Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 03 Feb 2014 10:58:22 +1100
From: Murray McAllister <>
Subject: CVE-2014-0039: fwsnort loaded configuration file from cwd when run
 as a non-root user

Good morning,

When fwsnort was run as a non-root user, it opened the fwsnort.conf file
from the current working directory if a configuration file was not
explicitly specified. The configuration file can specify a directory to
load libraries from, so this would have been an issue if running fwsnort
in an attacker-controlled directory.

Michael Rash has released fwsnort-1.6.4 to fix this issue:

The patch (with further issue details) for CVE-2014-0039 is:

For the affected versions, I had only tested 1.6.3 (on Fedora and EPEL).


Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ