-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:083 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : glib2.0 Date : April 9, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated glib2.0 packages fix security vulnerability: It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilises dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus (CVE-2012-3524). This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524 https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0293 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: de4094c18ae9b4513078d4ef000dd875 mbs1/x86_64/glib2.0-common-2.32.4-1.mbs1.x86_64.rpm b2e1e347ae6d793ecb2dc9c7c980413b mbs1/x86_64/glib-gettextize-2.32.4-1.mbs1.x86_64.rpm b7973bd0af7715153573f254fe888ff3 mbs1/x86_64/lib64gio2.0_0-2.32.4-1.mbs1.x86_64.rpm 06abc13fc1fefa27501416cd78a2daca mbs1/x86_64/lib64glib2.0_0-2.32.4-1.mbs1.x86_64.rpm 5a264af58cd6398813766213b3f644d8 mbs1/x86_64/lib64glib2.0-devel-2.32.4-1.mbs1.x86_64.rpm 513ab313c25d170152de83ae5cf9a403 mbs1/x86_64/lib64glib2.0-static-devel-2.32.4-1.mbs1.x86_64.rpm 5f1a72a5c8fecf94e5ff9d176ef79e7f mbs1/SRPMS/glib2.0-2.32.4-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRY7mDmqjQ0CJFipgRAvcXAJ4m4Z681SwmeecNwtbP77I1knMZyACgpOE+ OCpNk6uioH19jXv74MA/4Dk= =ektN -----END PGP SIGNATURE-----
