Login
Newsletter
Werbung

Sicherheit: Fehlerhafte Zugriffsrechte in livecd-tools
Aktuelle Meldungen Distributionen
Name: Fehlerhafte Zugriffsrechte in livecd-tools
ID: FEDORA-2013-13131
Distribution: Fedora
Plattformen: Fedora 18
Datum: Mo, 30. September 2013, 07:17
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2069
Applikationen: livecd-tools

Originalnachricht

Name        : livecd-tools
Product : Fedora 18
Version : 18.17
Release : 1.fc18
URL : http://git.fedorahosted.org/git/livecd
Summary : Tools for building live CDs
Description :
Tools for generating live CDs on Fedora based systems including
derived distributions such as RHEL, CentOS and others. See
http://fedoraproject.org/wiki/FedoraLiveCD for more details.

-------------------------------------------------------------------------------
-
Update Information:

Added a couple features to livecd-iso-to-disk (--updates and --ks) and fixed a
traceback when there are dependency problems running livecd-creator.
Require rsync
The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow local users to gain access to the
root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create
images used for virtual machines, USB based systems, and so on.
Additionally, the Python script components of livecd-tools have been
broken out into a separate package named python-imgcreate on some
distributions (such as Fedora).

Acknowledgements:

Red Hat would like to thank Amazon Web Services for reporting this issue.
Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
-------------------------------------------------------------------------------
-
ChangeLog:

* Mon Jul 15 2013 Brian C. Lane <bcl@redhat.com> 18.17-1
- Version 18.17 (bcl)
- litd: Add kickstart option (bcl)
- litd: Add --updates option (bcl)
- ts.check output is a list of tuples (#979759) (bcl)
* Wed May 29 2013 Brian C. Lane <bcl@redhat.com> 18.16-2
- Add requirement on rsync (#967948)
* Thu May 23 2013 Brian C. Lane <bcl@redhat.com> 18.16-1
- Version 18.16 (bcl)
- Avoid setting empty root password (#964299) (thoger)
CVE-2013-2069
* Wed Apr 3 2013 Brian C. Lane <bcl@redhat.com> 18.15-1
- Version 18.15 (bcl)
- Use parted to check for GPT disklabel (#947653) (bcl)
- Output details of dep check failure (bcl)
- Properly generate kernel stanzas (#928093) (bcl)
- correctly check for selinux state (#896610) (bcl)
- Simplify kickstart example (#903378) (bcl)
- default to symlink for /etc/localtime (#885246) (bcl)
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #979759 - livecd-creator yum error rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=979759
[ 2 ] Bug #967948 - livecd-tools should depends on rsync
https://bugzilla.redhat.com/show_bug.cgi?id=967948
[ 3 ] Bug #966594 - CVE-2013-2069 livecd-tools: improper handling of
passwords [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=966594
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update livecd-tools' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung