lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PLMAD-0003Fc-4Y@titan.mandriva.com>
Date: Wed, 24 Nov 2010 21:42:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:241 ] gnucash

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:241
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gnucash
 Date    : November 24, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in gnucash:
 
 gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
 directory name in the LD_LIBRARY_PATH, which allows local users to
 gain privileges via a Trojan horse shared library in the current
 working directory (CVE-2010-3999).
 
 The affected /usr/bin/gnc-test-env file has been removed to mitigate
 the CVE-2010-3999 vulnerability as gnc-test-env is only used for
 tests and while building gnucash.
 
 Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible
 with guile. This update adapts gnucash to the new API of guile.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999
 https://qa.mandriva.com/59304
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 56cf958fe980c5a0200c4ee9a83ea97f  2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm
 c7479e27310a06eaf93a5eb0c0e858e5  2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm
 1297d123c6f533b5430089bbdd82f43e  2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm
 515b01c7d01e108712e9899f373142fa  2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm
 d0df126101c1b36c12fa50368e08765c  2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm
 3a9ea97884237c0806e30551cbde20de  2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 2a5205e0b385b3d075eba704b70fd546  2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm
 8302623562d64617f4ea24ecb4435a63  2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm
 dfe6fb4bb37b6e5d11655ceec2d769fb  2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm
 618d692845b97a450222742901a544bc  2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm
 9141713f798d366397a2ec986d1c21c0  2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm
 a513d026d03c8de42580865b0b45e2bc  2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 4cb058dc1f74fef7b4b3eb3a696685d9  2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm
 3331f3c7f123f22f513e5cd7806343fd  2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm
 f59bc5b7fbfaf74d2c7b201ebb99da28  2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm
 273cc89a4dc4853f14108a1a1943bb69  2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm
 5af2c774e9eb77a8065bcc3f5a5d6a28  2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm
 850779757f61e59053f2449df7ee8048  2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 a07444c2b30334707a51745bf76c6551  2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm
 286b7a849261b8f1dc9c032b6e182a67  2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm
 da91c9d1a6e5c5f8560ac4d9f8302304  2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm
 9c7dd297b265a6eef2f23eeb05ffd290  2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm
 6ef57480ae7da1991c101324430a961f  2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm
 90f9563f9f323fe42f7d37ab12632bfd  2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFM7UwFmqjQ0CJFipgRAkssAJ0YVPrj6+kerANWGsZRfaDWfq18dgCguRgq
5kjT/nubYxdyH5aHKNUIuvs=
=JfiB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ