Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2014-358)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.120317

Categoría: Amazon Linux Local Security Checks

Título: Amazon Linux: Security Advisory (ALAS-2014-358)

Resumen: The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.

Descripción: Summary:
The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.

Vulnerability Insight:
It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files:

./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam(),

This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module.

Affected Software/OS:
'perl-Capture-Tiny' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
3.6

CVSS Vector:
AV:L/AC:L/Au:N/C:N/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-1875
BugTraq ID: 65475
http://www.securityfocus.com/bid/65475
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128823.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128882.html
http://seclists.org/oss-sec/2014/q1/267
http://seclists.org/oss-sec/2014/q1/272
http://osvdb.org/102963
http://secunia.com/advisories/56823
XForce ISS Database: capturetiny-perl-symlink(91464)
https://exchange.xforce.ibmcloud.com/vulnerabilities/91464

Copyright Copyright (C) 2015 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.120317
Categoría:	Amazon Linux Local Security Checks
Título:	Amazon Linux: Security Advisory (ALAS-2014-358)
Resumen:	The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory.
Descripción:	Summary: The remote host is missing an update for the 'perl-Capture-Tiny' package(s) announced via the ALAS-2014-358 advisory. Vulnerability Insight: It was found [1] that the Capture::Tiny module, provided by the perl-Capture-Tiny package, used the File::temp::tmpnam module to generate temporary files: ./lib/Capture/Tiny.pm: $stash->{flag_files}{$which} = scalar tmpnam(), This module makes use of the mktemp() function when called in the scalar context, which creates significantly more predictable temporary files. Additionally, the temporary file is created with world-writable (0666) permission. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a program using the Capture::Tiny module. Affected Software/OS: 'perl-Capture-Tiny' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 3.6 CVSS Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-1875 BugTraq ID: 65475 http://www.securityfocus.com/bid/65475 http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128823.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128882.html http://seclists.org/oss-sec/2014/q1/267 http://seclists.org/oss-sec/2014/q1/272 http://osvdb.org/102963 http://secunia.com/advisories/56823 XForce ISS Database: capturetiny-perl-symlink(91464) https://exchange.xforce.ibmcloud.com/vulnerabilities/91464
Copyright	Copyright (C) 2015 Greenbone AG