Description:
Summary: The remote host is missing an update for the 'openssl' package(s) announced via the SSA:2022-179-03 advisory.
Vulnerability Insight: New openssl packages are available for Slackware 14.2 to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.2u-i586-4_slack14.2.txz: Rebuilt.
  We're sending out the Slackware 14.2 updates again because the package build number wasn't incremented which caused slackpkg to not pick up the updates. It's been bumped and the packages rebuilt - otherwise there are no new changes. Thanks to John Jenkins for the report.
  For reference, here's the information from the previous advisory:
  In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell.
  For more information, see: [links moved to references]
  (* Security fix *)
patches/packages/openssl-solibs-1.0.2u-i586-4_slack14.2.txz: Rebuilt.
+--------------------------+
Affected Software/OS: 'openssl' package(s) on Slackware 14.2.
Solution: Please install the updated package(s).
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C