[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ MDVSA-2010:241 ] gnucash

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ MDVSA-2010:241 ] gnucash
From: security@xxxxxxxxxxxx
Date: Wed, 24 Nov 2010 21:42:01 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:241
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gnucash
 Date    : November 24, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in gnucash:
 
 gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length
 directory name in the LD_LIBRARY_PATH, which allows local users to
 gain privileges via a Trojan horse shared library in the current
 working directory (CVE-2010-3999).
 
 The affected /usr/bin/gnc-test-env file has been removed to mitigate
 the CVE-2010-3999 vulnerability as gnc-test-env is only used for
 tests and while building gnucash.
 
 Additionally for Mandriva 2010.1 gnucash-2.2.9 was not compatible
 with guile. This update adapts gnucash to the new API of guile.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3999
 https://qa.mandriva.com/59304
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 56cf958fe980c5a0200c4ee9a83ea97f  
2010.0/i586/gnucash-2.2.9-4.1mdv2010.0.i586.rpm
 c7479e27310a06eaf93a5eb0c0e858e5  
2010.0/i586/gnucash-hbci-2.2.9-4.1mdv2010.0.i586.rpm
 1297d123c6f533b5430089bbdd82f43e  
2010.0/i586/gnucash-ofx-2.2.9-4.1mdv2010.0.i586.rpm
 515b01c7d01e108712e9899f373142fa  
2010.0/i586/gnucash-sql-2.2.9-4.1mdv2010.0.i586.rpm
 d0df126101c1b36c12fa50368e08765c  
2010.0/i586/libgnucash0-2.2.9-4.1mdv2010.0.i586.rpm
 3a9ea97884237c0806e30551cbde20de  
2010.0/i586/libgnucash-devel-2.2.9-4.1mdv2010.0.i586.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  
2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 2a5205e0b385b3d075eba704b70fd546  
2010.0/x86_64/gnucash-2.2.9-4.1mdv2010.0.x86_64.rpm
 8302623562d64617f4ea24ecb4435a63  
2010.0/x86_64/gnucash-hbci-2.2.9-4.1mdv2010.0.x86_64.rpm
 dfe6fb4bb37b6e5d11655ceec2d769fb  
2010.0/x86_64/gnucash-ofx-2.2.9-4.1mdv2010.0.x86_64.rpm
 618d692845b97a450222742901a544bc  
2010.0/x86_64/gnucash-sql-2.2.9-4.1mdv2010.0.x86_64.rpm
 9141713f798d366397a2ec986d1c21c0  
2010.0/x86_64/lib64gnucash0-2.2.9-4.1mdv2010.0.x86_64.rpm
 a513d026d03c8de42580865b0b45e2bc  
2010.0/x86_64/lib64gnucash-devel-2.2.9-4.1mdv2010.0.x86_64.rpm 
 9dacaaaf7a396cc1dfd41e4f70fd3abe  
2010.0/SRPMS/gnucash-2.2.9-4.1mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 4cb058dc1f74fef7b4b3eb3a696685d9  
2010.1/i586/gnucash-2.2.9-8.1mdv2010.1.i586.rpm
 3331f3c7f123f22f513e5cd7806343fd  
2010.1/i586/gnucash-hbci-2.2.9-8.1mdv2010.1.i586.rpm
 f59bc5b7fbfaf74d2c7b201ebb99da28  
2010.1/i586/gnucash-ofx-2.2.9-8.1mdv2010.1.i586.rpm
 273cc89a4dc4853f14108a1a1943bb69  
2010.1/i586/gnucash-sql-2.2.9-8.1mdv2010.1.i586.rpm
 5af2c774e9eb77a8065bcc3f5a5d6a28  
2010.1/i586/libgnucash0-2.2.9-8.1mdv2010.1.i586.rpm
 850779757f61e59053f2449df7ee8048  
2010.1/i586/libgnucash-devel-2.2.9-8.1mdv2010.1.i586.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  
2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm

 Mandriva Linux 2010.1/X86_64:
 a07444c2b30334707a51745bf76c6551  
2010.1/x86_64/gnucash-2.2.9-8.1mdv2010.1.x86_64.rpm
 286b7a849261b8f1dc9c032b6e182a67  
2010.1/x86_64/gnucash-hbci-2.2.9-8.1mdv2010.1.x86_64.rpm
 da91c9d1a6e5c5f8560ac4d9f8302304  
2010.1/x86_64/gnucash-ofx-2.2.9-8.1mdv2010.1.x86_64.rpm
 9c7dd297b265a6eef2f23eeb05ffd290  
2010.1/x86_64/gnucash-sql-2.2.9-8.1mdv2010.1.x86_64.rpm
 6ef57480ae7da1991c101324430a961f  
2010.1/x86_64/lib64gnucash0-2.2.9-8.1mdv2010.1.x86_64.rpm
 90f9563f9f323fe42f7d37ab12632bfd  
2010.1/x86_64/lib64gnucash-devel-2.2.9-8.1mdv2010.1.x86_64.rpm 
 fbb320190b8294bc3db5ee1b0d2f85b3  
2010.1/SRPMS/gnucash-2.2.9-8.1mdv2010.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFM7UwFmqjQ0CJFipgRAkssAJ0YVPrj6+kerANWGsZRfaDWfq18dgCguRgq
5kjT/nubYxdyH5aHKNUIuvs=
=JfiB
-----END PGP SIGNATURE-----
Prev by Date: [ MDVSA-2010:240 ] mono
Next by Date: [USN-1021-1] Apache vulnerabilities
Previous by thread: [ MDVSA-2010:240 ] mono
Next by thread: [USN-1021-1] Apache vulnerabilities
Index(es):
- Date
- Thread