Fedora 21 Security Update: gnome-abrt-1.0.0-3.fc21,abrt-2.3.0-7.fc21,libreport-2.3.0-8.fc21

Resolved Bugs
1214609 – CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments [fedora-all]
1216975 – CVE-2015-3159 abrt: missing process environment sanitization in abrt-action-install-debuginfo-to-abrt-cache [fedora-all]
1214452 – CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus [fedora-all]
1212871 – CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure [fedora-all]
1212821 – CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all]
1213485 – Can’t extract files from downloaded debuginfo package
1169774 – failure to extract debuginfo
1193656 – abrt-gui renders crash list white-on-white when using dark theme
986876 – RFE: Disallow core dump upload entirely
1212865 – CVE-2015-1869 abrt: default event scripts follow symbolic links [fedora-all]
1218239 – CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
1179752 – undocumented options in abrt-cli

Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
=====
* Move the default dump location from /var/tmp/abrt to /var/spool/abrt
* Use root for owner of all dump directories
* Stop reading hs_error.log from /tmp
* Do not save the system logs by default
* Do not save dmesg if kernel.dmesg_restrict=1
libreport:
==========
* Harden the code against directory traversal, symbolic and hard link attacks
* Fix a bug that caused the first value of AlwaysExcludedElements to be ignored
* Fix missing icon for the “Stop” button icon name
* Improve development documentation
* Translations updates
gnome-abrt:
===========
* Use DBus to get problem data for detail dialog
* Fix an error introduced with the details on System page
* Enable the Details also for System problems
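
To check whether a host already carries the fixed builds named in this update, the following added example (not part of the original advisory or of the ABRT project) compares installed version-release strings against them. It uses a simplified reimplementation of RPM's version ordering that ignores epochs and `~`/`^`, and the sample `rpm` output is constructed.

```python
import re

# Fixed builds named in this update (version-release, taken from the advisory title).
FIXED = {
    "gnome-abrt": "1.0.0-3.fc21",
    "abrt": "2.3.0-7.fc21",
    "libreport": "2.3.0-8.fc21",
}

def _segments(s):
    # Split into runs of digits or letters; separators such as "." are dropped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    """Simplified rpmvercmp for one version or release string (no ~ or ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # compare numerically, so 10 > 7
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two 'version-release' strings; a negative result means a is older."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def unpatched(rpm_lines):
    """Return {name: installed_vr} for packages older than the fixed build."""
    found = {}
    for line in rpm_lines:
        name, _, vr = line.strip().partition(" ")
        if name in FIXED and vr_cmp(vr, FIXED[name]) < 0:
            found[name] = vr
    return found

# Constructed sample of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' abrt libreport gnome-abrt
SAMPLE = ["abrt 2.3.0-2.fc21", "libreport 2.3.0-8.fc21", "gnome-abrt 1.0.0-1.fc21"]

if __name__ == "__main__":
    for name, vr in sorted(unpatched(SAMPLE).items()):
        print(f"{name}: installed {vr}, fixed in {FIXED[name]}")
```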