Mail Index


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ApacheGallery] Security upgrade



Just for good measure: Yes, there is a local privilege escalation (or
perhaps descalation :) attack in A::G. The safest approach is to upgrade
to the latest snapshot, which eliminates Inline C code entirely, but
hasn't received that much testing yet.
It requires the installation of Image::Imlib2 which is known to have
compilation problems. The patch at
http://slartibartfast.nerd.dk/~scoof/image-imlib2-croak-patch may or may
not solve any compilation problems.

Again: The security-bug can only be exploited by local users with
write-access to /tmp - and enables the user to run code as the apache
userid.

-- 
Andreas Plesner Jacobsen | Bus error -- please leave by the rear door.
_______________________________________________
users mailing list
[email protected]
http://ufo.hestdesign.com/cgi-bin/mailman/listinfo/agusers