[Debian] Medium CVE: CVE-2024-5742 nano

Bug #2071583 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang

Bug Description

CVE-2024-5742: https://nvd.nist.gov/vuln/detail/CVE-2024-5742

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.

Base Score: Medium

Reference:

['nano_5.4-2_amd64.deb===>nano_5.4-2+deb11u3_amd64.deb']

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/924049

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/924049
Committed: https://opendev.org/starlingx/tools/commit/ffd7ab2bf266ffafaa9f9a8d1c4a69b69d73ae32
Submitter: "Zuul (22348)"
Branch: master

commit ffd7ab2bf266ffafaa9f9a8d1c4a69b69d73ae32
Author: Peng Zhang <email address hidden>
Date: Wed Jul 10 08:34:53 2024 +0000

    Debian: nano: fix CVE-2024-5742

    Upgrade nano to 5.4-2+deb11u3

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-5742

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image

    Closes-Bug: 2071583

    Change-Id: Iecda4096d54b5f662e1bcd2e0be92d3de5124e38
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
