openSUSE Security Update : ack (openSUSE-SU-2014:0142-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- update to ack 2.12: fixes potential remote code
execution via per-project .ackrc files [bnc#855340]
[CVE-2013-7069]

- prevents the --pager, --regex and --output options from
being used from project-level ackrc files, preventing
possible code execution when using ack through malicious
files

- --pager, --regex and --output options may still be used
from the global /etc/ackrc, your own private ~/.ackrc,
the ACK_OPTIONS environment variable, and of course from
the command line.

- Now ignores Eclipse .metadata directory.

- includes changes from 2.11_02 :

- upstream source mispackaging fix

- includes changes from 2.11_01

- Fixed a race condition in t/file-permission.t that was
causing failures if tests were run in parallel.

- includes changes from 2.10 :

- Add --perltest for *.t files

- Added Matlab support

- More compatibility fixes for Perl 5.8.8.

- includes changes from 2.08

- ack now ignores CMake's build/cache directories by
default

- Add shebang matching for --lua files

- Add documentation for --ackrc

- Add Elixir filetype

- Add --cathy option

- Add some helpful debugging tips when an invalid option
is found

- Ignore PDF files by default, because Perl will detect
them as text

- Ignore .gif, .jpg, .jpeg and .png files. They won't
normally be selected, but this is an optimization so
that ack doesn't have to open them to know

- Ack's colorizing of output would get confused with
multiple sets of parentheses

- Ack would get confused when trying to colorize the
output in DOS-format files

- includes changes from 2.05_01

- We now ignore the node_modules directories created by
npm

- --pager without an argument implies --pager=$PAGER

- --perl now recognizes Plack-style .psgi files

- Added filetypes for CoffeeScript, JSON, LESS, and Sass.

- Command-line options now override options set in ackrc
files

- ACK_PAGER and ACK_PAGER_COLOR now work as advertised.

- Fix a bug resulting in uninitialized variable warnings
when more than one capture group was specified in the
search pattern

- Make sure ack is happy to build and test under cron and
other console-less environments.

- packaging changes :

- run more tests with IO::Pty

- refresh ack-ignore-osc.patch for upstream changes

- update project URL

- port changes from devel:languages:perl ack by
[email protected] :

- correct metadata: licence, CPAN download, homepage

- unset forced prefix - let Perl configuration and
toolchain determine the prefix/install_base which will
DTRT

- bash completion is gone, remove dead code

- modified patches :

- ack-ignore-osc.patch adjust for upstream source changes
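As an added illustration of the hardening described in the first items of this update (this is not ack's own code, and the ackrc contents below are constructed): a small Python model that drops --pager, --regex and --output from a project-level ackrc while still honouring them from the user's own ~/.ackrc, ACK_OPTIONS and the command line, with the command line taking precedence over ackrc files.

```python
# Added example, not ack's code: models the ack 2.12 rule that a project-level
# ackrc may not set --pager, --regex or --output, plus "command line overrides
# ackrc". Single-valued options only; repeatable ones like --ignore-dir are
# simplified. Sample ackrc contents are constructed.
import shlex

# Options that can spawn a program or rewrite output: trusted sources only.
PROJECT_RESTRICTED = {"--pager", "--regex", "--output"}

def parse_ackrc(text):
    """Option tokens of an ackrc-style file: one option per line,
    blank lines and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def option_name(token):
    """'--pager=less' -> '--pager'; '--ignore-dir=build' -> '--ignore-dir'."""
    return token.split("=", 1)[0]

def filter_project_options(tokens):
    """Split project-level options into (allowed, rejected)."""
    allowed, rejected = [], []
    for tok in tokens:
        (rejected if option_name(tok) in PROJECT_RESTRICTED else allowed).append(tok)
    return allowed, rejected

def merge_options(global_rc="", user_rc="", env_opts="", project_rc="", argv=()):
    """Combine sources lowest-precedence first. Returns (effective options
    keyed by name, options dropped from the project-level file)."""
    layers = [parse_ackrc(global_rc),     # /etc/ackrc
              parse_ackrc(user_rc),       # ~/.ackrc
              shlex.split(env_opts)]      # ACK_OPTIONS
    allowed, rejected = filter_project_options(parse_ackrc(project_rc))
    layers.append(allowed)                # project ackrc, restricted
    layers.append(list(argv))             # command line wins
    effective = {}
    for layer in layers:
        for tok in layer:
            effective[option_name(tok)] = tok   # later layer overrides earlier
    return effective, rejected

# Constructed inputs: a user config and an ackrc checked into a repository.
USER_ACKRC = "--pager=less -R\n--smart-case\n"
PROJECT_ACKRC = """# shipped inside a checked-out tree (constructed)
--ignore-dir=build
--pager=./tools/not-a-pager
--output=$1
"""

def demo(argv=("--pager=cat",)):
    """Resolve options for the constructed files; run with argv=() for no CLI."""
    return merge_options(user_rc=USER_ACKRC, project_rc=PROJECT_ACKRC, argv=argv)
```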

See also :

http://lists.opensuse.org/opensuse-updates/2014-01/msg00094.html
https://bugzilla.novell.com/show_bug.cgi?id=855340

Solution :

Update the affected ack packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 75410

Bugtraq ID:

CVE ID: CVE-2013-7069
