 Milan Crha <mcrha@redhat.com> - 1.3.99.6-2
- Rebuild against newer evolution-data-server
* Tue Dec 10 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.3.99.6-1
- 1.3.99.6 devel release

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1057544 - CVE-2014-1639 syncevolution: insecure temporary file usage in installcheck-local.sh
      https://bugzilla.redhat.com/show_bug.cgi?id=1057544

--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update syncevolution' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
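
The flaw class named in the advisory, as an added example that is not code from installcheck-local.sh or the SyncEvolution project: a write to a predictable temporary path beside a `mktemp -d` form, run in a private sandbox directory. All function names, file names and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added example with constructed names; not taken from installcheck-local.sh.

# Weak pattern: predictable name (PID suffix) in a shared directory.
# ">" opens the path without O_EXCL or O_NOFOLLOW, so a symlink that
# already exists there redirects the write to the link target.
write_unsafe() {    # $1 = shared directory
    f="$1/installcheck.$$"
    echo "scratch" > "$f"
    printf '%s\n' "$f"
}

# Hardened pattern: mktemp -d creates a fresh mode-0700 directory with an
# unpredictable name and fails rather than reuse an existing entry, so
# nothing inside it can have been placed there by another local user.
write_safe() {      # $1 = shared directory
    d=$(mktemp -d "$1/installcheck.XXXXXXXXXX") || return 1
    f="$d/scratch"
    echo "scratch" > "$f"
    printf '%s\n' "$f"
}

# Runs both patterns inside a private sandbox that stands in for /tmp.
# Prints one line per pattern: "<mode>=clobbered" or "<mode>=intact".
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/tmpdemo.XXXXXXXXXX") || return 1
    for mode in unsafe safe; do
        target="$sandbox/target.$mode"
        echo "original" > "$target"
        # Simulate a link already present at the predictable path.
        ln -sf "$target" "$sandbox/installcheck.$$"
        "write_$mode" "$sandbox" >/dev/null
        if [ "$(cat "$target")" = "original" ]; then
            printf '%s=intact\n' "$mode"
        else
            printf '%s=clobbered\n' "$mode"
        fi
    done
    rm -rf "$sandbox"
}

demo
```

When auditing build or test scripts for this pattern, look for fixed or PID-derived names under `/tmp` and replace them with `mktemp`-created paths plus a cleanup `trap`.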