Sicherheit: Fehlerhafte Zugriffsrechte in livecd-tools - Pro-Linux

Name        : livecd-tools
Product     : Fedora 18
Version     : 18.17
Release     : 1.fc18
URL         : http://git.fedorahosted.org/git/livecd
Summary     : Tools for building live CDs
Description :
Tools for generating live CDs on Fedora based systems including
derived distributions such as RHEL, CentOS and others. See
http://fedoraproject.org/wiki/FedoraLiveCD for more details.

-------------------------------------------------------------------------------
-
Update Information:

Added a couple features to livecd-iso-to-disk (--updates and --ks) and fixed a
 traceback when there are dependency problems running livecd-creator.
Require rsync
The livecd-tools package provides support for reading and executing

Kickstart files in order to create a system image. It was discovered

that livecd-tools gave the root user an empty password rather than

leaving the password locked in situations where no 'rootpw' directive

was used or when the 'rootpw --lock' directive was used within the

Kickstart file, which could allow local users to gain access to the

root account. (CVE-2013-2069)

Please note that livecd-tools is also used by appliance-tools to create

images used for virtual machines, USB based systems, and so on.

Additionally, the Python script components of livecd-tools have been

broken out into a separate package named python-imgcreate on some

distributions (such as Fedora).

Acknowledgements:

Red Hat would like to thank Amazon Web Services for reporting this issue. 

Amazon Web Services acknowledges Sylvain Beucler as the original reporter.
-------------------------------------------------------------------------------
-
ChangeLog:

* Mon Jul 15 2013 Brian C. Lane <bcl@redhat.com> 18.17-1
- Version 18.17 (bcl)
- litd: Add kickstart option (bcl)
- litd: Add --updates option (bcl)
- ts.check output is a list of tuples (#979759) (bcl)
* Wed May 29 2013 Brian C. Lane <bcl@redhat.com> 18.16-2
- Add requirement on rsync (#967948)
* Thu May 23 2013 Brian C. Lane <bcl@redhat.com> 18.16-1
- Version 18.16 (bcl)
- Avoid setting empty root password (#964299) (thoger)
  CVE-2013-2069
* Wed Apr  3 2013 Brian C. Lane <bcl@redhat.com> 18.15-1
- Version 18.15 (bcl)
- Use parted to check for GPT disklabel (#947653) (bcl)
- Output details of dep check failure (bcl)
- Properly generate kernel stanzas (#928093) (bcl)
- correctly check for selinux state (#896610) (bcl)
- Simplify kickstart example (#903378) (bcl)
- default to symlink for /etc/localtime (#885246) (bcl)
-------------------------------------------------------------------------------
-
References:

  [ 1 ] Bug #979759 - livecd-creator yum error rawhide
        https://bugzilla.redhat.com/show_bug.cgi?id=979759
  [ 2 ] Bug #967948 - livecd-tools should depends on rsync
        https://bugzilla.redhat.com/show_bug.cgi?id=967948
  [ 3 ] Bug #966594 - CVE-2013-2069 livecd-tools: improper handling of
 passwords [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=966594
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program.  Use 
su -c 'yum update livecd-tools' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce