Debian has issued an advisory on June 2:
http://www.debian.org/security/2012/dsa-2481

The issue was caused by a RedHat patch that Debian borrowed, and we have borrowed this patch as well (arpwatch-2.1a13-drop_root.diff).

Cauldron/Mageia 2 are affected as well.

Here is the RedHat bug for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=825328
CC: (none) => ennael1
Version: 1 => Cauldron
Whiteboard: (none) => MGA2TOO, MGA1TOO
I fixed this by updating the patch.

Fixed in Cauldron, Mageia 2, and Mageia 1.

Advisory:
========================

Updated arpwatch package fixes security vulnerability:

Steve Grubb from Red Hat discovered that a patch for arpwatch (as shipped at least in Red Hat and Debian distributions) in order to make it drop root privileges would fail to do so and instead add the root group to the list of groups the daemon uses (CVE-2012-2653).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2653
http://www.debian.org/security/2012/dsa-2481
========================

Updated packages in core/updates_testing:
========================
arpwatch-2.1a15-8.1.mga1
arpwatch-2.1a15-9.1.mga2

from SRPMS:
arpwatch-2.1a15-8.1.mga1.src.rpm
arpwatch-2.1a15-9.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Tested this on mga2-x86_64:

Before update:
$ grep ^[NUG] /proc/3220/status
Name: arpwatch
Uid: 492 492 492 492
Gid: 487 487 487 487
Groups: 0

After update from Testing:
$ grep ^[NUG] /proc/3444/status
Name: arpwatch
Uid: 492 492 492 492
Gid: 487 487 487 487
Groups: 487
CC: (none) => balaton
Testing complete i586 Mageia 1

Thanks for testing Zoltan, adding the whiteboard keyword.

Before
------
Altered /etc/sysconfig/arpwatch as I don't have an active eth0

Started arpwatch service

# ps -e | grep arpwatch | grep -v grep
25670 ? 00:00:00 arpwatch

# grep ^[NUG] /proc/25670/status
Name: arpwatch
Uid: 469 469 469 469
Gid: 412 412 412 412
Groups: 0

# grep arpwatch /etc/passwd
arpwatch:x:469:412:system user for arpwatch:/var/lib/arpwatch:/bin/sh

# grep root /etc/group
root:x:0:

Shows it is using group 0 which is root.

After
-----
# rpm -q arpwatch
arpwatch-2.1a15-9.1.mga2

# service arpwatch restart
Restarting arpwatch (via systemctl): [ OK ]

# ps -e | grep arpwatch | grep -v grep
26452 ? 00:00:00 arpwatch

# grep ^[NUG] /proc/26452/status
Name: arpwatch
Uid: 469 469 469 469
Gid: 412 412 412 412
Groups: 412

Shows it is now using arpwatch group.
Hardware: i586 => All
Whiteboard: MGA1TOO => MGA1TOO mga2-32-OK mga2-64-OK
Testing was Mageia 2 above, not Mageia 1 as stated.
Testing complete Mageia 1 64

tail /var/spool/mail/root shows new stations discovered, as it finds them.
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK
Testing complete Mageia 1 32

Validating

Updates for mga1 and mga2

See comment 1 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-64-OK mga1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0129
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
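
The /proc/<pid>/status check the testers ran by hand can be scripted. The following is an added example, not part of the bug report or the arpwatch package; it goes beyond the manual check by inspecting all four Uid and Gid fields (real, effective, saved, filesystem) as well as the Groups line. The function names audit_status and audit_pid are hypothetical, and the sample values are the ones posted in the mga2-x86_64 test above.

```shell
#!/bin/sh
# Added example (not from the bug report): check a /proc/<pid>/status dump for
# the CVE-2012-2653 symptom, a non-root daemon that still holds group 0.

# audit_status reads status text on stdin and prints one verdict line.
# Exit status: 0 = privileges dropped, 1 = root uid/gid retained, 2 = unparsable.
audit_status() {
    awk '
        $1 == "Name:"   { name = $0; sub(/^Name:[ \t]*/, "", name) }
        # Uid and Gid carry four ids: real, effective, saved, filesystem.
        $1 == "Uid:"    { seen_uid = 1; for (i = 2; i <= NF; i++) if ($i == 0) root_uid = 1 }
        $1 == "Gid:"    { seen_gid = 1; for (i = 2; i <= NF; i++) if ($i == 0) root_gid = 1 }
        # Supplementary groups; the list may be empty.
        $1 == "Groups:" { seen_grp = 1; for (i = 2; i <= NF; i++) if ($i == 0) root_grp = 1 }
        END {
            if (!seen_uid || !seen_gid || !seen_grp) { print "UNPARSABLE"; exit 2 }
            if (root_uid) { print "ROOT_UID " name; exit 1 }
            if (root_gid) { print "ROOT_GID " name; exit 1 }
            if (root_grp) { print "ROOT_SUPPLEMENTARY_GROUP " name; exit 1 }
            print "DROPPED " name
        }'
}

# audit_pid is a hypothetical convenience wrapper for a live process.
audit_pid() { audit_status < "/proc/$1/status"; }

# Sample inputs: the values posted in the mga2-x86_64 test, before and after the update.
BEFORE='Name: arpwatch
Uid: 492 492 492 492
Gid: 487 487 487 487
Groups: 0'
AFTER='Name: arpwatch
Uid: 492 492 492 492
Gid: 487 487 487 487
Groups: 487'

# Print both verdicts; "|| true" keeps the demo going past the failing sample.
for sample in "$BEFORE" "$AFTER"; do
    printf '%s\n' "$sample" | audit_status || true
done
```

Run against a live daemon with audit_pid followed by the process id; a non-zero exit status means a root uid, gid or supplementary group is still attached to the process.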