SuSE 11.1 Security Update : FUSE (SAT Patch Number 4095)
Medium Nessus Plugin ID 53231
The remote SuSE 11 host is missing one or more security updates.
The following security issues were fixed:

- FUSE allowed local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem. (CVE-2010-3879)
- Avoid mounting a directory including evaluation of symlinks, which might have allowed local attackers to mount filesystems anywhere in the system. (CVE-2011-0541)
- Avoid symlink attacks on the mount point written in the mtab file. (CVE-2011-0543)

Four bugs were fixed:

- Fixed retrying nfs mounts on rpc timeouts.
- Allow separate control of the internet protocol used by rpc.mount, independently of the protocol used by nfs.
- Fixed locking in libuuid/uuid to avoid duplicate uuids.
- mkswap bad block check marked every block bad in O(n!) time on a good device.

New features were implemented:

- mount now has --fake and --no-canonicalize options, required for the symlink security fixes. These were backported from mainline.
- mount can now auto-detect and differentiate between squashfs3 and squashfs (v4) filesystems, allowing backward compatibility to the SUSE Linux Enterprise 11 GA codebase.