Red Hat alert RHSA-2008:0193-02 (lspp-eal4-config-ibm, capp-lspp-eal4-config-hp)

From:  bugzilla@redhat.com
To:  rhsa-announce@redhat.com, enterprise-watch-list@redhat.com
Subject:  [RHSA-2008:0193-02] Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update
Date:  Tue, 1 Apr 2008 10:27:25 -0400
Message-ID:  <200804011427.m31ERPQ5008855@pobox.devel.redhat.com>

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: lspp-eal4-config-ibm and capp-lspp-eal4-config-hp security update
Advisory ID:       RHSA-2008:0193-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2008-0193.html
Issue date:        2008-04-01
CVE Names:         CVE-2008-0884
=====================================================================

1. Summary:

Updated lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages that fix a security issue are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Description:

The lspp-eal4-config-ibm and capp-lspp-eal4-config-hp packages contain utilities and documentation for configuring a machine for the Controlled Access Protection Profile, or the Labeled Security Protection Profile.

It was discovered that use of the "capp-lspp-config" script results in the "/etc/pam.d/system-auth" file being set to world-writable. Authorized local users who have limited privileges could then exploit this to gain additional access, or to escalate their privileges. (CVE-2008-0884)

This issue only affects users who have installed either of these packages from the Red Hat FTP site as their base system configuration kickstart script.

New deployments using the lspp-eal4-config-ibm or capp-lspp-eal4-config-hp packages are advised to upgrade to these updated packages, which resolve this issue.

For systems already deployed, the following command can be run as root to restore the permissions to a secure setting:

    chmod 0644 /etc/pam.d/system-auth

3. Solution:

This update is available via the Red Hat FTP site.

ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/...
ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/HP/R...

4. Bugs fixed (http://bugzilla.redhat.com/):

435442 - CVE-2008-0884 system-auth-ac is world-writable

5. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0884
http://www.redhat.com/security/updates/classification/#im...

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
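The advisory's remediation is a single chmod on system-auth, but the bug title notes that the real target is system-auth-ac (system-auth is normally a symlink to it). The script below is an added example, not part of the advisory or the Red Hat packages: it audits a PAM configuration directory for any world-writable file, following symlinks so the target is checked, and restores the advisory's 0644 mode. It assumes a POSIX sh with find and chmod; the directory argument defaults to /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the advisory): detect and fix world-writable
# PAM configuration files such as the system-auth/system-auth-ac case
# described in CVE-2008-0884. Assumes POSIX sh, find and chmod.

# Print every regular file under the directory (default /etc/pam.d)
# whose mode has the other-write bit (0002) set. Symlinks are followed
# (-L) so that a link like system-auth -> system-auth-ac is judged by
# the permissions of the file it points to, not the link itself.
world_writable_in() {
    dir=${1:-/etc/pam.d}
    find -L "$dir" -type f -perm -002 2>/dev/null | sort
}

# Audit only: report offending files and return 1 if any were found,
# 0 if the directory is clean. Suitable for a cron or CI check.
audit_pam_perms() {
    found=$(world_writable_in "$1")
    if [ -n "$found" ]; then
        printf 'world-writable: %s\n' $found
        return 1
    fi
    return 0
}

# Remediate: apply the same fix the advisory prescribes (chmod 0644)
# to each world-writable file found. chmod on a symlink path changes
# the target, which is what we want here.
fix_pam_perms() {
    world_writable_in "$1" | while IFS= read -r f; do
        chmod 0644 "$f"
        printf 'restored 0644: %s\n' "$f"
    done
}
```

Run audit_pam_perms as root to check a live system; it exits non-zero when anything in /etc/pam.d is world-writable, and fix_pam_perms repairs what it reports.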


Copyright © 2008, Eklektix, Inc.