OracleVM 3.2 : rpm (OVMSA-2016-0077)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- Add missing files in /usr/share/doc/

- Fix warning when applying the patch for #1163057

- Fix race condition where unchecked data is exposed in
the file system (CVE-2013-6435) (#1163057)

- Fix segfault on rpmdb addition when header unload fails
(#706935)

- Fix segfault on invalid OpenPGP packet (#743203)

- Account for excludes and hardlinks wrt payload max size
(#716853)

- Fix payload size tag generation on big-endian systems
(#648516)

- Track all install failures within a transaction
(#671194)

- fix changelog (bug #707677 is actually #808547)

- Document -D and -E options in man page (#814602)

- Require matching arch for freshen on colored
transactions (#813282)

- Add DWARF 3 and 4 support to debugedit (#808547)

- No longer add \n to group tag in Python bindings
(#783451)

- Fix typos in Japanese rpm man page (#760552)

- Bump Geode compatibility up to i686 (#620570)

- Proper region tag validation on package/header read
(CVE-2012-0060)

- Double-check region size against header size
(CVE-2012-0061)

- Validate negated offsets too in headerVerifyInfo
(CVE-2012-0815)

- Revert fix for #740291, too many packages rely on the
broken behavior

- Add support for XZ-compressed sources and patches to
rpmbuild (#620674)

- Avoid unnecessary assert-death when closing NULL fd
(#573043)

- Add scriptlet error notification callbacks (#533831)

- Honor --noscripts for pre- and posttrans scriptlets too
(#740345)

- Avoid bogus error on printing empty ds from python
(#628883)

- File conflicts correctness & consistency fixes (#740291)

- Create the directory used for transaction lock if
necessary (#510469)

- Only enforce default umask during transaction (#673821)

- fix thinko in the CVE backport

- fix CVE-2011-3378 (#742157)

- accept windows cr/lf line endings in gpg keys (#530212)

- Backport multilib ordering fixes from rpm 4.8.x
(#641892)

See also :

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000492.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 91753

Bugtraq ID: 49799, 52865, 71558

CVE ID: CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435
