Mageia alert MGASA-2013-0158 (sssd)
From: Mageia Updates <buildsystem-daemon@mageia.org>
To: updates-announce@ml.mageia.org
Subject: [updates-announce] MGASA-2013-0158: Updated sssd packages fix security vulnerability
Date: Thu, 6 Jun 2013 21:23:52 +0200
Message-ID: <20130606192353.10C7C4B5DE@valstar.mageia.org>

MGASA-2013-0158 - Updated sssd packages fix security vulnerability

Publication date: 06 Jun 2013
Type: security
Affected Mageia releases: 2

Description:
A TOCTOU (time-of-check time-of-use) race condition was found in the way SSSD, the System Security Services Daemon, copied and removed (user) directory trees. A local attacker with permission to write into a victim's directory while it was being copied or removed by the sssd daemon could use this flaw to conduct symbolic link attacks, allowing them to alter or remove directories outside the directory tree that was intended to be modified (CVE-2013-0219).

References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0219
- https://fedorahosted.org/sssd/ticket/1782
- http://lists.fedoraproject.org/pipermail/package-announce...
- https://bugs.mageia.org/show_bug.cgi?id=9027

SRPMS:
- 2/core/sssd-1.8.6-1.mga2
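
An added example, not SSSD's code and not the upstream fix: one common way to remove a directory tree without the check-then-use window described above is to work only through directory file descriptors and refuse symlinks at open time. The names remove_tree_at and demo, and the directory names in the constructed input, are hypothetical.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove directory `name` under the open directory fd `parent`. Each step is
 * relative to an fd, and O_NOFOLLOW fails the open if `name` was swapped for
 * a symlink, so the walk cannot leave the tree. Returns 0 on success, else -1. */
int remove_tree_at(int parent, const char *name)
{
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    DIR *d = fd < 0 ? NULL : fdopendir(fd);   /* on success d owns fd */
    if (!d) { if (fd >= 0) close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
            rc = -1;
        else if (S_ISDIR(st.st_mode))
            rc = remove_tree_at(fd, e->d_name);  /* re-checked by O_NOFOLLOW */
        else
            rc = unlinkat(fd, e->d_name, 0);     /* removes a symlink itself, not its target */
    }
    closedir(d);
    return rc == 0 ? unlinkat(parent, name, AT_REMOVEDIR) : -1;
}

/* Constructed input: home/ holds a subdirectory, a file and a symlink to
 * outside/, a directory beyond the tree. Returns 1 if home/ is gone and
 * outside/keep survived, else 0. */
int demo(void)
{
    char tmp[] = "/tmp/rmtreeXXXXXX";
    if (!mkdtemp(tmp) || chdir(tmp) != 0) return 0;
    mkdir("outside", 0700); close(creat("outside/keep", 0600));
    mkdir("home", 0700); mkdir("home/sub", 0700); close(creat("home/sub/file", 0600));
    if (symlink("../outside", "home/escape") != 0) return 0;
    if (remove_tree_at(AT_FDCWD, "home") != 0) return 0;
    return access("home", F_OK) != 0 && access("outside/keep", F_OK) == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

If an entry changes type between the fstatat() and the following call, that call fails and the removal stops with -1 instead of following the replacement.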