Fedora 9 : libHX-1.23-1.fc9 / pam_mount-0.47-1.fc9 (2008-7976)
High Nessus Plugin ID 34184
Synopsis
The remote Fedora host is missing one or more security updates.
Description
A security flaw in pam_mount's handling of user-defined volumes using the 'luserconf' option has been fixed in this update. The vulnerability allowed users to arbitrarily mount filesystems at arbitrary locations. More details about this vulnerability can be found in the announcement message sent to the pam-mount-user mailing list at SourceForge: http://sourceforge.net/mailarchive/message.php?msg_name=alpine.LNX.1.10.0809042353120.17569%40fbirervta.pbzchgretzou.qr

Upstream changelog (excluding the git shortlog) for versions 0.43-0.47:
- mount.crypt: fix option slurping (SF bug #2054323)
- properly handle simple sgrp config items (Debian bug #493497)
- src: correct error check in run_lsof()
- conf: check that slash follows home tilde
- conf: wildcard inadvertently matched root sometimes
- fix double-freeing the authentication token
- use ofl instead of lsof/fuser
- kill-on-logout support (terminate processes that would stand in the way of unmounting)
- mount.crypt: auto-detect necessity for running losetup
- mount.crypt: add missing null command to conform to sh syntax (SF bug #2089446)
- conf: fix printing of strings when luser volume options were not ok
- conf: re-add luserconf security checks
- add support for encfs 1.3.x (1.4.x already has been in for long)
- conf: add the 'noroot' attribute for <volume> to force mounting with the unprivileged user account (required for FUSE filesystems)
- replace fixed-size buffers and arrays with dynamic ones (complete)

Note: This update also introduces a new version of libHX, which is required by the updated pam_mount.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected libHX and / or pam_mount packages.