On Mon, Apr 06, 2009 at 07:11:10PM +0200, Nico Golde wrote:
> Package: multipath-tools
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for multipath-tools.

Thanks for bringing this to my attention!

>
> CVE-2009-0115[0]:
> | multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
> | Enterprise Server (SLES) 10 uses world-writable permissions for the
> | socket file (aka /var/run/multipathd.sock), which allows local users
> | to send arbitrary commands to the multipath daemon.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

I've uploaded a fixed version for unstable and prepared an upload for
lenny to stable-security (0.4.8-14+lenny1) and am just building the
version for oldstable-security (0.4.7-1.1etch2). Shall I just go ahead
and upload them?

Cheers,
 -- Guido
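
The condition the CVE text describes, a daemon socket file that any local user may write to, can be audited for and avoided at bind time as shown here. This is an added example, not code from this thread or from multipath-tools; the temporary directory, the socket names and the function names are constructed for illustration.

```python
import os
import shutil
import socket
import stat
import tempfile


def bind_unix_socket(path, umask):
    """Bind a listening UNIX socket at `path` while `umask` is in effect."""
    old = os.umask(umask)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)  # on Linux the socket file gets mode 0777 & ~umask
        srv.listen(1)
        return srv
    finally:
        os.umask(old)  # restore the process-wide umask


def world_writable_sockets(root):
    """Return sorted paths of socket files under `root` writable by 'other'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISSOCK(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed scenario: one socket bound with umask 0, one with 0o077."""
    root = tempfile.mkdtemp(prefix="sockaudit-")
    loose = bind_unix_socket(os.path.join(root, "loose.sock"), 0o000)
    tight = bind_unix_socket(os.path.join(root, "tight.sock"), 0o077)
    try:
        found = [os.path.basename(p) for p in world_writable_sockets(root)]
        tight_mode = stat.S_IMODE(os.lstat(os.path.join(root, "tight.sock")).st_mode)
        return found, tight_mode
    finally:
        loose.close()
        tight.close()
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Pointing `world_writable_sockets` at a runtime directory such as `/var/run` lists the sockets that need a closer look; whether a given hit is a problem depends on what the daemon behind it accepts from unprivileged clients.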