A CVE was issued for /tmp-file security issues fixed in ctdb 2.5:
http://openwall.com/lists/oss-security/2014/05/29/12
There are also links to upstream commits to fix these issues in the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=986773#c3
There are kernel protections against this type of issue in Mageia 4, but we should probably fix this for Mageia 3 at least. For Cauldron, it should be updated to 2.5.3.
CC: (none) => bgmilne, mageia
Whiteboard: (none) => MGA4TOO, MGA3TOO
I will take this one. One question: if I understand you right, I have to update to 2.5.3 and apply the patch for M3 and Cauldron. Roelof
CC: (none) => rwobben
ctdb-2.5.3-1.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Patched packages uploaded for Mageia 3 and Mageia 4.
Advisory:
========================
Updated ctdb packages fix security vulnerability:
ctdb before 2.5 is vulnerable to symlink attacks due to the use of predictable filenames in /tmp, such as /tmp/ctdb.socket (CVE-2013-4159).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4159
https://bugzilla.redhat.com/show_bug.cgi?id=986773
========================
Updated packages in core/updates_testing:
========================
ctdb-1.2.46-3.1.mga3
ctdb-devel-1.2.46-3.1.mga3
ctdb-1.2.46-4.1.mga4
ctdb-devel-1.2.46-4.1.mga4
from SRPMS:
ctdb-1.2.46-3.1.mga3.src.rpm
ctdb-1.2.46-4.1.mga4.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
CTDB looks to be very complicated to set up, to say the least: https://ctdb.samba.org/
OpenSuSE has issued an advisory for this today (June 25): http://lists.opensuse.org/opensuse-updates/2014-06/msg00052.html
Testing complete mga4 64
OpenSuSE bugs are still embargoed. This really needs some kind of dedicated cluster to test properly and, by the looks of it, several days to experiment. As we have neither, just testing the update installs cleanly, which it does.
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/603506/
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0274.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED