[Zarafa] CVE-2015-3436: Overwrite arbitrary files in filesystem at Zarafa

Robert Scheck robert at fedoraproject.org
Mon May 18 22:58:20 UTC 2015


Good evening,

Guido Günther detected and reported that replacing /tmp/zarafa-upgrade-lock
by a symlink makes the zarafa-server process follow that symlink and
thus allows overwriting arbitrary files in the filesystem (assuming that
zarafa-server runs as root, which is not the case by default at Fedora/EPEL,
but is the upstream default). One just needs write permissions in /tmp and to
wait until the zarafa-server is restarted. CVE-2015-3436 was assigned for
this flaw.
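As an added illustration of the defence against this class of bug (example code, not Zarafa's own patch), the lock file is opened with O_NOFOLLOW and verified via fstat on the open descriptor, so a symlink planted at the lock path is refused instead of dereferenced. The helper names and the temporary directory used by the self-check are assumptions for illustration.

```c
/* Added example, not Zarafa code: open a lock file without following a
 * symlink planted at its path, the pattern behind CVE-2015-3436. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the lock file at `path`. Refuses a symlink (open fails with ELOOP
 * because of O_NOFOLLOW), refuses anything that is not a regular file, and
 * refuses a pre-existing file owned by someone else. Returns fd or -1. */
int open_lock_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* fstat on the descriptor, not stat on the path: no check-then-use race. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check (constructed scenario): plant a symlink at the lock path in a
 * private temp dir, confirm it is refused with ELOOP, then confirm a plain
 * path is accepted once the link is gone. Returns 1 when both hold. */
int demo_symlink_refused(void) {
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[512], lock[600], target[600];
    snprintf(dir, sizeof dir, "%s/lockdemo.XXXXXX", base);
    if (!mkdtemp(dir))
        return 0;
    snprintf(lock, sizeof lock, "%s/zarafa-upgrade-lock", dir);
    snprintf(target, sizeof target, "%s/some-other-file", dir);
    int ok = 0;
    if (symlink(target, lock) == 0 && open_lock_nofollow(lock) < 0 && errno == ELOOP) {
        unlink(lock);                       /* remove the planted link */
        int fd = open_lock_nofollow(lock);  /* plain path must now succeed */
        ok = fd >= 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(lock); unlink(target); rmdir(dir);
    return ok;
}
```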

Updated RPM packages of Zarafa with a backport of the patch (from Zarafa
7.2.1 beta 1) have been submitted to updates-testing for Fedora EPEL 5, 6
and 7, Fedora 20 and 21.

You should be able to update to Zarafa 7.1.12 (re-released) by using
something like:

  yum update --enablerepo=updates-testing 'zarafa*'

on all Fedora releases and for Fedora EPEL you should use the following:

  yum update --enablerepo=epel-testing 'zarafa*'

After testing, please add positive or negative karma to the Zarafa packages
in Bodhi:

  https://admin.fedoraproject.org/updates/zarafa

And if you should find bugs or issues, please file a bug report in Red Hat
Bugzilla as described here:

  https://fedoraproject.org/wiki/Zarafa#Bugs

Your feedback is very much appreciated.


Greetings,
  Robert