-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:342
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : acpid
 Date    : December 26, 2009
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in acpid:

 A certain Red Hat patch for acpid 1.0.4 effectively triggers a call
 to the open function with insufficient arguments, which might allow
 local users to leverage weak permissions on /var/log/acpid, and
 obtain sensitive information by reading this file, cause a denial
 of service by overwriting this file, or gain privileges by executing
 this file (CVE-2009-4033).

 acpid 1.0.4 sets an unrestrictive umask, which might allow local users
 to leverage weak permissions on /var/log/acpid, and obtain sensitive
 information by reading this file or cause a denial of service by
 overwriting this file, a different vulnerability than CVE-2009-4033
 (CVE-2009-4235).

 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4033
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4235
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 cc578555f4de1362cd8ea344a8b6a184  corporate/4.0/i586/acpid-1.0.4-6.4.20060mlcs4.i586.rpm
 0b8535180ecdae336003fcc220488716  corporate/4.0/SRPMS/acpid-1.0.4-6.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 7ab456d04757a0aba4011e1f818b50ad  corporate/4.0/x86_64/acpid-1.0.4-6.4.20060mlcs4.x86_64.rpm
 0b8535180ecdae336003fcc220488716  corporate/4.0/SRPMS/acpid-1.0.4-6.4.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLNlvJmqjQ0CJFipgRAiL/AKC3PTVR57n+2kceDPa2h2pXkTAbTgCdFrP3
anUkX+kGBpacQENJtmHLdtA=
=UQVj
-----END PGP SIGNATURE-----
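
The two flaws in the Problem Description (open called with insufficient arguments, and an unrestrictive umask) both decide the permission bits a newly created log file receives. The C sketch below is an added example, not part of the advisory and not acpid or Mandriva code: it shows how the mode argument and the umask combine, and a log open that does not depend on either. The function names and the /tmp path are hypothetical, and it assumes the missing argument was the mode that open() requires with O_CREAT.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

static int fd_mode(int fd)   /* permission bits of an open file, -1 on error */
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Create `path` with an explicit mode under umask `mask`; the file gets
 * mode & ~mask. Assumption: the flawed call was open() with O_CREAT and no
 * mode argument, so the bits came from an indeterminate value instead. */
static int created_mode(const char *path, mode_t mask, mode_t mode)
{
    mode_t old = umask(mask);
    int fd, bits;
    unlink(path);                        /* demo only: start clean */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    umask(old);
    if (fd < 0) return -1;
    bits = fd_mode(fd);
    close(fd);
    return bits;
}

/* Hardened log open: explicit mode, no symlink following, and fchmod() so
 * the result does not depend on the inherited umask or on a stale file. */
static int open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd >= 0 && fchmod(fd, 0640) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *p = "/tmp/acpid-perm-demo.log";   /* constructed demo path */
    printf("umask 027: %04o\n", (unsigned)created_mode(p, 027, 0666));
    printf("umask 000: %04o\n", (unsigned)created_mode(p, 0, 0666)); /* kept */
    int fd = open_log(p);
    printf("open_log:  %04o\n", (unsigned)fd_mode(fd));
    close(fd);
    return unlink(p);
}
```

To check an installed system, `stat -c '%a %U:%G' /var/log/acpid` shows the bits the running daemon actually left on its log.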