Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <mpro.lp1g063w5e11102h5.taviso@cmpxchg8b.com>
Date: Thu, 28 Jul 2011 12:04:54 +0200
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: two systemtap flaws: CVE-2011-2502 and CVE-2011-2503

Vincent Danen <vdanen@...hat.com> wrote:

> This is just a heads up to notify those who are shipping systemtap that
> two flaws were found that could allow members of group stapusr to elevate
> their privileges:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2502
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2503
> 

Interesting, I also looked at systemtap and found a local root
(CVE-2010-4170), but was under the impression we had agreed it should be
restricted to a privileged group?

https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/systemtap-2010-11-18

I stopped looking because I concluded that had eliminated any security risk,
is that no longer the case?

(I dont have an up to date RHEL machine to check)


Tavis.


-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.