Advisories
Mandriva Advisories
|
 |
| Problem Description |
Javier Fern�ndez-Sanguino Pe�a discovered several insecure temporary
file uses in cfengine <= 1.6.5 and <= 2.1.16 which allows local users
to overwrite arbitrary files via a symlink attack on temporary files
used by vicf.in. (CAN-2005-2960)
In addition, Javier discovered the cfmailfilter and cfcron.in files
for cfengine <= 1.6.5 allow local users to overwrite arbitrary files
via a symlink attack on temporary files (CAN-2005-3137)
The updated packages have been patched to address this issue.
| Updated Packages |
Mandrakelinux 10.1
acf648169c296d474886d1d98752a763 10.1/RPMS/cfengine-1.6.5-4.3.101mdk.i586.rpm 176cbf5b72aba7c6a2b40daf4ee09c94 10.1/SRPMS/cfengine-1.6.5-4.3.101mdk.src.rpm
Mandrakelinux 10.1/X86_64
a9bed51735d6762fe3e1d66c8657f65a x86_64/10.1/RPMS/cfengine-1.6.5-4.3.101mdk.x86_64.rpm 176cbf5b72aba7c6a2b40daf4ee09c94 x86_64/10.1/SRPMS/cfengine-1.6.5-4.3.101mdk.src.rpm
Corporate Server 2.1
12057e0591bdb14e49b74d5c1c268196 corporate/2.1/RPMS/cfengine-1.6.3-8.3.C21mdk.i586.rpm 4026484a33d7d324da1dce56fd697842 corporate/2.1/SRPMS/cfengine-1.6.3-8.3.C21mdk.src.rpm
Corporate Server 2.1/X86_64
4dc4d9a367d056f053af80118cee8886 x86_64/corporate/2.1/RPMS/cfengine-1.6.3-8.3.C21mdk.x86_64.rpm 4026484a33d7d324da1dce56fd697842 x86_64/corporate/2.1/SRPMS/cfengine-1.6.3-8.3.C21mdk.src.rpm
Corporate Server 3.0
0c82f22f7ef0f6db35eb5f19caba9d2d corporate/3.0/RPMS/cfengine-1.6.5-3.3.C30mdk.i586.rpm ac84162471431da5f5afae45d48ca5c8 corporate/3.0/SRPMS/cfengine-1.6.5-3.3.C30mdk.src.rpm
Corporate Server 3.0/X86_64
bb704e30c6f6c0edb0b03d6a6d6c62d3 x86_64/corporate/3.0/RPMS/cfengine-1.6.5-3.3.C30mdk.x86_64.rpm ac84162471431da5f5afae45d48ca5c8 x86_64/corporate/3.0/SRPMS/cfengine-1.6.5-3.3.C30mdk.src.rpm
Mandriva Linux LE2005
426fd00421697c85c0e63f527faac7e8 10.2/RPMS/cfengine-2.1.12-7.2.102mdk.i586.rpm edd39a03e85f5176a0c28667cc91c388 10.2/RPMS/cfengine-cfservd-2.1.12-7.2.102mdk.i586.rpm 5c9a0c525c45a802f5d89686123e751c 10.2/SRPMS/cfengine-2.1.12-7.2.102mdk.src.rpm
Mandriva Linux LE2005/X86_64
e75f232aa540e80fb9a12558d0c1f105 x86_64/10.2/RPMS/cfengine-2.1.12-7.2.102mdk.x86_64.rpm 3680ec121accdf0cdf1830b374d804ee x86_64/10.2/RPMS/cfengine-cfservd-2.1.12-7.2.102mdk.x86_64.rpm 5c9a0c525c45a802f5d89686123e751c x86_64/10.2/SRPMS/cfengine-2.1.12-7.2.102mdk.src.rpm
Mandriva Linux 2006
61f3c7fe9cf1a69e889cfa4d476473af 2006.0/RPMS/cfengine-base-2.1.15-2.2.20060mdk.i586.rpm 5a7d6087787de6a9f98288c415562ced 2006.0/RPMS/cfengine-cfagent-2.1.15-2.2.20060mdk.i586.rpm 0cd9ecbccf2a0b4e775d6629b1b7416f 2006.0/RPMS/cfengine-cfenvd-2.1.15-2.2.20060mdk.i586.rpm 5c10e7371d807d4f42f2524f24809a92 2006.0/RPMS/cfengine-cfexecd-2.1.15-2.2.20060mdk.i586.rpm 0bd54480c32575625f3d42badf59d690 2006.0/RPMS/cfengine-cfservd-2.1.15-2.2.20060mdk.i586.rpm 1b3213afe77bd75af306a63f746994cd 2006.0/SRPMS/cfengine-2.1.15-2.2.20060mdk.src.rpm
Mandriva Linux 2006/X86_64
e81ea72b0431a8cc40753a6dee7037d2 x86_64/2006.0/RPMS/cfengine-base-2.1.15-2.2.20060mdk.x86_64.rpm f997658d8fa1dea25353906141443ba9 x86_64/2006.0/RPMS/cfengine-cfagent-2.1.15-2.2.20060mdk.x86_64.rpm bc560e64dc5de8046b9d14be43621a10 x86_64/2006.0/RPMS/cfengine-cfenvd-2.1.15-2.2.20060mdk.x86_64.rpm 1d3cb518f0266f57c182712350935fb8 x86_64/2006.0/RPMS/cfengine-cfexecd-2.1.15-2.2.20060mdk.x86_64.rpm db890abf046c63d91fc5fb60c6b796a8 x86_64/2006.0/RPMS/cfengine-cfservd-2.1.15-2.2.20060mdk.x86_64.rpm 1b3213afe77bd75af306a63f746994cd x86_64/2006.0/SRPMS/cfengine-2.1.15-2.2.20060mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3137
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.