This bug was fixed in the package apport - 1.1.1-0ubuntu1
---------------
apport (1.1.1-0ubuntu1) karmic; urgency=low
[ Martin Pitt ]
* New upstream security update:
- etc/cron.daily/apport: Only attempt to remove files and symlinks, do not
descend into subdirectories of /var/crash/. Doing so might be exploited by
a race condition between find traversing a huge directory tree, changing
an existing subdir into a symlink to e. g. /etc/, and finally getting
that piped to rm. This also changes the find command to not use GNU
extensions. Thanks to Stephane Chazelas for discovering this!
(LP: #357024, CVE-2009-1295)
- Other fixes were already cherrypicked in the previous upload.
[ Matt Zimmerman ]
* package-hooks/source_linux.py: Attach info for linux-restricted-modules
and linux-backports-modules
-- Martin Pitt <email address hidden> Thu, 30 Apr 2009 09:08:29 +0200
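
The cleanup rule described in the changelog above, sketched as an added shell example (this is not apport's actual cron script): remove only regular files and symlinks that sit directly in the crash directory, never descend, and use only POSIX find options. The function names, the optional age argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: non-recursive cleanup of a crash directory with POSIX find.

# clean_crash_dir DIR [DAYS]
# Remove regular files and symlinks located directly in DIR. With DAYS,
# only entries last modified more than DAYS days ago are removed.
clean_crash_dir() {
    dir=$1
    days=${2-}
    [ -d "$dir" ] || return 1
    # "DIR/." is the start point; "! -name . -prune" prunes every entry below
    # it, so find never walks into a subdirectory and there is no traversal
    # window in which a subdir could be swapped for a symlink. This is the
    # POSIX replacement for the GNU extension -maxdepth 1.
    # -type l matches the symlink itself; rm then unlinks it, not its target.
    set -- "$dir/." ! -name . -prune \( -type f -o -type l \)
    [ -z "$days" ] || set -- "$@" -mtime "+$days"
    find "$@" -exec rm -f -- {} +
}

# Constructed sample tree (hypothetical names) for trying the function out.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/crash/sub" "$root/outside"
    : > "$root/crash/old.crash"
    : > "$root/crash/new.crash"
    : > "$root/crash/sub/inner.crash"
    : > "$root/outside/keep.conf"
    # Backdate two files so that an age filter of 7 days selects them.
    touch -t 200904300908 "$root/crash/old.crash" "$root/crash/sub/inner.crash"
    ln -s "$root/outside" "$root/crash/link"
    printf '%s\n' "$root"
}

root=$(make_sample_tree) || exit 1
clean_crash_dir "$root/crash" 7
ls -A "$root/crash" "$root/crash/sub" "$root/outside"
rm -rf "$root"
```

After the call with an age of 7 days, only `old.crash` is gone: the equally old `sub/inner.crash` survives because the subdirectory is never entered, and the file behind `link` is untouched.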