[Sec-cert] [Fedora] Vulnerability in Condor before version 7.4.1 - FEDORA-2010-0213

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Thu Jan 7 15:16:26 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2009-4133 - Vulnerability in Condor

  The Condor job management system contains a flaw in the way it
  accepts jobs, which allows an attacker who is logged in to the system
  to run jobs under any local user ID. However, Condor does not allow
  jobs to run under the user ID root.

The following software packages and platforms are affected:

  Package condor

  Fedora 11
  Fedora 12

The vendor provides updated packages.

Vendor advisory:
  https://www.redhat.com/archives/fedora-package-announce/2010-January/msg00227.html
  https://www.redhat.com/archives/fedora-package-announce/2010-January/msg00220.html


(c) of the German summary held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the author, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
	Torsten Voss

- --
 
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0213
2010-01-07 00:37:45
- --------------------------------------------------------------------------------

Name        : condor
Product     : Fedora 12
Version     : 7.4.1
Release     : 1.fc12
URL         : http://www.cs.wisc.edu/condor/
Summary     : Condor: High Throughput Computing
Description :
Condor is a specialized workload management system for
compute-intensive jobs. Like other full-featured batch systems, Condor
provides a job queueing mechanism, scheduling policy, priority scheme,
resource monitoring, and resource management. Users submit their
serial or parallel jobs to Condor, Condor places them into a queue,
chooses when and where to run the jobs based upon a policy, carefully
monitors their progress, and ultimately informs the user upon
completion.

- --------------------------------------------------------------------------------
Update Information:

Upgrade to Condor 7.4.1, including recent security fix
- --------------------------------------------------------------------------------
ChangeLog:

* Tue Jan  5 2010 <matt at redhat> - 7.4.1-1
- - Upgrade to 7.4.1 release
- - Upstreamed: guess_version_from_release_dir, fix_platform_check
- - Security update (BZ549577)
* Fri Dec  4 2009 <matt at redhat> - 7.4.0-1
- - Upgrade to 7.4.0 release
- - Fixed POSTIN error (BZ540439)
- - Removed NOTICE.txt source, now provided by upstream
- - Removed no_rpmdb_query.patch, applied upstream
- - Removed no_basename.patch, applied upstream
- - Added only_dynamic_unstripped.patch to reduce build time
- - Added guess_version_from_release_dir.patch, for previous
- - Added fix_platform_check.patch
- - Use new --with-platform, to avoid modification of make_final_tarballs
- - Introduced vm-gahp package to hold libvirt deps
- --------------------------------------------------------------------------------
References:

  [ 1 ] Bug #544371 - CVE-2009-4133 Condor: queue super user cannot drop privs
        https://bugzilla.redhat.com/show_bug.cgi?id=544371
- --------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update condor' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
- --------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFLRey6WmhIvjFb90URAgqKAJ4o61OiSDXOLu7v/+Dsesw8UWruWwCfVe/u
cl3tMmwMqEUEVbhL3wGgXyc=
=KDIH
-----END PGP SIGNATURE-----


