Security: Incorrect access permissions in lspp-eal4-config-ibm, capp-lspp-eal4-config-hp
Name: Incorrect access permissions in lspp-eal4-config-ibm, capp-lspp-eal4-config-hp
ID: RHSA-2008:0193-02
Distribution: Red Hat
Platforms: Red Hat Enterprise Linux
Date: Tue, 1 April 2008, 16:43
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0884
Applications: capp-lspp-eal4-config-hp, lspp-eal4-config-ibm
Original message
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis:     Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update
Advisory ID:  RHSA-2008:0193-02
Product:      Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0193.html
Issue date:   2008-04-01
CVE Names:    CVE-2008-0884
=====================================================================
1. Summary:
Updated lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
2. Description:
The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain utilities and documentation for configuring a machine for the Controlled Access Protection Profile, or the Labeled Security Protection Profile.
It was discovered that use of the "capp-lspp-config" script results in the "/etc/pam.d/system-auth" file being set to world-writable. Authorized local users who have limited privileges could then exploit this to gain additional access, or to escalate their privileges. (CVE-2008-0884)
This issue only affects users who have installed either of these packages from the Red Hat FTP site as their base system configuration kickstart script.
New deployments using the lspp-eal4-config-ibm or capp-lspp-eal4-config-hp packages are advised to upgrade to these updated packages, which resolve this issue.
For systems already deployed, the following command can be run as root to restore the permissions to a secure setting:
chmod 0644 /etc/pam.d/system-auth
3. Solution:
This update is available via the Red Hat FTP site.
lspp-eal4-config-ibm-0.65-2.el5.noarch.rpm
capp-lspp-eal4-config-hp-0.65-2.el5.noarch.rpm
4. Bugs fixed (http://bugzilla.redhat.com/):
435442 - CVE-2008-0884 system-auth-ac is world-writable
5. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0884
http://www.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFH8kZFXlSAg2UNWIIRAhk8AJ96YmzPO8oVcWsXCmpZOM4KSIsoQQCfSEjv
dFSW0Ib6HTU9LOAVdS/Q7Tk=
=xphM
-----END PGP SIGNATURE-----
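For the already-deployed case in the advisory's Description (restoring /etc/pam.d/system-auth to 0644), the following is an added example, not part of the Red Hat advisory: it audits a PAM directory for world-writable files, following symlinks, and applies the advisory's chmod only where needed. The function names and the audit/fix command words are hypothetical, and it goes beyond the single file named in the advisory by checking the whole directory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit PAM configuration for the
# world-writable condition of CVE-2008-0884 and restore mode 0644.
# Function names are hypothetical.

# is_world_writable PATH
# Exit 0 if PATH has the other-write bit set, 1 if not, 2 if it is missing.
# find -L tests the symlink target; on RHEL 5 system-auth is typically a
# symlink to system-auth-ac, the file named in bug 435442.
is_world_writable() {
    [ -e "$1" ] || return 2
    [ -n "$(find -L "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# audit_pam_dir [DIR]
# Print every regular file under DIR (default /etc/pam.d) that any local
# user can modify, one path per line, sorted.
audit_pam_dir() {
    find -L "${1:-/etc/pam.d}" -type f -perm -0002 -print 2>/dev/null | sort
}

# fix_mode PATH
# Apply the advisory's remediation (chmod 0644) only when it is needed, so
# repeated runs leave correctly configured files untouched.
fix_mode() {
    if is_world_writable "$1"; then
        chmod 0644 "$1" && echo "restored 0644: $1"
    fi
}

# Command-line use: "audit [DIR]" lists findings, "fix [DIR]" repairs them.
case "${1:-}" in
    audit) audit_pam_dir "${2:-}" ;;
    fix)   audit_pam_dir "${2:-}" | while IFS= read -r f; do fix_mode "$f"; done ;;
esac
```

A file that was world-writable for any length of time should also have its contents compared against a known-good copy, since correcting the mode does not undo earlier modifications.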