| Summary: | <dev-perl/Module-Signature-0.770.0: multiple vulnerabilities (CVE-2015-{3406,3407,3408,3409}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | perl |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/04/07/1 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-04-08 10:03:04 UTC
+*Module-Signature-0.770.0 (08 Apr 2015) + + 08 Apr 2015; Patrice Clement <monsieurp@gentoo.org> + +Module-Signature-0.770.0.ebuild: + Version bump to 0.77. Fix security bug 545946.

Not sure about stabilising the package. Let's wait for someone else to sign off on it (dilfridge/zlogene?).

CVE-2015-3409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3409): Untrusted search path vulnerability in Module::Signature before 0.75 allows local users to gain privileges via a Trojan horse module under the current working directory, as demonstrated by a Trojan horse Text::Diff module.

CVE-2015-3408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3408): Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.

CVE-2015-3407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3407): Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files.

Arch teams, Please stabilise: =dev-perl/Module-Signature-0.770.0 Target arches: amd64 x86 Thanks.

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

+ 15 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -Module-Signature-0.730.0.ebuild: + Remove old. +

Arches and Maintainer(s), Thank you for your work. GLSA Vote: No

GLSA vote: no.
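Added example, not part of the bug thread or of Module::Signature: a Python check for the condition behind CVE-2015-3407 above, reporting files in an unpacked distribution that the SIGNATURE manifest does not list. It assumes manifest entries of the form `SHA1 <hex digest> <path>` inside the clear-signed body, does not verify the PGP signature itself, and uses constructed file names and contents.

```python
import hashlib
import re
import tempfile
from pathlib import Path

ENTRY = re.compile(r"^(SHA1|SHA256) ([0-9a-f]+) (.+)$")  # assumed entry layout

def parse_manifest(signature_text):
    """Return {path: (algo, digest)} from the signed body of a SIGNATURE file."""
    entries, in_body = {}, False
    for line in signature_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # anything past the signed body is not covered by the signature
        elif in_body and (m := ENTRY.match(line)):
            entries[m.group(3)] = (m.group(1).lower(), m.group(2))
    return entries

def audit(dist_dir, signature_text):
    """Return (unlisted, mismatched, missing) for the files under dist_dir."""
    root = Path(dist_dir)
    manifest = parse_manifest(signature_text)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    on_disk.discard("SIGNATURE")  # SIGNATURE carries the manifest, so skip it
    listed = set(manifest)
    mismatched = []
    for rel in sorted(on_disk & listed):
        algo, digest = manifest[rel]
        if hashlib.new(algo, (root / rel).read_bytes()).hexdigest() != digest:
            mismatched.append(rel)
    return sorted(on_disk - listed), mismatched, sorted(listed - on_disk)

def demo():
    """Constructed distribution whose manifest leaves out Makefile.PL."""
    files = {"Makefile.PL": b"# build script\n", "lib/Foo.pm": b"package Foo; 1;\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in files.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_bytes(data)
        digest = hashlib.sha1(files["lib/Foo.pm"]).hexdigest()
        sig = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
               f"SHA1 {digest} lib/Foo.pm\n-----BEGIN PGP SIGNATURE-----\n")
        return audit(d, sig)

if __name__ == "__main__":
    print(demo())  # unlisted, mismatched, missing
```

A non-empty `unlisted` result means the signature says nothing about those files, whatever the outcome of the PGP check.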