Date: Fri, 30 Dec 2016 16:33:24 -0500
From: <cve-assign@...re.org>
To: <michael@...itzky.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request: Nagios: Incomplete fix for CVE-2016-8641


> CVE-2016-8641 describes an attack
> wherein that restricted user replaces the aforementioned path with a
> symlink. The root user (via the init script) will -- the next time
> Nagios is started -- give ownership of the symlink's target to Nagios's
> user

> An identical attack not addressed by CVE-2016-8641 works with hard
> links

Use CVE-2016-10089.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
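
Both attacks quoted in the message above rely on root changing ownership by path name in a location a less-privileged user can write to. The following is an added example, not code from Nagios or from this thread: a sketch of an ownership change that refuses symlinks and hard-linked files. The function name `safe_chown` and all file names are constructed for illustration, and the demo chowns to the caller's own ids so it runs without root.

```python
import os
import stat
import tempfile


def safe_chown(path, uid, gid):
    """Give `path` to uid:gid only if it is a regular file with one link.

    Returns (True, "ok") on success or (False, reason) on refusal.
    """
    try:
        # O_NOFOLLOW makes open() fail if the final component is a symlink.
        # O_NONBLOCK keeps the open from hanging if a FIFO was planted there.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        return False, "open refused: " + os.strerror(exc.errno)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            return False, "not a regular file"
        if st.st_nlink != 1:
            # A second name means this inode may be some other file that
            # was hard-linked into the writable directory.
            return False, "hard link count is %d" % st.st_nlink
        os.fchown(fd, uid, gid)  # acts on the inode held by fd
        return True, "ok"
    finally:
        os.close(fd)


def demo():
    """Constructed scenario in a temp dir; returns which chowns were allowed."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # stands in for a root-owned file
        open(victim, "w").close()
        plain = os.path.join(d, "plain.log")
        open(plain, "w").close()
        sym = os.path.join(d, "sym.log")
        os.symlink(victim, sym)   # the symlink variant
        hard = os.path.join(d, "hard.log")
        os.link(victim, hard)     # the hard link variant
        for name, p in (("plain", plain), ("symlink", sym), ("hardlink", hard)):
            results[name] = safe_chown(p, uid, gid)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the final path component, so every parent directory of the path must also be writable by root alone for the check to hold.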
