Sudo Contains Root Exploit
exuberant-ctags

The exuberant-ctags package handles its temporary files insecurely: a local attacker who can predict the file name and plant a symbolic link in its place can make ctags follow the link and overwrite arbitrary files with the permissions of the user running exuberant-ctags.

Users should upgrade to version 3.5 of exuberant-ctags as soon as possible.

DCForum

DCForum, a web-based message board system produced by DCScripts, has several bugs that a remote user can exploit to upload files and execute Perl code with the permissions of the user running the web server.

DCScripts has released a patch for this problem and recommends that users apply it as soon as possible.

Alerts this week

• sudo

• Samba

• Red Hat FTP iptables

• VMware

• innfeed

• exuberant-ctags

• DCForum

• nedit

• Cyberscheduler

• sendfiled

• Red Hat mgetty

• Bubblemon

nedit

The Nirvana Editor, nedit, is a text editor with an interface similar to editors used on Microsoft Windows. While printing, nedit creates its temporary file insecurely, opening a race condition in which a local attacker who pre-plants a symbolic link can have nedit overwrite files with the permissions of the user running it. No workaround is known: nedit ignores the $TMPDIR environment variable, so the temporary file cannot be redirected into a private directory.

Users of nedit should upgrade to version 5.1.1.
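Both the exuberant-ctags and the nedit alerts above are the same bug class, a predictable temporary file name in a shared directory. The following is an added example written for this column, not code from either project: it shows the insecure open beside the two hardened forms (O_EXCL|O_NOFOLLOW for a fixed name, mkstemp under $TMPDIR for a generated one) and replays the attacker's half of the race in a private scratch directory so the outcome is reproducible. Linux/glibc is assumed; the "nedit-print.1234" and "print.XXXXXX" names, the "victim" target and the scratch directory are illustrative.

```c
#define _GNU_SOURCE            /* glibc: declares mkstemp, mkdtemp, symlink and O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* "Before": the pattern behind the nedit and exuberant-ctags alerts.  The name
 * is predictable, there is no O_EXCL, and symbolic links are followed, so a link
 * planted at that path beforehand makes us create or truncate its target with
 * our own privileges. */
int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Minimal fix for code that must keep a fixed name: insist on creating the file
 * ourselves (O_EXCL) and refuse a link sitting at that path (O_NOFOLLOW). */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred fix: an unguessable name from mkstemp(), which opens with
 * O_CREAT|O_EXCL and mode 0600, placed under $TMPDIR so the user can steer the
 * file into a private directory (the workaround nedit denies its users by
 * ignoring $TMPDIR).  The "print.XXXXXX" template is illustrative.  Writes the
 * final path into out[] and returns the descriptor, or -1 with errno set. */
int open_private_tempfile(char *out, size_t outlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(out, outlen, "%s/print.XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Plays the attacker's half deterministically in a private scratch directory:
 * plant a dangling symlink at the "predictable" name, then try both openers.
 * *followed is set if the insecure open created the link's target; *refused if
 * the hardened open rejected the link.  Returns 0, or -1 if setup failed. */
int symlink_race_demo(int *followed, int *refused)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    char lnkpath[128], target[128];
    int fd;

    *followed = 0;
    *refused = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnkpath, sizeof lnkpath, "%s/nedit-print.1234", dir); /* guessable name */
    snprintf(target, sizeof target, "%s/victim", dir);             /* stands in for ~/.rhosts */
    if (symlink(target, lnkpath) != 0)
        return -1;

    fd = open_predictable(lnkpath);          /* follows the link: victim is created */
    if (fd >= 0) {
        close(fd);
        *followed = (access(target, F_OK) == 0);
    }

    fd = open_exclusive(lnkpath);            /* must fail with EEXIST or ELOOP */
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        *refused = 1;
    else if (fd >= 0)
        close(fd);

    unlink(target);
    unlink(lnkpath);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int followed, refused, fd;
    char path[256];

    if (symlink_race_demo(&followed, &refused) != 0) {
        perror("demo setup");
        return 1;
    }
    printf("insecure open followed the planted link: %s\n", followed ? "yes" : "no");
    printf("hardened open refused it:                %s\n", refused ? "yes" : "no");

    fd = open_private_tempfile(path, sizeof path);
    if (fd >= 0) {
        printf("mkstemp created %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

The demo uses a directory it owns so the result does not depend on kernel settings. On current Linux kernels, fs.protected_symlinks refuses to follow a link in a world-writable sticky directory such as /tmp when the link's owner differs from the follower, which blunts the classic /tmp attack but does not fix the program; the O_EXCL|O_NOFOLLOW or mkstemp change does.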

Cyberscheduler

Cyberscheduler is a calendaring and scheduling package produced by Crosswind that is available for Linux, Solaris, and Windows. Cyberscheduler contains a buffer overflow in its handling of the time zone variable; an attacker can exploit it to execute arbitrary code with the permissions of the user running the web server.

Users of Cyberscheduler should upgrade to the most recent version as soon as possible.
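The alert gives no more detail than "a buffer overflow in the time zone variable", so the following is a generic illustration of that bug class in a web-facing program, added for this column and not Cyberscheduler's code: an unbounded copy of a request parameter into a fixed stack buffer beside the bounded, validated copy that should replace it. The TZ_MAX size, the tz= parameter name and the sample query strings are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TZ_MAX 64   /* hypothetical size of the fixed buffer the zone name lives in */

/* "Before": the bug class named in the Cyberscheduler alert.  A request
 * parameter is copied into a fixed-size stack buffer with no length check.  A
 * value of TZ_MAX bytes or more runs off the end of tz[] and overwrites what
 * lies beyond it on the stack, ultimately the saved return address, which is
 * how an over-long time zone string turns into code running as the web server
 * user.  Shown for comparison only; never call it with untrusted input. */
size_t set_timezone_unsafe(const char *tz_param)
{
    char tz[TZ_MAX];
    strcpy(tz, tz_param);      /* no bound: overflows if strlen(tz_param) >= TZ_MAX */
    return strlen(tz);         /* a real CGI would hand tz to the date code here */
}

/* "After": bound the length by the destination, accept only the characters
 * that zoneinfo names are made of, and always NUL-terminate.  Returns 0 on
 * success, -1 on rejection (the caller answers with an error, not a crash). */
int copy_timezone(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n == 0 || n >= dstlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '\0' || (!isalnum(c) && strchr("/_+-", c) == NULL))
            return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Pulls tz=... out of a CGI QUERY_STRING (only at the start or after '&') and
 * stores it through copy_timezone().  Returns 0 on success, -1 if the parameter
 * is missing, too long for tz_out, or contains characters outside the zone
 * name alphabet. */
int handle_request(const char *query, char *tz_out, size_t outlen)
{
    const char *p = strstr(query, "tz=");
    while (p != NULL && !(p == query || p[-1] == '&'))
        p = strstr(p + 3, "tz=");
    if (p == NULL)
        return -1;
    p += 3;
    return copy_timezone(tz_out, outlen, p, strcspn(p, "&"));
}

int main(void)
{
    char tz[TZ_MAX];
    char oversized[400];

    /* constructed sample requests */
    printf("normal request:   %d\n", handle_request("user=bob&tz=America/New_York&view=week", tz, sizeof tz));
    printf("  stored zone:    %s\n", tz);
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    memcpy(oversized, "tz=", 3);
    printf("300+ byte zone:   %d (rejected before it reaches the buffer)\n",
           handle_request(oversized, tz, sizeof tz));
    printf("shell metachars:  %d\n", handle_request("tz=Europe/Paris;id", tz, sizeof tz));
    printf("unsafe, benign:   %zu\n", set_timezone_unsafe("UTC"));
    return 0;
}
```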

sendfiled

sendfiled, a server daemon that implements the Simple Asynchronous File Transfer (SAFT) protocol, does not drop its privileges correctly. A local user can exploit this with little effort to execute code with root privileges.

Users should upgrade to version 2.1-20 as soon as possible.

Red Hat mgetty

The mgetty program distributed with Red Hat Linux 5.2, 6.2, 7.0, and 7.1 does not log error messages correctly.

Users should obtain the appropriate update from Red Hat.

Bubblemon

Bubblemon is a GNOME panel applet that displays the system load as bubbles rising through a liquid. Bubblemon does not properly drop its privileges: a user who clicks the applet can have it run a script or application that inherits an effective group ID of kmem.

Users should upgrade to a version newer than 1.32.
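The sendfiled (setuid root) and Bubblemon (setgid kmem) alerts are both failures to give up privilege before acting for the user. The following is an added example written for this column, not code from either project, of how that drop should be done on Linux/glibc: shed supplementary groups, then the group, then the user, clearing the saved IDs as well, and verify that the old identity cannot be regained before exec'ing anything. The function names are illustrative; run_unprivileged() is the shape of the click handler Bubblemon needed.

```c
#define _GNU_SOURCE            /* glibc: declares setresuid/setresgid, setgroups, seteuid */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop every elevated identity the process holds before doing anything on the
 * user's behalf (sendfiled: root; Bubblemon: setgid kmem).  Order matters:
 * supplementary groups first (only root may change them), then the gid, then
 * the uid, because once the uid is gone the gid can no longer be changed.
 * Returns 0 on success, -1 if any step failed (treat that as fatal). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* A setgid-only program such as an applet is not root and has no extra
     * groups to shed; calling setgroups() there would fail with EPERM. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* setres*() clears the real, effective AND saved ids.  Plain setgid() from
     * a non-root setgid process changes only the effective gid and leaves the
     * saved gid (kmem) behind, which is exactly what lets code take it back. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: effective ids must equal real ids, and trying to step back
 * to the old elevated ids must now fail.  Returns 1 if the drop is irrevocable. */
int privileges_dropped(uid_t old_euid, gid_t old_egid)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (old_egid != getgid() && setegid(old_egid) == 0)
        return 0;                          /* kmem came back: saved gid was not cleared */
    if (old_euid != getuid() && seteuid(old_euid) == 0)
        return 0;
    return 1;
}

/* What a click handler should do with a user-supplied command: drop, verify,
 * then exec, and refuse to exec at all if the drop cannot be confirmed.
 * Only returns (with -1) on failure. */
int run_unprivileged(const char *const argv[])
{
    uid_t e = geteuid();
    gid_t g = getegid();

    if (drop_privileges() != 0 || !privileges_dropped(e, g))
        return -1;
    execvp(argv[0], (char *const *)argv);
    return -1;
}

int main(void)
{
    uid_t e = geteuid();
    gid_t g = getegid();

    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld gid %ld; drop irrevocable: %s\n",
           (long)getuid(), (long)getgid(),
           privileges_dropped(e, g) ? "yes" : "no");
    return 0;
}
```

Run it from a binary that is actually setgid (for example chgrp kmem and chmod g+s on a test build) to see the effective group change; run as an ordinary user the drop is a no-op that still succeeds, which is the behaviour a correct implementation must have so that the same code path works whether or not the binary was installed with privilege.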

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

