Scientific Linux Security Update : system-config-firewall on SL6.x i386/x86_64

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.

Synopsis :

The remote Scientific Linux host is missing one or more security

Description :

system-config-firewall is a graphical user interface for basic
firewall setup.

It was found that system-config-firewall used the Python pickle module
in an insecure way when sending data (via D-Bus) to the privileged
back-end mechanism. A local user authorized to configure firewall
rules using system-config-firewall could use this flaw to execute
arbitrary code with root privileges, by sending a specially crafted
serialized object. (CVE-2011-2520)

This erratum updates system-config-firewall to use JSON (JavaScript
Object Notation) for data exchange, instead of pickle. Therefore, an
updated version of system-config-printer that uses this new
communication data format is also provided in this erratum.

Users of system-config-firewall are advised to upgrade to these
updated packages, which contain a backported patch to resolve this
issue. Running instances of system-config-firewall must be restarted
before the utility will be able to communicate with its updated

See also :

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.0

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 61084 ()

Bugtraq ID:

CVE ID: CVE-2011-2520

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now