
Mageia alert MGASA-2016-0354 (guile)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2016-0354: Updated guile packages fix security vulnerability
Date:  Sun, 23 Oct 2016 12:33:04 +0200
Message-ID:  <20161023103304.9B30C9F79F@duvel.mageia.org>

MGASA-2016-0354 - Updated guile packages fix security vulnerability

Publication date: 23 Oct 2016
URL: http://advisories.mageia.org/MGASA-2016-0354.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-8605, CVE-2016-8606

Description:

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a “REPL
server” which is a command prompt that developers can connect to for live
coding and debugging purposes. The REPL server is vulnerable to the HTTP
inter-protocol attack. This constitutes a remote code execution
vulnerability for developers running a REPL server that listens on a
loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues
and other bugs. See the upstream release announcements for details.

References:
- https://bugs.mageia.org/show_bug.cgi?id=19567
- http://www.openwall.com/lists/oss-security/2016/10/12/1
- http://www.openwall.com/lists/oss-security/2016/10/12/2
- http://lwn.net/Vulnerabilities/703769/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8605
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8606

SRPMS:
- 5/core/guile-2.0.13-1.mga5
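The umask race behind CVE-2016-8605 is easy to reproduce in C because umask() is a process-wide attribute shared by every thread. The following is an added example, not Guile's code and not the upstream patch: it shows the "clear umask, mkdir, restore umask" pattern the advisory describes beside a hardened variant that never touches the process umask (create the directory, then fchmod() it through an O_DIRECTORY|O_NOFOLLOW descriptor), and a self-check that creates a scratch directory under /tmp to confirm the resulting modes. The function names and the scratch path template are assumptions made for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical reconstruction of the pattern the advisory describes, NOT
 * Guile's code: clear the process-wide umask so the caller's mode is applied
 * literally, then restore it.  Between the two umask() calls every other
 * thread in the process creates files and directories with no umask at all. */
int mkdir_with_umask_window(const char *path, mode_t mode)
{
    mode_t old = umask(0);        /* window opens here for all threads */
    int rc = mkdir(path, mode);
    int saved = errno;
    umask(old);                   /* window closes here */
    errno = saved;
    return rc;
}

/* Hardened form (an illustration, not Guile's fix): never modify the process
 * umask.  Create the directory with the umask applied as usual, then set the
 * exact mode on the directory just created.  fchmod() on a descriptor opened
 * with O_DIRECTORY|O_NOFOLLOW avoids following a symlink that could be placed
 * at `path` between the mkdir and a path-based chmod. */
int mkdir_exact_mode(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Permission bits of `path` (not following symlinks), or -1 on error. */
int perm_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Self-check: with umask 022, a plain mkdir(0777) yields 0755, the hardened
 * helper yields exactly 0777, and the process umask is unchanged afterwards.
 * Returns 0 on success, otherwise a bitmask naming the failed check. */
int demo(void)
{
    char tmpl[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch dir */
    if (mkdtemp(tmpl) == NULL)
        return 0x100;
    char plain[256], exact[256];
    snprintf(plain, sizeof plain, "%s/plain", tmpl);
    snprintf(exact, sizeof exact, "%s/exact", tmpl);

    mode_t before = umask(022);
    int failures = 0;
    if (mkdir(plain, 0777) != 0 || perm_bits(plain) != 0755)
        failures |= 1;
    if (mkdir_exact_mode(exact, 0777) != 0 || perm_bits(exact) != 0777)
        failures |= 2;
    if (umask(before) != 022)      /* restore, and confirm nothing changed it */
        failures |= 4;

    rmdir(plain);
    rmdir(exact);
    rmdir(tmpl);
    return failures;
}

int main(void)
{
    int f = demo();
    printf("%s (failures=0x%x)\n", f == 0 ? "ok" : "FAILED", f);
    return f != 0;
}
```

The point of the hardened variant is that the mode adjustment is scoped to the one directory the caller created, while umask(0) silently changes the default for every concurrent open() and mkdir() in the process. In a single-threaded program the window is harmless; in an application that embeds an interpreter alongside worker threads it is not.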
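CVE-2016-8606 is an instance of the HTTP inter-protocol problem: a line-oriented text service on loopback will happily read the lines of an HTTP request that a browser was coaxed into sending, and a REPL evaluates whatever it reads. A common server-side mitigation is to inspect the first line a client sends and close the connection if it has the shape of an HTTP request line, since no legitimate REPL client starts a session that way. The following is an added example written for this page, not Guile's code and not a claim about how upstream fixed the issue; the function names are assumptions, and the sample first lines at the bottom are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 7230 "tchar": visible ASCII other than the listed delimiters. */
static bool is_token_char(unsigned char c)
{
    if (!isgraph(c))
        return false;
    return strchr("\"(),/:;<=>?@[\\]{}", c) == NULL;
}

/* True if `line` (CR/LF already stripped) has the shape of an HTTP/1.x
 * request line: METHOD SP request-target SP "HTTP/" DIGIT "." DIGIT.
 * Any method token is accepted, so unusual verbs are caught as well. */
bool looks_like_http_request_line(const char *line)
{
    const char *p = line;
    const char *method = p;
    while (is_token_char((unsigned char)*p))
        p++;
    if (p == method || *p != ' ')
        return false;
    p++;
    const char *target = p;
    while (*p && *p != ' ' && !iscntrl((unsigned char)*p))
        p++;
    if (p == target || *p != ' ')
        return false;
    p++;
    if (strncmp(p, "HTTP/", 5) != 0)
        return false;
    p += 5;
    if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
        !isdigit((unsigned char)p[2]))
        return false;
    return p[3] == '\0';
}

/* Decide from the raw first line read off the socket (possibly ending in
 * "\r\n") whether to keep the REPL session.  The buffer is modified in place
 * to strip the line terminator.  Returns true to keep, false to drop. */
bool accept_repl_client(char *first_line)
{
    size_t n = strlen(first_line);
    while (n > 0 && (first_line[n - 1] == '\n' || first_line[n - 1] == '\r'))
        first_line[--n] = '\0';
    return !looks_like_http_request_line(first_line);
}

int main(void)
{
    /* Constructed sample first lines, not captured traffic. */
    char browser[] = "POST / HTTP/1.1\r\n";
    char scheme[]  = "(display \"hello\")\n";
    char lone[]    = "GET\n";
    printf("%-24s -> %s\n", "POST / HTTP/1.1", accept_repl_client(browser) ? "keep" : "drop");
    printf("%-24s -> %s\n", "(display \"hello\")", accept_repl_client(scheme) ? "keep" : "drop");
    printf("%-24s -> %s\n", "GET", accept_repl_client(lone) ? "keep" : "drop");
    return 0;
}
```

The check is deliberately strict about the full request-line grammar rather than matching a list of verbs, so that a request line with an unusual method is still recognised while a Scheme expression that happens to begin with an upper-case symbol is not. It is a mitigation for one delivery path only; the underlying advice in the advisory, that a REPL server is a code-execution endpoint and should not be reachable from anything that is not the developer's own session, still stands.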


Copyright © 2025, Eklektix, Inc.