--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-6331
2010-04-10 08:52:02
--------------------------------------------------------------------------------

Name        : nss_db
Product     : Fedora 11
Version     : 2.2
Release     : 46.fc11
URL         : http://sources.redhat.com/glibc/
Summary     : An NSS library for the Berkeley DB
Description :
Nss_db is a set of C library extensions which allow Berkeley Databases
to be used as a primary source of aliases, ethers, groups, hosts,
networks, protocol, users, RPCs, services, and shadow passwords
(instead of or in addition to using flat files or NIS). Install nss_db
if your flat name service files are too large and lookups are slow.

--------------------------------------------------------------------------------
Update Information:

Stephane Chazelas reported that the nss_db module attempts to read a
DB_CONFIG file in the current directory when it is used. If the contents
of the file can't be parsed properly, the copy of libdb which nss_db uses
will print an error message. If nss_db is invoked from a setuid process,
it may then expose privileged information to the unprivileged user who
started the process. This update imports Kees Cook's fix for the issue
(CVE-2010-0826).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 7 2010 Nalin Dahyabhai <[email protected]> - 2.2-46
- import Kees Cook's patch to fix accidental leakage of part of ./DB_CONFIG
  (#580191, CVE-2010-0826)
* Fri Feb 5 2010 Nalin Dahyabhai <[email protected]> - 2.2-45
- correct some tests in the patch for detecting SELinux support (#562052)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #580187 - CVE-2010-0826 nss_db: Information leak due the DB_CONFIG file read from current working directory
        https://bugzilla.redhat.com/show_bug.cgi?id=580187
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update nss_db' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
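
The failure pattern described under "Update Information", as an added C illustration that is not nss_db, libdb or Kees Cook's patch: a parser whose diagnostic repeats the rejected line, beside one that reports only the line number, plus a path check that refuses names resolved against the working directory. The grammar, function names and sample contents are constructed for this example.

```c
/* Added illustration: a stand-in parser, not nss_db or libdb source. */
#include <stdio.h>
#include <string.h>

/* Constructed grammar: a valid line is "name value". */
static int line_ok(const char *s) {
    const char *sp = strchr(s, ' ');
    return sp != NULL && sp != s && sp[1] != '\0';
}

/* With echo_line set, the diagnostic repeats the rejected text (the leak). */
int parse_config(FILE *f, int echo_line, char *err, size_t errlen) {
    char line[256];
    int n = 0;
    err[0] = '\0';
    while (fgets(line, sizeof line, f) != NULL) {
        n++;
        line[strcspn(line, "\n")] = '\0';
        if (line[0] == '\0' || line_ok(line)) continue;
        if (echo_line)
            snprintf(err, errlen, "line %d: cannot parse: %s", n, line);
        else
            snprintf(err, errlen, "line %d: cannot parse", n);
        return -1;
    }
    return 0;
}

/* Path policy: absolute, program-chosen paths only; nothing cwd-relative. */
int config_path_allowed(const char *path) {
    return path != NULL && path[0] == '/';
}

/* Diagnostic for constructed content standing in for a privileged file. */
const char *demo_message(int echo_line) {
    static char err[300];
    FILE *f = tmpfile();
    if (f == NULL) return "tmpfile failed";
    fputs("name value\nCONSTRUCTED-SECRET-LINE\n", f);
    rewind(f);
    parse_config(f, echo_line, err, sizeof err);
    fclose(f);
    return err;
}

int main(void) {
    printf("echoing:  %s\n", demo_message(1));
    printf("hardened: %s\n", demo_message(0));
    return 0;
}
```

A privileged caller would apply config_path_allowed() before opening any configuration file, so a bare name such as DB_CONFIG is rejected instead of being looked up in the invoking user's directory.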
