Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2014-358)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 146377 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.120317

Kategorie: Amazon Linux Local Security Checks

Titel: Amazon Linux: Security Advisory (ALAS-2014-358)

Zusammenfassung: The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.

Vulnerability Insight:
It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files:

./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam(),

This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.

Affected Software/OS:
'perl-Capture-Tiny' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
3.6

CVSS Vector:
AV:L/AC:L/Au:N/C:N/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2014-1875
BugTraq ID: 65475
http://www.securityfocus.com/bid/65475
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128823.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128882.html
http://seclists.org/oss-sec/2014/q1/267
http://seclists.org/oss-sec/2014/q1/272
http://osvdb.org/102963
http://secunia.com/advisories/56823
XForce ISS Database: capturetiny-perl-symlink(91464)
https://exchange.xforce.ibmcloud.com/vulnerabilities/91464

Copyright Copyright (C) 2015 Greenbone AG

Dies ist nur einer von 146377 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.120317
Kategorie:	Amazon Linux Local Security Checks
Titel:	Amazon Linux: Security Advisory (ALAS-2014-358)
Zusammenfassung:	The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory. Vulnerability Insight: It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files: ./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam(), This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module. Affected Software/OS: 'perl-Capture-Tiny' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 3.6 CVSS Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1875 BugTraq ID: 65475 http://www.securityfocus.com/bid/65475 http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128823.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128882.html http://seclists.org/oss-sec/2014/q1/267 http://seclists.org/oss-sec/2014/q1/272 http://osvdb.org/102963 http://secunia.com/advisories/56823 XForce ISS Database: capturetiny-perl-symlink(91464) https://exchange.xforce.ibmcloud.com/vulnerabilities/91464
Copyright	Copyright (C) 2015 Greenbone AG