
Test ID: 1.3.6.1.4.1.25623.1.0.60241
Category: Mandrake Local Security Checks
Title: Mandrake Security Advisory MDVSA-2008:009 (autofs)
Summary: NOSUMMARY
Description:

The remote host is missing an update to autofs
announced via advisory MDVSA-2008:009.

The default behaviour of autofs 5 for the hosts map did not specify the
nosuid and nodev mount options. This could allow a local user with
control of a remote NFS server to create a setuid root executable on
the exported filesystem of the remote NFS server. If this filesystem
was mounted with the default hosts map, it would allow the user to
obtain root privileges (CVE-2007-5964). Likewise, the same scenario
would be available for local users able to create device files on
the exported filesystem which could allow the user to gain access to
important system devices (CVE-2007-6285).

Because the default behaviour of autofs was to mount -hosts map
entries with the dev and suid options enabled by default, autofs has
been altered to always use nodev and nosuid by default. In order
to have the old behaviour, the configuration must now explicitly set
the dev and/or suid options.

This change only affects the -hosts map which corresponds to the /net
entry in the default configuration.

Affected: 2007.0, 2007.1, 2008.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2008:009

Risk factor : High

CVSS Score: 6.9

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2007-5964
1019087
http://securitytracker.com/id?1019087
26841
http://www.securityfocus.com/bid/26841
28052
http://secunia.com/advisories/28052
28097
http://secunia.com/advisories/28097
28456
http://secunia.com/advisories/28456
40441
http://osvdb.org/40441
FEDORA-2007-4469
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00474.html
FEDORA-2007-4532
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00549.html
MDVSA-2008:009
http://www.mandriva.com/security/advisories?name=MDVSA-2008:009
RHSA-2007:1128
http://www.redhat.com/support/errata/RHSA-2007-1128.html
RHSA-2007:1129
http://www.redhat.com/support/errata/RHSA-2007-1129.html
https://bugzilla.redhat.com/show_bug.cgi?id=409701
https://bugzilla.redhat.com/show_bug.cgi?id=410031
oval:org.mitre.oval:def:10158
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10158
Common Vulnerability Exposure (CVE) ID: CVE-2007-6285
1019137
http://securitytracker.com/id?1019137
26970
http://www.securityfocus.com/bid/26970
28156
http://secunia.com/advisories/28156
28168
http://secunia.com/advisories/28168
40442
http://osvdb.org/40442
FEDORA-2007-4707
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00726.html
FEDORA-2007-4709
https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00732.html
RHSA-2007:1176
http://rhn.redhat.com/errata/RHSA-2007-1176.html
RHSA-2007:1177
http://rhn.redhat.com/errata/RHSA-2007-1177.html
autofs-hostsmap-weak-securtiy(39188)
https://exchange.xforce.ibmcloud.com/vulnerabilities/39188
https://bugzilla.redhat.com/show_bug.cgi?id=426218
oval:org.mitre.oval:def:11457
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11457
Copyright: Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com





© 1998-2025 E-Soft Inc. All rights reserved.