Mageia alert MGASA-2015-0278 (libuser)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2015-0278: Updated libuser package fixes security vulnerabilities 
Date:
    	     
 
Fri, 24 Jul 2015 18:36:32 +0200
Message-ID:
    	     
 
<20150724163632.163BE40FF8@valstar.mageia.org>
MGASA-2015-0278 - Updated libuser package fixes security vulnerabilities

Publication date: 24 Jul 2015
URL: http://advisories.mageia.org/MGASA-2015-0278.html
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-3245,
     CVE-2015-3246

Description:
Two flaws were found in the way the libuser library handled the
/etc/passwd file. A local attacker could use an application compiled
against libuser (for example, userhelper) to manipulate the /etc/passwd
file, which could result in a denial of service or possibly allow the
attacker to escalate their privileges to root (CVE-2015-3245,
CVE-2015-3246).

References:
- https://bugs.mageia.org/show_bug.cgi?id=16459
- https://securityblog.redhat.com/2015/07/23/libuser-vulner...
- https://access.redhat.com/articles/1537873
- http://openwall.com/lists/oss-security/2015/07/23/16
- https://rhn.redhat.com/errata/RHSA-2015-1483.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3245
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3246

SRPMS:
- 4/core/libuser-0.60-2.1.mga4
- 5/core/libuser-0.60-5.1.mga5