Gentoo alert 200306-16 (noweb) [LWN.net]


From:
    	       Daniel Ahlberg <aliz@gentoo.org>
To:
    	       gentoo-announce@gentoo.org
Subject:
    	       GLSA:  noweb (200306-16)
Date:
    	       Sat, 28 Jun 2003 22:23:29 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200306-16
- - - ---------------------------------------------------------------------

          PACKAGE : noweb
          SUMMARY : insecure temporary file creations
             DATE : 2003-06-28 20:23 UTC
          EXPLOIT : local
VERSIONS AFFECTED : <noweb-2.9-r3
    FIXED VERSION : >=noweb-2.9-r3
              CVE : CAN-2003-0381

- - - ---------------------------------------------------------------------

quote from cve:
"Multiple vulnerabilities in noweb 2.9 and earlier creates temporary 
files insecurely, which allows local users to overwrite arbitrary files 
via multiple vectors including the noroff script."

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-text/noweb upgrade to noweb-2.9-r3 as follows

emerge sync
emerge noweb
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+/flBfT7nyhUpoZMRAsBhAJ9J9rMW/ecxem29uUOs6v3ARwVvpQCeKOjN
rh2kN/TzLR17eFLuzDsPHjc=
=ZAMM
-----END PGP SIGNATURE-----
(Log in to post comments)