-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:345 http://www.mandriva.com/security/ _______________________________________________________________________ Package : acl Date : December 28, 2009 Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in acl: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack (CVE-2009-4411). This update provides a fix for this vulnerability. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4411 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 85085eb1f2e217ac6db6819f36e590db 2009.0/i586/acl-2.2.47-4.2mdv2009.0.i586.rpm d6850e7ee04d6e5d6c1e006148807f9a 2009.0/i586/libacl1-2.2.47-4.2mdv2009.0.i586.rpm 35ecb78e1345620c6640cbac8aca7cd0 2009.0/i586/libacl-devel-2.2.47-4.2mdv2009.0.i586.rpm 2f3de3fef6add27f07d7536603daf96f 2009.0/SRPMS/acl-2.2.47-4.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 44d4d3cffbdf3088681ba8eac294f405 2009.0/x86_64/acl-2.2.47-4.2mdv2009.0.x86_64.rpm 8b0918e159b2da664a762dab891bd322 2009.0/x86_64/lib64acl1-2.2.47-4.2mdv2009.0.x86_64.rpm b984bbb26adc1f73d7ee010e351a5f6d 2009.0/x86_64/lib64acl-devel-2.2.47-4.2mdv2009.0.x86_64.rpm 2f3de3fef6add27f07d7536603daf96f 2009.0/SRPMS/acl-2.2.47-4.2mdv2009.0.src.rpm Mandriva Linux 2009.1: c3a02ac328bc96547b9157f68977c173 2009.1/i586/acl-2.2.47-5.1mdv2009.1.i586.rpm 674911bdf647ee4d30149bd32e417bb7 2009.1/i586/libacl1-2.2.47-5.1mdv2009.1.i586.rpm 62a1f6e00abd0da7174771b8d012a85b 2009.1/i586/libacl-devel-2.2.47-5.1mdv2009.1.i586.rpm f05c4e59f1772c729fafaac0294d57bc 2009.1/SRPMS/acl-2.2.47-5.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: d7c7d4ad8c86b129097ab77d47b02d9e 2009.1/x86_64/acl-2.2.47-5.1mdv2009.1.x86_64.rpm 849241d3c01fe1854e5553af5bb22b4c 2009.1/x86_64/lib64acl1-2.2.47-5.1mdv2009.1.x86_64.rpm 0ca12919b3f2110c4be3c260fcfa8321 2009.1/x86_64/lib64acl-devel-2.2.47-5.1mdv2009.1.x86_64.rpm f05c4e59f1772c729fafaac0294d57bc 2009.1/SRPMS/acl-2.2.47-5.1mdv2009.1.src.rpm Mandriva Linux 2010.0: c47933ef2dc3d89ebe614471b8ecb861 2010.0/i586/acl-2.2.48-1.1mdv2010.0.i586.rpm 45f7cc7ce0afcce08a0b0e02c2d76973 2010.0/i586/libacl1-2.2.48-1.1mdv2010.0.i586.rpm d533e59fb185f5674944387aede52d4b 2010.0/i586/libacl-devel-2.2.48-1.1mdv2010.0.i586.rpm f17057a31d8f7f6f441dbc7ead634776 2010.0/SRPMS/acl-2.2.48-1.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 71744500b8e325e09062acd221cad582 2010.0/x86_64/acl-2.2.48-1.1mdv2010.0.x86_64.rpm bf7c769383b9cc736aa565261be57a33 2010.0/x86_64/lib64acl1-2.2.48-1.1mdv2010.0.x86_64.rpm 7f8a8db6720f0c8f18b0e5b22269929a 2010.0/x86_64/lib64acl-devel-2.2.48-1.1mdv2010.0.x86_64.rpm f17057a31d8f7f6f441dbc7ead634776 2010.0/SRPMS/acl-2.2.48-1.1mdv2010.0.src.rpm Mandriva Enterprise Server 5: 78ed39a64acd0186365f86d484c01edd mes5/i586/acl-2.2.47-4.2mdvmes5.i586.rpm 5c6079223bbd9797175934347c3fc3bb mes5/i586/libacl1-2.2.47-4.2mdvmes5.i586.rpm a67beea2c129051e33bfa2ef2342c9ac mes5/i586/libacl-devel-2.2.47-4.2mdvmes5.i586.rpm bbda0bedef0d52edb98a93ad62f256c2 mes5/SRPMS/acl-2.2.47-4.2mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: 802538312a3c3ef0cf70411feaaf9f38 mes5/x86_64/acl-2.2.47-4.2mdvmes5.x86_64.rpm 5f48b77cb6c0fd2e4ae442b6e10f923e mes5/x86_64/lib64acl1-2.2.47-4.2mdvmes5.x86_64.rpm 5042eb91ee69f76c34e4c340890e2e32 mes5/x86_64/lib64acl-devel-2.2.47-4.2mdvmes5.x86_64.rpm bbda0bedef0d52edb98a93ad62f256c2 mes5/SRPMS/acl-2.2.47-4.2mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLOSDdmqjQ0CJFipgRAvXNAKDip6+gvkNWkz6Fj1ed6cvEBGZRdgCfROOL a3Es+T2rqHu6X3xp7bcEIig= =SaC5 -----END PGP SIGNATURE-----