An issue has been identified in Mandriva Business Server 2’s setup
package where the /etc/shadow and /etc/gshadow files containing
password hashes were created with incorrect permissions, making them
world-readable (mga#14516).
This update fixes this issue by enforcing that those files are owned
by the root user and shadow group, and are only readable by those
two entities.
Note that this issue only affected new Mandriva Business Server
2 installations. Systems that were updated from previous Mandriva
versions were not affected.
This update was already issued as MDVSA-2015:184, but the latter was
withdrawn as it generated .rpmnew files for critical configuration
files, and rpmdrake might then propose that the user replace the real
configuration with those basically empty files, leading to loss of
passwords or of the partition table. This new
update ensures that such .rpmnew files are not kept after the update.
Updated perl-Module-Signature package fixes the following security
vulnerabilities reported by John Lightsey:
Module::Signature could be tricked into interpreting the unsigned
portion of a SIGNATURE file as the signed portion due to faulty
parsing of the PGP signature boundaries.
When verifying the contents of a CPAN module, Module::Signature
ignored some files in the extracted tarball that were not listed in
the signature file. This included some files in the t/ directory that
would execute automatically during make test.
When generating checksums from the signed manifest, Module::Signature
used two-argument open() calls to read the files. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would
execute during the signature verification process.
Several modules were loaded at runtime inside the extracted module
directory. Modules like Text::Diff are not guaranteed to be available
on all platforms and could be added to a malicious module so that
they would load from the ‘.’ path in @INC.
When Asterisk registers to a SIP TLS device and verifies the
server, Asterisk will accept signed certificates that match a common
name other than the one Asterisk is expecting if the signed certificate
has a common name containing a null byte after the portion of the
common name that Asterisk expected (CVE-2015-3008).
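As an added illustration of the bug class described above (example code, not Asterisk's own), the naive C-string comparison is shown beside a length-aware one; the crafted certificate CN and the expected name are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a certificate CN whose bytes, as reported by the
 * certificate's own length field, are "sip.example.com", a NUL byte, and
 * then "evil.example". A C-string view of it ends at the NUL. */
static const unsigned char CRAFTED_CN[] = "sip.example.com\0evil.example";
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)   /* 28 bytes, no terminator */

/* Naive check: treats the CN as a C string, so strcmp() stops at the first
 * NUL and the crafted CN compares equal to the name Asterisk expected. */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len;   /* the length from the certificate encoding is ignored */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened check: use the length the certificate reports, require it to
 * equal the expected length, reject embedded NUL bytes outright, and
 * compare every byte with memcmp() so nothing after a NUL is skipped. */
int cn_matches_safe(const unsigned char *cn, size_t cn_len, const char *expected)
{
    size_t exp_len = strlen(expected);
    if (cn_len != exp_len)
        return 0;
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    return memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *expected = "sip.example.com";
    printf("naive check accepts crafted CN: %d\n",
           cn_matches_naive(CRAFTED_CN, CRAFTED_CN_LEN, expected));   /* 1 */
    printf("safe check accepts crafted CN:  %d\n",
           cn_matches_safe(CRAFTED_CN, CRAFTED_CN_LEN, expected));    /* 0 */
    return 0;
}
```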
Updated tor packages fix security vulnerabilities:
disgleirio discovered that a malicious client could trigger an
assertion failure in a Tor instance providing a hidden service,
thus rendering the service inaccessible (CVE-2015-2928).
DonnchaC discovered that Tor clients would crash with an assertion
failure upon parsing specially crafted hidden service descriptors
(CVE-2015-2929).
Introduction points would accept multiple INTRODUCE1 cells on one
circuit, making it inexpensive for an attacker to overload a hidden
service with introductions. Introduction points now no longer allow
multiple cells of that type on the same circuit.
The tor package has been updated to version 0.2.4.27, fixing these
issues.
librsync before 1.0.0 used a truncated MD4 strong check sum to match
blocks. However, MD4 is not cryptographically strong. It’s possible
that an attacker who can control the contents of one part of a file
could use it to control other regions of the file, if it’s transferred
using librsync/rdiff (CVE-2014-8242).
The change to fix this is not backward compatible with older versions
of librsync. Backward compatibility can be obtained using the new
rdiff sig --hash=md4 option or through specifying the signature magic
in the API, but this should not be used when either the old or new
files contain untrusted data.
Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.
“A few hours ago, the WordPress team was made aware of a cross-site
scripting vulnerability, which could enable commenters to compromise a
site. The vulnerability was discovered by Jouko Pynnönen.”