-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:166 http://www.mandriva.com/security/ _______________________________________________________________________ Package : bacula Date : October 12, 2012 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in bacula: The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does not properly enforce ACL rules, which allows remote authenticated users to obtain resource dump information via unspecified vectors (CVE-2012-4430). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4430 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 19c2e396c057a462eed645763f6dd214 mes5/i586/bacula-common-3.0.3-0.2mdvmes5.2.i586.rpm 2ed8f24e1dd0631c0f66459c803d77d6 mes5/i586/bacula-console-3.0.3-0.2mdvmes5.2.i586.rpm 125e86f5f3ab21c7187e7250a6a398d4 mes5/i586/bacula-console-gnome-3.0.3-0.2mdvmes5.2.i586.rpm 02ecfe2faed93c639198d92bdb9136c1 mes5/i586/bacula-console-wx-3.0.3-0.2mdvmes5.2.i586.rpm 3ece4e74eecdc68f248328b0cd44df91 mes5/i586/bacula-dir-common-3.0.3-0.2mdvmes5.2.i586.rpm 12eac5efa71756f40c9b87a2196c971d mes5/i586/bacula-dir-mysql-3.0.3-0.2mdvmes5.2.i586.rpm 518f88db266dffdc6b28655c59b9cd12 mes5/i586/bacula-dir-pgsql-3.0.3-0.2mdvmes5.2.i586.rpm 8cc7f89f0b8c9733664e6ae41ef940a4 mes5/i586/bacula-dir-sqlite-3.0.3-0.2mdvmes5.2.i586.rpm aa6982dc6d72b8ecebf0e5a2e5b12d93 mes5/i586/bacula-dir-sqlite3-3.0.3-0.2mdvmes5.2.i586.rpm fa909ff617fc0985bef861cbcd82ce96 mes5/i586/bacula-fd-3.0.3-0.2mdvmes5.2.i586.rpm 96557d5790a25b37a6e2e5fb8058b04b mes5/i586/bacula-gui-bimagemgr-3.0.3-0.2mdvmes5.2.i586.rpm ccd13a62c0835c0cc418cda38ba565e6 mes5/i586/bacula-gui-bweb-3.0.3-0.2mdvmes5.2.i586.rpm 9dcaf0949cb92e3e5137255810699296 mes5/i586/bacula-gui-web-3.0.3-0.2mdvmes5.2.i586.rpm 5695b3150b11f84223a5152bb30aba64 mes5/i586/bacula-sd-3.0.3-0.2mdvmes5.2.i586.rpm 2df32a57b05c2e1290d84786f9ef31c7 mes5/SRPMS/bacula-3.0.3-0.2mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: b271737aee3770bcd7cef6f1d97875e9 mes5/x86_64/bacula-common-3.0.3-0.2mdvmes5.2.x86_64.rpm 623c71cdb2c38b1b6f06d6d6a321b6c5 mes5/x86_64/bacula-console-3.0.3-0.2mdvmes5.2.x86_64.rpm 795c5261d9b92e6868a57da5c554b464 mes5/x86_64/bacula-console-gnome-3.0.3-0.2mdvmes5.2.x86_64.rpm 8562e98eef26fa0fe1d4eb94cd21dcb0 mes5/x86_64/bacula-console-wx-3.0.3-0.2mdvmes5.2.x86_64.rpm 2044cbdb6d62d872c79727a67951f218 mes5/x86_64/bacula-dir-common-3.0.3-0.2mdvmes5.2.x86_64.rpm c28eec43673f0967e0b17f1baf8b7c42 mes5/x86_64/bacula-dir-mysql-3.0.3-0.2mdvmes5.2.x86_64.rpm 817f3d6a0697b9c97189592f18f92983 mes5/x86_64/bacula-dir-pgsql-3.0.3-0.2mdvmes5.2.x86_64.rpm 6d7413099343399fde6d99b3a7df8dd9 mes5/x86_64/bacula-dir-sqlite-3.0.3-0.2mdvmes5.2.x86_64.rpm e96a8577bea4e733d9e6f88914684173 mes5/x86_64/bacula-dir-sqlite3-3.0.3-0.2mdvmes5.2.x86_64.rpm ac3a716e0e1ce3ee931854e34aeead9d mes5/x86_64/bacula-fd-3.0.3-0.2mdvmes5.2.x86_64.rpm 4cb81dd656d54b66f6e62d3dd3454e01 mes5/x86_64/bacula-gui-bimagemgr-3.0.3-0.2mdvmes5.2.x86_64.rpm cf2c22981a45797cab0e84afa0d003c8 mes5/x86_64/bacula-gui-bweb-3.0.3-0.2mdvmes5.2.x86_64.rpm 072cc023f4e40755f27dcb6fdea3985d mes5/x86_64/bacula-gui-web-3.0.3-0.2mdvmes5.2.x86_64.rpm dd975ce1741046ab3e91465920c19e79 mes5/x86_64/bacula-sd-3.0.3-0.2mdvmes5.2.x86_64.rpm 2df32a57b05c2e1290d84786f9ef31c7 mes5/SRPMS/bacula-3.0.3-0.2mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFQd/16mqjQ0CJFipgRAlCOAJ48TB2FJWQOaj3BwljB3jfYKxys8gCdHZ8z ORU1yhmQ4yGX9M+HGq57Hj8= =wCu3 -----END PGP SIGNATURE-----