Bug#522813: multipath-tools: CVE-2009-0115 insecure permissions of control socket

Guido Günther agx at sigxcpu.org
Mon Apr 6 18:37:06 UTC 2009


On Mon, Apr 06, 2009 at 07:11:10PM +0200, Nico Golde wrote:
> Package: multipath-tools
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for multipath-tools.
Thanks for bringing this to my attention!
> 
> CVE-2009-0115[0]:
> | multipath-tools in SUSE openSUSE 10.3 through 11.0 and SUSE Linux
> | Enterprise Server (SLES) 10 uses world-writable permissions for the
> | socket file (aka /var/run/multipathd.sock), which allows local users
> | to send arbitrary commands to the multipath daemon.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
I've uploaded a fixed version for unstable and prepared an upload for
lenny to stable-security (0.4.8-14+lenny1) and am just building the
version for oldstable-security (0.4.7-1.1etch2). Shall I just go ahead
and upload them?
Cheers,
 -- Guido
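
Added example, not part of the original message or of the multipath-tools source: a permission audit for a daemon control socket such as the /var/run/multipathd.sock named in the CVE text. On Linux, connecting to a Unix socket requires write permission on the socket file, so the world-write bit is the condition the CVE describes. The function names and the temporary sockets are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_socket(path):
    """Return a list of findings for a Unix socket file; empty list means OK."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable (mode %04o): any local user can connect" % mode)
    if mode & stat.S_IWGRP:
        findings.append("group-writable (mode %04o): review group membership" % mode)
    return findings


def make_socket(directory, name, mode):
    """Constructed fixture: bind a listening socket and set its file mode."""
    path = os.path.join(directory, name)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # explicit mode, independent of the process umask
    srv.listen(1)
    return srv, path


def demo():
    """Audit one world-writable and one owner-only socket in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("open.sock", 0o777), ("owner-only.sock", 0o600)):
            srv, path = make_socket(d, name, mode)
            try:
                results[name] = audit_socket(path)
            finally:
                srv.close()
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a real host, call `audit_socket("/var/run/multipathd.sock")` as a user who can stat that path.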




