* Stefano Lattarini ([email protected]) wrote:
> This message announces the Automake 1.11.6 bug-fixing release.
>
> This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386), so you are
> strongly encouraged to upgrade your existing Automake installation ASAP.
>
> With this release, the recipe of the 'distcheck' target no longer grants
> temporary world-wide write permissions on the extracted distdir. Even if
> such rights were only granted for a vanishingly small time window, the
> implied race condition proved to be enough to allow a local attacker to
> run arbitrary code with the privileges of the user running "make distcheck".
>
> The fix of this security vulnerability is the only change between the
> earlier 1.11.5 release and the present 1.11.6 one.
>
> Download the fixed release here:
>
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.gz
>   ftp://ftp.gnu.org/gnu/automake/automake-1.11.6.tar.xz
>
> Please report bugs and problems to <[email protected]>, and send
> general comments and feedback to <[email protected]>.
>
> Thanks to everyone who has reported problems, contributed patches,
> and helped testing Automake!

Are older versions of automake also vulnerable?

-- 
Eric Dorland <[email protected]>
ICQ: #61138586, Jabber: [email protected]
