[ApacheGallery] Security upgrade



Just for good measure: Yes, there is a local privilege escalation (or
perhaps de-escalation :) attack in A::G. The safest approach is to upgrade
to the latest snapshot, which eliminates Inline C code entirely, but
hasn't received that much testing yet.
It requires the installation of Image::Imlib2 which is known to have
compilation problems. The patch at
http://slartibartfast.nerd.dk/~scoof/image-imlib2-croak-patch may or may
not solve any compilation problems.

Again: The security bug can only be exploited by local users with
write access to /tmp - and enables the user to run code as the apache
userid.

-- 
Andreas Plesner Jacobsen | Bus error -- please leave by the rear door.