| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Nov 2010 21:42:01 +0100 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2010:241 ] gnucash -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:241 http://www.mandriva.com/security/ _______________________________________________________________________ Package : gnucash Date : November 24, 2010 Affected: 2010.0, 2010.1 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in gnucash: gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory (CVE-2010-3999). The affected /usr/bin/gnc-test-env file has been removed to mitigate the CVE-2010-3999 vulnerability as gnc-test-env is only used for tests and while building gnucash. Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible with guile. This update adapts gnucash to the new API of guile. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999 https://qa.mandriva.com/59304 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.0: 56cf958fe980c5a0200c4ee9a83ea97f 2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm c7479e27310a06eaf93a5eb0c0e858e5 2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm 1297d123c6f533b5430089bbdd82f43e 2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm 515b01c7d01e108712e9899f373142fa 2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm d0df126101c1b36c12fa50368e08765c 2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm 3a9ea97884237c0806e30551cbde20de 2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm 9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 2a5205e0b385b3d075eba704b70fd546 2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm 8302623562d64617f4ea24ecb4435a63 2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm dfe6fb4bb37b6e5d11655ceec2d769fb 2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm 618d692845b97a450222742901a544bc 2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm 9141713f798d366397a2ec986d1c21c0 2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm a513d026d03c8de42580865b0b45e2bc 2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm 9dacaaaf7a396cc1dfd41e4f70fd3abe 2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm Mandriva Linux 2010.1: 4cb058dc1f74fef7b4b3eb3a696685d9 2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm 3331f3c7f123f22f513e5cd7806343fd 2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm f59bc5b7fbfaf74d2c7b201ebb99da28 2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm 273cc89a4dc4853f14108a1a1943bb69 2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm 5af2c774e9eb77a8065bcc3f5a5d6a28 2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm 850779757f61e59053f2449df7ee8048 2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: a07444c2b30334707a51745bf76c6551 2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm 286b7a849261b8f1dc9c032b6e182a67 2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm da91c9d1a6e5c5f8560ac4d9f8302304 2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm 9c7dd297b265a6eef2f23eeb05ffd290 2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm 6ef57480ae7da1991c101324430a961f 2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm 90f9563f9f323fe42f7d37ab12632bfd 2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm fbb320190b8294bc3db5ee1b0d2f85b3 2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFM7UwFmqjQ0CJFipgRAkssAJ0YVPrj6+kerANWGsZRfaDWfq18dgCguRgq 5kjT/nubYxdyH5aHKNUIuvs= =JfiB -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists