Resolved Bugs
1216975 – CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-install-debuginfo-to-abrt-cache [fedora-all]
1214609 – CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments [fedora-all]
1214452 – CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus [fedora-all]
1212871 – CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure [fedora-all]
1212865 – CVE-2015-1869 abrt: default event scripts follow symbolic links [fedora-all]
1212821 – CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others [fedora-all]
1218239 – CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt [fedora-all]
1128400 – ABRT does not honor dmesg_restrict<br
Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
– Move the default dump location from /var/tmp/abrt to /var/spool/abrt
– Use root for owner of all dump directories
– Stop reading hs_error.log from /tmp
– Don not save the system logs by default
– Don not save dmesg if kernel.dmesg_restrict=1
libreport:
– Harden the code against directory traversal, symbolic and hard link attacks
– Fix a bug causing that the first value of AlwaysExcludedElements was ignored
– Fix missing icon for the “Stop” button icon name
– Improve development documentation
– Translations updates
gnome-abrt:
– Enabled the Details also for the System problems
– Do not crash in the testing of availabitlity of XServer
– Fix ‘Open problem’s data directory’
– Quit Application on Ctrl+Q
– Translation updates
satyr:
– New kernel taint flags
– More secure core stacktraces from core hook