Fedora alert FEDORA-2010-6361 (nss_db)
| From: | updates@fedoraproject.org | |
| To: | package-announce@lists.fedoraproject.org | |
| Subject: | [SECURITY] Fedora 12 Update: nss_db-2.2-47.fc12 | |
| Date: | Thu, 06 May 2010 03:41:31 +0000 | |
| Message-ID: | <20100506034131.08903110EB8@bastion02.phx2.fedoraproject.org> | |
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-6361
2010-04-10 08:52:51
--------------------------------------------------------------------------------

Name        : nss_db
Product     : Fedora 12
Version     : 2.2
Release     : 47.fc12
URL         : http://sources.redhat.com/glibc/
Summary     : An NSS library for the Berkeley DB
Description :
Nss_db is a set of C library extensions which allow Berkeley Databases
to be used as a primary source of aliases, ethers, groups, hosts,
networks, protocol, users, RPCs, services, and shadow passwords
(instead of or in addition to using flat files or NIS). Install nss_db
if your flat name service files are too large and lookups are slow.

--------------------------------------------------------------------------------
Update Information:

Stephane Chazelas reported that the nss_db module attempts to read a
DB_CONFIG file in the current directory when it is used. If the contents
of the file can't be parsed properly, the copy of libdb which nss_db uses
will print an error message. If nss_db is invoked from a setuid process,
it may then expose privileged information to the unprivileged user who
started the process. This update imports Kees Cook's fix for the issue
(CVE-2010-0826).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  7 2010 Nalin Dahyabhai <nalin@redhat.com> - 2.2-47
- import Kees Cook's patch to fix accidental leakage of part of ./DB_CONFIG
  (#580191, CVE-2010-0826)
* Fri Feb  5 2010 Nalin Dahyabhai <nalin@redhat.com> - 2.2-46
- correct some tests in the patch for detecting SELinux support (#562052)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #580187 - CVE-2010-0826 nss_db: Information leak due the DB_CONFIG file read from current working directory
        https://bugzilla.redhat.com/show_bug.cgi?id=580187
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update nss_db' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
