Summary: | <app-forensics/lynis-2.5.2: Possible symlink attack on temporary file (CVE-2017-8108) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | ncl |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | forensics+obsolete, maintainer-needed |
Priority: | Normal | Flags: | ncl: Assigned_To+, stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://cisofy.com/security/cve/cve-2017-8108/ | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=591262 | ||
Whiteboard: | ~3 [noglsa cve] | ||
Package list: | =app-forensics/lynis-2.5.2 | ||
Runtime testing required: | --- |
Description
ncl
2017-06-09 04:53:19 UTC
CVE-2017-8108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8108):

Unspecified tests in Lynis before 2.5.0 allow local users to write to arbitrary files or possibly gain privileges via a symlink attack on a temporary file.

Doesn't affect Gentoo kernels with security coverage due to protected_{symlinks,hardlinks} hardening.

@ Maintainer(s): Please bump to >=app-forensics/lynis-2.5.0

Should be superseded by version 2.5.2, see https://github.com/gentoo/gentoo/pull/5281

commit cada6eaa63e82a908cb06a863b5e4252973f1ff8 (HEAD)
Author: charIes17 <charles17@arcor.de>
AuthorDate: Thu Aug 3 09:14:43 2017 +0200
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Aug 4 08:22:13 2017 +0200

    app-forensics/lynis: version bump to 2.5.2.

    Gentoo-Bug: https://bugs.gentoo.org/621266
    Gentoo-Bug: https://bugs.gentoo.org/591262
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
    Closes: https://github.com/gentoo/gentoo/pull/5281

 app-forensics/lynis/Manifest           |  1 +
 app-forensics/lynis/lynis-2.5.2.ebuild | 55 ++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 app-forensics/lynis/lynis-2.5.2.ebuild

commit 6f1f6bea7cf05c5ede27af1a26f3c2f32e8c461e (HEAD -> master, origin/master, origin/HEAD)
Author: charIes17 <charles17@arcor.de>
AuthorDate: Thu Aug 3 09:18:00 2017 +0200
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: Fri Aug 4 08:22:21 2017 +0200

    app-forensics/lynis: remove vulnerable versions.

    Gentoo-Bug: https://bugs.gentoo.org/621266
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
    Closes: https://github.com/gentoo/gentoo/pull/5281

 app-forensics/lynis/Manifest           |  3 --
 app-forensics/lynis/lynis-1.6.4.ebuild | 54 ----------------------------------
 app-forensics/lynis/lynis-2.1.0.ebuild | 54 ----------------------------------
 app-forensics/lynis/lynis-2.1.1.ebuild | 54 ----------------------------------
 4 files changed, 165 deletions(-)
 delete mode 100644 app-forensics/lynis/lynis-1.6.4.ebuild
 delete mode 100644 app-forensics/lynis/lynis-2.1.0.ebuild
 delete mode 100644 app-forensics/lynis/lynis-2.1.1.ebuild

@Maintainers: please call for stabilization when you are ready.

Coordinated with b-man. Since we have removed a stable ebuild from tree, we need to ensure that the new keeps visibility or prepare a GLSA about the stable removal.

Thanks,
Security Team Padawan
ChrisADR

the package has never been stabilised, so closed with noglsa as vuln versions have been removed.

re-open to figure out about dropped stable version. @monsieurp, ?

guess he doesn't care.
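
A host triage check for the two conditions named in the description (Lynis older than 2.5.0, and the kernel's protected_{symlinks,hardlinks} settings), as an added example that is not part of this bug report or of Lynis. The function names and the `patched`/`mitigated`/`exposed` labels are hypothetical, the installed Lynis version is passed in by the caller, and `sort -V` (GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example: classify a host's exposure to CVE-2017-8108.
# Function names and output labels are hypothetical, not from Lynis or Gentoo.

FIXED_VERSION="2.5.0"   # from the CVE text: "Lynis before 2.5.0"

# version_lt A B: succeeds when version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# read_sysctl NAME: print fs.NAME, or 0 when the kernel does not expose it.
read_sysctl() {
    f="/proc/sys/fs/$1"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# classify VERSION PROTECTED_SYMLINKS PROTECTED_HARDLINKS
#   patched   : version is at or above the fixed release
#   mitigated : vulnerable version, but both kernel protections are enabled
#   exposed   : vulnerable version and at least one protection is off
classify() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$2" = "1" ] && [ "$3" = "1" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# check_host VERSION: classify using the running kernel's current settings.
check_host() {
    classify "$1" "$(read_sysctl protected_symlinks)" \
                  "$(read_sysctl protected_hardlinks)"
}

# Runs only when a Lynis version is given, e.g.: sh triage.sh 2.1.1
if [ -n "${1:-}" ]; then check_host "$1"; fi
```

A `mitigated` result still calls for the upgrade: the sysctl values can be changed at runtime, and the kernel protection is a backstop rather than a fix in Lynis itself.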