Date: Tue, 25 Nov 2008 13:41:49 -0600
Synopsis: Important: tog-pegasus security update
Issue date: 2008-11-25
CVE Names: CVE-2008-4313 CVE-2008-4315

Scientific Linux defines additional security enhancements for OpenGroup Pegasus
WBEM services in addition to those defined by the upstream OpenGroup Pegasus
release.

After re-basing to version 2.7.0 of the OpenGroup Pegasus code, these
additional security enhancements were no longer being applied. As a
consequence, access to OpenPegasus WBEM services was not restricted to the
dedicated users. An attacker able to authenticate using a valid user account
could use this flaw to send requests to WBEM services. (CVE-2008-4313)

Note: default SELinux policy prevents tog-pegasus from modifying system
files. This flaw's impact depends on whether or not tog-pegasus is confined
by SELinux, and on any additional CMPI providers installed and enabled on a
particular system.

Failed authentication attempts against the OpenPegasus CIM server were not
logged to the system log. An attacker could use this flaw to perform password
guessing attacks against a user account without leaving traces in the system
log. (CVE-2008-4315)

SL 5.x
SRPMS:
tog-pegasus-2.7.0-2.el5_2.1.src.rpm
i386:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
x86_64:
tog-pegasus-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-2.7.0-2.el5_2.1.x86_64.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.i386.rpm
tog-pegasus-devel-2.7.0-2.el5_2.1.x86_64.rpm
-Connie Sieh
-Troy Dawson
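
The following is an added example, not part of the original advisory or of the tog-pegasus project: a package-inventory check that marks each installed tog-pegasus build as older than, or at least, the fixed build 2.7.0-2.el5_2.1 listed above. It assumes input produced by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'`, equal epochs, and a simplified rpm version ordering; the sample inventory and the status labels are constructed.

```python
import re

# Fixed build named in the advisory (SL 5.x): tog-pegasus-2.7.0-2.el5_2.1
FIXED_VERSION, FIXED_RELEASE = "2.7.0", "2.el5_2.1"
PACKAGES = {"tog-pegasus", "tog-pegasus-devel"}

def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are ignored
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm ordering: -1, 0 or 1. No epoch, '~' or '^' handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments = newer

def classify(version, release):
    v = rpmvercmp(version, FIXED_VERSION)
    r = rpmvercmp(release, FIXED_RELEASE)
    if v > 0 or (v == 0 and r >= 0):
        return "fixed"
    if v == 0:
        return "affected"      # 2.7.0 rebase without this update
    return "not-covered"       # older base version, not listed in the advisory

def audit(rpm_lines):
    # Each line: NAME VERSION RELEASE ARCH (see the query format in the lead-in)
    report = []
    for line in rpm_lines:
        fields = line.split()
        if len(fields) != 4 or fields[0] not in PACKAGES:
            continue
        name, version, release, arch = fields
        report.append((f"{name}.{arch}", f"{version}-{release}",
                       classify(version, release)))
    return report

# Constructed sample inventory (not taken from a real host)
SAMPLE = ["tog-pegasus 2.7.0 2.el5 x86_64", "tog-pegasus 2.7.0 2.el5_2.1 i386",
          "tog-pegasus-devel 2.6.1 2.el5_1.1 x86_64", "openssh 4.3p2 26.el5 x86_64"]

if __name__ == "__main__":
    for pkg, build, status in audit(SAMPLE):
        print(f"{pkg:28} {build:18} {status}")
```

Because the x86_64 package set above also ships i386 builds, each architecture is reported separately; a host is fully updated only when every installed arch reads `fixed`.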