Date: Tue, 21 Mar 2017 20:34:17 +0100 From: Cedric Buissart <cbuissar@...hat.com> To: oss-security@...ts.openwall.com Subject: subscription-manager: CVE-2017-2663 unsafe dbus interface Hi, CVE-2017-2663 has been assigned for the following issue : Subscription-manager's new DBus interface provides methods that can be used for malicious usage. It allows an unprivileged local user to have access to information known to root only, and/or to modify subscription-manager configuration file, allowing, for example, privilege escalation. -> Upstream patch : * Lock down Facts object to be accessible to root only. https://github.com/candlepin/subscription-manager/commit/882bb587a -> Followed by this one : * 1434094: Deny D-BUS Config.Set from non-root https://github.com/candlepin/subscription-manager/commit/afa0f7afee Affected versions : from subscription-manager-1.19.0-1 (information disclosure) & subscription-manager-1.19.3-1 (configuration modification) Fixed version : subscription-manager-1.19.4-1 Thanks, -- Cedric Buissart, Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ