------------------------------------------------------------------------ Pardus Linux Security Advisory 2008-33 security@pardus.org.tr ------------------------------------------------------------------------ Date: 2008-08-31 Severity: 2 Type: Remote ------------------------------------------------------------------------ Summary ======= [UPDATE]: Last security update with OpenSC 0.11.5 had a small glitch due to a strict check, so this version fixes that issue. A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions. Description =========== The security issue is caused due to the application improperly setting the ADMIN file control information to "00" while initializing smart cards having a Siemens CardOS M4 operating system. This can be exploited to change a user PIN code without having the PIN or PUK if the smart card was initialized with OpenSC. Affected packages: Pardus 2008: opensc, all before 0.11.6-7-2 Resolution ========== There are update(s) for opensc. You can update them via Package Manager or with a single command from console: pisi up opensc References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=8066 * http://permalink.gmane.org/gmane.comp.security.oss.general/863 * http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2235 * http://secunia.com/advisories/31330 ------------------------------------------------------------------------ -- Pınar Yanardağ Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/