Executive Summary

Summary
Title New cfengine packages fix arbitrary file overwriting
Informations
Name DSA-835 First vendor Publication 2005-10-01
Vendor Debian Last vendor Modification 2005-10-01
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine, which is probably root.

For the old stable distribution (woody) these problems have been fixed in version 1.6.3-9woody1.

For the stable distribution (sarge) these problems have been fixed in version 1.6.5-1sarge1.

For the unstable distribution (sid) these problems have will be fixed soon.

We recommend that you upgrade your cfengine package.

Original Source

Url : http://www.debian.org/security/2005/dsa-835

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 28
Os 13

OpenVAS Exploits

Date Description
2008-09-04 Name : FreeBSD Ports: cfengine
File : nvt/freebsd_cfengine.nasl
2008-01-17 Name : Debian Security Advisory DSA 835-1 (cfengine)
File : nvt/deb_835_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 836-1 (cfengine2)
File : nvt/deb_836_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
19820 Cfengine cfmailfilter Symlink Arbitrary File Overwrite

19819 Cfengine contrib/vicf.in Symlink Arbitrary File Overwrite

Nessus® Vulnerability Scanner

Date Description
2006-05-13 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_8688d5cd328c11daa2630001020eed82.nasl - Type : ACT_GATHER_INFO
2006-01-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-198-1.nasl - Type : ACT_GATHER_INFO
2005-10-19 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-184.nasl - Type : ACT_GATHER_INFO
2005-10-05 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-835.nasl - Type : ACT_GATHER_INFO
2005-10-05 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-836.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:34:26
  • Multiple Updates