Mageia alert MGASA-2012-0321 (bacula) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0321: bacula-5.0.3-2.1.mga1 (1/core),
 bacula-5.0.3-3.1.mga2 (2/core) 
Date:
    	       Tue, 6 Nov 2012 20:22:00 +0100
Message-ID:
    	       <20121106192200.GA8638@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0321
Date: 	November 6th, 2012
Affected releases: 	1, 2


Description:
Updated bacula packages fix security vulnerabilities:

Some of the mtx-changer example autochangers in bacula before 5.2.1 could
allow local users to overwrite any local file via a symlink attack, due
to insecure temp file naming (CVE-2008-5373).

An information leak flaw was found in the way Bacula before 5.2.11 enforced
access control list (ACL) rules prior providing information about a
particular resource. A remote attacker could use this flaw to obtain
(possibly sensitive) information (CVE-2012-4430).

Additionally, two other security-related fixes from upstream have been
included. One is a fix for a possible fnmatch problem, and the other
adds rate limiting of bad connections.


Updated Packages:
Mageia 1:
bacula-bat-5.0.3-2.1.mga1
bacula-common-5.0.3-2.1.mga1
bacula-console-5.0.3-2.1.mga1
bacula-console-wx-5.0.3-2.1.mga1
bacula-dir-common-5.0.3-2.1.mga1
bacula-dir-mysql-5.0.3-2.1.mga1
bacula-dir-pgsql-5.0.3-2.1.mga1
bacula-dir-sqlite3-5.0.3-2.1.mga1
bacula-fd-5.0.3-2.1.mga1
bacula-gui-bimagemgr-5.0.3-2.1.mga1
bacula-gui-brestore-5.0.3-2.1.mga1
bacula-gui-web-5.0.3-2.1.mga1
bacula-sd-5.0.3-2.1.mga1
bacula-tray-monitor-5.0.3-2.1.mga1
lib(64)bacula-5.0.3-2.1.mga1

Mageia 2:
bacula-bat-5.0.3-3.1.mga2
bacula-common-5.0.3-3.1.mga2
bacula-console-5.0.3-3.1.mga2
bacula-console-wx-5.0.3-3.1.mga2
bacula-dir-common-5.0.3-3.1.mga2
bacula-dir-mysql-5.0.3-3.1.mga2
bacula-dir-pgsql-5.0.3-3.1.mga2
bacula-dir-sqlite3-5.0.3-3.1.mga2
bacula-fd-5.0.3-3.1.mga2
bacula-gui-bimagemgr-5.0.3-3.1.mga2
bacula-gui-brestore-5.0.3-3.1.mga2
bacula-gui-web-5.0.3-3.1.mga2
bacula-sd-5.0.3-3.1.mga2
bacula-tray-monitor-5.0.3-3.1.mga2
lib(64)bacula-5.0.3-3.1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/Rel...
http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/Cha...
http://lists.fedoraproject.org/pipermail/package-announce...
https://bugzilla.redhat.com/show_bug.cgi?id=857955
http://www.debian.org/security/2012/dsa-2558
https://bugs.mageia.org/show_bug.cgi?id=7470
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)