lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YvUFz-000427-6y@master.debian.org>
Date: Thu, 21 May 2015 17:27:43 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3266-1] fuse security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3266-1                   security@...ian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 21, 2015                           http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : fuse
CVE ID         : CVE-2015-3202

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVXhUoAAoJEAVMuPMTQ89E1VIQAJ0atrAmdzG2yiJdVEF+15HP
8YvdZbArbyay4mgQBxZCe8+x9V07gs0M2an9j7MwgCaicWOS7z0cea9AUotOEfhc
eWd4cuaGhozZUk8qKTVphj88wJvbYX4W7ha8ld3JnrsBq1fImTcRL2c8JBzdx8aD
FWDosY4uCVfIF+89/IbHuOJQ2KsZrq8s8cTXf7wtm8+GC69ZDWPBO+3zPHnzpa8e
Y7nU/UC5rt2d20OQvQasszCkD41vncYhsw4OvOV6iA9CvGgoo5f9fsyOp3euEZwC
O18sKvFRSMH98SKgBHaKu9qyXRhy4RG7GBuLghLKDaBvQuTLoHCgLLCtEY1ZLybg
OSWH7De+fagxuTE+xrsoa5RY/uhrKbi80RTXUUfbVcecwr2ycfs3q2WbYGxdu1kE
hi06prNbDPWNO+EHGq+CcHoEAqOU2FY/klc3+VwvmpNzetautZK8Qx9ZhL52zLK4
aSSaLAQkcj1nig8aKvf3U0qu00ymSjr7Wl2ZenupK+fExDYs/MBvO8nxVAM21TSS
sVv43MgeTesKGMHRVTjtLDc9bRmXrC7wPE17QPfPdZ8enhEn6t3oQ6oKII9pfTvI
deo+WE7aVzDC8tyUmqbNSt1MlHUxIIfcaPCAUV0ILc1BoM8KyUqEIgBcHQiB+FEL
PiSzqmlVrFkfTYzhwgSV
=H1uy
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ