Security: Execution of arbitrary commands in tnftp
Name: Execution of arbitrary commands in tnftp
ID: 201611-05
Distribution: Gentoo
Platforms: Not specified
Date: Tue, 15 November 2016, 10:39
References: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517
Applications: tnftp
Original message
From: Aaron Bauman <bman@gentoo.org>
To: gentoo-announce@lists.gentoo.org
Message-ID: <b0c8eed7-c7fd-e628-bf85-dc1742c1fea2@gentoo.org>
Subject: [ GLSA 201611-05 ] tnftp: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201611-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: tnftp: Arbitrary code execution
     Date: November 15, 2016
     Bugs: #527302
       ID: 201611-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
tnftp is vulnerable to remote code execution if an output file is not specified.
Background
==========
tnftp is a NetBSD FTP client with several advanced features.
Affected packages
=================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-ftp/tnftp              < 20141104                 >= 20141104
Description
===========
The fetch_url function in usr.bin/ftp/fetch.c allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
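The Synopsis and Description point at the same root cause: with no output file given, the local name comes from the URL the client ends up fetching, and ftp(1) documents that a local file name beginning with | is run as a shell command. The following C code is an added example of the hardening principle, not code from tnftp or from this advisory; url_basename, classify_output and the example.invalid URLs are hypothetical. It honours the special names only when the user typed them.

```c
#include <stddef.h>
#include <string.h>

enum out_kind { OUT_FILE, OUT_STDOUT, OUT_PIPE, OUT_REJECT };

/* Copy the last path component of url (query/fragment dropped) into buf.
 * Returns 0 on success, -1 if the component is empty or does not fit. */
int url_basename(const char *url, char *buf, size_t len)
{
    size_t end = strcspn(url, "?#");
    size_t start = end;

    while (start > 0 && url[start - 1] != '/')
        start--;
    if (end == start || end - start >= len)
        return -1;
    memcpy(buf, url + start, end - start);
    buf[end - start] = '\0';
    return 0;
}

/* Decide how the output target may be opened.
 * from_user != 0: the name was given by the user, so the documented special
 *                 names "-" (stdout) and "|command" (pipe) are honoured.
 * from_user == 0: the name was derived from a URL or redirect, which the
 *                 server controls, so it is a plain file or it is rejected.
 *                 Rejecting a leading '-' as well is a conservative choice
 *                 made for this example. */
enum out_kind classify_output(const char *name, int from_user)
{
    if (from_user) {
        if (strcmp(name, "-") == 0)
            return OUT_STDOUT;
        if (name[0] == '|')
            return OUT_PIPE;
        return OUT_FILE;
    }
    if (name[0] == '|' || name[0] == '-' ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return OUT_REJECT;
    return OUT_FILE;
}
```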
Impact
======
A remote attacker could possibly execute arbitrary code with the privileges of the process.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All tnftp users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --verbose --oneshot ">=net-ftp/tnftp-20141104"
References
==========
[ 1 ] CVE-2014-8517
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201611-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5