Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2020-0356)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.1.10.2020.0356

Categoría: Mageia Linux Local Security Checks

Título: Mageia: Security Advisory (MGASA-2020-0356)

Resumen: The remote host is missing an update for the 'hylafax+' package(s) announced via the MGASA-2020-0356 advisory.

Descripción: Summary:
The remote host is missing an update for the 'hylafax+' package(s) announced via the MGASA-2020-0356 advisory.

Vulnerability Insight:
In HylaFAX+ through 7.0.2, the faxsetup utility calls chown on files in
user-owned directories. By winning a race, a local attacker could use this to
escalate his privileges to root (CVE-2020-15396).

HylaFAX+ through 7.0.2 has scripts that execute binaries from directories
writable by unprivileged users (e.g., locations under /var/spool/hylafax that
are writable by the uucp account). This allows these users to execute code in
the context of the user calling these binaries (often root) (CVE-2020-15397).

The hylafax+ package has been updated to version 7.0.3, fixing thesee issues
and several other bugs.

Affected Software/OS:
'hylafax+' package(s) on Mageia 7.

Solution:
Please install the updated package(s).

CVSS Score:
7.2

CVSS Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2020-15396
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y46FOVJUS5SO44A2VEKR7DXEHTI4WK5L/
https://security.gentoo.org/glsa/202007-06
https://bugzilla.suse.com/show_bug.cgi?id=1173521
https://sourceforge.net/p/hylafax/HylaFAX+/2534/
SuSE Security Announcement: openSUSE-SU-2020:1209 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00039.html
SuSE Security Announcement: openSUSE-SU-2020:1210 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00040.html
SuSE Security Announcement: openSUSE-SU-2020:1231 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00046.html
SuSE Security Announcement: openSUSE-SU-2020:1438 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00054.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-15397
https://bugzilla.suse.com/show_bug.cgi?id=1173519

Copyright Copyright (C) 2022 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.1.10.2020.0356
Categoría:	Mageia Linux Local Security Checks
Título:	Mageia: Security Advisory (MGASA-2020-0356)
Resumen:	The remote host is missing an update for the 'hylafax+' package(s) announced via the MGASA-2020-0356 advisory.
Descripción:	Summary: The remote host is missing an update for the 'hylafax+' package(s) announced via the MGASA-2020-0356 advisory. Vulnerability Insight: In HylaFAX+ through 7.0.2, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate his privileges to root (CVE-2020-15396). HylaFAX+ through 7.0.2 has scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root) (CVE-2020-15397). The hylafax+ package has been updated to version 7.0.3, fixing thesee issues and several other bugs. Affected Software/OS: 'hylafax+' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 7.2 CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2020-15396 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J52QFVREJWJ35YSEEDDRMZQ2LM2H2WE6/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y46FOVJUS5SO44A2VEKR7DXEHTI4WK5L/ https://security.gentoo.org/glsa/202007-06 https://bugzilla.suse.com/show_bug.cgi?id=1173521 https://sourceforge.net/p/hylafax/HylaFAX+/2534/ SuSE Security Announcement: openSUSE-SU-2020:1209 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00039.html SuSE Security Announcement: openSUSE-SU-2020:1210 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00040.html SuSE Security Announcement: openSUSE-SU-2020:1231 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00046.html SuSE Security Announcement: openSUSE-SU-2020:1438 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00054.html Common Vulnerability Exposure (CVE) ID: CVE-2020-15397 https://bugzilla.suse.com/show_bug.cgi?id=1173519
Copyright	Copyright (C) 2022 Greenbone AG