http://www.mandriva.com/en/
______________________________
Package : librsync
Date : April 27, 2015
Affected: Business Server 1.0
______________________________
Problem Description:
Updated librsync packages fix security vulnerability:
librsync before 1.0.0 used a truncated MD4 strong check sum to match
blocks. However, MD4 is not cryptographically strong. It's possible
that an attacker who can control the contents of one part of a file
could use it to control other regions of the file, if it's transferred
using librsync/rdiff (CVE-2014-8242).
The change to fix this is not backward compatible with older versions
of librsync. Backward compatibility can be obtained using the new
rdiff sig --hash=md4 option or through specifying the signature magic
in the API, but this should not be used when either the old or new
file contain untrusted data.
Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.
______________________________
References:
http://cve.mitre.org/cgi-bin/
http://advisories.mageia.org/
______________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
e9e5dbb84ff6effa94d8b37d805e45
db4b256939b54eb5919eceedf50f41
ffaaf1c1364528d0c18bdda8cf514c
fd173f99aecfaa9d1d8d9af132b136
707dc6da51d7451541ce83400ee33f
eb91121a971f6079d3b666419e08e0
______________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Komentarų nėra:
Rašyti komentarą