Summary: | <app-shells/fish-2.1.1: Multiple vulnerabilities (CVE-2014-{2905,2906,2914,3219}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | polynomial-c, zanchey |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1092091 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-04-29 08:38:43 UTC
No release tarball available yet... Still no release yet: http://sourceforge.net/p/fish/mailman/message/32280902/ CVE-2014-2905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2905): fish (aka fish-shell) 1.16.0 before 2.1.1 does not properly check the credentials, which allows local users to gain privileges via the universal variable socket, related to /tmp/fishd.socket.user permissions. Still not available adding rest of CVE's Another symlink account has been found and CVE assigned for it. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746259#10 2.1.1 has been released about a month ago: https://github.com/fish-shell/fish-shell/releases I just got a working ebuild in my overlay by renaming the 2.1.0-r3 one to 2.1.1 I think it would be good if this could be updated in the main repositories, since it fixes these security bugs. +*fish-2.1.1 (17 Nov 2014) + + 17 Nov 2014; Lars Wendler <polynomial-c@gentoo.org> -fish-2.0.0.ebuild, + +fish-2.1.1.ebuild: + Security bump (bug #509044). Removed old. + Arches please test and mark stable =app-shells/fish-2.1.1 with target KEYWORDS: amd64 ppc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~x86-solaris amd64 stable x86 stable ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. + 06 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -fish-2.1.0-r2.ebuild, + -fish-2.1.0-r3.ebuild: + Removed vulnerable versions. + This issue was resolved and addressed in GLSA 201412-49 at http://security.gentoo.org/glsa/glsa-201412-49.xml by GLSA coordinator Mikle Kolyada (Zlogene). |