Scientific Linux Security Update : logrotate on SL6.x i386/x86_64

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing a security update.

Description :

A shell command injection flaw was found in the way logrotate handled
the shred directive. A specially crafted log file could cause
logrotate to execute arbitrary commands with the privileges of the
user running logrotate (root, by default). Note: The shred directive
is not enabled by default. (CVE-2011-1154)

A race condition flaw was found in the way logrotate applied
permissions when creating new log files. In some specific
configurations, a local attacker could use this flaw to open new log
files before logrotate applies the final permissions, possibly leading
to the disclosure of sensitive information. (CVE-2011-1098)

An input sanitization flaw was found in logrotate. A log file with a
specially crafted file name could cause logrotate to abort when
attempting to process that file a subsequent time. (CVE-2011-1155)
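
An added example, not part of the advisory or of the Nessus plugin: because the shred directive is off by default, listing the stanzas where shred is in effect shows whether a host's configuration reaches the code path behind CVE-2011-1154. The sample configuration is constructed; the parser assumes the `{` sits on the same line as the log paths, that options take effect in file order, and it does not follow include directives.

```python
# Constructed sample logrotate configuration (not taken from the advisory).
SAMPLE_CONF = """\
# global options
weekly
/var/log/early.log {
    rotate 2
}
shred
/var/log/app/*.log /var/log/app/audit {
    missingok
}
/var/log/wtmp {
    noshred
    monthly
}
"""


def stanzas_with_shred(conf_text):
    """Return the log path patterns for which shred is in effect."""
    global_shred = False          # logrotate default: shred is not enabled
    paths, effective = None, False
    hits = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue              # blank line or comment
        if line.endswith("{"):
            # Stanza opens: it inherits the global setting seen so far.
            paths = line[:-1].split()
            effective = global_shred
        elif line == "}":
            if paths and effective:
                hits.extend(paths)
            paths = None
        elif line.split()[0] in ("shred", "noshred"):
            value = line.split()[0] == "shred"
            if paths is None:
                global_shred = value   # global scope
            else:
                effective = value      # local setting overrides global
    return hits


if __name__ == "__main__":
    for pattern in stanzas_with_shred(SAMPLE_CONF):
        print("shred in effect for:", pattern)
```

An empty result means no stanza in the parsed text uses shred; files pulled in through include directives need the same check.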

Solution :

Update the affected logrotate package.

Risk factor :

Medium / CVSS Base Score : 6.9

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 61004

CVE ID: CVE-2011-1098
