Summary: | <net-misc/icecast-2.4.1: supplementary groups are not overridden (CVE-2014-9091) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | polynomial-c |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1168146 | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-11-26 16:24:46 UTC
+ 06 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -icecast-2.3.3-r2.ebuild, + -icecast-2.3.3-r3.ebuild, -icecast-2.4.0.ebuild, -files/init.d.icecast, + metadata.xml: + Removed vulnerable versions. Took over maintenance. +

CVE-2014-9091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9091): Icecast before 2.4.0 does not change the supplementary group privileges when <changeowner> is configured, which allows local users to gain privileges via unspecified vectors.

Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.

This issue was resolved and addressed in GLSA 201412-38 at http://security.gentoo.org/glsa/glsa-201412-38.xml by GLSA coordinator Sean Amoss (ackle).